Turn public threat feeds and blocklists into automatic IP blocking for Linux and macOS firewalls.
Threat feeds and blocklists are useful, but manually translating them into firewall rules is repetitive and fragile. Autosecure handles download, parsing, validation, and rule refresh in one script, with backend support for iptables, firewalld, ufw, nft, and pf (macOS). This package is based on the original Spamhaus blocklist script and its contributors' work, which has not been maintained in over 10 years; I have since extended its functionality well beyond the original script.
Autosecure is very lightweight and can be set up to run daily from cron to auto-update. It is designed not to touch any existing firewall rules: it manages its own chains, tables, or anchors and leaves the rest of the ruleset alone. It is a set-and-forget way to protect any machine from known bad actors.
Homebrew (macOS)
brew tap vincentkoc/homebrew-tap
brew install autosecure

APT (Debian/Ubuntu)
curl -1sLf 'https://dl.cloudsmith.io/public/vincentkoc/autosecure/setup.deb.sh' | sudo -E bash
sudo apt-get update
sudo apt-get install autosecure

RPM (RHEL/Fedora)
curl -1sLf 'https://dl.cloudsmith.io/public/vincentkoc/autosecure/setup.rpm.sh' | sudo -E bash
sudo dnf install autosecure

Script only
curl -fsSL -o autosecure.sh https://raw.githubusercontent.com/vincentkoc/autosecure/master/autosecure.sh
chmod +x autosecure.sh
sudo ./autosecure.sh

The APT and RPM setup scripts run as root; download and read them first if your policy does not allow piping a remote script into sudo bash.

Default feeds
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
https://feeds.dshield.org/block.txt
https://feodotracker.abuse.ch/downloads/ipblocklist.txt
https://reputation.alienvault.com/reputation.data
Additional feed URLs can be passed in through the environment variable AUTOSECURE_EXTRA_FEEDS as a comma-separated string. Note that the ZeusTracker feed is intentionally disabled because its endpoint is no longer available.
If you want to discover more sources, see: threatfeeds.io
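The parsing and validation step deserves a closer look, because it is what stands between a feed and a drop rule. The following is an added example, not autosecure's own code: it takes raw feed text on stdin and produces a validated, de-duplicated list of IPv4 CIDRs. The sample feed lines are constructed; the shapes they imitate (';'-commented CIDRs, '#'-commented bare IPs, tab-separated start/end/prefix rows, '#'-delimited fields) are the general layouts of the feeds listed above, not a guarantee about any particular feed today. The refusal of 0.0.0.0/0, RFC1918 and loopback space is the check a practitioner wants: whether through a feed bug or a poisoned feed, such an entry installed as a drop rule would lock you out of the host.

```shell
#!/bin/sh
# Added example, not part of autosecure: normalise raw feed text into a
# validated list of IPv4 CIDRs and refuse entries that would cut off the host.

# Read feed text on stdin, print one "addr/prefix" per line (sorted, unique).
# Handles: "a.b.c.d/nn ; comment" (Spamhaus DROP style), "# comment" lines and
# bare IPs (Feodo style), "start<TAB>end<TAB>prefix<TAB>..." rows (DShield
# style) and "ip#field#field..." rows (AlienVault style). Rejected lines go to stderr.
extract_cidrs() {
  awk '
    function valid_ip(ip,    o, n, i) {
      n = split(ip, o, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    # Blocking these would blackhole the host itself or the whole Internet:
    # a /0, 0/8, loopback, RFC1918, link-local, multicast and reserved space.
    function unsafe(ip, pfx,    o) {
      if (pfx + 0 == 0) return 1
      split(ip, o, ".")
      if (o[1] + 0 == 0 || o[1] + 0 == 127 || o[1] + 0 == 10 || o[1] + 0 >= 224) return 1
      if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
      if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
      if (o[1] + 0 == 169 && o[2] + 0 == 254) return 1
      return 0
    }
    {
      sub(/\r$/, "")                     # tolerate CRLF feeds
      sub(/[;#].*$/, "")                 # strip comments; also trims "ip#..." rows to the ip
      if (NF == 0) next                  # blank or comment-only line
      ip = $1; pfx = 32
      if (index(ip, "/")) { split(ip, p, "/"); ip = p[1]; pfx = p[2] }
      else if (NF >= 3 && valid_ip($2) && $3 ~ /^[0-9]+$/) pfx = $3   # start/end/prefix row
      if (!valid_ip(ip)) { print "skip: " $0 > "/dev/stderr"; next }
      if (pfx !~ /^[0-9]+$/ || pfx + 0 > 32) { print "skip: " $0 > "/dev/stderr"; next }
      if (unsafe(ip, pfx)) { print "refused: " ip "/" pfx > "/dev/stderr"; next }
      pfx = pfx + 0
      print ip "/" pfx
    }' | sort -u
}

# Constructed sample input mixing the feed shapes above (not real feed data).
sample_feed() {
  printf '%s\n' \
    '; constructed sample, Spamhaus DROP style' \
    '203.0.113.0/24 ; SBL-EXAMPLE' \
    '# constructed sample, Feodo style' \
    '198.51.100.7' \
    '10.0.0.0/8 ; would blackhole the LAN, must be refused' \
    '0.0.0.0/0' \
    '300.1.2.3 ; not an address' \
    '203.0.113.0/24 ; duplicate'
  printf '192.0.2.0\t192.0.2.255\t24\t500\texample\tXX\tabuse@example.net\n'
  printf '198.51.100.7#4#2#Scanning Host#XX#City#0.0,0.0#1\n'
}

# Usage: sample_feed | extract_cidrs
# (real use: curl -fsSL "$feed_url" | extract_cidrs >> blocklist.txt)
```

Whatever backend then consumes the list, keep the refusal step in front of it; a feed that suddenly shrinks to zero entries or grows by an order of magnitude is also worth treating as a fetch failure and falling back to the cached copy rather than applying it.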
Features
- Firewall backend auto-detection: iptables, firewalld, ufw, nftables, pf
- IPv4 blocklist ingestion with optional IPv6 support (ip6tables)
- Optional ipset acceleration for large lists
- Safe refresh flow with cached fallback if feeds fail
- Quiet cron-friendly mode
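A safe refresh on the nftables backend means the old and new blocklists swap in a single step rather than flush-then-reload. This added example (not autosecure's own code; the set name bad_hosts, the chain name input and the priority value are assumptions for illustration, only the table name inet autosecure comes from this README) renders an nft script from a CIDR list on stdin. Because nft -f applies a file as one transaction, the delete and the re-creation commit together: there is no window with no blocklist loaded, and if any line fails to parse the whole batch is rejected and the previous table stays in place.

```shell
#!/bin/sh
# Added example, not part of autosecure. Reads one "addr/prefix" per line on
# stdin and prints an nft script that atomically replaces the blocklist table.
# Assumed names: set bad_hosts, chain input, priority -10; only the table name
# "inet autosecure" is taken from the README.
render_nft_ruleset() {
  awk '
    { sub(/[ \t\r]+$/, "") }
    # keep only well-formed IPv4 CIDRs; anything else is dropped here rather
    # than passed to nft, where one bad token would abort the whole transaction
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { e[++n] = $1 }
    END {
      print "table inet autosecure"          # create if missing, so the delete below cannot fail
      print "delete table inet autosecure"   # old chain and set go away in the same transaction
      print "table inet autosecure {"
      print "  set bad_hosts {"
      print "    type ipv4_addr"
      print "    flags interval"             # required for prefix (CIDR) elements
      if (n > 0) {
        printf "    elements = { "
        for (i = 1; i <= n; i++) printf "%s%s", e[i], (i < n ? ", " : "")
        print " }"
      }
      print "  }"
      print "  chain input {"
      print "    type filter hook input priority -10; policy accept;"   # runs before filter chains at priority 0
      print "    ip saddr @bad_hosts counter drop"                      # counter: see what is actually being dropped
      print "  }"
      print "}"
    }'
}

# Example use (sample CIDRs are constructed):
# printf '%s\n' 192.0.2.0/24 198.51.100.7/32 | render_nft_ruleset > autosecure.nft
# sudo nft -c -f autosecure.nft && sudo nft -f autosecure.nft
```

Running nft -c -f on the rendered file first checks it without applying; combined with the atomic apply, a bad feed never leaves the host with a half-loaded set or no blocklist at all. The same delete-and-recreate pattern is what makes the table safe to remove with a single nft delete table.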
Configuration (environment variables)
AUTOSECURE_FIREWALL_BACKEND=auto|iptables|firewalld|ufw|nft|pf (default: auto)
AUTOSECURE_RULE_POSITION=append|top (default: append)
AUTOSECURE_XTABLES_WAIT=<seconds> (default: 5)
AUTOSECURE_IPV6_ENABLE=0|1 (default: 0)
AUTOSECURE_IPSET_ENABLE=0|1 (default: 0)
AUTOSECURE_EXTRA_FEEDS=<url1,url2,...>
AUTOSECURE_EGF=0|1 (default: 1)

Rule position matters: with append, the jump into the Autosecure chain is placed after whatever rules are already in the built-in chains, so an earlier ACCEPT (for example a broad allow on a service port, or a rule matching established connections) can still admit a listed address. Set AUTOSECURE_RULE_POSITION=top when the blocklist must be evaluated before the existing ruleset.
Force a specific backend:
sudo AUTOSECURE_FIREWALL_BACKEND=pf autosecure.sh -q
sudo AUTOSECURE_FIREWALL_BACKEND=nft autosecure.sh -q
sudo AUTOSECURE_FIREWALL_BACKEND=iptables autosecure.sh -q
sudo AUTOSECURE_FIREWALL_BACKEND=firewalld autosecure.sh -q
sudo AUTOSECURE_FIREWALL_BACKEND=ufw autosecure.sh -q

Cron
Autosecure needs root to modify firewall rules, so add the schedule to root's crontab (sudo crontab -e) or to an account that can run it unattended.

Linux (APT/RPM/package install)
Use the packaged binary path:
crontab -e
0 3 * * * /usr/local/bin/autosecure -q

macOS (Homebrew install)
Use the Homebrew-installed binary path:
crontab -e
0 3 * * * /opt/homebrew/bin/autosecure -q
If you are on Intel macOS Homebrew, use:
0 3 * * * /usr/local/bin/autosecure -q

Script-only install (any OS)
Use the absolute path where you placed the script:
crontab -e
0 3 * * * /absolute/path/to/autosecure.sh -q

Resolve the executable path first:
command -v autosecure || command -v autosecure.sh

Removing Autosecure rules
iptables (IPv4)
Flush chains:
sudo iptables -F Autosecure
sudo iptables -F AutosecureAct

Detach chain jumps:
sudo iptables -D INPUT -j Autosecure
sudo iptables -D FORWARD -j Autosecure
sudo iptables -D OUTPUT -j Autosecure

Delete chains:
sudo iptables -X Autosecure
sudo iptables -X AutosecureAct

iptables -D removes one matching rule per call; if a jump was added more than once, repeat it until it reports no match. A chain that is still referenced cannot be deleted, so if -X fails, check sudo iptables -S for remaining jumps to Autosecure.

ip6tables (IPv6 mode)
If AUTOSECURE_IPV6_ENABLE=1 was used, clear the IPv6 chains the same way:
sudo ip6tables -F Autosecure
sudo ip6tables -F AutosecureAct
sudo ip6tables -D INPUT -j Autosecure
sudo ip6tables -D FORWARD -j Autosecure
sudo ip6tables -D OUTPUT -j Autosecure
sudo ip6tables -X Autosecure
sudo ip6tables -X AutosecureAct

nftables backend
Inspect table:
sudo nft list table inet autosecure

Remove table:
sudo nft delete table inet autosecure

macOS pf backend
How it works on macOS:
- The backend auto-selects pf.
- On first run, /etc/pf.conf is auto-bootstrapped with:
  anchor "autosecure"
  load anchor "autosecure" from "/etc/pf.anchors/autosecure"
- Runtime rules are loaded into the anchor autosecure and the table autosecure_bad_hosts.
- Common noisy pfctl -f warnings are filtered, while real pfctl errors are still shown.
Inspect anchor and table:
sudo pfctl -a autosecure -s rules
sudo pfctl -a autosecure -t autosecure_bad_hosts -T show

Confirm pf itself is enabled (look for Status: Enabled), since anchor rules only take effect while pf is running:
sudo pfctl -s info

Flush block table entries:
sudo pfctl -a autosecure -t autosecure_bad_hosts -T flush

Reload anchor file:
sudo pfctl -a autosecure -f /etc/pf.anchors/autosecure

Validate main pf config if needed:
sudo pfctl -nf /etc/pf.conf

Contributing
Open an issue for bugs or a pull request for improvements.

Made with π by Vincent Koc · GPL-3.0
