visiongaiatechnology/vgt-global-threat-sync

GitHub: visiongaiatechnology/vgt-global-threat-sync

A zero-downtime, Linux kernel-level threat intelligence sync engine that aggregates malicious IPs from multiple authoritative sources every day and blocks them proactively by injecting them atomically into ipset.

Stars: 0 | Forks: 0

# 🌐 VGT Global Threat Sync: Daily Threat Intelligence Engine

[![License](https://img.shields.io/badge/License-AGPLv3-green?style=for-the-badge)](LICENSE) [![Platform](https://img.shields.io/badge/Platform-Linux-FCC624?style=for-the-badge&logo=linux)](https://kernel.org) [![Kernel](https://img.shields.io/badge/Layer-Kernel_Level-red?style=for-the-badge)](#) [![Status](https://img.shields.io/badge/Status-DIAMANT-purple?style=for-the-badge)](#) [![Feeds](https://img.shields.io/badge/Threat_Feeds-6_Sources-orange?style=for-the-badge)](#) [![Cron](https://img.shields.io/badge/Sync-Daily_04:00-blue?style=for-the-badge)](#) [![VGT](https://img.shields.io/badge/VGT-VisionGaia_Technology-red?style=for-the-badge)](https://visiongaiatechnology.de) [![Donate](https://img.shields.io/badge/Donate-PayPal-00457C?style=for-the-badge&logo=paypal)](https://www.paypal.com/paypalme/dergoldenelotus)

**VGT Global Threat Sync** is a zero-downtime, atomic threat intelligence sync engine for Linux servers. Every day it pulls live data from 6 authoritative threat feeds, aggregates tens of thousands of malicious IPs and subnets, and injects them straight into the kernel via `ipset`, using an atomic swap so that there is no gap in protection while the update runs.

No downtime. No race conditions. No gaps. Pure kernel-level protection.

## 🔗 The VGT Linux Defense Ecosystem

Three tools. One philosophy. Complete coverage.

| Tool | Type | Purpose |
|---|---|---|
| 🌐 **VGT Global Threat Sync** | **Preventive** | Blocks known attackers before they arrive |
| ⚔️ **[VGT Auto-Punisher](https://github.com/visiongaiatechnology/vgt-auto-punisher)** | **Reactive** | Bans attackers the moment they touch the server |
| 🔥 **[VGT Windows Firewall Burner](https://github.com/visiongaiatechnology/vgt-windows-burner)** | **Windows** | Burns 280,000+ APT IPs into the Windows Firewall |

## 🚨 The Problem: Reactive Security Alone Is Not Enough

Tools like Fail2Ban and Auto-Punisher are reactive: they ban only after the first attack has happened. Known botnet infrastructure, APT C2 servers and repeat offenders can still land that first attack.

| Reactive only | Reactive + Global Threat Sync |
|---|---|
| ❌ Known botnets hit you first | ✅ Known botnets are blocked before the first packet |
| ❌ Repeat offenders retry every day | ✅ Already banned in a previous sync |
| ❌ No intelligence on known bad actors | ✅ 6 authoritative sources, updated daily |
| ❌ Blacklists managed by hand | ✅ Fully automated, zero-downtime updates |
| ❌ Update gaps expose the server | ✅ Atomic swap, never a gap in protection |

## 🛡️ Threat Intelligence Sources: Platinum-Grade Selection

```
Feodo Tracker (abuse.ch)        → Botnet C2 servers (Emotet, TrickBot, etc.)
Spamhaus DROP                   → "Don't Route Or Peer" — worst of the internet
Spamhaus EDROP                  → Extended DROP list — hijacked netblocks
CINS Score (cinsscore.com)      → Continuous threat scoring feed
Blocklist.de                    → Attack IPs reported by intrusion sensors worldwide
Emerging Threats (Proofpoint)   → Commercial-grade threat intelligence, free feed
```

Combined: **tens of thousands of IPs and subnets, updated daily from authoritative sources**.

## ⚡ Atomic Swap Architecture

This is what separates VGT Global Threat Sync from a simple cron script:

```
Standard approach (with downtime gap):
  Flush live set → [UNPROTECTED GAP] → Load new IPs → Protected again

VGT Atomic Swap (zero-downtime):
  Load new IPs into SHADOW set   (server stays protected by LIVE set)
            ↓
  ipset swap SHADOW LIVE         ← atomic kernel operation, nanoseconds
            ↓
  Destroy old SHADOW set

Server never had a gap. Ever.
```

```
# The magic command line
ipset swap $IPSET_TMP $IPSET_LIVE
```

One command. Atomic. Zero downtime. The kernel exchanges both sets at once.

## 🔒 Feed Integrity Verification

Before any swap takes place, the script verifies the integrity of the feed data:

```
if [ "$L_COUNT" -lt 5000 ]; then
    echo "[KRITISCH] Feed-Integrität kompromittiert. Abbruch."
    exit 1
fi
```

If a feed is unavailable, returns garbage, or has been tampered with, the sync aborts. Your existing protection stays intact. It never fails silently.

## 📊 Live Output

```
[VGT] Starte globale Threat-Intelligence Synchronisation...
[VGT] Ingesting Feed: feodotracker.abuse.ch...
[VGT] Ingesting Feed: spamhaus DROP...
[VGT] Ingesting Feed: spamhaus EDROP...
[VGT] Ingesting Feed: cinsscore.com...
[VGT] Ingesting Feed: blocklist.de...
[VGT] Ingesting Feed: emergingthreats...
[VGT] 47,832 Bedrohungs-Vektoren identifiziert. Injektiere in Shadow-Memory...
[VGT] Führe atomaren State-Swap durch...
[VGT] Matrix in rules.v4 gebrannt.
[VGT] SYNCHRONISATION ABGESCHLOSSEN. Status: DIAMANT.
```

## 🚀 Installation

### Requirements

- Linux (Debian / Ubuntu / CentOS)
- Root privileges
- `curl`, `ipset`, `iptables`, `awk`, `grep`

### Setup

```
# Clone the repository
git clone https://github.com/visiongaiatechnology/vgt-global-threat-sync.git
cd vgt-global-threat-sync

# Make executable
chmod +x vgt_global_threat_sync.sh

# Run first sync manually
sudo ./vgt_global_threat_sync.sh
```

### Automate with Cron (recommended)

```
# Edit crontab
sudo crontab -e

# Add this line — runs daily at 04:00
0 4 * * * /root/vgt_global_threat_sync.sh > /dev/null 2>&1
```

Syncs daily at 04:00: fresh threat intelligence every morning before business hours begin.

## 🔍 Managing the Blacklist

```
# Count currently blocked IPs
ipset list VGT_GLOBAL_THREAT | grep -c "^[0-9]"

# View all blocked ranges
ipset list VGT_GLOBAL_THREAT

# Emergency flush (removes all threat sync blocks)
ipset flush VGT_GLOBAL_THREAT

# Manual sync trigger
sudo ./vgt_global_threat_sync.sh
```

## 🏗️ Combining with Auto-Punisher

The complete Linux defense stack:

```
04:00 daily  → Threat Sync updates known bad actors                      (preventive)
24/7         → Auto-Punisher terminates unknown attackers in real-time   (reactive)

Result: Known threats never reach you.
        Unknown threats get one shot — then permanent ban.
```

```
# Run both as systemd services for complete coverage
systemctl enable vgt-punisher
systemctl start vgt-punisher
# + cron for threat sync
```

## 📦 System Specifications

```
ARCHITECTURE      Atomic Shadow-Swap (Zero-Downtime Updates)
THREAT_FEEDS      6 authoritative sources
SYNC_SCHEDULE     Daily via cron (recommended: 04:00)
BAN_MECHANISM     ipset hash:net (O(1) lookup complexity)
INTEGRITY_CHECK   Aborts if feed returns < 5,000 IPs
PERSISTENCE       iptables-save → /etc/iptables/rules.v4
OVERHEAD          ~0% CPU after sync (kernel-level O(1) lookups)
DEPENDENCIES      curl, ipset, iptables, awk, grep
```

## ⚠️ Important Notes

- **Run as root**: kernel-level operations require root privileges
- **First run takes about 30 seconds**: feed download + injection
- **Subsequent runs are fast**: the atomic swap is near-instant
- **Feed integrity check**: the sync aborts if a feed looks tampered with
- **Combine with Auto-Punisher** to cover reactive defense against unknown threats

## 🏢 Built by VisionGaia Technology

[![VGT](https://img.shields.io/badge/VGT-VisionGaia_Technology-red?style=for-the-badge)](https://visiongaiatechnology.de)

VisionGaia Technology builds enterprise-grade security and AI tools, crafted to the DIAMANT VGT SUPREME standard.

*Version 1.0.0 (DIAMANT SUPREME) · VGT Global Threat Sync // Atomic Threat Intelligence Engine*
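The shadow-set build and `ipset swap` from the Atomic Swap Architecture section, together with the feed-integrity gate from Feed Integrity Verification, as one added example that is not the project's own `vgt_global_threat_sync.sh`. The live set name `VGT_GLOBAL_THREAT` and the 5,000-entry threshold come from the README; the shadow set name `VGT_GLOBAL_THREAT_TMP`, the `maxelem` value, the `normalize_feed` filter and the sample feed lines are assumptions.

```shell
# Added example, not the project's own vgt_global_threat_sync.sh: shadow-set build,
# integrity gate and atomic swap as reusable POSIX shell functions.
set -eu

IPSET_LIVE="${IPSET_LIVE:-VGT_GLOBAL_THREAT}"      # live set, name from the README
IPSET_TMP="${IPSET_TMP:-VGT_GLOBAL_THREAT_TMP}"    # shadow set, assumed name
MIN_ENTRIES="${MIN_ENTRIES:-5000}"                 # abort threshold from the README
SET_OPTS="hash:net family inet maxelem 131072"     # assumed; default maxelem is 65536

# Normalise raw feed text on stdin: strip '#' and ';' comments (Spamhaus DROP
# style), drop whitespace, keep only IPv4 addresses or CIDR prefixes, dedupe.
normalize_feed() {
  sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | sort -u
}

# Integrity gate: a truncated, empty or garbage feed must never replace LIVE.
feed_is_sane() {
  [ "$(grep -c . "$1")" -ge "$MIN_ENTRIES" ]
}

# Fill SHADOW while LIVE keeps filtering, then exchange them in one kernel call.
atomic_swap_from_file() {
  list="$1"
  if ! feed_is_sane "$list"; then
    echo "[KRITISCH] Feed-Integrität kompromittiert. Abbruch." >&2
    return 1
  fi
  ipset -exist create "$IPSET_LIVE" $SET_OPTS      # first run: LIVE may not exist yet
  ipset destroy "$IPSET_TMP" 2>/dev/null || true   # leftover shadow from a crashed run
  ipset create "$IPSET_TMP" $SET_OPTS              # same type and options, or swap fails
  while read -r net; do
    ipset -exist add "$IPSET_TMP" "$net"
  done < "$list"
  ipset swap "$IPSET_TMP" "$IPSET_LIVE"            # atomic: no unprotected window
  ipset destroy "$IPSET_TMP"                       # now holds yesterday's entries
}

# Constructed sample feed (not real feed data) mixing the formats seen upstream.
write_sample_feed() {
  cat > "$1" <<'EOF'
# Feodo-style comment line
203.0.113.0/24 ; SBL-EXAMPLE-1
198.51.100.7
203.0.113.0/24 ; duplicate, must collapse
not-an-ip
2001:db8::1
EOF
}
```

Run as root on a real host; the swap leaves the iptables rule that matches `VGT_GLOBAL_THREAT` untouched, since only the set's contents change.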
Tags: CISA project, cron jobs, DevSecOps, Ipset, Iptables, bulk IP processing, IP blacklist, Sysadmin, upstream proxy, intrusion prevention, kernel-level protection, atomic updates, threat intelligence, threat feeds, application security, developer tools, malicious IP blocking, plugin system, cybersecurity, network blocking, automated defense, firewall, privacy protection, zero downtime