PfBlocker
-
Thanks BBcan17. Those lists look good I will use some of them. I managed to get my script to work with the AdAway lists.
I have posted it on paste bin http://pastebin.com/xJYz9qgW
I have also posted the cleaned up list of URLs from those three sites http://pastebin.com/vFbA20CG which will make the script much quicker if you pass it into the script at run time, it will only update newly added sites. Which you could then add the new IP address to the IP list for those URLs as of 5/23 http://pastebin.com/f3kUW3arThere are about 10000 IP address and they seem to be blocking a ton of traffic
I have not tested it a lot but I have noticed some sites that are blocked that shouldn't be like unix.stackexchange.com ( already removed from the pastebin IP list )
please excuse my poor bash code.
![Screenshot - 05232014 - 11:10:29 AM.png](/public/imported_attachments/1/Screenshot - 05232014 - 11:10:29 AM.png)
![Screenshot - 05232014 - 11:10:29 AM.png_thumb](/public/imported_attachments/1/Screenshot - 05232014 - 11:10:29 AM.png_thumb) -
Hi w1ll1am,
Spammers must die! There is also a website called "Phishtank" that has Phishing URL's posted also.
I think you might get some false positives with this method. As some of these hosts are actually hosted by Big ISP's.
These URLs would be better suited for DNS lookup blocking methods (hosts file). Need to find a way to weed out the false positives.
I would like to have this accomplished on my MS Active Directory DNS server so that it can handle all of the workstations it manages and filter out DNS requests to these URLS. It would be a good addition to the DNS Forwarder/BIND etc packages in pfSense also.
I pulled some of the hosts from the first link and ran a Dig command. It shows as Yahoo.
[1]
dig +short ypn-js.overture.com
us.srv.ysm.yahoodns.net.
98.139.225.108[2]
dig +short 13.ptp22.com
50.62.128.39IPVOID shows it being Registered by GoDaddy.
http://www.ipvoid.com/scan/50.62.128.39/[3]
dig +short admeld.comGoogle
173.194.43.97
173.194.43.103
173.194.43.98
173.194.43.105
173.194.43.110
173.194.43.101
173.194.43.99
173.194.43.100
173.194.43.102
173.194.43.96
173.194.43.104http://kb.bothunter.net/ipInfo/nowait.php?IP=173.194.43.97
-
I just made a URL Table Alias with http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt on a 2.1-RELEASE Alix nanoBSD. The table loads into pf with 9252 entries. Used it as source in a block rule on WAN and it works. So the list itself is not bad. And you can easily use it anyway without pfBlocker, just using the ordinary URL Table Alias and Firewall Rules features of pfSense.
I still have this list in my firewall rules. But to date it still has the 9252 IP's so I assume it has never been updated since last year. As I am working on the new thread of JFL (https://forum.pfsense.org/index.php?topic=78062.0), I was wondering, are all instructions in this thread obsolete (so I should also delete this large IP-list?)
-
I have been using pfblocker for over a year now. I consider pfBlocker and Snort combo an essential part of a firewall. PFBlocker successfully removes entire countries such as China removing about 80% of the intrusions and Snort takes care of the rest, and handles exotic things such as detecting port scanning. Ever since, I have had zero problems with real intrusions into my network.
After making intense use of it to also handle my whitelists and blacklists (because it likes to re-order the rules otherwise) I find it convenient that shows me in the dashboard the status and blocks with labels in the firewall log.
I wish though that I could selectively set the logging flag because if I choose logging for black lists, I end up getting the blocked country also.
I do not want to use an alias or to create these rules manually in the rules because I want pfblocker to manage them so I can see this in the dashboard. And it re-orders the rules if it doesn't manage them itself. Also when I have problems I can mass disable all the block rules from pfblocker so I can diagnose who is generating the false positive.
Very simple change I hope.
Thanks,
Kevin -
I have logging enabled in pfBlocker but I never see anything in the system logs even when I see that the pfBlocker widget has blocked some packets. Any idea what I may need to change to remedy this problem?
Also, is there any way to have it persist the stats, e.g. how many packets it blocks? Looks like every time the firewall filter gets reloaded, the pfBlocker widget goes back to showing all 0's for the number of packets it has blocked.
-
logging means that the blocks/rejects will show up in your firewall log, not your system log. If you click on the red/yellow X, it should tell you which rule was triggered.
persist stats would be great but the system grabs the stats directly from the rules in realtime. That is why is why they reset to 0 when your rules are reloaded.
-
Any news on where to find updated lists??
-
Any news on where to find updated lists??
check out this thread https://forum.pfsense.org/index.php?topic=78062.msg426417#msg426417 its a great script but if you prefer to use pfBlocker, you can grab some of the list from it.. Just make sure the list is compilable with pfBlocker
-
I have been using pfblocker for over a year now. I consider pfBlocker and Snort combo an essential part of a firewall. PFBlocker successfully removes entire countries such as China
Hi Kevin,
The Country Database in pfBlocker hasn't been updated for over 2 years now. The data is obsolete. I know they are working on a new service (most likely for paid members) that will provide updates for the Country Lists.
I have written a script that does what pfBlocker does but with a lot of other missing features. You can see more details in the following link:
Its a long forum post, so you need to read all of its posts in their entirety.
https://forum.pfsense.org/index.php?topic=78062.msg426963#msg426963I also wrote a patch for the pfBlocker widget to show when the Alias was last updated and indication of any download failures.
I also write a patch for diag_dns.php which is the "Firewall Log" GUI Screen. This update has the ability to show which Blocklist (Irevelent of the Alias) caused the Block. So even if the Filter Logs clear, you can easily find the IP/Blocklist match. This can also be used from Snort, when you click on the "!" icon which will show you if any of the Snort Alerts are on any of your Blocklists. It will actually show you if any of the IPs are founded in the Alerted IPs Range.
I would recommend that you use "Aliases" as they give you more control than the method that you are currently using.
-
@Hollander:
I just made a URL Table Alias with http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt on a 2.1-RELEASE Alix nanoBSD. The table loads into pf with 9252 entries. Used it as source in a block rule on WAN and it works. So the list itself is not bad. And you can easily use it anyway without pfBlocker, just using the ordinary URL Table Alias and Firewall Rules features of pfSense.
I still have this list in my firewall rules. But to date it still has the 9252 IP's so I assume it has never been updated since last year. As I am working on the new thread of JFL (https://forum.pfsense.org/index.php?topic=78062.0), I was wondering, are all instructions in this thread obsolete (so I should also delete this large IP-list?)
Hi Hollander,
the ET RBN list has been discontinued. Along with the RBN malvertisers list.
Emerging Threats RBN rules.
THIS RULESET HAS BEEN OBSOLETED!! This file is left to simply note this fact.
More information available at doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
-
First of all, pfBlocker is a great package, cheers to the authors! However, it would be very useful (some users already highlighted this) to have more options for "Update frequency". Specifically I would like to see one very short and one longer frequency, like "Every 10 Minutes" and "Once a week". Could you add this?
And just out of curiosity, how is this updating handled, I don't see any crontab entry for pfBlocker?
-
Hi Hollander,
the ET RBN list has been discontinued. Along with the RBN malvertisers list.
Thank you Sir ;D
-
The Country Database in pfBlocker hasn't been updated for over 2 years now. The data is obsolete. I know they are working on a new service (most likely for paid members) that will provide updates for the Country Lists.
I have written a script that does what pfBlocker does but with a lot of other missing features. You can see more details in the following link:
I am prollally stupid once again, BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?
Thank you ;D
-
@Hollander:
BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?
Hello Hollander,
First step is to add "unzip" as its a dependency:
pkg_add -r unzip
(See this thread to get 8.3 Package Archive ENV path)
https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084Code from the Script:
441 # ================================================================ 442 443 # MaxMind GeoIP COUNTRY CODE Blocklist (** Installation STEPS **) 444 # 445 # - Package Dependency (UNZIP) as stated above. 446 # - Uncomment "#" the [ countrycode ] line below, save/exit. 447 # - Run this script from the shell [ ./pfiprep killdb ] 448 # which will create the [ countrycode ] config file. 449 # (Don't run the script when CRON is expected to run) 450 # - When the script exits "EDIT" the [ countrycode ] file and 451 # enter "#" infront of the Countries to Whitelist. 452 # - Re-Run the script [ ./pfiprep ] 453 # 454 # - To remove Country Blocking Completely, re-comment [ #countrycode ] 455 # and run from the shell [ ./pfiprep killdb ] or [ ./pfiprep killdb dskip ] 456 # ================================================================ 457 458 # Maxmind GeoIP Country Code - Blocklist Download 459 # 460 # This will only download on the first Tuesday of Each Month 461 # Any changes to the [ Countrycode ] text file will be done at that time. 462 # When the CSV Database is downloaded it will create a [ cccsv.lock ] file 463 # in the $userfolder path to avoid downloading multiple times. If you 464 # want to bypass, delete the [ cccsv.lock ] file. 465 466 header=CountryBlock 467 group=tier10 468 addr=https://geolite.maxmind.com/download/geoip/database/ 469 infile=GeoIPCountryCSV.zip 470 471 #countrycode 472 # ================================================================
( I cleaned up the Text instructions in my Github Gist. So it may not match your existing Script. )
Steps:
- Remove "#" from line 471 ( countrycode ) , and save/exit the script.
- From the "Shell" run [ [b]./pfiprep killdb ]
- This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
- It will create a file called "countrycode" which is a list of all the countries.
- On First Install, the script will exit and ask you to edit the "countrycode" file.
- Put a "#" infront of the countries to whitelist.
- Save/Exit "countrycode" file.
8.) Re-run the script [ [b]./pfiprep ]
Keep in mind about how the script functions:
-
Block the IPs from the Countries you have Selected (If you enabled Country Blocking Feature)
-
Each additional Blocklist that gets downloaded, the script will check for duplication against all previously downloaded Lists (Including the Country Blocklists) so that you don't add the same Blocked IPs or Ranges that are already on the Masterfile List.
-
Other functionality of the script is "IP Reputation" which looks to see how many Malicious IPs are found in a /24 Range. If the script finds over the "max" variable setting, it will block those particular ranges and remove the individual IPs from each Blocklist. The first Blocklist that contains the "Repeat Offending Range" will get the "x.x.x.0/24" block, while all of the other list have these repeat offenders are removed as the first list is blocking the whole range.
-
If you decide to remove a "Blocklist", it is recommended to refresh the database as you can see from above that all of the Blocklists are essentially tied together to remove duplication and process "IP Reputation".
Refreshing the database can be achieved in two ways:
[ [b]./pfiprep killdb ] This will delete the database and re-download all Blocklists.
or
[ [b]./pfiprep killdb dskip ] Which will kill the database and re-use the existing Download Blocklist Files.
The script will automatically download the Maxmind Country Code Database on the First Tuesday of Each Month. As each Blocklist gets downloaded, it will resync against the updated Country Blocklists as per the schedule settings for each Blocklist. I never considered to perform a [ [b]./pfiprep killdb dskip ] each month, but I think this might be something that I should add to the next version of the script.
At any time, you can edit the "countrycode" file and it will automatically re-configure the Country Blocking at the next scheduled CRON job. (But if you do make changes, I recommend resyncing the database.)
I also added a few additional Blocklists ( from the gist hit the "revision icon" to see the changes)
I hope this is clear. Let me know if you need any more help.
-
Maxmind seems to be a commercial company. Despite the fact their GeoIP files are publicly accessible, is it allowed to just take them? They appear to charge a fee for access to their lists.
-
@KOM:
Maxmind seems to be a commercial company. Despite the fact their GeoIP files are publicly accessible, is it allowed to just take them? They appear to charge a fee for access to their lists.
Yes this is the Free Version of the Maxmind Database that is Updated Once per month. It is 98% accurate for Countries as per their website.
http://dev.maxmind.com/geoip/legacy/geolite/
They have a paid version but you would only need that if you wanted City or other GeoIP data.
-
OK great. Thank you for that. I looked around but didn't see the distinction before I posted. I don't want to take what isn't mine to take, and I admit I'm a little late to this thread.
-
@Hollander:
BB, but I can't seem to find how to do country blocking with your script. I know it is possible, but have I missed something? I want to block a great deal of countries I consider nothing good to come from ( 8) ;D ). If I overlooked something, could you please point me to the text I must have overlooked?
Hello Hollander,
First step is to add "unzip" as its a dependency:
pkg_add -r unzip
(See this thread to get 8.3 Package Archive ENV path)
https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084Code from the Script:
441 # ================================================================ 442 443 # MaxMind GeoIP COUNTRY CODE Blocklist (** Installation STEPS **) 444 # 445 # - Package Dependency (UNZIP) as stated above. 446 # - Uncomment "#" the [ countrycode ] line below, save/exit. 447 # - Run this script from the shell [ ./pfiprep killdb ] 448 # which will create the [ countrycode ] config file. 449 # (Don't run the script when CRON is expected to run) 450 # - When the script exits "EDIT" the [ countrycode ] file and 451 # enter "#" infront of the Countries to Whitelist. 452 # - Re-Run the script [ ./pfiprep ] 453 # 454 # - To remove Country Blocking Completely, re-comment [ #countrycode ] 455 # and run from the shell [ ./pfiprep killdb ] or [ ./pfiprep killdb dskip ] 456 # ================================================================ 457 458 # Maxmind GeoIP Country Code - Blocklist Download 459 # 460 # This will only download on the first Tuesday of Each Month 461 # Any changes to the [ Countrycode ] text file will be done at that time. 462 # When the CSV Database is downloaded it will create a [ cccsv.lock ] file 463 # in the $userfolder path to avoid downloading multiple times. If you 464 # want to bypass, delete the [ cccsv.lock ] file. 465 466 header=CountryBlock 467 group=tier10 468 addr=https://geolite.maxmind.com/download/geoip/database/ 469 infile=GeoIPCountryCSV.zip 470 471 #countrycode 472 # ================================================================
( I cleaned up the Text instructions in my Github Gist. So it may not match your existing Script. )
Steps:
- Remove "#" from line 471 ( countrycode ) , and save/exit the script.
- From the "Shell" run [ [b]./pfiprep killdb ]
- This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
- It will create a file called "countrycode" which is a list of all the countries.
- On First Install, the script will exit and ask you to edit the "countrycode" file.
- Put a "#" infront of the countries to whitelist.
- Save/Exit "countrycode" file.
8.) Re-run the script [ [b]./pfiprep ]
Keep in mind about how the script functions:
-
Block the IPs from the Countries you have Selected (If you enabled Country Blocking Feature)
-
Each additional Blocklist that gets downloaded, the script will check for duplication against all previously downloaded Lists (Including the Country Blocklists) so that you don't add the same Blocked IPs or Ranges that are already on the Masterfile List.
-
Other functionality of the script is "IP Reputation" which looks to see how many Malicious IPs are found in a /24 Range. If the script finds over the "max" variable setting, it will block those particular ranges and remove the individual IPs from each Blocklist. The first Blocklist that contains the "Repeat Offending Range" will get the "x.x.x.0/24" block, while all of the other list have these repeat offenders are removed as the first list is blocking the whole range.
-
If you decide to remove a "Blocklist", it is recommended to refresh the database as you can see from above that all of the Blocklists are essentially tied together to remove duplication and process "IP Reputation".
Refreshing the database can be achieved in two ways:
[ [b]./pfiprep killdb ] This will delete the database and re-download all Blocklists.
or
[ [b]./pfiprep killdb dskip ] Which will kill the database and re-use the existing Download Blocklist Files.
The script will automatically download the Maxmind Country Code Database on the First Tuesday of Each Month. As each Blocklist gets downloaded, it will resync against the updated Country Blocklists as per the schedule settings for each Blocklist. I never considered to perform a [ [b]./pfiprep killdb dskip ] each month, but I think this might be something that I should add to the next version of the script.
At any time, you can edit the "countrycode" file and it will automatically re-configure the Country Blocking at the next scheduled CRON job. (But if you do make changes, I recommend resyncing the database.)
I also added a few additional Blocklists ( from the gist hit the "revision icon" to see the changes)
I hope this is clear. Let me know if you need any more help.
Thanks BB, you know you are one of my heros on this board, I just hit you with my karma stick again ;D
I will try it, and report back here.
_PS About me learning grep: yes, you are completely right. But: time :-[ Currently I am dividing time between my own job, WIFE complaining ( ;D ), and helping out the poor who are being quite abused by the system in this 'highly developed society we seem to be living in'. Which translates in barely educated, low salary workers, who don't understand all the mumbo-jumbo crap in official letters, being fined hundreds of euros because they underpaid taxes by 2 euros. It seems I can read at least some of these 'government officials' bullshit letters, and as I can't stand injustice, I'm the one writing the legal letters on behalf of my quite illerate co-citizens, which, unfortunately, takes a lot of time.[/i]
I'm now thinking if I am brave enough to execute:
true `yes no`
;D
(This seems to be a dangerous command)._
-
I am running into a problem, BB :-\
- Remove "#" from line 471 ( countrycode ) , and save/exit the script.
- From the "Shell" run [ [b]./pfiprep killdb ]
- This should download the Maxmind Country Code .zip file and automatically extract the .csv country Code Database.
- It will create a file called "countrycode" which is a list of all the countries.
- On First Install, the script will exit and ask you to edit the "countrycode" file.
- Put a "#" infront of the countries to whitelist.
The file is created, but nothing is in it (zero bytes). The script issued this:
[2.1.4-RELEASE][root@112]/home/badips(9): ./pfiprep killdb **** UPDATE PROCESS START - Sat Jul 26 17:13:39 CEST 2014 **** Deleting pfIP Rep Databases. Databases have been Deleted! find: /home/badips/countrycodes: No such file or directory rm: /home/badips/cc_csv.lock: No such file or directory find: /home/badips/GeoIPCountryWhois.csv: No such file or directory rm: /home/badips/cc_csv.lock: No such file or directory looking up geolite.maxmind.com connecting to geolite.maxmind.com:443 SSL connection established using RC4-SHA Certificate subject: /serialNumber=dfgdighiofgiodfiogdiofgdjkfq4Js/C=US/O=*.maxmind.com/OU=GT53364002/OU=See www.rap112sl.com/resources/cps (c)11/OU=Domain Control Validated - Rap112SL(R)/CN=*.maxmind.com Certificate issuer: /C=US/O=GeoTrust, Inc./CN=Rap112SL CA requesting https://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip remote size / mtime: 1444832 / 1404267648 /home/badips/GeoIPCountryCSV.zip 100% of 1410 kB 164 kBps unzip: cannot find or open /home/badipsGeoIPCountryCSV.zip, /home/badipsGeoIPCountryCSV.zip.zip or /home/badipsGeoIPCountryCSV.zip.ZIP. cut: /home/badips/GeoIPCountryWhois.csv: No such file or directory Please edit [ /home/badips/countrycodes ] and comment # the countries to SAFELIST before proceeding with CC Blocking [2.1.4-RELEASE][root@112]/home/badips(10):
(I scrambled that serial number there since I don't know if it should be pasted here).
What should I do?
Thank you ;D
-
Hi Hollander, Looks like I missed a "/",
In pfiprepman, Line 416
** $pathunzip -o $userfolder$infile**
change it to:
$pathunzip -o $userfolder/$infile
Sorry about that.