PfBlockerNG v2.1 w/TLD
-
Malvertising in Action:
Published on Sep 1, 2016
Exploit kits are a class of threat that indiscriminately attempt to compromise all users. Malicious advertisements, or malvertising, are a common vector adversaries use to try and redirect users to an exploit kit.
https://www.youtube.com/watch?v=-E56rSF01no&feature=youtu.be
-
Hi all
I am looking for some IP/DNSBL blocklist / blacklist with very small false positive and was wondering from your experience with using different block lists which one would you recommend.Thanks in advance for taking the time to respond.
-
can someone help me on that:
i bave many firewall log entries likeSep 26 11:05:04 LAN 10.0.0.80:45511 127.0.0.1:8443
why is it blocked by pfblock rule?
and why 127.0.0.1?? -
can someone help me on that:
i bave many firewall log entries likeSep 26 11:05:04 LAN 10.0.0.80:45511 127.0.0.1:8443
why is it blocked by pfblock rule?
and why 127.0.0.1??Goto the General tab, and enable "Suppression", the Force Reload - All…. This will remove all RFC1918 and loopback addresses...
-
Okay thank you. Did that 8)
-
Is it possible to use some of the paid databases from Maxmind with pfBlockerNG ? (other than GeoLite2)
And if possible, how ?
-
Is it possible to use some of the paid databases from Maxmind with pfBlockerNG ? (other than GeoLite2)
And if possible, how ?
Hi, I have not tested it, but if you do have a paid subscription, I would think that they would give you an API key that could be added to the MaxMind URL…
You could manually edit the URL in /usr/local/www/pfblockerng/pfblockerng.php
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/www/pfblockerng/pfblockerng.php#L52
And adjust the MaxMind cron task to run once a week (I think thats the update freq. of the paid subscription database).
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L5303
-
http://10.10.10.1:8443 return a gif
It should be https://10.10.10.1:443 but that doesn't return and doesn't it log to dnsbl.log either.
Sorry guys if this is dumb, or I missed something obvious. I am power reading as much as I can possibly stand (eyes starting to hurt) about PFBNG, and I came across this and from my understanding from previous reading, this site should be blocked via all of the settings I have… I think?
I navigated to https://10.10.10.1:443 in chrome and got the "Your connection is not private" warning, not a Gif. This tells me something isn't working correct. I am not even sure where to start with my question, so I will start at the obvious:
This does mean something isn't working, correct? If so, what exactly may that be?
Once again, just trying to get my feet wet and start actually using pfsense for what its worth, I have had my box deployed for about a month now with no packages running, and for better or worse this was my first package to try!
Edit
Also, is there a list somewhere of all of the available DNSBL Feeds? I have read through lots of pages and have input all of BBCan's lists that I have found, I didn't document them.... and I am not sure how to printout a list of all that are currently running on my pfsense box. Like I said, pretty noob, but very interested in learning :)
I guess to this same question, like I said, I haven't kept a list, would it be an issue to have the same feed in multiple groups? I don't think this has happened, but without keeping valiant records of what I have added, it would be hard to even figure this out unless there is a way to show what all has been loaded and running (I assume there is a way to do this).
And what I have seen BBCan117 write SO MANY times is, its better not to block the world, still trying to figure out exactly how to do that...
Also, what I can say, I am somewhat happy I started using this, finally using the 8 GBs of RAM I put in this box! Up to almost 70% utalization, before PFBNG I was at ~2% LOL!
-
See the following:
https://forum.pfsense.org/index.php?topic=119954.msg663601#msg663601 -
See the following:
https://forum.pfsense.org/index.php?topic=119954.msg663601#msg663601Ok. Well, maybe it is ok. I pulled up 10.10.10.1:443 on my iPad s and just allowed it to show the website. The iPad tab in chrome did say "1x1 pixel". So I am thinking this means it actually is working, I doubt the chrome tab would say 1x1 pixel on its own lol.
-
Edited, I think I have figured out my issue, it was a dumb question in the first place :-[
-
I just wanted to ask if I can (ab)use the GeoIP data in PFBlocker.
I'm currently using it to drop outbound traffic to certain countries.
I'd also like to set up multiple aliases, so I can route traffic to certain other countries via a designated interface.Is this possible?
-
I just wanted to ask if I can (ab)use the GeoIP data in PFBlocker.
I'm currently using it to drop outbound traffic to certain countries.
I'd also like to set up multiple aliases, so I can route traffic to certain other countries via a designated interface.Is this possible?
You can goto the IPv4/6 Tab and create any combination of GeoIP aliases… Click the blue infoblock icons for further details... You can also use "Alias type" settings which will allow you to manually create your firewall rules and add the GeoIP Aliases as required.
-
How do you guys block these annoyings youtube ads popping up before the video playback starts or worst are showing up randomly during playback?
This is weird, I am not seeing any form or kind of advertisement on my computers, but on our android devides we see those. Two examples:
https://youtu.be/weyiTnwtGrk
https://youtu.be/d-AH_IEnLIgDamn I hate those!
I currently maintain a decent list of DNSBL ads feeds but for whatever reasons the ads are getting by.
http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext
http://hosts-file.net/ad_servers.txt
https://adaway.org/hosts.txt
http://sysctl.org/cameleon/hosts
http://winhelp2002.mvps.org/hosts.txt -
Hi, BBcan -
First, I'd like to thank you for this excellent tool!
I've been testing out the TLD feature with version 2.1.1_6 with a set of DNSBL lists totaling more than 600k domains. It's working really well, but as you explained it uses a lot of memory.
I think the memory situation could be improved significantly if deduplication could be improved to identify redundant subdomains that don't have a corresponding higher level domain in the list.
I've noticed that some of the larger lists I'm using (for example, hosts-file.net) contains large numbers of domains with randomly generated third, fourth, or fifth level subdomains. Other than Bambanek's DGA list (all 2nd level) most of the generated names are third level or below.
There are a few methods I can think of that this could be implemented.
The easiest method would be to simply truncate subdomains lower than a certain level (say, second, third or fourth) before deduplication. This would be relatively fast and should work relatively well. A configuration option could allow the user to determine how aggressively to apply this. More aggressive truncation would result in substantially shorter lists.
Another way is to dynamically by count the number of subdomains for each higher level domain, and if the count is greater than some configurable threshold replacing subdomains with the higher level domain. This would take more processing but could be a way to identify domains that could be replaced by a wildcard.
-
Hi, BBcan -
First, I'd like to thank you for this excellent tool!
Thanks!
I think the memory situation could be improved significantly if deduplication could be improved to identify redundant subdomains that don't have a corresponding higher level domain in the list.
I have intentions to add "Reputation" options to DNSBL… Similar to "Reputation" in the IPv4 section. Maybe after the next release of the package.
TLD will block the whole domain/sub-domains if the root domain is listed... Its really strange that some of these feeds will list >50 Sub-domains which are obviously DGA but not list the root domain name?
You can run the following command to find which domains are listed over a specific count.
You can modify this command:
find the first two TLD levels ( cut -d '.' -f 1-2)
find the first three TLD levels ( cut -d '.' -f 1-3)find count of 30 ( max=30 )
sed 's/local-data: \"\(.*\) 60.*/\1/' /var/unbound/pfb_dnsbl.conf | rev | cut -d '.' -f 1-2 | rev | awk -v max=50 '{a[$0]++}END{for(i in a){if(a[i] > max){print i}}}' Then you can choose which of these repeated domains to add to a [u][b]DNSBL Customlist[/b][/u], which will block the domain/sub-domains and remove all the duplicated entries... After adding them, run a "Force reload - DNSBL" Keep in mind that (msn.com and amazonaws.com) also have a lot of sub-domains listed... [code]grep "msn.com" /var/unbound/pfb_dnsbl.conf grep "amazonaws.com" /var/unbound/pfb_dnsbl.conf[/code][/i] -
Glad to hear you're planning a reputation system - that is basically what I was thinking when I'd suggested counting subdomains.
sed 's/local-data: \"\(.*\) 60.*/\1/' /var/unbound/pfb_dnsbl.conf | rev | cut -d '.' -f 1-2 | rev | awk -v max=50 '{a[$0]++}END{for(i in a){if(a[i] > max){print i}}}' Then you can choose which of these repeated domains to add to a [u][b]DNSBL Customlist[/b][/u], which will block the domain/sub-domains and remove all the duplicated entries... After adding them, run a "Force reload - DNSBL" This is an awesome suggestion! I hadn't thought of periodically searching for DGA type domains as a secondary process to build a filter. That would allow experimenting with various algorithms. For example, I was thinking today that maybe the TLD filter list could be used to moderate the clipping process so that it doesn't disproportionately affect country-code sites. [/i] -
For example, I was thinking today that maybe the TLD filter list could be used to moderate the clipping process so that it doesn't disproportionately affect country-code sites.
There is an option in Alexa TOP1M, that allows for whitelisting specific TLDs… So I guess it could work similar to that where selected ccTLDs are excluded from the Reputation process... Will keep this in mind.... Thanks!
-
BBcan177,
Thank you for all the work you’ve done in developing pfBlockerNG. I stumbled across pfBlockerNG while looking for an adblock solution on pfSense and have been pleased at how well it works.
I would like to share my experience with pfBlockerNG DNSBL on an iOS device and suggest a new feature. As some other people have pointed out, Safari on iOS presents a certificate warning for the HTTPS sites DNSBL redirects. (https://www.reddit.com/r/PFSENSE/comments/4f56zk/blocking_ads_using_pfblockerng_dnsbl/) As you point out, other browsers like Chrome on iOS behave better and silently drop the redirected requests. While the iOS device is connected to a network that is protected by pfBlockerNG, Chrome presents a much better user experience since it does not constantly show certificate warnings.
However, Chrome on iOS does not support adblock extensions like Safari does. When the iOS device moves to a network that isn’t protected by pfBlockerNG, sites loaded by Chrome now contain ads. Ironically, Safari presents a better user experience since it supports adblock extensions and does not present certificate warnings for ad domains.
A frustrating trivia fact: on the latest version of iOS, the only way to remove a certificate that was trusted in Safari is to use the “Reset All Settings” option. (https://apple.stackexchange.com/questions/130612/how-do-you-remove-ssl-certificate-exceptions-on-ios/130626#130626) Certificates trusted in Safari are not part of a “Profile” that can be deleted. If a user accidentally clicks on “Continue” or “Trust” for any of the numerous certificate warnings presented by Safari for DNSBL redirects, the only way to revoke the self-signed certificate is to reset the iOS device.
In one of your responses (https://www.reddit.com/r/PFSENSE/comments/4f56zk/blocking_ads_using_pfblockerng_dnsbl/d26da1c/), you mention that:
“Solutions like installing AD Blocking with a pi-hole device work by basically sending an NXDOMAIN for these DNS queries. This works, however, you don't get a log of what was blocked.”
Would it be possible to offer two options for DNSBL – redirect and serve pixel as it is currently doing or sending NXDOMAIN, at the cost of some logging? Perhaps even offering the ability to select different options for HTTP and HTTP requests.
Eg:
(current behavior)
HTTP: pixel
HTTPS: pixel(configuration that would help out some iOS users)
HTTP: pixel
HTTPS: NXDOMAIN(other possible configuration)
HTTP: NXDOMAIN
HTTPS: NXDOMAIN–--
Edit: I just found your post https://forum.pfsense.org/index.php?topic=124945.msg691099#msg691099 that says "Upcoming version will allow mixing of the DNSBL VIP and 0.0.0.0 so that the domains that are causing these erorrs, can utilize 0.0.0.0 whilst all others use the DNSBL VIP and the logging remains intact... or if you didn't want to log the blocked alerts...."
It seems like you're already working on this feature. :) Thanks!
-
BBcan177,
Thank you for all the work you’ve done in developing pfBlockerNG. I stumbled across pfBlockerNG while looking for an adblock solution on pfSense and have been pleased at how well it works.
Thanks!
Edit: I just found your post https://forum.pfsense.org/index.php?topic=124945.msg691099#msg691099 that says "Upcoming version will allow mixing of the DNSBL VIP and 0.0.0.0 so that the domains that are causing these erorrs, can utilize 0.0.0.0 whilst all others use the DNSBL VIP and the logging remains intact… or if you didn't want to log the blocked alerts...."
It seems like you're already working on this feature. :) Thanks!
Yes the next release will have this feature…
