HackerList for pfBlockerNG
-
What a smart idea ;) Very Interesting thank you for replying.
I have a few WordPress sites that get attacked about 80 times a day, so I could definitely look into this method. I have copied your post onto my computer so I won't lose this ;)
I suppose from there, if you wanted to put them into categories like Government, Windows, Apple and big lists like iplist.com do, then you would have to Whois every single one of the IPs. That's a lot of work!
Very interesting many thanks for taking the time to give me an example. ;)
-
My lists are automatically made by Suricata blocking privileged ports tcp/udp [0-1023] and a few other well-known service/server ports like RDP, VNC, RADMIN, MySQL, SIP…
Once Suricata blocks them, it also saves them and automatically imports them to a pfBlocker alias list after a day (just in case I need to delete an IP from the Suricata list). So here you have my lists from two servers in two different countries:
-
Thank you for the list - will be adding it to my ipv4 feeds. How often do you recommend we update the list? Just trying to determine which feed I place it in and didn't want to hammer your server harder than necessary :)
-
@ecfx:
My lists are automatically made by Suricata blocking privileged ports tcp/udp [0-1023] and a few other well-known service/server ports like RDP, VNC, RADMIN, MySQL, SIP…
Once Suricata blocks them, it also saves them and automatically imports them to a pfBlocker alias list after a day (just in case I need to delete an IP from the Suricata list). So here you have my lists from two servers in two different countries:
That is a good solution for ports where you are not running a valid service. It doesn't work in situations where there is a web server trying to differentiate between legitimate and illegitimate traffic.
Do you happen to have these lists posted somewhere they can be automatically updated by pfSense?
-
Thank you for the list - will be adding it to my ipv4 feeds. How often do you recommend we update the list? Just trying to determine which feed I place it in and didn't want to hammer your server harder than necessary :)
I update the list once or twice a week, so setting pfBlocker to update once a week would make sense.
I appreciate your consideration of the load on my server. Recent versions of pfBlocker use a HEAD command before a GET command to download the lists. The HEAD (header) command checks the date of the file to see if it has changed and takes minimal bandwidth (although there is all the overhead of establishing an HTTPS connection over TCP/IP first).
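The HEAD-before-GET refresh described in the post above, as an added example that is not part of the original thread and is not pfBlockerNG's own code. The loopback server, the sample list and the names `FeedHandler`, `start_server` and `refresh` are constructed for illustration; the client compares the `Last-Modified` header against the time it cached and skips the download when nothing changed.

```python
import email.utils
import http.server
import threading
import urllib.request

FEED = b"192.0.2.10\n198.51.100.0/24\n"  # constructed list (documentation ranges)
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class FeedHandler(http.server.BaseHTTPRequestHandler):
    mtime = 1_700_000_000            # constructed modification time of the list file
    hits = {"HEAD": 0, "GET": 0}     # request counters, to show what was transferred
    def _headers(self):
        self.send_response(200)
        self.send_header("Last-Modified", email.utils.formatdate(self.mtime, usegmt=True))
        self.send_header("Content-Length", str(len(FEED)))
        self.end_headers()
    def do_HEAD(self):
        self.hits["HEAD"] += 1
        self._headers()              # headers only, no list body
    def do_GET(self):
        self.hits["GET"] += 1
        self._headers()
        self.wfile.write(FEED)
    def log_message(self, *args):    # keep the demo quiet
        pass

def start_server():
    """Serve the constructed list on an ephemeral loopback port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FeedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def refresh(url, cached_mtime):
    """Return (body, mtime); body is None when the cached copy is still current."""
    with OPENER.open(urllib.request.Request(url, method="HEAD"), timeout=5) as r:
        stamp = r.headers.get("Last-Modified")
    remote = email.utils.parsedate_to_datetime(stamp).timestamp() if stamp else None
    if remote is not None and cached_mtime is not None and remote <= cached_mtime:
        return None, cached_mtime    # unchanged: skip the GET entirely
    with OPENER.open(url, timeout=5) as r:
        return r.read(), remote

if __name__ == "__main__":
    server = start_server()
    url = f"http://127.0.0.1:{server.server_address[1]}/list.txt"
    _, seen = refresh(url, None)     # first run downloads the list
    print(refresh(url, seen)[0], FeedHandler.hits)  # second run: HEAD only
    server.shutdown()
```

A missing `Last-Modified` header falls through to a full download, so a server that stops sending the header costs bandwidth rather than leaving a stale list in place.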
-
Many Thanks for the lists btw ;)
In my search for finding out how some people get their lists, I contacted a security company who had lists and asked them how they got their lists, also asking how to get lists of companies you want to block like the Government, Windows, Apple, ISPs, BBC, CNN, Captia and so on.
In the UK we have a big problem with companies spying on you, so I was very interested in finding out how to create lists like iplists.com. I got a very interesting reply which I'll share on here as you might find it interesting.
------
If you are looking for the IP addresses allocated to ISPs you may check
this page: http://bgp.he.net
They have a global report per country:
http://bgp.he.net/country/GB
You just need to get the individual announcements from those UK ASNs,
for instance: http://bgp.he.net/AS8220#_prefixes
------
I did check it out and it's very good for tracking and finding IPs to companies.
Of course I am in the UK so he gave me a UK example. Very interesting ;)
-
Is this no longer being hosted? I have been getting the following the last couple of days:
Could not resolve host: pfblockerlists.smallbusinesstech.net Retry in 5 seconds…
. cURL Error: 6
Could not resolve host: pfblockerlists.smallbusinesstech.net Retry in 5 seconds...
. cURL Error: 6
Could not resolve host: pfblockerlists.smallbusinesstech.net Retry in 5 seconds...
.. Permission denied
Or is this a problem on my end with DNS resolution? I am using dns.watch for my DNS resolution at the moment.
-
Is this no longer being hosted? I have been getting the following the last couple of days:
Could not resolve host: pfblockerlists.smallbusinesstech.net Retry in 5 seconds…
. cURL Error: 6
Could not resolve host: pfblockerlists.smallbusinesstech.net Retry in 5 seconds...
. cURL Error: 6
Could not resolve host: pfblockerlists.smallbusinesstech.net Retry in 5 seconds...
.. Permission denied
Or is this a problem on my end with DNS resolution? I am using dns.watch for my DNS resolution at the moment.
As far as I can tell, everything is good with my server as well as with my DNS nameservers. Attached is a screenshot from mxtoolbox.com showing current DNS queries. However, I have received two other reports today from people who were not able to access my servers, so something must have gone down in the DNS world. My guess is that the problem will sort itself out over the next several hours, but if it doesn't you might try using a different DNS server to see if it makes a difference.
-
I did a little more digging and it looks like there must be some issue between them and Namecheap (my registrar) and some resolvers.
soren@soren-desktop:~$ nslookup pfblockerlists.smallbusinesstech.net 84.200.69.80
Server: 84.200.69.80
Address: 84.200.69.80#53

** server can't find pfblockerlists.smallbusinesstech.net: SERVFAIL

soren@soren-desktop:~$ nslookup pfblockerlists.smallbusinesstech.net 4.2.2.2
Server: 4.2.2.2
Address: 4.2.2.2#53

Non-authoritative answer:
Name: pfblockerlists.smallbusinesstech.net
Address: 68.14.213.194

soren@soren-desktop:~$ nslookup pfblockerlists.smallbusinesstech.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find pfblockerlists.smallbusinesstech.net: SERVFAIL
84.200.69.80 is dns.watch's main resolver. 4.2.2.2 is a resolver hosted by Level 3 Communications. 8.8.8.8 is a resolver hosted by Google.
-
I contacted Namecheap. They said their upstream DNS provider (whoever that is) had done some maintenance which had caused problems with DNSSEC. It should now be resolved.
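One way to confirm that a SERVFAIL like the ones in this thread comes from DNSSEC validation, as an added example that is not part of the original posts: ask the same resolver twice, once normally and once with the CD (checking disabled) bit set, and compare the response codes. The function names, the `example.net` name and the two reply headers are constructed for illustration; `ask` performs the live query and is not exercised by the offline demo.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# Constructed 12-byte reply headers: QR|RD|RA with rcode 2, and QR|RD|RA|CD with rcode 0.
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
NOERROR_CD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 0, 0, 0)

def build_query(name, cd=False, qid=0x1234):
    """Build an A-record query; RD is always set, CD asks the resolver not to validate."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def rcode(response):
    """Extract the response code from the low four bits of the flags word."""
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, str(code))

def ask(resolver, name, cd):
    """Send one UDP query to the resolver and return its response code (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, cd), (resolver, 53))
        return rcode(s.recvfrom(4096)[0])

def diagnose(normal, with_cd):
    """Compare the validated and unvalidated answers from one resolver."""
    if normal == "SERVFAIL" and with_cd == "NOERROR":
        return "DNSSEC validation failure at this resolver"
    if normal == "SERVFAIL":
        return "resolver cannot get a usable answer from the authoritative servers"
    return "resolves normally" if normal == "NOERROR" else normal

if __name__ == "__main__":
    # Offline demo on the constructed replies; use ask() for a live check.
    print(diagnose(rcode(SERVFAIL_REPLY), rcode(NOERROR_CD_REPLY)))
```

A resolver that does not validate returns the same answer for both queries, which is consistent with one resolver in the thread answering while the other two failed.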
-
I contacted Namecheap. They said their upstream DNS provider (whoever that is) had done some maintenance which had caused problems with DNSSEC. It should now be resolved.
I can now resolve and update the list. Thank you for your much valued work :)