How do I change Blacklists settings in squid + squidguard?



  • Hi all, I'm back :o after being hacked big time… :-X I must have had bad settings on my first pfSense setup, but I'm back up and running with a new install. I have it set up and a lot more secure now, as I learnt a lot from being hacked. Not only did they crash my pfSense, they also hacked my main PC: they installed some kernel on Bash on Windows that broke my Windows install. I have fully scanned and removed all drives.

    Now my problem is I have set up squid + squidguard and installed all 3 lists below:

    http://squidguard.mesd.k12.or.us/blacklists.tgz
    http://www.shallalist.de/Downloads/shallalist.tar.gz
    http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist

    Out of all those lists I only turned on 4 in the list to deny: virus, spyware, malware, ads. Now I can not get into some sites like ebay and that.
    Error I get from squid:

    **$g['access was denied to'] proxy": 403 Forbidden

    Reason:
    Client address: 192.168.1.X  (Changed the last IP number to X)
    Client name: 192.168.1.X
    Client group: default
    Target group: none
    URL: http://redir.opera.com/speeddials/partner/ebay_au**

    Now when I went back to squid it has all changed and all I have is "Squid Proxy Reports" under "Status". Now I can not find a way to change the lists to allow, or find what list is causing the problem in the firewall.

    Can someone tell me how to fix this please? Thanks…
    EDIT: I keep getting this error: "pfr_update_stats: assertion failed." Is this error to do with squidguard as well?



  • Hi all,
    I have been at this flat out, and found something we all might like to take note of for future setups.

    First off I believe the problem "pfr_update_stats: assertion failed." is from some type of programming conflict.

    The 2 conflicting programs are pfBlockerNG and SquidGuard.

    The fail only happens after I have setup both programs.

    How to create the error for yourself to test.
    First install pfBlockerNG and install the info below.

    doktornotor and BBcan17 thanks for the php code!

    1. Select Diagnostics>Edit File
    2. Enter
    /usr/local/www/pfBlockerNG_import.php
    in Save / Load from path
    3. Click Load
    4. Paste the php code that doktornotor posted, into the editing field:

    <?php
    /*
            pfBlockerNG_import.php
    
            pfBlockerNG
            Copyright (C) 2014 BBcan177@gmail.com
            All rights reserved.
    
            Redistribution and use in source and binary forms, with or without
            modification, are permitted provided that the following conditions are met:
    
            1. Redistributions of source code must retain the above copyright notice,
                     this list of conditions and the following disclaimer.
    
            2. Redistributions in binary form must reproduce the above copyright
                     notice, this list of conditions and the following disclaimer in the
                     documentation and/or other materials provided with the distribution.
    
            THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
            INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
            AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
            AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
            OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
            SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
            INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
            CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
            ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
            POSSIBILITY OF SUCH DAMAGE.
    
    */
    
    require_once("config.inc");
    require_once("util.inc");
    require_once("functions.inc");
    require_once("pkg-utils.inc");
    require_once("pfsense-utils.inc");
    require_once("globals.inc");
    require_once("services.inc");
    
    print "";
    $pfblist_new = array ( array (    "none" => "", 
                "aliasname" => "IBlock",
                "description" => "pfBlockerNG IBlock",
                "infolists" => "",
                "row" => array (array ("format"   => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_BT_Hijack"),
                      array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_BT_FS"),
                      array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_BT_Web"),
                      array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_BT_Spy"),
                      array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_Badpeer"),
                      array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_Ads"),
                      array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_Proxy")),
                "action"=> "Disabled",
                "cron"   => "04hours",
                "dow"   => "1",
                 "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled"),
    
               array (   "none" => "",
                "aliasname" => "PRI1",
                "description" => "pfBlockerNG PRI1",
                "infolists" => "",
                "row" => array (array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://rules.emergingthreats.net/blockrules/compromised-ips.txt",
                         "header"=> "ET_Comp"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
                         "header"=> "ET_Block"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.spamhaus.org/drop/drop.txt",
                         "header"=> "Spamhaus_drop"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.spamhaus.org/drop/edrop.txt",
                         "header"=> "Spamhaus_edrop"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://cinsscore.com/list/ci-badguys.txt",
                         "header"=> "CIArmy"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist",
                         "header"=> "Abuse_Zeus"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist",
                         "header"=> "Abuse_Spyeye"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist",
                         "header"=> "Abuse_Palevo"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv",
                         "header"=> "Abuse_SSLBL"),
                      array ("format"   => "block",
                         "state"   => "Disabled",
                         "url"   => "https://feeds.dshield.org/block.txt",
                         "header"=> "dShield_Block"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://labs.snort.org/feeds/ip-filter.blf",
                         "header"=> "Snort_BL"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "http://osint.bambenekconsulting.com/feeds/goz-iplist.txt",
                         "header"=> "BBC_Goz")),
                "action"=> "Disabled",
                "cron"   => "01hour",
                "dow"   => "1",
                "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled"),
    
               array (    "none" => "",
                "aliasname" => "PRI2",
                "description" => "pfBlockerNG PRI2",
                "infolists" => "",
                "row" => array (array ("format"   => "gz_2",
                         "state"   => "Disabled",
                         "url"   => "https://reputation.alienvault.com/reputation.snort.gz",
                         "header"=> "Alienvault"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://atlas.arbor.net/summary/attacks.csv",
                         "header"=> "Atlas_Attacks"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://atlas.arbor.net/summary/botnets.csv",
                         "header"=> "Atlas_Botnets"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://atlas.arbor.net/summary/fastflux.csv",
                         "header"=> "Atlas_Fastflux"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://atlas.arbor.net/summary/phishing.csv",
                         "header"=> "Atlas_Phishing"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://atlas.arbor.net/summary/scans.csv",
                         "header"=> "Atlas_Scans"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.cyber-ta.org/releases/malware/SOURCES/Attacker.Cumulative.Summary",
                         "header"=> "SRI_Attackers"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.cyber-ta.org/releases/malware/SOURCES/CandC.Cumulative.Summary",
                         "header"=> "SRI_CC"),
                      array ("format"   => "html",
                         "state"   => "Disabled",
                         "url"   => "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1",
                         "header"=> "HoneyPot")),
                "action"=> "Disabled",
                "cron"  => "04hours",
                "dow"   => "1",
                "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled"),
    
               array (    "none" => "",
                "aliasname" => "PRI3",
                "description" => "pfBlockerNG PRI3",
                "infolists" => "",
                "row" => array (array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.malwaredomainlist.com/hostslist/ip.txt",
                         "header"=> "MDL"),
                      array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.nothink.org/blacklist/blacklist_malware_http.txt",
                         "header"=> "Nothink_BL"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.nothink.org/blacklist/blacklist_ssh_week.txt",
                         "header"=> "Nothink_SSH"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.nothink.org/blacklist/blacklist_malware_dns.txt",
                         "header"=> "Nothink_Malware"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://danger.rulez.sk/projects/bruteforceblocker/blist.php",
                         "header"=> "DangerRulez"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "https://www.autoshun.org/files/shunlist.csv",
                         "header"=> "Shunlist"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.infiltrated.net/blacklisted",
                         "header"=> "Infiltrated"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://www.dragonresearchgroup.org/insight/sshpwauth.txt",
                         "header"=> "DRG_SSH"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://www.dragonresearchgroup.org/insight/vncprobe.txt",
                         "header"=> "DRG_VNC"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://www.dragonresearchgroup.org/insight/http-report.txt",
                         "header"=> "DRG_HTTP"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://feodotracker.abuse.ch/blocklist/?download=ipblocklist",
                         "header"=> "Feodo_Block"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://feodotracker.abuse.ch/blocklist/?download=badips",
                         "header"=> "Feodo_Bad"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.reputationauthority.org/toptens.php",
                         "header"=> "WatchGuard"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://vmx.yourcmc.ru/BAD_HOSTS.IP4",
                         "header"=> "VMX"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "http://www.geopsy.org/blacklist.html",
                         "header"=> "Geopsy"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "https://www.maxmind.com/en/anonymous_proxies",
                         "header"=> "Maxmind"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "http://www.botscout.com/last_caught_cache.htm",
                         "header"=> "BotScout"),   
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "https://www.juniper.net/security/auto/spam",
                         "header"=> "Juniper"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://blocklist.greensnow.co/greensnow.txt",
                         "header"=> "Greensnow"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://lists.blocklist.de/lists/all.txt",
                         "header"=> "BlocklistDE"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt",
                         "header"=> "SFS_Toxic")),
                "action"=> "Disabled",
                "cron"  => "04hours",
                "dow"   => "1",
                "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled"),
    
               array (    "none" => "",
                "aliasname" => "SEC1",
                "description" => "pfBlockerNG SEC1",
                "infolists" => "",
                "row" => array (array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "http://www.malwaregroup.com/ipaddresses/malicious",
                         "header"=> "MalwareGroup"),
                      array ("format" => "gz_2",
                         "state"   => "Disabled",
                         "url"   => "https://www.openbl.org/lists/base_90days.txt.gz",
                         "header"=> "OpenBL"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://malc0de.com/bl/IP_Blacklist.txt",
                         "header"=> "Malcode"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://www.badips.com/get/list/any/2",
                         "header"=> "BadIPs")),
                "action"=> "Disabled",
                "cron"  => "04hours",
                "dow"   => "1",
                "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled"),
    
               array (    "none" => "",
                "aliasname" => "TOR",
                "description" => "pfBlockerNG TOR",
                "infolists" => "",
                "row" => array (array ("format" => "gz",
                         "state"   => "Disabled",
                         "url"   => "http://list.iblocklist.com/?list=togdoptykrlolpddwbvz&fileformat=p2p&archiveformat=gz",
                         "header"=> "IBlock_Tor"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv",
                         "header"=> "Blut_Tor"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "https://rules.emergingthreats.net/open/suricata/rules/tor.rules",
                         "header"=> "ET_Tor")),
                "action"=> "Disabled",
                "cron"  => "04hours",
                "dow"   => "1",
                "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled"),
    
               array (    "none" => "",
                "aliasname" => "MAIL",
                "description" => "pfBlockerNG MAIL",
                "infolists" => "",
                "row" => array (array ("format"   => "txt",
                         "state"   => "Disabled",
                         "url"   => "https://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt",
                         "header"=> "VirBL"),
                      array ("format" => "zip",
                         "state"   => "Disabled",
                         "url"   => "http://www.stopforumspam.com/downloads/bannedips.zip",
                         "header"=> "SFS_All"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://antispam.imp.ch/spamlist",
                         "header"=> "Improware"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "http://toastedspam.com/denylist.cgi",
                         "header"=> "ToastedSpam"),
                      array ("format" => "html",
                         "state"   => "Disabled",
                         "url"   => "http://rss.uribl.com/reports/7d/dns_a.html",
                         "header"=> "URIBL"),
                      array ("format" => "txt",
                         "state"   => "Disabled",
                         "url"   => "http://spamcop.net/w3m?action=map;net=cmaxcnt;mask=65535;sort=spamcnt;format=text",
                         "header"=> "SpamCop"),
                      array ("format" => "gz_2",
                         "state"   => "Disabled",
                         "url"   => "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz",
                         "header" => "Nix_Spam")),
                "action"=> "Disabled",
                "cron"  => "08hours",
                "dow"   => "1",
                "aliaslog" => "enabled",
                "custom"=> "",
                "custom_update" => "disabled")
          );
    
    print "Checking for Existing pfBlockerNG Alias/Lists\n";
    
    // Check for existing pfBlockerNG Alias/Lists
    if (is_array($config['installedpackages']['pfblockernglistsv4']['config'])) {
       print "Found existing Alias/Lists. Merging Existing Alias/Lists with Imported Version\n\n"; 
       $pfblist = $config['installedpackages']['pfblockernglistsv4']['config'];
       $pfbfinal = array_merge($pfblist, $pfblist_new);
       $config['installedpackages']['pfblockernglistsv4']['config'] = $pfbfinal;
    } else {
       print "No existing Alias/Lists found. Importing new Version.\n\n";
       $config['installedpackages']['pfblockernglistsv4']['config'] = $pfblist_new;
    }
    
    print  "pfBlockerNG Alias List Import Completed.";
    write_config();
    
    ?>
    
    

    ====================================================================
    5. Click Save
    6. ssh into the pfSense console
    7. Type 8 to get to the shell
    8. Paste
    php -f /usr/local/www/pfBlockerNG_import.php
    9. Press Return
    10. Once the update is complete, the shell will return pfBlockerNG Alias List Import Completed.[2.2.1-RELEASE]
    11. Exit pfSense console
    12. Select Firewall>pfBlockerNG>IPv4 to see the changes

    After that, turn the lists on, set them to deny, and enable all lists.

    Now install squid + squidguard and install the lists below:

    http://squidguard.mesd.k12.or.us/blacklists.tgz
    http://www.shallalist.de/Downloads/shallalist.tar.gz
    http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist

    After you have installed squidguard, save settings.
    Go into the blacklists and block the lists: virus, spyware, malware, ads for this test.

    To make the "pfr_update_stats: assertion failed." error, go back to pfBlockerNG, disable all the lists and save the settings. Now go back to general web configure display readouts to refresh the page.

    Now go back to pfBlockerNG and enable all the disabled lists.
    In a little while you will see the pfSense backend console start to display the error: "pfr_update_stats: assertion failed." Now this error will not stop, and it has broken your pfSense somehow, as even if you remove and try to install squidguard again with no lists, this error will start.

    The .xml restore file will not fix this problem. I tried many backups but the system was corrupted somehow.

    The only way I found to fix this was to either reinstall pfSense or set it back to factory defaults to get rid of the problem, and then set the system back up from scratch.

    Please do not test this on your working environment unless you're willing to reset the whole setup.

    Thanks for your time, any comments on how to fix this are welcome  8)


  • Moderator

    The issue is that one of the IPv4 feeds has 127.0.0.1 listed. So that will cause that error message.

    Go to the General tab and enable the Suppression option. Follow that with a Force Reload all.
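
The check behind the reply above, as an added example that is not part of the original thread or of pfBlockerNG's code: a Python script that scans downloaded IPv4 feed text for entries overlapping loopback or private space before they are loaded into a block table. The suppression set, the feed names and the sample lines are assumptions constructed for illustration; it handles plain IPs, CIDRs and `start-end` ranges.

```python
import ipaddress
import re

# Assumed suppression set (this example's choice, not pfBlockerNG's own list):
# loopback plus RFC 1918 private space.
SUPPRESS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One IPv4 address, optionally followed by "-<end address>" or "/<prefix>".
_ENTRY = re.compile(
    r"(?<![\d.])(" + _IP + r")(?:\s*-\s*(" + _IP + r")|/(\d+))?(?![\d.])")


def parse_entry(line):
    """Return the IPv4 networks named on one feed line, or [] if none."""
    line = re.split(r"[#;]", line, maxsplit=1)[0]   # drop trailing comments
    line = line.rsplit(":", 1)[-1]                  # drop a "label:" prefix
    m = _ENTRY.search(line)
    if not m:
        return []
    start, end, prefix = m.groups()
    try:
        if end:   # "a.b.c.d-e.f.g.h" range, collapsed into CIDR blocks
            return list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
        if prefix:
            return [ipaddress.ip_network(start + "/" + prefix, strict=False)]
        return [ipaddress.ip_network(start)]
    except ValueError:   # octet > 255, prefix > 32, or reversed range
        return []


def find_suppressed(feed_name, text):
    """List (feed, line number, entry, suppressed net) for risky entries."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for net in parse_entry(line):
            # overlaps() catches an entry inside a suppressed network and
            # an over-wide entry that swallows one (e.g. 0.0.0.0/1).
            bad = next((s for s in SUPPRESS if net.overlaps(s)), None)
            if bad is not None:
                hits.append((feed_name, lineno, str(net), str(bad)))
    return hits


def scan_feeds(feeds):
    """Scan a {name: text} mapping of already-downloaded feeds."""
    hits = []
    for name, text in feeds.items():
        hits.extend(find_suppressed(name, text))
    return hits


# Constructed sample feeds (documentation addresses plus deliberate bad lines).
SAMPLE_FEEDS = {
    "feed_plain.txt": "# constructed sample\n198.51.100.7\n127.0.0.1\n"
                      "203.0.113.0/24 ; note\n",
    "feed_p2p.txt": "Example Org:192.0.2.1-192.0.2.255\n"
                    "Local junk:192.168.1.0-192.168.1.255\n",
    "feed_wide.txt": "0.0.0.0/1\nnot an address\n300.1.1.1\n",
}

if __name__ == "__main__":
    for feed, lineno, entry, bad in scan_feeds(SAMPLE_FEEDS):
        print(f"{feed}:{lineno}: {entry} overlaps {bad}")
```
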



  • @BBcan177:

    The issue is that one of the IPv4 feeds has 127.0.0.1 listed. So that will cause that error message.

    Go to the General tab and enable the Suppression option. Follow that with a Force Reload all.

    Thanks for your reply BBcan177

    I found the setting in pfBlockerNG that you were talking about but I could not work out what you meant by Force Reload all.

    Now that I have this suppression enabled is it safe to install squidguard again….? As I don't really feel like setting this up again if it fails. ::)


  • Banned

    @sprinteroz:

    I found the setting in pfBlockerNG that you were talking about but I could not work out what you meant by Force Reload all.

    Click the Update tab.



  • @doktornotor:

    @sprinteroz:

    I found the setting in pfBlockerNG that you were talking about but I could not work out what you meant by Force Reload all.

    Click the Update tab.

    Ok thanks, done… Just a quick question before I install squidguard again: how do I change the lists in squidguard once it's installed, in case I would like to add or remove rules on the lists?

