Auto IP block list generation



  • I searched these forums for a related answer and came up empty, but if there is a related post, please direct me to it. I love using pfsense for traffic filtering and analytics. I use basic pfsense rules and packages pfBlockerNG, snort, and suricata to achieve this. Working with the current available pfsense packages, my question is this:

    Basic request:
    Take all traffic hitting my WAN on Telnet port 23 and add it to an IP list. This IP list I can in turn distribute to my friends running pfsense. Is there a way within pfsense to automate this with cron or other methods?

    End goal:
    Have an auto updating list of IPs on various attack ports hitting my WAN (22,23,3389,etc.). This list I then distribute between friends or others that want the list via hosting on my web servers or uploading to github that they can point their pfBlockerNG IPv4 Lists auto-updating Source feature at.

    Also, if anyone wants help with how to use http://iplists.firehol.org/ 's on pfBlockerNG, pm or email me and I'd be happy to explain.

    Attached are current WAN blocks on port 23 (couple others unintentionally) of the last ~40 min for your viewing pleasure






  • Banned

    Sure, custom rules in suricata legacy mode.

    Write custom rules with an easy to read/type description/SID

    drop tcp $EXTERNAL_NET any -> any 23 (msg:"tel_drag_net, TCP"; classtype:network-scan; sid:0023; rev:0;)

    Modify/replicate that as necessary to serve your purposes, you can also create aliases in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.

    This will create entries in your snort2c table.

    You can export your snort2c table to file with

    pfctl -T show -t snort2c | gzip > /usr/local/etc/snort2c.gz
    

    Then you can export that file to whatever you want.
    Filter that file by the description(s) and/or SID(s) you chose using whatever tools you prefer to extract the list of IPs you need.

    Check out the links in my signature for more details, they weren't written for the specific purpose you are after but can easily be leveraged to accomplish what you described.

    This can all be automated once you get your rules set up how you like them.
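    A worked version of the export-and-filter step above, as an added example (it is not pfBasic's code and nothing like it ships with pfSense or Suricata). It assumes Suricata is writing EVE JSON alerts (eve.json) for the WAN interface and that the table dump is the output of the pfctl command above; the alert lines and the table dump below are constructed samples, SID 23 is the one from the custom rule and SID 3389 a hypothetical RDP twin of it. Addresses that both triggered a chosen rule and are present in the snort2c table go into the feed, and RFC 1918/link-local sources are dropped before the list is shared, so a friend who applies it in both directions does not block their own LAN.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample of Suricata EVE JSON alert events (eve.json), not real
# pfSense output. Sources are documentation addresses. The second-to-last line
# is deliberately truncated and the last one is a non-alert event.
SAMPLE_EVE = """\
{"timestamp":"2017-05-01T10:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51000,"dest_ip":"198.51.100.1","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":23,"rev":0,"signature":"tel_drag_net, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2017-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":51001,"dest_ip":"198.51.100.1","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":23,"rev":0,"signature":"tel_drag_net, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2017-05-01T10:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.77","src_port":40000,"dest_ip":"198.51.100.1","dest_port":3389,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":3389,"rev":0,"signature":"rdp_drag_net, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2017-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.0.5","src_port":40001,"dest_ip":"198.51.100.1","dest_port":23,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":23,"rev":0,"signature":"tel_drag_net, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2017-05-01T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.99","src_port":40002,"dest_ip":"198.51.100.1","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"some other local rule","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-05-01T10:00:06.000000+0000","event_type":"alert","src_ip":"203.0.113.5"
{"timestamp":"2017-05-01T10:00:07.000000+0000","event_type":"flow","src_ip":"203.0.113.10","dest_ip":"198.51.100.1","proto":"TCP"}
"""

# Constructed sample of `pfctl -t snort2c -T show` output (pfctl indents each
# address). 203.0.113.50 is in the table because of some unrelated rule.
SAMPLE_TABLE = """\
   203.0.113.10
   203.0.113.77
   192.168.0.5
   203.0.113.50
"""

# Ranges that must never go into a list handed to other sites: someone who
# applies the list in both directions would otherwise block their own LAN.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_shareable(ip_text):
    """True if ip_text is a valid address outside the non-routable ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def alert_sources(eve_text, sids=None, msg_prefix=None):
    """Map each source IP of matching alerts to the set of SIDs it triggered.

    sids: SIDs to keep (None = every alert); msg_prefix: keep only alerts whose
    signature message starts with this text (the "tel_drag_net" tag from the
    custom rule, for example). Malformed and non-alert lines are skipped.
    """
    hits = {}
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sid = alert.get("signature_id")
        if sids is not None and sid not in sids:
            continue
        if msg_prefix and not alert.get("signature", "").startswith(msg_prefix):
            continue
        hits.setdefault(ev.get("src_ip"), set()).add(sid)
    return hits


def table_addresses(pfctl_text):
    """Parse `pfctl -t <table> -T show` output into a set of address strings."""
    return {line.strip() for line in pfctl_text.splitlines() if line.strip()}


def build_feed(eve_text, table_text, sids=None, msg_prefix=None):
    """Addresses that triggered a chosen rule AND sit in the block table,
    minus anything non-routable, sorted numerically (IPv4 before IPv6)."""
    candidates = alert_sources(eve_text, sids, msg_prefix)
    blocked = table_addresses(table_text)
    keep = [ip for ip in candidates if ip in blocked and is_shareable(ip)]
    return sorted(keep, key=lambda ip: (ipaddress.ip_address(ip).version,
                                        ipaddress.ip_address(ip)))


def render_feed(ips, stamp):
    """Plain-text feed: '#' comment header, then one address per line."""
    header = ["# auto-generated block list", "# generated " + stamp,
              "# entries: %d" % len(ips)]
    return "\n".join(header + ips) + "\n"


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(render_feed(build_feed(SAMPLE_EVE, SAMPLE_TABLE, sids={23, 3389}), now), end="")
```

    Run it from cron on the firewall with stdout redirected to a file under your web root, and point the pfBlockerNG IPv4 list source at that URL (pfBlockerNG picks the addresses out of plain-text feeds, so the comment header is assumed harmless). The intersection with the snort2c table is what certifies that an address was actually blocked; in legacy mode Suricata itself is not the component doing the dropping, so the EVE "action" field is deliberately not consulted.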


  • LAYER 8 Global Moderator

    What is the point of such a list?  Do you actually have telnet open on your firewall?  I guess not since you're blocking them..

    Other than using such a list to not log the traffic.. Your firewall is already blocking, there would be zero point to creating another rule to block again.

    The only point of such a list would be to use this list as a source to block these guys from talking to your open ports you have open.. But wouldn't it be simpler to just limit your forwards to your known sources you want to allow.

    If you want these IPs to get on say a bad list that you use in pfblocker – I would get with bcan and ask him what would be the best place to send them for the lists he uses, etc.

    Either way you're just playing whack-a-mole with such lists anyway.  There are much better ways to be more secure than playing a cat and mouse game of whack-a-mole to be honest..

    Since you clearly do not have telnet open on your firewall, if you're worried about the log spam why not just create a rule to not log traffic to dest port 23??



  • There wasn't much of a practical purpose because yes, even pfSense's default rules block these requests. I've been using pfSense as more of a learning/research tool for myself and was playing with pfBlockerNG/Snort/Suricata/Cron now to better learn custom rules/scripting (something I'm not so awesome at yet).

    So in short:

    • I am already logging through rules/etc. and exporting the syslog info to my PRTG/Splunk box. (if you have other network analytic/monitoring suggestions, I'm always looking to learn).
    • I have been playing more recently with pfBlockerNG and figured I'd start back with the basics of IP lists for learning some custom rules/scripting.
    • If the information I gather from this can be used for a practical purpose more so than just sending between friends, I'll be happy to send it to bcan or anyone else that'd like the info.

    pfBasic
    I'll try working with your suggestion on the custom rules in suricata. I'll also check out the links in your signature. If I have some further questions on it, mind if I pm you?

    Finally, these were the blocklists I was running for now, have any other suggestions?
    https://firehol.org/ Level 1,2,3,4 & anonymous & abusers & webclient
    https://www.iblocklist.com Ads,Spyware,Spider,Hijacked,Dshield,Proxy
    https://greensnow.co/ List.txt
    and the IPs in the GRIZZLY STEPPE release


  • Banned

    @TSubs:

    pfBasic
    I'll try working with your suggestion on the custom rules in suricata. I'll also check out the links in your signature. If I have some further questions on it, mind if I pm you?

    Not at all, feel free :). However, if the questions could be useful to someone in the future they might as well be public. Also, I'm not an IT Pro and don't work in IT in any capacity. I just think this stuff is interesting, so there's value in asking me questions in public because if I'm wrong someone smarter than me can correct me.
    Again, if you'd still prefer PM please do, just a disclaimer!

    @TSubs:

    Finally, these were the blocklists I was running for now, have any other suggestions?
    https://firehol.org/ Level 1,2,3,4 & anonymous & abusers & webclient
    https://www.iblocklist.com Ads,Spyware,Spider,Hijacked,Dshield,Proxy
    https://greensnow.co/ List.txt
    and the IPs in the GRIZZLY STEPPE release

    You can find a lot of great lists in the pfBlockerNG subforum, also maybe some in the Cache/Proxy subforum.



  • @TSubs:

    Also, if anyone wants help with how to use http://iplists.firehol.org/ 's on pfBlockerNG, pm or email me and I'd be happy to explain.

    I tried FireHOL Level 1 but it started blocking my LAN addresses which are in 192.168.0.x range.

    I did some reading:

    https://github.com/firehol/blocklist-ipsets/issues/12
    https://www.reddit.com/r/PFSENSE/comments/612h65/anyone_using_firehol_blocklists/

    and it seems the issue is FireHOL Level 1 includes RFC1918 addresses so when it is applied to both inbound and outbound it messes things up.

    Can you explain to this newbie how to avoid issues with this but still use the FireHOL Level 1 list?



  • I only block FireHOL Level 1 inbound on my WAN -> LAN (that way it doesn't block private IP space of my LAN -> WAN). If you still need some help I can provide some screenshots and other info. Custom IP lists can be a great thing when set up right on pfblockerNG (props to BBcan177).
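    An added example (not the poster's code, and not part of pfBlockerNG) of the check behind the last two posts: before applying a downloaded feed, see which of its entries overlap your own subnets, because those are exactly the ones that bite when the list is applied in the outbound (LAN -> WAN) direction. The sample feed and the local networks are constructed; the 192.168.0.0/16 and 10.0.0.0/8 entries stand in for the RFC 1918 space that the linked FireHOL issue describes.

```python
import ipaddress

# Constructed sample feed in the plain one-entry-per-line format pfBlockerNG
# reads; it mimics a feed that carries RFC 1918 space and is not copied from
# any real list.
SAMPLE_FEED = """\
# constructed sample feed
0.0.0.0/8
10.0.0.0/8
192.168.0.0/16
224.0.0.0/3
198.51.100.0/24
203.0.113.45
"""

# Hypothetical local networks: the LAN from the post plus a VPN subnet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.10.0.0/16")]


def parse_feed(text):
    """Parse a feed into ip_network objects; bare IPs become /32 (or /128).
    Comment and blank lines are skipped; unparsable lines are returned
    separately so a broken download is noticed rather than silently shrunk."""
    entries, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return entries, bad


def local_overlaps(entries, local_nets=LOCAL_NETS):
    """Feed entries that overlap any local network. Applied outbound these
    would match your own hosts, which is the symptom described above."""
    return [e for e in entries if any(e.overlaps(n) for n in local_nets)]


def would_block_host(entries, host):
    """Feed entries that match one specific address, e.g. a LAN client."""
    addr = ipaddress.ip_address(host)
    return [e for e in entries if addr in e]


def without_local_overlaps(entries, local_nets=LOCAL_NETS):
    """The feed minus the overlapping entries, as strings, for anyone who
    wants to apply a list in both directions instead of inbound-only on WAN."""
    risky = set(local_overlaps(entries, local_nets))
    return [str(e) for e in entries if e not in risky]


if __name__ == "__main__":
    entries, bad = parse_feed(SAMPLE_FEED)
    print("unparsable:", bad)
    print("overlaps LAN/VPN:", [str(e) for e in local_overlaps(entries)])
    print("would block 192.168.0.10:", [str(e) for e in would_block_host(entries, "192.168.0.10")])
    print("safe both ways:", without_local_overlaps(entries))
```

    Applying the list inbound-only on WAN, as the reply above does, is the simpler fix and needs no editing of the feed; the overlap report is useful as a sanity check in the same cron job that refreshes the lists, so a feed that starts carrying your own address space gets noticed before it is applied.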

