Netgate Discussion Forum

Auto IP block list generation

Firewalling
7 Posts 4 Posters 3.2k Views
    TSubs
    last edited by Apr 1, 2017, 6:08 PM

    I searched these forums for a related answer and came up empty, but if there is a related post, please direct me to it. I love using pfsense for traffic filtering and analytics. I use basic pfsense rules and packages pfBlockerNG, snort, and suricata to achieve this. Working with the current available pfsense packages, my question is this:

    Basic request:
    Take all traffic hitting my WAN on Telnet port 23 and add it to an IP list. This IP list I can in turn distribute to my friends running pfsense. Is there a way within pfsense to automate this with cron or other methods?

    End goal:
    Have an auto updating list of IPs on various attack ports hitting my WAN (22,23,3389,etc.). This list I then distribute between friends or others that want the list via hosting on my web servers or uploading to github that they can point their pfBlockerNG IPv4 Lists auto-updating Source feature at.

    Also, if anyone wants help with how to use the lists at http://iplists.firehol.org/ on pfBlockerNG, pm or email me and I'd be happy to explain.

    Attached are current WAN blocks on port 23 (couple others unintentionally) of the last ~40 min for your viewing pleasure
    Attachments: 1.JPG, 2.JPG, 3.JPG

    1x 2.3.3-RELEASE-p1 (amd64) VM running on esxi 6.5

      pfBasic Banned
      last edited by Apr 1, 2017, 10:45 PM Apr 1, 2017, 10:42 PM

      Sure, custom rules in suricata legacy mode.

      Write custom rules with an easy to read/type description/SID

      drop tcp $EXTERNAL_NET any -> any 23 (msg:"tel_drag_net, TCP"; classtype:network-scan; sid:0023; rev:0;)

      Modify/replicate that as necessary to serve your purposes, you can also create aliases in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.

      This will create entries in your snort2c table.

      You can export your snort2c table to file with

      pfctl -T show -t snort2c | gzip > /usr/local/etc/snort2c.gz

      Then you can export that file to whatever you want.
      Filter that file by the description(s) and/or SID(s) you chose using whatever tools you prefer to extract the list of IPs you need.

      Check out the links in my signature for more details, they weren't written for the specific purpose you are after but can easily be leveraged to accomplish what you described.

      This can all be automated once you get your rules set up how you like them.

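Worked example for the rule-to-feed pipeline pfBasic describes, as an added shell script that is not code from the thread, from Suricata or from pfBlockerNG. It assumes the pfSense Suricata package writes alerts in fast.log style and that the alerts.log path in the comment is right; the sample alert lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the alerts that custom drop
# rules like the tel_drag_net one above produce into a one-IP-per-line feed
# that pfBlockerNG's IPv4 "Source" can fetch. The snort2c table holds only
# addresses, so the SID is taken from the Suricata alert log instead.
# Assumed log format: fast.log style as written by the pfSense Suricata
# package ("[gid:sid:rev] msg ... {proto} src:port -> dst:port").

# Constructed sample alerts (documentation addresses, not real traffic).
SAMPLE_ALERTS='04/01/2017-17:30:01.123456  [**] [1:23:0] tel_drag_net, TCP [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 203.0.113.5:54321 -> 198.51.100.1:23
04/01/2017-17:31:44.000001  [**] [1:23:0] tel_drag_net, TCP [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 203.0.113.5:54322 -> 198.51.100.1:23
04/01/2017-17:32:10.555555  [**] [1:3389:0] rdp_drag_net, TCP [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 203.0.113.77:4444 -> 198.51.100.1:3389
04/01/2017-17:33:00.000000  [**] [1:22:0] ssh_drag_net, TCP [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.0.2.9:1234 -> 198.51.100.1:22
04/01/2017-17:34:00.000000  [**] [1:23:0] tel_drag_net, TCP [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.0.2.9:1235 -> 198.51.100.1:23'

# Unique source IPs of alerts whose signature id is one of the space-separated
# SIDs in $1 (e.g. "22 23 3389"), read from stdin.
ips_for_sids() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (j = 1; j <= n; j++) wanted[w[j]] = 1 }
        match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/) {
            split(substr($0, RSTART + 1, RLENGTH - 2), ref, ":")   # gid, sid, rev
            if (!(ref[2] in wanted)) next
            for (i = 1; i < NF; i++)
                if ($(i + 1) == "->") { split($i, src, ":"); print src[1] }
        }' | sort -u
}

# Feed for the given SIDs from the sample; on pfSense, replace the printf with
# something like: cat /var/log/suricata/suricata_*/alerts.log (assumed path).
build_feed() {
    printf '%s\n' "$SAMPLE_ALERTS" | ips_for_sids "$1"
}

build_feed "22 23 3389"
```

Write the output to a file under the web root and point the pfBlockerNG IPv4 list's Source at its URL; a cron entry rerunning the script keeps the feed current.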
        johnpoz LAYER 8 Global Moderator
        last edited by Apr 2, 2017, 1:07 PM

        What is the point of such a list?  Do you actually have telnet open on your firewall?  I guess not since you're blocking them..

        Other than using such a list to not log the traffic.. Your firewall is already blocking, there would be zero point to creating another rule to block again.

        The only point of such a list would be to use this list as a source to block these guys from talking to your open ports you have open.. But wouldn't it be simpler to just limit your forwards to the known sources you want to allow?

        If you want these IPs to get on say a bad list that you use in pfblocker – I would get with bcan and ask him what would be the best place to send them for the lists he uses, etc.

        Either way you're just playing whack-a-mole with such lists anyway.  There are much better ways to be more secure than playing a cat-and-mouse game of whack-a-mole to be honest..

        Since you clearly do not have telnet open on your firewall, if you're worried about the log spam why not just create a rule to not log traffic to dest port 23??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          TSubs
          last edited by Apr 3, 2017, 5:18 AM

          There wasn't much of a practical purpose because yes, even pfSense's default rules block these requests. I've been using pfSense as more of a learning/research tool for myself and was playing with pfBlockerNG/Snort/Suricata/Cron now to better learn custom rules/scripting (something I'm not so awesome at yet).

          So in short:

          • I am already logging through rules/etc. and exporting the syslog info to my PRTG/Splunk box. (if you have other network analytic/monitoring suggestions, I'm always looking to learn).
          • I have been playing more recently with pfBlockerNG and figured I'd start back with the basics of IP lists for learning some custom rules/scripting.
          • If the information I gather from this can be used for a practical purpose more so than just sending between friends, I'll be happy to send it to bcan or anyone else that'd like the info.

          pfBasic
          I'll try working with your suggestion on the custom rules in suricata. I'll also check out the links in your signature. If I have some further questions on it, mind if I pm you?

          Finally, these were the blocklists I was running for now, have any other suggestions?
          https://firehol.org/ Level 1,2,3,4 & anonymous & abusers & webclient
          https://www.iblocklist.com Ads,Spyware,Spider,Hijacked,Dshield,Proxy
          https://greensnow.co/ List.txt
          and the IPs in the GRIZZLY STEPPE release

          1x 2.3.3-RELEASE-p1 (amd64) VM running on esxi 6.5

            pfBasic Banned
            last edited by Apr 3, 2017, 6:37 AM

            @TSubs:

            pfBasic
            I'll try working with your suggestion on the custom rules in suricata. I'll also check out the links in your signature. If I have some further questions on it, mind if I pm you?

            Not at all, feel free :). However, if the questions could be useful to someone in the future they might as well be public. Also, I'm not an IT Pro and don't work in IT in any capacity. I just think this stuff is interesting, so there's value in asking me questions in public because if I'm wrong someone smarter than me can correct me.
            Again, if you'd still prefer PM please do, just a disclaimer!

            @TSubs:

            Finally, these were the blocklists I was running for now, have any other suggestions?
            https://firehol.org/ Level 1,2,3,4 & anonymous & abusers & webclient
            https://www.iblocklist.com Ads,Spyware,Spider,Hijacked,Dshield,Proxy
            https://greensnow.co/ List.txt
            and the IPs in the GRIZZLY STEPPE release

            You can find a lot of great lists in the pfBlockerNG subforum, also maybe some in the Cache/Proxy subforum.

              occamsrazor
              last edited by May 15, 2017, 9:40 PM

              @TSubs:

              Also, if anyone wants help with how to use the lists at http://iplists.firehol.org/ on pfBlockerNG, pm or email me and I'd be happy to explain.

              I tried FireHOL Level 1 but it started blocking my LAN addresses which are in 192.168.0.x range.

              I did some reading:

              https://github.com/firehol/blocklist-ipsets/issues/12
              https://www.reddit.com/r/PFSENSE/comments/612h65/anyone_using_firehol_blocklists/

              and it seems the issue is FireHOL Level 1 includes RFC1918 addresses so when it is applied to both inbound and outbound it messes things up.

              Can you explain to this newbie how to avoid issues with this but still use the FireHOL Level 1 list?

              pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
              Ubiquiti Unifi wired and wireless network, APC UPSs
              Mac OSX and IOS devices, QNAP NAS

                TSubs
                last edited by Jul 8, 2017, 4:13 PM

                I only block FireHOL Level 1 inbound on my WAN -> LAN (that way it doesn't block the private IP space of my LAN -> WAN). If you still need some help I can provide some screenshots and other info. Custom IP lists can be a great thing when set up right on pfblockerNG (props to BBcan177).

                1x 2.3.3-RELEASE-p1 (amd64) VM running on esxi 6.5
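For the FireHOL Level 1 problem occamsrazor hit and the inbound-only workaround TSubs gives, an added shell check that is not from the thread or from the FireHOL project: it lists every entry of a netset that overlaps RFC1918 space, which is exactly what cuts off a 192.168.0.x LAN when the list is also applied outbound. The netset excerpt is constructed, not a real snapshot of firehol_level1.

```shell
#!/bin/sh
# Added example, not code from the thread: check a fetched FireHOL-style
# netset for entries that overlap RFC1918 space before pointing pfBlockerNG
# at it. Such entries are harmless on an inbound WAN rule but block the LAN
# itself when the alias is used LAN -> WAN; this report shows what would
# have to be stripped for any outbound use.

# Constructed excerpt in netset layout ('#' comments, one IP or CIDR per
# line). Values are illustrative; 172.0.0.0/8 is included to show that a
# covering supernet is caught too, which a plain prefix grep would miss.
SAMPLE_NETSET='#
# firehol_level1.netset (constructed excerpt)
#
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
172.0.0.0/8
172.16.0.0/12
192.168.0.0/16
198.51.100.0/24
203.0.113.5
224.0.0.0/3'

# Print every entry from stdin that overlaps 10/8, 172.16/12 or 192.168/16.
# Two prefixes overlap when they agree on the first min(len1, len2) bits.
rfc1918_overlaps() {
    awk '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function overlap(n1, p1, n2, p2,  p) {
            p = (p1 + 0 < p2 + 0) ? p1 + 0 : p2 + 0
            return int(n1 / 2^(32 - p)) == int(n2 / 2^(32 - p))
        }
        BEGIN {
            np = split("10.0.0.0/8 172.16.0.0/12 192.168.0.0/16", priv, " ")
            for (i = 1; i <= np; i++) { split(priv[i], q, "/"); pn[i] = ip2n(q[1]); pp[i] = q[2] + 0 }
        }
        /^#/ || /^$/ { next }
        {
            split($1, e, "/"); n = ip2n(e[1]); p = (e[2] == "") ? 32 : e[2] + 0
            for (i = 1; i <= np; i++) if (overlap(n, p, pn[i], pp[i])) { print $1; break }
        }'
}

printf '%s\n' "$SAMPLE_NETSET" | rfc1918_overlaps
```

A fetch script can pipe the downloaded list through rfc1918_overlaps and refuse to build an outbound alias when the output is non-empty.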
