PfBlocker
-
last edit:
This attempt to compile a list of malware IPs needs improvement. It functions but is picking up some legit domains.
I need to better vet my sourcesI'm leaving it for reference.
wget "http://urlquery.net/index.php" -O data.txt grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 > ips.txt wget "http://minotauranalysis.com/malwarelist.aspx" -O data.txt grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 >> ips.txt wget "http://siteinspector.comodo.com/public/recent_detections/index" -O data.txt grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 >> ips.txt wget "http://siteinspector.comodo.com/public/recent_detections?page=2" -O data.txt grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' data.txt | tail -n +3 >> ips.txt cp malwaredomains.txt domains.txt cat ips.txt domains.txt | sort | uniq > malwaredomains.txt
UrlQuery is offering up - https://gist.github.com/2191871 207.97.227.243 - as a Malicious domain.
That's the sort of problem I was running into w/ Malc0de. -
Linuxtracker,
I think It's time to move shell scripts to php.
This way you can use arrays funcions like sort,unique as well php ip funcions and preg_match and preg_replace. ;) -
Freakalad,
You can configure these host nanes on an pfsense alias or use dns forwarder to overide these ads hostname's ips.
Try alias first and put rejecting(better then deny for outgoing users) ads rule on top of lan rules.
If you could compile a txt via script with ads ips, then pfBlocker can help you on updating it Every x hours.
-
You can configure these host nanes on an pfsense alias or use dns forwarder to overide these ads hostname's ips.
Try alias first and put rejecting(better then deny for outgoing users) ads rule on top of lan rules.
If you could compile a txt via script with ads ips, then pfBlocker can help you on updating it Every x hours.I'l have to look into previous posts re details, rather than trying to enter it manually through the GUI, one entry at a time.
I'll look into it end I get more time to attend to it. -
Linuxtracker,
I think It's time to move shell scripts to php.
This way you can use arrays funcions like sort,unique as well php ip funcions and preg_match and preg_replace. ;)I trust you're right. Unfortunately I haven't a clue about PHP.
This bit I've hacked together came out of a semester of Unix, from 20 years ago.
I'll take it under advisement though. Maybe I can start puzzling something out.
-
On pfsense x64 i recive this error:
php: : There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table pfBlockerLevel1: Cannot allocate memory /tmp/rules.debug:20: cannot define table pfBlockerLevel2: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded - The line in question reads [18]: table <pfblockerlevel1>persist file "/var/db/aliastables/pfBlockerLevel1.txt"
php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:18: cannot define table pfBlockerLevel1: Cannot allocate memory /tmp/rules.debug:20: cannot define table pfBlockerLevel2: Cannot allocate memory pfctl: Syntax error in config file: pf rules not loaded The line in question reads [18]: table <pfblockerlevel1>persist file "/var/db/aliastables/pfBlockerLevel1.txt"
How can i fix this.
this is new fresh instal. Please, help.</pfblockerlevel1></pfblockerlevel1>
-
Increase Firewall Maximum Table Entries on system -> advanced -> firewall/NAT
-
I noticed that some of my systems (2.0.1 and 2.1-DEV) had the duplicated pfBlocker rules on the WAN as described by Andrew at http://forum.pfsense.org/index.php/topic,42543.msg225835.html#msg225835 This happens when there are floating rules. In the config file, the floating rules can have interface="". The floating rules are not in a separate section of the config file. In my case, they were mixed in with the WAN rules. The pfBlocker code found a section of WAN rules, so added its rules to WAN, found a section of floating rules, which it retains, then found another section of WAN rules and added its rules again to WAN.
I have fixed this in pfblocker.inc and submitted a pull request in Github.
Note: The duplicated rules didn't actually cause a problem - the 2nd copy would just never be matched. -
Thanks phill.davis! :)
I was trying to track this bug with no success.
-
I only seem to get the duplicate rules issue when I have floating, WAN, LAN and OPT1 rules. Systems without OPT1 don't seem to get the symptoms.
-
re: http://www.countryipblocks.net/
April 2nd, 2012
MAJOR ANNOUNCEMENT
Country IP Blocks is excited to announce we are about to release our new paid services model. We are anticipating the completion of our new control panels, for premium members, sometime this week. The only additional programming necessary will be the embedded shopping cart. We are still looking for an appropriate shopping cart and would be grateful to hear your ideas.
Answers to frequently asked questions:
Premium memberships will run $179 a year per license.
Premium members will have access to our daily updated database.
Premium members will be able to generate their access control lists through their control panel and, if they choose to do so, they can store their selections in the Country IP Blocks database and we will auto-generate their specific data each time we update the database. This data will be available each day through a user-specific URL. In other words, you make your country and format choices, set it and forget it, and we create your data for you.We will be offering a 10% discount to the first 100 businesses or individuals who contact us.
For those planning on using our soon to be released API, our expected pricing is $299 a year per license or $39 per month.
We will continue to offer free services. These will include access to network information 30 to 60 days old (upgrade to a premium membership and get access to the most current data).
Free services will no longer include access to format specific text files. But premium members will have the ability to auto-generate their own downloadable files.
Free services will also include access to our searchable IP database.
What will it mean for pfBlocker?
-
I want to thank marcelloc for a wonderful new package and all his hard work.
I wanted to ask do you think it would be possible to add in an option on the Lists tab, when adding a new one, then under Update Frequency, would it be possible to add an option for maybe once a week? For example one thing I use this feature for is to block ads and stuff from the mvps hosts.txt file they have available for download. It isn't really a big deal to get the absolute latest spam blocks for me, so that's why I ask if once a week could be done.
-
Hello. I'm new to this package. I would like to clear something up.
If just select Firewall - pfblocker - North America and only select United States, permit inbound and save.
Will that just allow US IP's to connect and deny every other country ?
That's the way I'm looking at it anyway.
Oh, a follow-up question. Linuxtracker has been talking about other Spammers IP's. The lists section want a local file or URL in .txt or .gz format. Is there a good URL for this that is safe ?
Thanks…great work.
-
The lists from linuxtracker are in gz format.
To allow only us ips on your firewall but not allowing all access to it, change action to alias only and apply it as source alias for your Nat/rules
-
Linuxtracker has been talking about other Spammers IP's. The lists section want a local file or URL in .txt or .gz format. Is there a good URL for this that is safe ?
Marcelloc keeps a copy of the lists here.
http://e-sac.siteseguro.ws/pfBlocker/lists/Since I was skiddish about publishing my personal host, marcelloc stepped up and graciously offered his own.
His links can be used for live updates and he uploads updated versions, when time permits.
My own latest copies are dated 4/12. If you want them, I can attach them here or pasetbin the contents.
Sidenote:
I've discovered that dropbox direct download links work well in pfBlocker.
I've been using one for an auto-generated malware list I'm testing.I may use that to publish the spam lists.
The dropbox app would push out updates, as soon as I make them available.I'll consider it tomorrow, after some sleep.
. -
For anyone who wants live updates to the most recent spam lists, here are dropbox links to them.
pfBlocker should pull right from these links.http://dl.dropbox.com/u/71477228/P2P_0-68.txt.gz
http://dl.dropbox.com/u/71477228/P2P_0-68.txt.gz
http://dl.dropbox.com/u/71477228/P2P_194-255.txt.gz
http://dl.dropbox.com/u/71477228/Non-US_Spam_IPs.txt.gz
http://dl.dropbox.com/u/71477228/Worst_Spammers.txt.gz
http://dl.dropbox.com/u/71477228/CorporateSpam.txt.gzI tend to update my lists about 2x week. The updated lists hit dropbox ~11:30pm EDT.
I'll add some details/comments to the top of the files this week.
I also have a malware list that seems to be behaving.
It targets 0day threats and gets wiped every day at midnight. After that, new IP ranges are added each hour.
I need to review it again. If I feel good about it, I'll post a live update link.
. -
Here are the Malware Lists that I've found to be safe to use.
(This is after testing a ½doz other lists that would blacklist urls for stupid reasons.)I put the addresses in pfBlocker list section and let them update hourly. You may prefer less freq updates.
This one is from Malware Domain List. I began testing it in February against known 0day threats.
At this point I have a lot of confidence in it.
http://www.malwaredomainlist.com/hostslist/ip.txtI also have two botnet lists that I've been running for a month or so.
http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklistThere are other lists I'm evaluating but am not comfortable releasing them as yet.
-
LinuxTracker,
Thanks for your contributions :)
-
I also use the following and they seem fine:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this blocks known russian business network, shadowserver command and control servers, dhsield and spamhaus.
http://rules.emergingthreats.net/blockrules/compromised-ips.txt (compromised hosts doing nastiness)If you choose one try the top one. Static blacklists are useful but many setups moving towards a more scored reputation rating for domains, IPs etc.
http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf
http://www.damballa.com/solutions/damballa_firstalert.phpHere are the Malware Lists that I've found to be safe to use.
(This is after testing a ½doz other lists that would blacklist urls for stupid reasons.)I put the addresses in pfBlocker list section and let them update hourly. You may prefer less freq updates.
This one is from Malware Domain List. I began testing it in February against known 0day threats.
At this point I have a lot of confidence in it.
http://www.malwaredomainlist.com/hostslist/ip.txtI also have two botnet lists that I've been running for a month or so.
http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklistThere are other lists I'm evaluating but am not comfortable releasing them as yet.
-
Oh and on these lists always set to log just like any countries you block. This makes it easier to identify blocked badness but also determine if something isn't working because of a blocklist (i.e I couldn't get to cuckoobox.org because site was in a country I had blocked at the time and I saw in logs blocked Syn packets trying to get to it).