From: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
To: development@lists.ipfire.org
Subject: [PATCH 3/5] ipblacklist: Ancillary files
Date: Mon, 25 Nov 2019 20:13:07 +0000	[thread overview]
Message-ID: <20191125201309.10840-4-ipfr@tfitzgeorge.me.uk> (raw)
In-Reply-To: <20191125201309.10840-1-ipfr@tfitzgeorge.me.uk>


getipsetstat     Gets information on IPSETs for WUI
ipblacklistctrl  Allows WUI to call main script as root
sources          List of blacklists used by main script and WUI

Signed-off-by: Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
---
 config/ipblacklist/sources       | 151 +++++++++++++++++++++++++++++++++++++++
 src/misc-progs/getipsetstat.c    |  28 ++++++++
 src/misc-progs/ipblacklistctrl.c |  52 ++++++++++++++
 3 files changed, 231 insertions(+)
 create mode 100644 config/ipblacklist/sources
 create mode 100644 src/misc-progs/getipsetstat.c
 create mode 100644 src/misc-progs/ipblacklistctrl.c

diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources
new file mode 100644
index 000000000..ab991e12a
--- /dev/null
+++ b/config/ipblacklist/sources
@@ -0,0 +1,151 @@
+############################################################################
+#                                                                          #
+# IP Address blacklists for IPFire                                         #
+#                                                                          #
+# This file contains a list of blacklist sources that will replace the one #
+# internal to the updated if it is found at /var/ipfire/blacklist/sources. #
+# The intention is to provide a common source of information for both the  #
+# updater and WUI.                                                         #
+#                                                                          #
+# The chains created in the packet filter will be named by the top level   #
+# key and this will also be used in the log message to identify the reason #
+# for the dropped packet.                                                  #
+#                                                                          #
+# The fields are:                                                          #
+#                                                                          #
+# name    The blacklist's full name                                        #
+# url     URL of the file containing the list                              #
+# info    URL giving information about the source                          #
+# parser  The parser function used to extract IP addresses from the        #
+#         downloaded list                                                  #
+# method  Method used to download updates.                                 #
+# rate    Minimum number of hours between checks for updates               #
+# safe    'yes' if the list is unlikely to contain addresses that can be   #
+#         used for legitimate traffic, or 'no' otherwise                   #
+# disable Name of another list to disable if this one is enabled.  Used    #
+#         when the other list is a subset of this one.                     #
+#                                                                          #
+# The info and safe fields are purely for documentation.                   #
+#                                                                          #
+# Note that the Emerging Threats blacklist is a composite list containing  #
+# addresses from some of the other lists.  It is unnecessary to enable     #
+# this list if the other lists are enabled.                                #
+#                                                                          #
+############################################################################
+
+%sources = ( 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklist',
+                                    'url'      => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt',
+                                    'info'     => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs',
+                                    'url'      => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt',
+                                    'info'     => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'SPAMHAUS_DROP'   => { 'name'     => "Spamhaus Don't Route or Peer List",
+                                    'url'      => 'https://www.spamhaus.org/drop/drop.txt',
+                                    'info'     => 'https://www.spamhaus.org/drop/',
+                                    'parser'   => 'text-with-semicolon-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 12,
+                                    'safe'     => 'yes' },
+             'SPAMHAUS_EDROP'  => { 'name'     => "Spamhaus Extended Don't Route or Peer List",
+                                    'url'      => 'https://www.spamhaus.org/drop/edrop.txt',
+                                    'info'     => 'https://www.spamhaus.org/drop/',
+                                    'parser'   => 'text-with-semicolon-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'DSHIELD'         => { 'name'     => 'Dshield.org Recommended Block List',
+                                    'url'      => 'https://www.dshield.org/block.txt',
+                                    'info'     => 'https://dshield.org/',
+                                    'parser'   => 'dshield',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 2,
+                                    'safe'     => 'no' },
+             'FEODO_IP'        => { 'name'     => 'Feodo Trojan IP Blocklist',
+                                    'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt',
+                                    'info'     => 'https://feodotracker.abuse.ch/blocklist',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'FEODO_AGGRESIVE' => { 'name'     => 'Feodo Trojan IP Blocklist (Aggresive)',
+                                    'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt',
+                                    'info'     => 'https://feodotracker.abuse.ch/blocklist',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no',
+                                    'disable'  => 'FEODO_IP' },
+             'ABUSE_CH'        => { 'name'     => 'Abuse.ch Ransomware C&C Blocklist',
+                                    'url'      => 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt',
+                                    'info'     => 'https://ransomwaretracker.abuse.ch/blocklist/',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'CIARMY'          => { 'name'     => 'The CINS Army List',
+                                    'url'      => 'https://cinsscore.com/list/ci-badguys.txt',
+                                    'info'     => 'https://cinsscore.com/#list',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'TOR_ALL'         => { 'name'     => 'Known TOR Nodes',
+                                    'url'      => 'https://www.dan.me.uk/torlist',
+                                    'info'     => 'https://www.dan.me.uk/tornodes',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'wget',
+                                    'rate'     => 1,
+                                    'safe'     => 'no',
+                                    'disable'  => 'TOR_EXIT' },
+             'TOR_EXIT'        => { 'name'     => 'Known TOR Exit Nodes',
+                                    'url'      => 'https://www.dan.me.uk/torlist/?exit',
+                                    'info'     => 'https://www.dan.me.uk/tornodes',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'wget',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+             'TALOS_MALICIOUS' => { 'name'     => 'Talos Malicious hosts list',
+                                    'url'      => 'https://www.talosintelligence.com/documents/ip-blacklist',
+                                    'info'     => 'https://www.talosintelligence.com/reputation',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'wget',
+                                    'rate'     => 24,
+                                    'safe'     => 'no' },
+             'ALIENVAULT'      => { 'name'     => 'AlienVault IP Reputation database',
+                                    'url'      => 'https://reputation.alienvault.com/reputation.generic',
+                                    'info'     => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 1,
+                                    'safe'     => 'no' },
+              'BOGON'          => { 'name'     => 'Bogus address list (Martian)',
+                                    'url'      => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt',
+                                    'info'     => 'https://www.team-cymru.com/bogon-reference.html',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 24,
+                                    'safe'     => 'yes' },
+              'BOGON_FULL'     => { 'name'     => 'Full Bogus Address List',
+                                    'url'      => 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt',
+                                    'info'     => 'https://www.team-cymru.com/bogon-reference.html',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'check-header-time',
+                                    'rate'     => 24,
+                                    'safe'     => 'yes',
+                                    'disable'  => 'BOGON' },
+              'SHODAN'         => { 'name'     => 'ISC Shodan scanner blacklist',
+                                    'url'      => 'https://isc.sans.edu/api/threatlist/shodan?tab',
+                                    'info'     => 'https://isc.sans.edu',
+                                    'parser'   => 'text-with-hash-comments',
+                                    'method'   => 'wget',
+                                    'rate'     => 24,
+                                    'safe'     => 'no' }
+           );
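Review bot: the header comment of `sources` says the runtime copy is looked for at /var/ipfire/blacklist/sources, but the file is added under config/ipblacklist/; please confirm the installed path matches what the main script and the WUI actually load, and fix the typo "internal to the updated" (updater) while there. Because this file is Perl source that is loaded at runtime (`%sources = ( ... )`), anything that can write to the installed copy can run code in whichever context loads it, so it should be root-owned and not writable by the WUI user. The key `FEODO_AGGRESIVE` and its name 'Feodo Trojan IP Blocklist (Aggresive)' are misspelled (Aggressive); since the key becomes the firewall chain name and the tag in the drop log message, it is cheaper to correct it now than to rename a chain later. Minor: the `BOGON`, `BOGON_FULL` and `SHODAN` entries are indented one column deeper than the other keys.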
diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c
new file mode 100644
index 000000000..aee79542a
--- /dev/null
+++ b/src/misc-progs/getipsetstat.c
@@ -0,0 +1,28 @@
+/* IPFire helper program - GetIPSetStat
+ *
+ * Get the list from IPSET LIST
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+
+int main(void)
+{
+	if (!(initsetuid()))
+		exit(1);
+
+	safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt");
+	safe_system("chown nobody:nobody /var/tmp/ipsets.txt");
+
+	safe_system("/usr/sbin/ipset list AUTOBLACKLIST -q -f /var/tmp/autoblacklist.txt");
+	safe_system("chown -f nobody:nobody /var/tmp/autoblacklist.txt");
+
+	return 0;
+}
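Review bot: both `ipset list ... -f` calls in main() write to fixed file names under /var/tmp, a world-writable directory, from a setuid-root helper, and the results are then handed to nobody with chown; a pre-existing file or symlink of the same name created by an unprivileged local user would be written and chowned by root. Prefer a directory owned by the WUI user that is not world-writable, or at least remove any existing file before the write, and check the return value of safe_system instead of ignoring it. Also, string.h, unistd.h, sys/types.h and fcntl.h are included but unused, and the first chown lacks the -f given to the second, so a missing ipsets.txt prints an error while a missing autoblacklist.txt is silent; the comment "Get the list from IPSET LIST" could say that -t writes only the set headers.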
diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctrl.c
new file mode 100644
index 000000000..506fa2f46
--- /dev/null
+++ b/src/misc-progs/ipblacklistctrl.c
@@ -0,0 +1,52 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+
+    if (!(initsetuid()))
+        exit(1);
+
+    if (argc < 2) {
+        fprintf(stderr, "\nNo argument given.\n"
+                "ipblacklistctrl (update|restore|log-on|log-off|"
+                "enable|disable|autoblacklist-update|autoblacklist-clear)\n\n");
+        exit(1);
+    }
+
+    if (strcmp(argv[1], "update") == 0) {
+        safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "restore") == 0) {
+        safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "log-on") == 0) {
+        safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "log-off") == 0) {
+        safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "enable") == 0) {
+        safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "disable") == 0) {
+        safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "autoblacklist-update") == 0) {
+        safe_system("/usr/local/bin/ipblacklist autoblacklist-update >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "autoblacklist-clear") == 0) {
+        safe_system("/usr/local/bin/ipblacklist autoblacklist-clear >/dev/null 2>&1 &");
+    } else {
+        fprintf(stderr, "\nBad argument given.\n"
+                "ipblacklistctrl (update|restore|log-on|log-off|"
+                "enable|disable|autoblacklist-update|autoblacklist-clear)\n\n");
+        exit(1);
+    }
+
+    return 0;
+}
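Review bot: every branch runs the main script in the background with stdout and stderr sent to /dev/null and then returns 0, so the WUI never learns whether `ipblacklist update` (or any other verb) actually failed; consider running the short-lived verbs synchronously and returning the exit status of safe_system, or redirecting output to a log file rather than /dev/null. The eight strcmp branches differ only in the verb; since argv[1] is accepted only on an exact match, a small table of permitted verbs and one snprintf-built command line would remove the duplication without weakening that check (the exact match is what keeps untrusted input away from the shell, so keep it). Style: this file uses four-space indentation while getipsetstat.c in the same series uses tabs; please use one convention for both new files.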
-- 
2.16.4

