From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists Date: Thu, 30 Jan 2020 12:54:47 +0000 Message-ID: <81ABE497-571B-4E21-B18D-B4C5B1A0F795@ipfire.org> In-Reply-To: <10abc961-d743-9bdf-585c-156ba98b0b45@tfitzgeorge.me.uk> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6991234883223730441==" List-Id: --===============6991234883223730441== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 29 Jan 2020, at 20:40, Tim FitzGeorge wrote: >=20 > Hi, >=20 > On 28/01/2020 17:14, Michael Tremer wrote: >> Hi, >>=20 >> Apologies for my late reply again. I marked this email in my inbox and the= n it scrolled down because of loads of new stuff coming in. Please feel free = to ping me if I do not respond in time. >=20 > That's OK. It took me a little longer than expected to check the patches. >>=20 >>> On 24 Jan 2020, at 19:40, Tim FitzGeorge wrote: >>>=20 >>> I'm now nearly ready to submit the updated patches, but before then I'd >>> like to check that you're happy with some of my design decisions. >>=20 >> Cool. >>=20 >>> _IPTables_Chains_ >>>=20 >>> When setting up the firewall (in iptables_init()), four new chains are >>> created, IPBLACKLISTIN, IPBLACKLISTOUT, IPBLACKLISTREDIN and >>> IPBLACKLISTREDOUT. The first two are inserted into the INPUT, OUTPUT >>> and FORWARD chains, before the IPS chains. The main script is called to >>> restore the previously saved blacklists, creating the rules in the >>> latter two chains. >>=20 >> For readability you can simply call them BLACKLIST*. The IP is a given. >=20 > Good point. I'll make the change. >=20 >>=20 >>> In iptables_red_up(), rules are created to forward traffic to/from the >>> red interface from IPBLACKLISTIN/IPBLACKLISTOUT to >>> IPBLACKLISTREDIN/IPBLACKLISTREDOUT. >>> I did consider putting the blacklist rules into the >>> IPBLACKLISTIN/IPBLACKLISTOUT, but this couldn't be done until red comes >>> up and would require much more processing at this point - not a problem >>> if your red interface comes up and stays up, but if you've got one that >>> disconnects on no traffic you probably don't want the extra overhead. >>> The way I've done it also has the side effects of 1) the main script >>> doesn't have to worry about what the red interface is, and 2) if you're >>> using multiple blacklists, the check for the red interface is only done >>> once. >>=20 >> You would only want to check the interface once and then jump into the cha= in. Can we not realise it that way? >=20 > I'm not sure what you're suggesting. > I insert BLACKLISTIN into INPUT & FORWARD and BLACKLISTOUT into OUTPUT & > FORWARD. These receive all non-ICMP traffic. On red up traffic from > the red interface is sent from BLACKLISTIN to BLACKLISTREDIN and traffic > to the red interface is sent from BLACKLISTOUT to BLACKLISTREDOUT. > The rules to check against the IPSets are put into the *RED* chain, > checking against the source or destination addresses as appropriate. This sounds very complicated to me. Why can we not check this in BLACKLISTIN/OUT? >>=20 >>> _Log_WUI_Pages_ >>>=20 >>> The two Log WUI pages are edited from existing pages. I've resisted the >>> temptation to reformat them, which means that they can be diff'ed with >>> the corresponding pages. >>=20 >> Loads of the UI code is messy and deliberately not touched any more. I gue= ss this is fine. >=20 > Yes, it's not pretty, but it is pragmatic. >>=20 >>> _Update_ >>>=20 >>> The update is fairly simple - it calculates whether the check period is >>> passed, tries a download specifying the If-Modified-Since and parses the >>> returned file. It then compares the new list with the existing list, >>> adding new addresses/networks and deleting those that have been removed. >>> There's a check to handle a list changing from a list of addresses to a >>> list of networks, in which case it changes the type of the IPSet - this >>> should be a vary rare event, but could happen for a composite list. >>=20 >> Why do you need the diff? Has that been in the first patchset? >=20 > It was, yes. >=20 > Originally I did it for performance. It took over a minute to process > the ALIENVAULT list (over 80 000 entries); just calling ipset with > changes reduced this to a few seconds. I've since modified the code to > pipe commands to a process running 'ipset restore', which has > drastically speed up the processing, but it's still a little bit quicker > to just do changes. >=20 > The second reason is that it doesn't feel right to flush the old list, > thus removing its protection while the new one is loaded, especially if > the new list is the same as the old list (not all sources implement > IP-Modified-Since). The actual period of reduced protection may be > short, but I prefer to avoid it. Okay. I was hoping that the =E2=80=9Cipset restore=E2=80=9D update would flus= h and add everything again in one large atomic operation. >>=20 >> Just reloading the whole ipset should be easier. >>=20 >>> _Enabling/Disabling_Blacklists_ >>>=20 >>> For changes to the existing firewall rules, the firewall is shut down >>> and restarted from scratch. The blacklist script does this on the fly, >>> since the possibilities are simpler than all the options available for >>> the firewall and also the necessary code for doing updates means that >>> adding this code is fairly simple. This includes turning logging on and >>> off. >>=20 >> What do you mean by that? /etc/init.d/firewall restart? >>=20 >> That is something we cannot do because IPsec and some other services creat= e temporary rules that would be lost. >=20 > No. I'm actually trying to say the opposite (badly). The existing > IPFire code only implements some firewall changes by shutting down and > restarting the firewall, but all the IP Blacklist functions > (enable/disable/update lists, enable/disable logging) can be done > without this - the necessary rules can be added to/deleted from the > BLACKLISTRED* chains without affecting any of the rest of the firewall > system. Ah cool. That is how it needs to be. -Michael > Tim P.S. Is there actually a reason why you do not have a shell account on our se= rvers and host your changed on our git server? I am not sure if I ever offere= d you one, but it would help me a lot to have a look at the code in a git rep= o :) >=20 >>=20 >>> _Logging_ >>>=20 >>> The main scripts logs to syslog as ipblacklist, but if you run it from >>> the command line it'll also output to the terminal. >>> There's also some debug code which can be turned on by setting a value >>> in the settings file - it's turned on at the lowest level automatically >>> if you run from the command line. >>=20 >> Yes that is fine. >>=20 >> Best, >> -Michael >>=20 >>> Tim >>>=20 >>> On 06/01/2020 11:27, Michael Tremer wrote: >>>> Hello all, >>>>=20 >>>>> On 4 Jan 2020, at 19:02, Tim FitzGeorge wrot= e: >>>>>=20 >>>>> Hello, >>>>>=20 >>>>> I've now updated the code - screenshots are attached. >>>>>=20 >>>>> IP_Address_Blacklists.png >>>>>=20 >>>>> This is the settings page. I don't think there's anything unexpected h= ere. >>>>=20 >>>> Yes, that looks a lot like the other IPFire pages :) >>>>=20 >>>>> IP_Address_Blacklist_Logs.png >>>>>=20 >>>>> The log page, replacing the status information that was previously at >>>>> the top of the settings page. >>>>=20 >>>> Looks great! >>>>=20 >>>>> I've sorted the lists alphabetically, rather than by the number of hits >>>>> since the worst threat is not necessary the largest number of blocked >>>>> packets (which could implied by sorting it by number). >>>>=20 >>>> Yes, that is indeed a very good idea. >>>>=20 >>>> You could add a % sign in the percentage column, so it cannot be confuse= d so easily with the other column. >>>>=20 >>>>> Firewall_log_blacklist.png >>>>>=20 >>>>> Details page accessed from the log. Almost identical to the other >>>>> similar pages. >>>>=20 >>>> *thumbs up* >>>>=20 >>>>> Log_Summary.png >>>>>=20 >>>>> This is an extract from the Log Summary page produced by logwatch. >>>>>=20 >>>>> I still need to do some tidying, remove unused language strings etc., >>>>> and then update and test the patches, so it'll be some time before I'm >>>>> ready to submit updated patches. >>>>=20 >>>> Feel free to send some RFC to the list. It might be slightly noisy, but = it is easier to review changes bit after bit. >>>>=20 >>>> Great great work! >>>>=20 >>>> -Michael >>>>=20 >>>>>=20 >>>>> Tim >>>>>=20 >>>>> On 28/12/2019 20:59, Tim FitzGeorge wrote: >>>>>> Hi, >>>>>>=20 >>>>>> I'll code and test what we've agreed on. In the meantime I'm going to >>>>>> reply on the sub-thread started by Tom Rymes as to what we call the li= st >>>>>> categories, so that we can keep that discussion separate from further >>>>>> functionality etc. discussion. >>>>>>=20 >>>>>> Tim >>>>>>=20 >>>>>> On 21/12/2019 18:34, Tim FitzGeorge wrote: >>>>>>> Hi, >>>>>>>=20 >>>>>>> I've got my systems checking for downloads at 15 minute intervals and >>>>>>> using If-Modified-Since. This all seems to be working OK. >>>>>>>=20 >>>>>>> Responses to comments below: >>>>>>>=20 >>>>>>> On 18/12/2019 12:07, Michael Tremer wrote: >>>>>>>> Hi, >>>>>>>>=20 >>>>>>>>> On 17 Dec 2019, at 18:21, Tim FitzGeorge = wrote: >>>>>>>>>=20 >>>>>>>>> Hi, >>>>>>>>>=20 >>>>>>>>> I think we've agreed on the following: >>>>>>>>>=20 >>>>>>>>> - Checks to be made every 15 minutes, subject to per-list minimum r= ate. >>>>>>>>> - Modify download to use If-Modified-Since rather than separate HEAD >>>>>>>>> request. >>>>>>>>> - Remove automatic blacklist. >>>>>>>>=20 >>>>>>>> I thought someone wants to counter my argument. This is not a dictat= orship :) >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> other comments are below. >>>>>>>>>=20 >>>>>>>>> Tim >>>>>>>>>=20 >>>>>>>>> On 16/12/2019 22:20, Michael Tremer wrote: >>>>>>>>>> Hi, >>>>>>>>>>=20 >>>>>>>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge wrote: >>>>>>>>>>>=20 >>>>>>>>>>> Hi, >>>>>>>>>>>=20 >>>>>>>>>>> I've attached the current GUI screenshot. >>>>>>>>>>=20 >>>>>>>>>> Thanks for that. >>>>>>>>>>=20 >>>>>>>>>> I have a couple of suggestions/concerns about it: >>>>>>>>>>=20 >>>>>>>>>> a) I am not sure what the value is about the top box that is calle= d =E2=80=9CStatus=E2=80=9D. It is basically a summary of the iptables output,= but will it help the user? A blacklist with more or fewer entries is not bet= ter or worse, blocking more packets isn=E2=80=99t better than blocking fewer.= It is about the quality of the blocks. >>>>>>>>>=20 >>>>>>>>> I agree that the size of the lists is not all that useful, but the >>>>>>>>> information about the number of blocked packets can be an indicatio= n of >>>>>>>>> compromise. It depends on the type of the list, but a list that ta= rgets >>>>>>>>> C&C channels (e.g. the FEODO lists) should not show any input packe= ts >>>>>>>>> being blocked, unless one of the computers being protected is infec= ted. >>>>>>>>> Apart from the BOGON lists, none of the lists should show any output >>>>>>>>> packets being blocked; again it's a potential indication of infecti= on if >>>>>>>>> otherwise. >>>>>>>>=20 >>>>>>>> The Shodan list will definitely show some activity unless you are be= hind CG NAT. >>>>>>>>=20 >>>>>>>> Should we not have this rather in the logging section? >>>>>>>>=20 >>>>>>>> And these counters here will be reset when the firewall is being rel= oaded. Should this data therefore not be collected from the logs so that you = can go back in time? That would be very important to identify any start of co= mpromise. >>>>>>>>=20 >>>>>>>=20 >>>>>>> That makes sense. I'll remove the status from this page and create a >>>>>>> log page for the information. If anyone actually wants the iptables >>>>>>> information it's available in from Firewall > iptables anyway. >>>>>>>=20 >>>>>>> Do you think it makes more sense to show packets blocked in/out or >>>>>>> packets blocked per source interface? The latter would of (limited) >>>>>>> help in tracking down potential compromise. >>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> b) I would prefer to move the settings box to the top. If you like= you can show the size of the blacklists there and when they have been update= d, too. >>>>>>>>>=20 >>>>>>>>> I put the status at the top since it's usually what I want to see w= hen I >>>>>>>>> go to the page. Under normal circumstances I don't change the sett= ings, >>>>>>>>> so I'd rather not have to scroll past them to get to the informatio= n I'm >>>>>>>>> actually interested in. The update times are just useful to show t= hat >>>>>>>>> the lists are actually being updated. The size is interesting to m= e, >>>>>>>>> but as you say it probably won't help the average user, especially = if >>>>>>>>> you don't know which lists block individual addresses and which blo= ck >>>>>>>>> nets (BOGON, DSHIELD and EMERGING_COMPROMISED). >>>>>>>>=20 >>>>>>>> See my comment on the order above. Splitting the page might make sen= se. >>>>>>>>=20 >>>>>>>> When you show size, does that mean lines in the blacklists? So it co= uld be networks or single IP addresses? Does it not make sense to count IP ad= dresses (i.e. 256 for a /24 network and so on) and put it in the table? >>>>>>> It's lines in the blacklist. >>>>>>>=20 >>>>>>>>=20 >>>>>>>> I think I would only be interested in the size for two things: >>>>>>>>=20 >>>>>>>> a) Is there any chance for overblocking? i.e. does the list have 2 b= illion entries which would be half the public IPv4 address space or so. I can= not really come up with a good example here. >>>>>>>>=20 >>>>>>>> Or >>>>>>>>=20 >>>>>>>> b) What is the performance impact/memory consumption of the list? >>>>>>>=20 >>>>>>> It would be interesting to show the type (single address or net), num= ber >>>>>>> of entries and number of addresses; the first two affect performance, >>>>>>> the second memory use and the latter the number of blocked addresses, >>>>>>> but that's really only going to be of interest to a very small number= of >>>>>>> people, who can always do 'ipset list -t' to get the information. So >>>>>>> I'll remove the size column. >>>>>>>=20 >>>>>>>>=20 >>>>>>>>> I originally had the status and settings in one list, but I decided= that >>>>>>>>> it was getting a bit messy and difficult to follow. I've attached a >>>>>>>>> screenshot of a quickly hacked page. (Note that the status area on= ly >>>>>>>>> appears once the blacklists have been enabled.) >>>>>>>>=20 >>>>>>>> You are right. This is getting quite tight there. >>>>>>>>=20 >>>>>>>> You could write packets in/out into on column like 2k/1023, but see = my concerns about this above. >>>>>>>=20 >>>>>>> Actually I've come to the conclusion that the number of bytes blocked >>>>>>> isn't all that important; it's sufficient to show the number of packe= ts. >>>>>>>=20 >>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> c) I would suggest to remove the =E2=80=9Csafe=E2=80=9D column bec= ause that is a very hard summary of what the lists do. We should explain that= on the wiki. I guess this is too complicated to explain to our users in one = sentence and it needs at least a page of text. People who do not read that ha= ve you just lost out. >>>>>>>>>=20 >>>>>>>>> I agree that it's it's an over simplistic summary of the lists. I = note >>>>>>>>> that Tom Rymes has asked to keep it, but I think its only value is = if it >>>>>>>>> suggests to users that things are more complicated than they appear= and >>>>>>>>> therefore prompts them to read the Wiki. >>>>>>>>=20 >>>>>>>> I will reply to that separately. >>>>>>>=20 >>>>>>> Looking at that reply, I think it makes sense to include a category >>>>>>> column in both the settings and the log summary page - the former to >>>>>>> help selection of which lists to use, and the latter as a help when >>>>>>> deciding whether the information could indicate compromise or not. >>>>>>>=20 >>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> d) I do not understand what the =E2=80=9Cupdate check rate=E2=80= =9D means. I suppose we should show the update interval of the lists in the t= able and just refresh them according to that. >>>>>>>>>=20 >>>>>>>>> It's the minimum check period for updates. The system checks for >>>>>>>>> updates at either the rate specific to the list or this rate, which= ever >>>>>>>>> is slower. This is a hangover from the early days, copied from the= IPS >>>>>>>>> updates. I suppose it could have a value for some people who may w= ish >>>>>>>>> to lower the check rate, but I'm not sure that it has sufficient va= lue >>>>>>>>> to be worth keeping. >>>>>>>>=20 >>>>>>>> No, I would not let the user decide when and how often to update the= lists. >>>>>>>=20 >>>>>>> OK. I'll remove it. >>>>>>>=20 >>>>>>>>=20 >>>>>>>> Generally there is this argument internally how often some databases= should be updated. People with slow internet connections or volume based dat= a plans will find this rather expensive to update those lists too often. >>>>>>>>=20 >>>>>>>> If we ever want to go ahead with that in IPFire 2, there should be a= global switch for a =E2=80=9Clow data mode=E2=80=9D which then delays updati= ng these things. >>>>>>>=20 >>>>>>> That makes sense. Maybe also the ability to set when downloads take >>>>>>> place - but as you say that's for the future. >>>>>>>=20 >>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> e) Do we want to keep the automatic blacklists now? I do not think= it will actually improve the security of IPFire. >>>>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> I'll remove them. I think they do have a use, in that they can det= ect >>>>>>>>> someone doing a port scan and block them before they find an open p= ort, >>>>>>>>> but as you say there is also the possibility of a DOS. >>>>>>>>=20 >>>>>>>> How would this block a DOS? >>>>>>>=20 >>>>>>> Sorry, I didn't make myself clear - there's the possibility that some= one >>>>>>> could cause a DOS with the automatic list by faking the source IP >>>>>>> address and sending a few packets on a random port. >>>>>>>=20 >>>>>>>>=20 >>>>>>>> -Michael >>>>>>>=20 >>>>>>> Tim >>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> I'll update the code based on our discussions, and submit an upda= ted set >>>>>>>>>>> of patches - I imagine there will have to be at least one more it= eration. >>>>>>>>>>=20 >>>>>>>>>> Let=E2=80=99s wait until we have come to decisions :) >>>>>>>>>>=20 >>>>>>>>>> -Michael >>>>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> Tim >>>>>>>>>>>=20 >>>>>>>>>>> (No additional comments below) >>>>>>>>>>>=20 >>>>>>>>>>> On 13/12/2019 23:11, Michael Tremer wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>>=20 >>>>>>>>>>>> Again my apologies for my late reply. Busy busy weeks. >>>>>>>>>>>>=20 >>>>>>>>>>>>> On 8 Dec 2019, at 20:50, Tim FitzGeorge wrote: >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Hello, >>>>>>>>>>>>>=20 >>>>>>>>>>>>> It's my turn to apologise for being slow to respond - I've had = a busy >>>>>>>>>>>>> week, but I should have plenty of time over the next couple of = weeks. >>>>>>>>>>>>=20 >>>>>>>>>>>> No worries. Turns out we all do :) >>>>>>>>>>>>=20 >>>>>>>>>>>>> I've made most of the comments inline, however I think Michael = had a >>>>>>>>>>>>> question (which I can't find now) about what happens if someone= enables >>>>>>>>>>>>> all the lists. One thing which would perhaps make this less li= kely is >>>>>>>>>>>>> that the WUI tags the available lists with whether they're safe= or not, >>>>>>>>>>>>> with a footnote that safe means that the list only blocks malic= ious >>>>>>>>>>>>> traffic. This won't guarantee that a user won't still try to e= nable all >>>>>>>>>>>>> the lists, but it should make them realise that they should thi= nk first. >>>>>>>>>>>>=20 >>>>>>>>>>>> We had a couple of features going slightly wrong or being =E2=80= =9Cmisunderstood=E2=80=9D by some users. People still seem to panic when they= see =E2=80=9Clocal recursor=E2=80=9D. To this day I do not know why. >>>>>>>>>>>>=20 >>>>>>>>>>>> We cannot make everything idiot-proof. And when some user if of = that category, they probably should shutdown their IPFire box, educate themse= lves and then come back again. So I do not want to limit people, but make thi= ngs as easy as possible. >>>>>>>>>>>>=20 >>>>>>>>>>>> If someone enables all the lists, good luck with passing packets= :) >>>>>>>>>>>>=20 >>>>>>>>>>>>> I have considered replacing this tag with a risk high/medium/lo= w and >>>>>>>>>>>>> maybe adding a category (invalid/application/scanner/C&C or som= ething >>>>>>>>>>>>> like that), but that may provide too much information and dissu= ade them >>>>>>>>>>>>> from actually following the links to checkout what the list act= ually does. >>>>>>>>>>>>=20 >>>>>>>>>>>> Can we have a screenshot of the GUI right now? I didn=E2=80=99t = run the code, yet. >>>>>>>>>>>>=20 >>>>>>>>>>>> We should document the lists like we do it with the rulesets of = the IPS. People might ignore this, but that is on them. >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Tim >>>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> On 05/12/2019 22:25, Michael Tremer wrote: >>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> On 4 Dec 2019, at 17:05, Peter M=C3=BCller wrote: >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Hello Tim, hello Michael, >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> please see my responses inline... >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> We could periodically update the blacklists on our main mi= rror (and >>>>>>>>>>>>>>>>>> wait for the network to sync it), make sure it is signed a= nd write >>>>>>>>>>>>>>>>>> a small downloader that fetches, validates and installs th= em. >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> @All: Thoughts on this? >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> I think there are a number of points here. >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Firstly, from the point of a third party using IPFire, is t= his really >>>>>>>>>>>>>>>>> solving the privacy disclosure problem? There's no way rou= nd disclosing >>>>>>>>>>>>>>>>> your public IP address to someone you're downloading from; = all this does >>>>>>>>>>>>>>>>> is change who that information is being disclosed to. For = the user >>>>>>>>>>>>>>>>> there's no way of knowing whether the source is more or les= s protective >>>>>>>>>>>>>>>>> of the user's privacy than the blacklist provider. Indeed = it won't be >>>>>>>>>>>>>>>>> possible to know who the lists are being downloaded from un= til the >>>>>>>>>>>>>>>>> download starts. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> There is a way: Tor. But that is a totally different story. >>>>>>>>>>>>>>> Well, I see a third option on this: Use the mirror infrastruc= ture we already >>>>>>>>>>>>>>> have. Every IPFire installation discloses its public IP addre= ss to one of these >>>>>>>>>>>>>>> servers sooner or later, so we do not disclose additional dat= a if the blacklists >>>>>>>>>>>>>>> were fetched from these. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Needless to say, Tor (hidden services) would be better, but t= hat is a different >>>>>>>>>>>>>>> story indeed. :-) >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> The point is rather that a forget list can be sent instead o= f the =E2=80=9Creal=E2=80=9D one. >>>>>>>>>>>>>>> I did not get this. Forget? Forged?? ??? >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Yes, I meant to write forged, but auto-correct didn=E2=80=99t = let me. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Secondly, latency; some of the lists are updated every 5 mi= nutes. While >>>>>>>>>>>>>>>>> I've limited the maximum check rate to hourly, will the upd= ates >>>>>>>>>>>>>>>>> propagate quickly enough. For reference on my main system = the 24 >>>>>>>>>>>>>>>>> updates on the CIARMY list made 143 498 changes (additions = or >>>>>>>>>>>>>>>>> deletions). I've seem it do over 200 000. >>>>>>>>>>>>>>> Yes, I observe that behaviour for CINS/CIArmy too. Unfortunat= ely, they do not >>>>>>>>>>>>>>> document a recommended update interval anywhere, so we can on= ly guess. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Personally, more static lists seem to be preferable for packe= t filtering. Highly >>>>>>>>>>>>>>> dynamic ones such as CIArmy should be done via DNSBL queries = or something similar >>>>>>>>>>>>>>> - do we really want to have that list here? >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> It is not really an option to implement a DNSBL into a packet = filter, but I get your point. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> One of the 'selling points' for an IP address blacklist is that= it can >>>>>>>>>>>>> respond quickly to new threats - or rather new attackers. Whil= e a new >>>>>>>>>>>>> IDS/IPS rule needs time to analyse the threat, generate a rule = and check >>>>>>>>>>>>> it, it's easy to add an address to a list. So, I think the CIA= rmy list >>>>>>>>>>>>> is potentially useful for protecting home systems etc. with bud= get >>>>>>>>>>>>> hardware, but I would be very careful about using it for a prot= ecting a >>>>>>>>>>>>> general access website. >>>>>>>>>>>>=20 >>>>>>>>>>>> If they are very volatile, we should honour that and update them= often, too. >>>>>>>>>>>>=20 >>>>>>>>>>>> It probably is more about false-positives being removed very qui= ckly instead of adding threats very quickly. The average IPFire user is proba= bly not under threats like these to need to react very quickly. >>>>>>>>>>>>=20 >>>>>>>>>>>> So I do not see much value in adding those lists and then updati= ng once a day. Does it have to be every 5 min? No. I would suggest 15 which s= hould be good enough for everyone. >>>>>>>>>>>>=20 >>>>>>>>>>>> Other lists should of course not be updated every 15 minutes whe= n not needed. >>>>>>>>>>>>=20 >>>>>>>>>>>> Running every 15 minutes would allow us to retry downloading lis= ts that are on an hourly schedule if the download failed. >>>>>>>>>>>>=20 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> How did you come up with the hour? Will it be retried more o= ften if the download was not successful? >>>>>>>>>>>>>>> One hour is the most common interval indeed, but adding some = random time might >>>>>>>>>>>>>>> be useful in order to reduce load on the servers providing a = blacklist. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Yes, definitely. Otherwise we will shoot down our mirrors. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> When I implemented that section of code, specifying the minimum= check >>>>>>>>>>>>> period in hours seemed to provide a convenient way of allowing = a check >>>>>>>>>>>>> period covering a wide range, with an hour as the fastest and a= week as >>>>>>>>>>>>> the slowest. I didn't looked at the CIArmy list until much lat= er. Most >>>>>>>>>>>>> of the lists don't change nearly as much, but the CIArmy list is >>>>>>>>>>>>> described as one that deliberately responds quickly. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> From my production system, for yesterday: >>>>>>>>>>>>>=20 >>>>>>>>>>>>> The following block lists were updated: >>>>>>>>>>>>> BLOCKLIST_DE: 24 Time(s) - 9341 change(s) >>>>>>>>>>>>> BOGON_FULL: 1 Time(s) - 10 change(s) >>>>>>>>>>>>> CIARMY: 24 Time(s) - 159134 change(s) >>>>>>>>>>>>> DSHIELD: 7 Time(s) - 18 change(s) >>>>>>>>>>>>> EMERGING_FWRULE: 1 Time(s) - 50 change(s) >>>>>>>>>>>>> FEODO_AGGRESIVE: 24 Time(s) - 13 change(s) >>>>>>>>>>>>> SHODAN: 1 Time(s) - 0 change(s) >>>>>>>>>>>>> SPAMHAUS_DROP: 1 Time(s) - 0 change(s) >>>>>>>>>>>>> TOR_EXIT: 24 Time(s) - 162 change(s) >>>>>>>>>>>>=20 >>>>>>>>>>>> Very interesting statistics. >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> and my test system: >>>>>>>>>>>>>=20 >>>>>>>>>>>>> The following block lists were updated: >>>>>>>>>>>>> ALIENVAULT: 19 Time(s) - 5331 change(s) >>>>>>>>>>>>> EMERGING_COMPROMISED: 1 Time(s) - 26 change(s) >>>>>>>>>>>>> TALOS_MALICIOUS: 1 Time(s) - 36 change(s) >>>>>>>>>>>>>=20 >>>>>>>>>>>>> That covers most of the lists. From the WUI, since 1 Dec: >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Blacklist Entries pkts bytes Last updated >>>>>>>>>>>>> in in >>>>>>>>>>>>> AUTOBLACKLIST 0 731 51144 Sun Dec 8 18:40:02 2019 >>>>>>>>>>>>> BLOCKLIST_DE 28020 857 46735 Sun Dec 8 18:40:02 2019 >>>>>>>>>>>>> BOGON_FULL 214 5255 189K Sun Dec 8 16:50:04 2019 >>>>>>>>>>>>> CIARMY 15000 19774 976K Sun Dec 8 18:04:01 2019 >>>>>>>>>>>>> DSHIELD 20 7992 321K Sun Dec 8 16:45:13 2019 >>>>>>>>>>>>> EMERGING_FWRULE 1647 197 8383 Fri Dec 6 05:29:07 2019 >>>>>>>>>>>>> FEODO_AGGRESIVE 7169 0 0 Sun Dec 8 18:50:07 2019 >>>>>>>>>>>>> SHODAN 32 34 1530 Sun Dec 8 17:54:09 2019 >>>>>>>>>>>>> SPAMHAUS_DROP 823 0 0 Fri Dec 6 18:22:35 2019 >>>>>>>>>>>>> SPAMHAUS_EDROP 111 82 16433 Thu Dec 5 17:27:09 2019 >>>>>>>>>>>>> TOR_EXIT 1055 0 0 Sun Dec 8 18:31:02 2019 >>>>>>>>>>>>=20 >>>>>>>>>>>> This as well. >>>>>>>>>>>>=20 >>>>>>>>>>>> Those are more packets than I would have expected. >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> (I've left out the pkts/bytes out fields which were all 0) >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Note that where possible I do a HEAD request first and then only >>>>>>>>>>>>> download the list if the modification time has changed since th= e last >>>>>>>>>>>>> check. For dynamically generated lists this isn't possible. >>>>>>>>>>>>=20 >>>>>>>>>>>> You won=E2=80=99t need a HEAD request for it. You can include it= in the GET request. >>>>>>>>>>>>=20 >>>>>>>>>>>> Have a look at location downloader where I use that. The server = will respond with 304 and not send any payload. >>>>>>>>>>>>=20 >>>>>>>>>>>> https://git.ipfire.org/?p=3Dlocation/libloc.git;a=3Dblob;f=3Dsrc= /python/location-downloader.in;h=3D1b5932d5822e03737d32b2a27816815b2f7e74dd;h= b=3DHEAD#l151 >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> If the download isn't successful it just gives up and waits for= the next >>>>>>>>>>>>> attempt (apart from the usual retries in the library). I proba= bly >>>>>>>>>>>>> should to change that so that it only applies the per list mini= mum >>>>>>>>>>>>> update period in this case (specified in the sources file) rath= er than >>>>>>>>>>>>> the user specified value as well. >>>>>>>>>>>>=20 >>>>>>>>>>>> I think it is not the worst if an update fails. It might just ha= ppen every once in a while. >>>>>>>>>>>>=20 >>>>>>>>>>>> So I would suggest to just re-run the script more often and when= the mtime of the file is older than the threshold, a download is attempted. = You can use that timestamp for the GET request. >>>>>>>>>>>>=20 >>>>>>>>>>>>> I already use a time offset on the downloads - when it's starte= d from >>>>>>>>>>>>> boot, backup restore or WUI enable, it checks to see if it's in= stalled >>>>>>>>>>>>> in the fcrontab, and if not adds itself at a randomly generated= offset >>>>>>>>>>>>> in the hour. >>>>>>>>>>>>=20 >>>>>>>>>>>> That should potentially go to red.up, or if we can settle on 15 = minutes, I would consider that often enough to quickly update all lists after= a reboot. >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Third, bandwidth; while the downloads are fairly small (ALI= ENVAULT is >>>>>>>>>>>>>>>>> the largest at a few MB), there are going to be a lot of th= em. How will >>>>>>>>>>>>>>>>> this affect the willingness of people to mirror IPFire? >>>>>>>>>>>>>>> I do not consider this being a problem as we do not generate = that much traffic >>>>>>>>>>>>>>> to them. Of course, that depends on the update interval again. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> That depends on your point of view. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> I do not have a problem with this at all in my data center, bu= t there are plenty of people with a volume-based LTE plan or simply a 128 kBi= t/s connection. It will take a longer time to download the lists for them. We= need to mind that. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> Talking about the preference of packet filter and IPS, I p= refer to >>>>>>>>>>>>>>>>>> use the latter as well as it gains more insight in what ki= nd of malicious >>>>>>>>>>>>>>>>>> traffic tried to pass a firewall machine. On systems with = low resources, >>>>>>>>>>>>>>>>>> this might be problematic and removing load from the IPS c= an be preferred >>>>>>>>>>>>>>>>>> (make this configurable?!), on others, people might want t= o have both >>>>>>>>>>>>>>>>>> results. >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> You're only going to get one result for a packet whichever = way round the >>>>>>>>>>>>>>>>> IP blacklist and IPS are since whichever comes first will d= rop the >>>>>>>>>>>>>>>>> packet before it reaches the second (well it would be possi= ble to put >>>>>>>>>>>>>>>>> the IP blacklist first and get it to log and mark packets w= hich are then >>>>>>>>>>>>>>>>> dropped after the IPS, but I think that's getting a little = complicated. >>>>>>>>>>>>>>>>> In addition I've seen the messages about the trouble markin= g was >>>>>>>>>>>>>>>>> causing in the QoS). >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> I think it's a 50/50 choice as to which is more valuable fi= rst; it's >>>>>>>>>>>>>>>>> probably going to differ from packet to packet. For me the= possibility >>>>>>>>>>>>>>>>> of reducing the IPS load means I prefer putting the IP blac= klist first >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> It should be fairly easy to add the choice of where to put = the IP >>>>>>>>>>>>>>>>> blacklist. I think it'll have to be in the main firewall s= cript, so >>>>>>>>>>>>>>>>> it'll require a firewall restart, but it's not something th= at'll be >>>>>>>>>>>>>>>>> changed often. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I do not think that the user should choose this. If we canno= t easily make a decision, how can our users do this? Not saying they are stup= id here, we are just giving them something so that they do not have to put th= e thought and research into things themselves and make their jobs easier. >>>>>>>>>>>>>>> Agreed. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I think performance matters. And if the IPS comes first, the= most likely case would be that we are seeing a SYN packet that is being scan= ned and after that being dropped by the blacklist. It was pointless to even s= can the empty packet (TCP fast open aside). This is only different for other = packets with payloads. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> We would protect the IPS from a SYN flooding attack here at = least and from scanning more packets unnecessarily. >>>>>>>>>>>>>>> So dropping packets from blacklisted IP addresses/networks be= fore IPS is it, then. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I do not even think it makes sense to swap the order in the = outgoing direction. >>>>>>>>>>>>>>> Me too. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> What IPFire is lacking is a statistical analysis for those l= ogs. Collecting more and more data isn=E2=80=99t helpful from my point of vie= w. Only if you are looking at a very specific thing.This is true, but I am no= t sure if it makes sense to spend too much work on this. >>>>>>>>>>>>>>> Based on my personal experience, firewall hits observed on a = single machine exposed >>>>>>>>>>>>>>> to the internet are interesting, but the overall situation ac= ross multiple machines >>>>>>>>>>>>>>> is even more interesting. Very quickly, you'll end on somethi= ng like a centralised >>>>>>>>>>>>>>> logging server and custom statistical analysis here... >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Probably a project for IPFire 4.0 :) >>>>>>>>>>>>>>=20 >>>>>>>>>>>>> Or use one of the existing services, like the DSHIELD client >>>>>>>>>>>>> https://dshield.org/howto.html (subject to privacy concerns aga= in). >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> Personally, I consider Spamhaus DROP/EDROP can be safely e= nabled by default. >>>>>>>>>>>>>>>>>> I would love to see the bogon ruleset here, too (think abo= ut 8chan successor >>>>>>>>>>>>>>>>>> hosted at unallocated RIPE space in Saint Petersburg), but= that will likely cause >>>>>>>>>>>>>>>>>> interference if RED does not have a public IP address assi= gned. >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> I can add a field to the options file that controls whether= a list is >>>>>>>>>>>>>>>>> enabled by default. >>>>>>>>>>>>>>> Thank you. :-) >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> To stress the point from above again: We would then share al= l public IP addresses of all IPFire systems in the world with Spamhaus and wh= o is hosting their infrastructure. That can be considered a threat. >>>>>>>>>>>>>>> This is my only objection against this patchset. Now, what ca= n we do about it? >>>>>>>>>>>>>>> One possibility is to apply the patchset now and implement a = custom download >>>>>>>>>>>>>>> source thing later on, or do that before releasing Core Updat= e 139 (or which version >>>>>>>>>>>>>>> the patchset will be to) after we agreed on something. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> I do not see this being merged for 139. But that is not import= ant. We need to get it right first and then release it. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> As far as I know, nobody has tested this, yet. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> There are a number of people who have been running an earlier v= ersion >>>>>>>>>>>>> which I shared on GitHub. There were a few early issues, but i= t seems >>>>>>>>>>>>> to be OK now. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> https://forum.ipfire.org/viewtopic.php?f=3D27&t=3D21845 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> This version wasn't integrated into IPFire, so (for example) it= inserted >>>>>>>>>>>>> itself into the INPUT IPTables chain rather than having it's ch= ains >>>>>>>>>>>>> created as part of the firewall start-up script. >>>>>>>>>>>>>=20 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> I have huge concerns about the automatic blacklist. @Peter: Wh= at is your opinion on this? >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> While I implemented it, I'm aware of its potential to cause pro= blems, >>>>>>>>>>>>> which is why it has to be separately enabled. It's not caused = me any >>>>>>>>>>>>> issues at the default settings (blocks at over 10 packets per h= our until >>>>>>>>>>>>> 1 hour has passed without seeing packets from the address), but= I've not >>>>>>>>>>>>> used it on a site with publicly announced services. If I was g= oing to >>>>>>>>>>>>> use it on a web site I would want to, at the very minimum, drop= the >>>>>>>>>>>>> block period drastically. >>>>>>>>>>>>=20 >>>>>>>>>>>> I suppose this is entirely unusable on an IPFire box in a data c= enter that hosts things. Let=E2=80=99s say our rack in Hanover. >>>>>>>>>>>>=20 >>>>>>>>>>>> You will have hits from some broken IP stacks and people might j= ust end up on this without doing anything wrong. >>>>>>>>>>>>=20 >>>>>>>>>>>> You can denial-of-service easily as well and I suppose without a= ggregation of data from many many systems, it does not make sense to instantl= y block addresses. And even then you probably would block an entire subnet. >>>>>>>>>>>>=20 >>>>>>>>>>>> So I am not sure how I should feel about it. I do not think that= it adds anything because the packets would have been blocked anyways. >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> On the other hand, it's good at responding quickly. Usually I = see only >>>>>>>>>>>>> 1-2% of blocks from the automatic list: >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Reason Count % First Last >>>>>>>>>>>>> CIARMY 2416 45 Dec 6 00:00 Dec 6 23:59 >>>>>>>>>>>>> DSHIELD 1353 25 Dec 6 00:00 Dec 6 23:59 >>>>>>>>>>>>> INPUT 1294 24 Dec 6 00:00 Dec 6 23:59 >>>>>>>>>>>>> AUTOBLACKLIST 122 2 Dec 6 00:20 Dec 6 16:28 >>>>>>>>>>>>> BLOCKLIST_DE 89 2 Dec 6 00:20 Dec 6 23:46 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> and sometimes none at all, but one one occasion it blocked over= 8000 >>>>>>>>>>>>> packets. Again I'm aware this is for a home system, which is r= ather >>>>>>>>>>>>> different than from a Web server. >>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> If we do, I will have a look at the licensing stuff (DShield = and Spamhaus do not >>>>>>>>>>>>>>> seem to be problematic, as they are hosted on 3rd party serve= rs, too). >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> One of them will be, sooner or later. And one is enough I supp= ose. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> DShield (https://dshield.org/api/#threatfeeds) and firehol >>>>>>>>>>>>> (http://iplists.firehol.org/) seem to host copies of most of th= e lists >>>>>>>>>>>>> as well. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> I do not really want to overthink this - we didn=E2=80=99t do = this with clamav for example either. But it probably is a decision to be made= by the user what they want to enable and we should not enable anything by de= fault. So no data will be leaked as long as the user does not consent. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Thanks, and best regards, >>>>>>>>>>>>>>> Peter M=C3=BCller >>>>>>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> >>>>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> >>>>>>>>=20 >>>>>>>=20 >>>>>>=20 >>>>>=20 >>>>> --===============6991234883223730441==--