From: Rob Brewer <ipfire-devel@grantura.co.uk>
To: development@lists.ipfire.org
Subject: [PATCH] Ipblacklist.v3 Ancillary files
Date: Sat, 12 Feb 2022 16:27:15 +0000
Message-ID: <su8n53$rqi$1@tuscan3.grantura.co.uk>
Hi Michael and Adolf,
This is my first patch to test that I am using git correctly to generate the V3
patches. It should be almost identical to Tim's original Ancillary files patch.
Can you please check that the format is correct and if this is OK I'll proceed
to generate the remaining patches.
Rob
From a11e598f9d686ee7010eea89a441bfcc0dd565da Mon Sep 17 00:00:00 2001
From: Rob <granturav8(a)gmail.com>
Date: Sat, 12 Feb 2022 15:34:01 +0000
Subject: [PATCH] Ipblacklist.v3 Ancillary files
---
config/ipblacklist/sources | 138 +++++++++++++++++++++++++++++++
src/misc-progs/getipsetstat.c | 25 ++++++
src/misc-progs/ipblacklistctrl.c | 48 +++++++++++
3 files changed, 211 insertions(+)
create mode 100644 config/ipblacklist/sources
create mode 100644 src/misc-progs/getipsetstat.c
create mode 100644 src/misc-progs/ipblacklistctrl.c
diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources
new file mode 100644
index 000000000..3cfa7f7d4
--- /dev/null
+++ b/config/ipblacklist/sources
@@ -0,0 +1,138 @@
+############################################################################
+# #
+# IP Address blacklists for IPFire #
+# #
+# This file contains a list of blacklist sources that will replace the one #
+# internal to the updated if it is found at /var/ipfire/blacklist/sources. #
+# The intention is to provide a common source of information for both the #
+# updater and WUI. #
+# #
+# The chains created in the packet filter will be named by the top level #
+# key and this will also be used in the log message to identify the reason #
+# for the dropped packet. #
+# #
+# The fields are: #
+# #
+# name The blacklist's full name #
+# url URL of the file containing the list #
+# info URL giving information about the source #
+# parser The parser function used to extract IP addresses from the #
+# downloaded list #
+# rate Minimum period between checks for updates. Can be specified in #
+# days (d), hours (h) or minutes (m) #
+# category Used for documentation on the WUI. Can be one of the following #
+# 'application' Potentially unwanted applications #
+# 'attacker' Generic source of malicious packets #
+# 'c and c' Malware Command and Control source #
+# 'composite' Composite of other lists #
+# 'invalid' Invalid addresses on the public internet #
+# 'scanner' Port scanner that is not initself malicious #
+# disable Name of another list to disable if this one is enabled. Used #
+# when the other list is a subset of this one. #
+# #
+# The info and category fields are purely for documentation. #
+# #
+############################################################################
+
+%sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist',
+ 'url' =>
'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt',
+ 'info' =>
'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1h',
+ 'category' => 'composite',
+ 'disable' => ['FEODO_RECOMMENDED',
'FEODO_IP', 'FEODO_AGGRESIVE', 'SPAMHAUS_DROP', 'DSHIELD'] },
+ 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats
Compromised IPs',
+ 'url' =>
'https://rules.emergingthreats.net/blockrules/compromised-ips.txt',
+ 'info' =>
'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1h',
+ 'category' => 'attacker' },
+ 'SPAMHAUS_DROP' => { 'name' => "Spamhaus Don't Route or Peer
List",
+ 'url' =>
'https://www.spamhaus.org/drop/drop.txt',
+ 'info' =>
'https://www.spamhaus.org/drop/',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '12h',
+ 'category' => 'reputation' },
+ 'SPAMHAUS_EDROP' => { 'name' => "Spamhaus Extended Don't
Route or Peer List",
+ 'url' =>
'https://www.spamhaus.org/drop/edrop.txt',
+ 'info' =>
'https://www.spamhaus.org/drop/',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1h',
+ 'category' => 'reputation' },
+ 'DSHIELD' => { 'name' => 'Dshield.org Recommended
Block List',
+ 'url' =>
'https://www.dshield.org/block.txt',
+ 'info' => 'https://dshield.org/',
+ 'parser' => 'dshield',
+ 'rate' => '1h',
+ 'category' => 'attacker' },
+ 'FEODO_RECOMMENDED'=> {'name' => 'Feodo Trojan IP Blocklist
(Recommended)',
+ 'url' =>
'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt',
+ 'info' =>
'https://feodotracker.abuse.ch/blocklist',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '5m',
+ 'category' => 'c and c' },
+ 'FEODO_IP' => { 'name' => 'Feodo Trojan IP Blocklist',
+ 'url' =>
'https://feodotracker.abuse.ch/downloads/ipblocklist.txt',
+ 'info' =>
'https://feodotracker.abuse.ch/blocklist',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '5m',
+ 'category' => 'c and c',
+ 'disable' => 'FEODO_RECOMMENDED' },
+ 'FEODO_AGGRESIVE' => { 'name' => 'Feodo Trojan IP Blocklist
(Aggresive)',
+ 'url' =>
'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt',
+ 'info' =>
'https://feodotracker.abuse.ch/blocklist',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '5m',
+ 'category' => 'c and c',
+ 'disable' => ['FEODO_IP',
'FEODO_RECOMMENDED'] },
+ 'CIARMY' => { 'name' => 'The CINS Army List',
+ 'url' =>
'https://cinsscore.com/list/ci-badguys.txt',
+ 'info' =>
'https://cinsscore.com/#list',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '15m',
+ 'category' => 'reputation' },
+ 'TOR_ALL' => { 'name' => 'Known TOR Nodes',
+ 'url' =>
'https://www.dan.me.uk/torlist',
+ 'info' =>
'https://www.dan.me.uk/tornodes',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1h',
+ 'category' => 'application',
+ 'disable' => 'TOR_EXIT' },
+ 'TOR_EXIT' => { 'name' => 'Known TOR Exit Nodes',
+ 'url' =>
'https://www.dan.me.uk/torlist/?exit',
+ 'info' =>
'https://www.dan.me.uk/tornodes',
+ 'parser' => 'ip-or-net-list',,
+ 'rate' => '1h',
+ 'category' => 'application' },
+ 'ALIENVAULT' => { 'name' => 'AlienVault IP Reputation
database',
+ 'url' =>
'https://reputation.alienvault.com/reputation.generic',
+ 'info' =>
'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1h',
+ 'category' => 'reputation' },
+ 'BOGON' => { 'name' => 'Bogus address list
(Martian)',
+ 'url' => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt',
+ 'info' => 'https://www.team-cymru.com/bogon-reference.html',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1d',
+ 'category' => 'invalid' },
+ 'BOGON_FULL' => { 'name' => 'Full Bogus Address List',
+ 'url' => 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt',
+ 'info' => 'https://www.team-cymru.com/bogon-reference.html',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '4h',
+ 'category' => 'invalid',
+ 'disable' => 'BOGON' },
+ 'SHODAN' => { 'name' => 'ISC Shodan scanner
blacklist',
+ 'url' =>
'https://isc.sans.edu/api/threatlist/shodan?tab',
+ 'info' => 'https://isc.sans.edu',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '1d',
+ 'category' => 'scanner' },
+ 'BLOCKLIST_DE' => { 'name' => 'Blocklist.de all attacks
list',
+ 'url' =>
'https://lists.blocklist.de/lists/all.txt',
+ 'info' => 'https://www.blocklist.de',
+ 'parser' => 'ip-or-net-list',
+ 'rate' => '30m',
+ 'category' => 'attacker' }
+ );
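Review bot: the header comment lists six allowed values for `category`, but `SPAMHAUS_DROP`, `SPAMHAUS_EDROP`, `CIARMY` and `ALIENVAULT` use `'reputation'`, which is not among them; either add `'reputation'` to the documented set or change those entries, since the WUI is said to use this field. The `disable` field is a plain string in some entries (`'disable' => 'FEODO_RECOMMENDED'`) and an array reference in others (`'disable' => ['FEODO_IP', 'FEODO_RECOMMENDED']`), so every consumer has to handle both shapes; using an array reference throughout would be simpler and less error-prone. Smaller points: `TOR_EXIT` has a doubled comma after `'parser' => 'ip-or-net-list',,` (Perl tolerates it, but it reads as a typo), the header says the file is picked up at `/var/ipfire/blacklist/sources` while the patch installs it under `config/ipblacklist/`, so one of the two paths should be corrected, and "updated" in "internal to the updated" should read "updater", "initself" should read "in itself", and "Aggresive"/`FEODO_AGGRESIVE` is misspelled.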
diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c
new file mode 100644
index 000000000..781bfc55b
--- /dev/null
+++ b/src/misc-progs/getipsetstat.c
@@ -0,0 +1,25 @@
+/* IPFire helper program - GetIPSetStat
+ *
+ * Get the list from IPSET LIST
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+
+int main(void)
+{
+ if (!(initsetuid()))
+ exit(1);
+
+ safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt");
+ safe_system("chown nobody:nobody /var/tmp/ipsets.txt");
+
+ return 0;
+}
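Review bot: `/var/tmp/ipsets.txt` is a fixed filename in a world-writable directory, and this helper runs as root via `initsetuid()`; if the path already exists as a file or symlink owned by another local user, both `ipset list -t -f` and the following `chown` act on whatever it points at. Prefer a directory owned by the service (a subdirectory under `/var/ipfire`, for example, which is an assumption about the layout), or have the helper run `ipset list -t` and let the caller capture stdout, which also removes the need for the `chown`. The return values of both `safe_system` calls are ignored, so a failing `ipset` leaves a stale file that the WUI will present as current; at least propagate the first failure as a non-zero exit. `<string.h>`, `<unistd.h>`, `<sys/types.h>` and `<fcntl.h>` are unused and can be dropped.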
diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctrl.c
new file mode 100644
index 000000000..7536b1e97
--- /dev/null
+++ b/src/misc-progs/ipblacklistctrl.c
@@ -0,0 +1,48 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence. See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+
+ if (!(initsetuid()))
+ exit(1);
+
+ if (argc < 2) {
+ fprintf(stderr, "\nNo argument given.\n"
+ "ipblacklistctrl (update|restore|log-on|log-off|"
+ "enable|disable)\n\n");
+ exit(1);
+ }
+
+ if (strcmp(argv[1], "update") == 0) {
+ safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "restore") == 0) {
+ safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "log-on") == 0) {
+ safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "log-off") == 0) {
+ safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "enable") == 0) {
+ safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "disable") == 0) {
+ safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &");
+ } else {
+ fprintf(stderr, "\nBad argument given.\n"
+ "ipblacklistctrl (update|restore|log-on|log-off|"
+ "enable|disable)\n\n");
+ exit(1);
+ }
+
+ return 0;
+}
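Review bot: every branch backgrounds `/usr/local/bin/ipblacklist ... >/dev/null 2>&1 &`, so `safe_system` returns as soon as the shell has forked and this helper always exits 0, leaving the caller unable to tell a failed `enable`, `disable`, `log-on` or `log-off` from a successful one. Consider running the short actions synchronously and returning the `safe_system` status, keeping `&` only for the potentially long-running `update` and `restore`. The argument check itself is sound: `argv[1]` is only compared against fixed strings and never interpolated into the command line. The six identical branches could be collapsed into a `static const char *verbs[]` table that is searched with `strcmp`, with the matched table entry (not `argv[1]`) used to build the command; that keeps the allow-list in one place when new verbs are added. `<unistd.h>`, `<sys/types.h>` and `<fcntl.h>` are unused.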
--
2.34.1