From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rob Brewer
To: development@lists.ipfire.org
Subject: [PATCH] Ipblacklist.v3 Ancillary files
Date: Sat, 12 Feb 2022 16:27:15 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6545876977163402905=="
List-Id:
--===============6545876977163402905==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Hi Michael and Adolf, This is my first patch to test that I am using git correctly to generate the = V3=20 patches. It should be almost identical Tim's original Ancillary files patch. Can you please check that the format is correct and if this is OK I'll procee= d=20 to generate the remaining patches.
Rob
>>From a11e598f9d686ee7010eea89a441bfcc0dd565da Mon Sep 17 00:00:00 2001
From: Rob
Date: Sat, 12 Feb 2022 15:34:01 +0000
Subject: [PATCH] Ipblacklist.v3 Ancillary files
---
config/ipblacklist/sources | 138 +++++++++++++++++++++++++++++++
src/misc-progs/getipsetstat.c | 25 ++++++
src/misc-progs/ipblacklistctrl.c | 48 +++++++++++
3 files changed, 211 insertions(+)
create mode 100644 config/ipblacklist/sources
create mode 100644 src/misc-progs/getipsetstat.c
create mode 100644 src/misc-progs/ipblacklistctrl.c
diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources
new file mode 100644
index 000000000..3cfa7f7d4
--- /dev/null
+++ b/config/ipblacklist/sources
@@ -0,0 +1,138 @@
+############################################################################
+# #
+# IP Address blacklists for IPFire #
+# #
+# This file contains a list of blacklist sources that will replace the one #
+# internal to the updated if it is found at /var/ipfire/blacklist/sources. #
+# The intention is to provide a common source of information for both the #
+# updater and WUI. #
+# #
+# The chains created in the packet filter will be named by the top level #
+# key and this will also be used in the log message to identify the reason #
+# for the dropped packet. #
+# #
+# The fields are: #
+# #
+# name The blacklist's full name #
+# url URL of the file containing the list #
+# info URL giving information about the source #
+# parser The parser function used to extract IP addresses from the #
+# downloaded list #
+# rate Minimum period between checks for updates. Can be specified in #
+# days (d), hours (h) or minutes (m) #
+# category Used for documentation on the WUI. Can be one of the following #
+# 'application' Potentially unwanted applications #
+# 'attacker' Generic source of malicious packets #
+# 'c and c' Malware Command and Control source #
+# 'composite' Composite of other lists #
+# 'invalid' Invalid addresses on the public internet #
+# 'scanner' Port scanner that is not initself malicious #
+# disable Name of another list to disable if this one is enabled. Used #
+# when the other list is a subset of this one. #
+# #
+# The info and category fields are purely for documentation.
#
+# #
+############################################################################
+
+%sources =3D ( 'EMERGING_FWRULE' =3D> { 'name' =3D> 'Emerging Threats Bl= ocklist',
+ 'url' =3D>=20 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt',
+ 'info' =3D>=20 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1h',
+ 'category' =3D> 'composite',
+ 'disable' =3D> ['FEODO_RECOMMENDED',=20 'FEODO_IP', 'FEODO_AGGRESIVE', 'SPAMHAUS_DROP', 'DSHIELD'] },
+ 'EMERGING_COMPROMISED' =3D> { 'name' =3D> 'Emerging Threats=20 Compromised IPs',
+ 'url' =3D>=20 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt',
+ 'info' =3D>=20 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1h',
+ 'category' =3D> 'attacker' },
+ 'SPAMHAUS_DROP' =3D> { 'name' =3D> "Spamhaus Don't Route = or Peer=20 List",
+ 'url' =3D>=20 'https://www.spamhaus.org/drop/drop.txt',
+ 'info' =3D>=20 'https://www.spamhaus.org/drop/',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '12h',
+ 'category' =3D> 'reputation' },
+ 'SPAMHAUS_EDROP' =3D> { 'name' =3D> "Spamhaus Extended Don= 't=20 Route or Peer List",
+ 'url' =3D>=20 'https://www.spamhaus.org/drop/edrop.txt',
+ 'info' =3D>=20 'https://www.spamhaus.org/drop/',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1h',
+ 'category' =3D> 'reputation' },
+ 'DSHIELD' =3D> { 'name' =3D> 'Dshield.org Recommend= ed=20 Block List',
+ 'url' =3D>=20 'https://www.dshield.org/block.txt',
+ 'info' =3D> 'https://dshield.org/',
+ 'parser' =3D> 'dshield',
+ 'rate' =3D> '1h',
+ 'category' =3D> 'attacker' },
+ 'FEODO_RECOMMENDED'=3D> {'name' =3D> 'Feodo Trojan IP Block= list=20 (Recommended)',
+ 'url' =3D>=20 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt',
+ 'info' =3D>=20 'https://feodotracker.abuse.ch/blocklist',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '5m',
+ 'category' =3D> 'c and c' },
+
'FEODO_IP' =3D> { 'name' =3D> 'Feodo Trojan IP Block= list',
+ 'url' =3D>=20 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt',
+ 'info' =3D>=20 'https://feodotracker.abuse.ch/blocklist',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '5m',
+ 'category' =3D> 'c and c',
+ 'disable' =3D> 'FEODO_RECOMMENDED' },
+ 'FEODO_AGGRESIVE' =3D> { 'name' =3D> 'Feodo Trojan IP Block= list=20 (Aggresive)',
+ 'url' =3D>=20 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt',
+ 'info' =3D>=20 'https://feodotracker.abuse.ch/blocklist',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '5m',
+ 'category' =3D> 'c and c',
+ 'disable' =3D> ['FEODO_IP',=20 'FEODO_RECOMMENDED'] },
+ 'CIARMY' =3D> { 'name' =3D> 'The CINS Army List',
+ 'url' =3D>=20 'https://cinsscore.com/list/ci-badguys.txt',
+ 'info' =3D>=20 'https://cinsscore.com/#list',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '15m',
+ 'category' =3D> 'reputation' },
+ 'TOR_ALL' =3D> { 'name' =3D> 'Known TOR Nodes',
+ 'url' =3D>=20 'https://www.dan.me.uk/torlist',
+ 'info' =3D>=20 'https://www.dan.me.uk/tornodes',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1h',
+ 'category' =3D> 'application',
+ 'disable' =3D> 'TOR_EXIT' },
+ 'TOR_EXIT' =3D> { 'name' =3D> 'Known TOR Exit Nodes',
+ 'url' =3D>=20 'https://www.dan.me.uk/torlist/?exit',
+ 'info' =3D>=20 'https://www.dan.me.uk/tornodes',
+ 'parser' =3D> 'ip-or-net-list',,
+ 'rate' =3D> '1h',
+ 'category' =3D> 'application' },
+ 'ALIENVAULT' =3D> { 'name' =3D> 'AlienVault IP Reputat= ion=20 database',
+ 'url' =3D>=20 'https://reputation.alienvault.com/reputation.generic',
+ 'info' =3D>=20 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputati= on',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1h',
+ 'category' =3D> 'reputation' },
+ 'BOGON' =3D> { 'name' =3D> 'Bogus address list=20 (Martian)',
+ 'url' =3D> 'https://www.team-cymru.= org/Services/Bogons/bogon-bn-agg.txt',
+ 'info' =3D> 'https://www.team-cymru.=
com/bogon-reference.html',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1d',
+ 'category' =3D> 'invalid' },
+ 'BOGON_FULL' =3D> { 'name' =3D> 'Full Bogus Address Li= st',
+ 'url' =3D> 'https://www.team-cymru.= org/Services/Bogons/fullbogons-ipv4.txt',
+ 'info' =3D> 'https://www.team-cymru.= com/bogon-reference.html',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '4h',
+ 'category' =3D> 'invalid',
+ 'disable' =3D> 'BOGON' },
+ 'SHODAN' =3D> { 'name' =3D> 'ISC Shodan scanner=20 blacklist',
+ 'url' =3D>=20 'https://isc.sans.edu/api/threatlist/shodan?tab',
+ 'info' =3D> 'https://isc.sans.edu',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '1d',
+ 'category' =3D> 'scanner' },
+ 'BLOCKLIST_DE' =3D> { 'name' =3D> 'Blocklist.de all atta= cks=20 list',
+ 'url' =3D>=20 'https://lists.blocklist.de/lists/all.txt',
+ 'info' =3D> 'https://www.blocklist.d= e',
+ 'parser' =3D> 'ip-or-net-list',
+ 'rate' =3D> '30m',
+ 'category' =3D> 'attacker' }
+ );
diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c
new file mode 100644
index 000000000..781bfc55b
--- /dev/null
+++ b/src/misc-progs/getipsetstat.c
@@ -0,0 +1,25 @@
+/* IPFire helper program - GetIPSetStat
+ *
+ * Get the list from IPSET LIST
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "setuid.h"
+
+
+int main(void)
+{
+ if (!(initsetuid()))
+ exit(1);
+
+ safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt");
+ safe_system("chown nobody:nobody /var/tmp/ipsets.txt");
+
+ return 0;
+}
diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctr= l.c
new file mode 100644
index 000000000..7536b1e97
--- /dev/null
+++ b/src/misc-progs/ipblacklistctrl.c
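Review bot: Four entries (SPAMHAUS_DROP, SPAMHAUS_EDROP, CIARMY, ALIENVAULT) use `'category' => 'reputation'`, a value the header comment's category list does not define, so the WUI documentation and the data already disagree; either add a line such as `#   'reputation'   Addresses with a poor reputation score   #` to the header or move those entries to a documented category. The TOR_EXIT entry has a doubled comma after `'ip-or-net-list'`; Perl tolerates the empty list element, but it reads as a typo and should be `'parser' => 'ip-or-net-list',`. The header states the file is looked for at /var/ipfire/blacklist/sources while the commit adds it under config/ipblacklist/, so it is worth confirming that the installed path and the directory name agree. Minor wording in the header: `initself` should be `in itself` and `internal to the updated` should be `internal to the updater`; the `(Aggresive)` display name is also misspelled, though the FEODO_AGGRESIVE key itself is referenced by other entries' `disable` fields and should stay as is.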
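Review bot: `ipset list -t -f /var/tmp/ipsets.txt` runs as root after `initsetuid()` and writes to a fixed filename in a world-writable directory, then `chown`s it to nobody, which is the insecure-temporary-file pattern: a file or symlink already present at that path would be followed by the root-owned write. The output should go to a directory only root can write to (for example the project's own state directory, `/var/ipfire/<ipblacklist-dir>/ipsets.txt` as a placeholder) or the path should be removed and re-created before `ipset` writes it. Neither `safe_system()` result is checked, so a failed `ipset` run still exits 0 and leaves a stale or missing file; if `safe_system()` returns the child's status as the other misc-progs helpers do, `if (safe_system(...) != 0) exit(1);` on each call lets the WUI caller notice. The header comment `Get the list from IPSET LIST` would be more useful as `/* Dump the headers (-t) of all ipset sets to a file the WUI can read */`.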
@@ -0,0 +1,48 @@
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence. See the file COPYING for details.
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+
+ if (!(initsetuid()))
+ exit(1);
+
+ if (argc < 2) {
+ fprintf(stderr, "\nNo argument given.\n"
+ "ipblacklistctrl (update|restore|log-on|log-off|"
+ "enable|disable)\n\n");
+ exit(1);
+ }
+
+ if (strcmp(argv[1], "update") =3D=3D 0) {
+ safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "restore") =3D=3D 0) {
+ safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "log-on") =3D=3D 0) {
+ safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "log-off") =3D=3D 0) {
+ safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "enable") =3D=3D 0) {
+ safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &");
+ } else if (strcmp(argv[1], "disable") =3D=3D 0) {
+ safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &");
+ } else {
+ fprintf(stderr, "\nBad argument given.\n"
+ "ipblacklistctrl (update|restore|log-on|log-off|"
+ "enable|disable)\n\n");
+ exit(1);
+ }
+
+ return 0;
+}
--=20
2.34.1 x
--===============6545876977163402905==--
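Review bot: The six `strcmp`/`safe_system` branches differ only in the action word, and the usage text is spelled out twice (in the missing-argument and the bad-argument branches); a table of allowed actions with one `snprintf` into a fixed buffer, formatting the matched table entry rather than `argv[1]` so nothing user-supplied ever reaches the shell, keeps the same behaviour with far less duplication. Every command is backgrounded with `&`, so `safe_system()` can only report that the shell forked and `return 0` never reflects whether `ipblacklist` itself succeeded; if that fire-and-forget contract is intended it deserves a comment such as `/* backgrounded so the WUI does not block; the result is not reported back */`. A sketch of the table-driven form follows.

```c
static const char *const actions[] = {
	"update", "restore", "log-on", "log-off", "enable", "disable"
};
static const char usage[] =
	"ipblacklistctrl (update|restore|log-on|log-off|enable|disable)\n\n";

int main(int argc, char *argv[]) {
	// … unchanged: initsetuid() check …
	if (argc < 2) {
		fprintf(stderr, "\nNo argument given.\n%s", usage);
		exit(1);
	}
	for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++) {
		if (strcmp(argv[1], actions[i]) == 0) {
			char cmd[128];
			/* the validated table entry, never argv[1], is what reaches the shell */
			snprintf(cmd, sizeof cmd,
			         "/usr/local/bin/ipblacklist %s >/dev/null 2>&1 &", actions[i]);
			safe_system(cmd);
			return 0;
		}
	}
	fprintf(stderr, "\nBad argument given.\n%s", usage);
	exit(1);
}
```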