getipsetstat Gets information on IPSETs for WUI ipblacklistctrl Allows WUI to call main script as root sources List of blacklists used by main script and WUI
Signed-off-by: Tim FitzGeorge ipfr@tfitzgeorge.me.uk --- config/ipblacklist/sources | 151 +++++++++++++++++++++++++++++++++++++++ src/misc-progs/getipsetstat.c | 28 ++++++++ src/misc-progs/ipblacklistctrl.c | 52 ++++++++++++++ 3 files changed, 231 insertions(+) create mode 100644 config/ipblacklist/sources create mode 100644 src/misc-progs/getipsetstat.c create mode 100644 src/misc-progs/ipblacklistctrl.c
diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources new file mode 100644 index 000000000..ab991e12a --- /dev/null +++ b/config/ipblacklist/sources @@ -0,0 +1,151 @@ +############################################################################ +# # +# IP Address blacklists for IPFire # +# # +# This file contains a list of blacklist sources that will replace the one # +# internal to the updated if it is found at /var/ipfire/blacklist/sources. # +# The intention is to provide a common source of information for both the # +# updater and WUI. # +# # +# The chains created in the packet filter will be named by the top level # +# key and this will also be used in the log message to identify the reason # +# for the dropped packet. # +# # +# The fields are: # +# # +# name The blacklist's full name # +# url URL of the file containing the list # +# info URL giving information about the source # +# parser The parser function used to extract IP addresses from the # +# downloaded list # +# method Method used to download updates. # +# rate Minimum number of hours between checks for updates # +# safe 'yes' if the list is unlikely to contain addresses that can be # +# used for legitimate traffic, or 'no' otherwise # +# disable Name of another list to disable if this one is enabled. Used # +# when the other list is a subset of this one. # +# # +# The info and safe fields are purely for documentation. # +# # +# Note that the Emerging Threats blacklist is a composite list containing # +# addresses from some of the other lists. It is unnecessary to enable # +# this list if the other lists are enabled. # +# # +############################################################################ + +%sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', + 'url' => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt', + 'info' => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', + 'url' => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt', + 'info' => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'SPAMHAUS_DROP' => { 'name' => "Spamhaus Don't Route or Peer List", + 'url' => 'https://www.spamhaus.org/drop/drop.txt', + 'info' => 'https://www.spamhaus.org/drop/', + 'parser' => 'text-with-semicolon-comments', + 'method' => 'check-header-time', + 'rate' => 12, + 'safe' => 'yes' }, + 'SPAMHAUS_EDROP' => { 'name' => "Spamhaus Extended Don't Route or Peer List", + 'url' => 'https://www.spamhaus.org/drop/edrop.txt', + 'info' => 'https://www.spamhaus.org/drop/', + 'parser' => 'text-with-semicolon-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'DSHIELD' => { 'name' => 'Dshield.org Recommended Block List', + 'url' => 'https://www.dshield.org/block.txt', + 'info' => 'https://dshield.org/', + 'parser' => 'dshield', + 'method' => 'check-header-time', + 'rate' => 2, + 'safe' => 'no' }, + 'FEODO_IP' => { 'name' => 'Feodo Trojan IP Blocklist', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt', + 'info' => 'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'FEODO_AGGRESIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggresive)', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt', + 'info' => 'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no', + 'disable' => 'FEODO_IP' }, + 'ABUSE_CH' => { 'name' => 'Abuse.ch Ransomware C&C Blocklist', + 'url' => 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt', + 'info' => 'https://ransomwaretracker.abuse.ch/blocklist/', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'CIARMY' => { 'name' => 'The CINS Army List', + 'url' => 'https://cinsscore.com/list/ci-badguys.txt', + 'info' => 'https://cinsscore.com/#list', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'TOR_ALL' => { 'name' => 'Known TOR Nodes', + 'url' => 'https://www.dan.me.uk/torlist', + 'info' => 'https://www.dan.me.uk/tornodes', + 'parser' => 'text-with-hash-comments', + 'method' => 'wget', + 'rate' => 1, + 'safe' => 'no', + 'disable' => 'TOR_EXIT' }, + 'TOR_EXIT' => { 'name' => 'Known TOR Exit Nodes', + 'url' => 'https://www.dan.me.uk/torlist/?exit', + 'info' => 'https://www.dan.me.uk/tornodes', + 'parser' => 'text-with-hash-comments', + 'method' => 'wget', + 'rate' => 1, + 'safe' => 'no' }, + 'TALOS_MALICIOUS' => { 'name' => 'Talos Malicious hosts list', + 'url' => 'https://www.talosintelligence.com/documents/ip-blacklist', + 'info' => 'https://www.talosintelligence.com/reputation', + 'parser' => 'text-with-hash-comments', + 'method' => 'wget', + 'rate' => 24, + 'safe' => 'no' }, + 'ALIENVAULT' => { 'name' => 'AlienVault IP Reputation database', + 'url' => 'https://reputation.alienvault.com/reputation.generic', + 'info' => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputati...', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 1, + 'safe' => 'no' }, + 'BOGON' => { 'name' => 'Bogus address list (Martian)', + 'url' => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt', + 'info' => 'https://www.team-cymru.com/bogon-reference.html', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 24, + 'safe' => 'yes' }, + 'BOGON_FULL' => { 'name' => 'Full Bogus Address List', + 'url' => 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt', + 'info' => 'https://www.team-cymru.com/bogon-reference.html', + 'parser' => 'text-with-hash-comments', + 'method' => 'check-header-time', + 'rate' => 24, + 'safe' => 'yes', + 'disable' => 'BOGON' }, + 'SHODAN' => { 'name' => 'ISC Shodan scanner blacklist', + 'url' => 'https://isc.sans.edu/api/threatlist/shodan?tab', + 'info' => 'https://isc.sans.edu', + 'parser' => 'text-with-hash-comments', + 'method' => 'wget', + 'rate' => 24, + 'safe' => 'no' } + ); diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c new file mode 100644 index 000000000..aee79542a --- /dev/null +++ b/src/misc-progs/getipsetstat.c @@ -0,0 +1,28 @@ +/* IPFire helper program - GetIPSetStat + * + * Get the list from IPSET LIST + * + */ + +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <stdlib.h> +#include <sys/types.h> +#include <fcntl.h> +#include "setuid.h" + + +int main(void) +{ + if (!(initsetuid())) + exit(1); + + safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt"); + safe_system("chown nobody:nobody /var/tmp/ipsets.txt"); + + safe_system("/usr/sbin/ipset list AUTOBLACKLIST -q -f /var/tmp/autoblacklist.txt"); + safe_system("chown -f nobody:nobody /var/tmp/autoblacklist.txt"); + + return 0; +} diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctrl.c new file mode 100644 index 000000000..506fa2f46 --- /dev/null +++ b/src/misc-progs/ipblacklistctrl.c @@ -0,0 +1,52 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <fcntl.h> +#include "setuid.h" + +int main(int argc, char *argv[]) { + + if (!(initsetuid())) + exit(1); + + if (argc < 2) { + fprintf(stderr, "\nNo argument given.\n" + "ipblacklistctrl (update|restore|log-on|log-off|" + "enable|disable|autoblacklist-update|autoblacklist-clear)\n\n"); + exit(1); + } + + if (strcmp(argv[1], "update") == 0) { + safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "restore") == 0) { + safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "log-on") == 0) { + safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "log-off") == 0) { + safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "enable") == 0) { + safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "disable") == 0) { + safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "autoblacklist-update") == 0) { + safe_system("/usr/local/bin/ipblacklist autoblacklist-update >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "autoblacklist-clear") == 0) { + safe_system("/usr/local/bin/ipblacklist autoblacklist-clear >/dev/null 2>&1 &"); + } else { + fprintf(stderr, "\nBad argument given.\n" + "ipblacklistctrl (update|restore|log-on|log-off|" + "enable|disable|autoblacklist-update|autoblacklist-clear)\n\n"); + exit(1); + } + + return 0; +}