- The patch for this was created by Stefan Schantl
- Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024.
- Tested on vm system.
- The combined list was removed because it is just the three others which can be selected in the WUI to give the equivalent result.

Created-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/ipblocklist/sources | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 0835c0f9c..69f964dd9 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -124,5 +124,23 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://www.blocklist.de', 'parser' => 'ip-or-net-list', 'rate' => '30m', - 'category' => 'attacker' } + 'category' => 'attacker' }, + '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' } );
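Review bot: Among the three added entries, '3CORESEC_SCAN' is filed under 'category' => 'reputation' while '3CORESEC_SSH' and '3CORESEC_WEB' are 'attacker'; all three come from the same provider and the commit message treats them as the parts of one combined list, so please confirm the split is intended and say why in the log. The log also says the combined list "was removed", yet the only deleted line here is the old closing "'category' => 'attacker' }"; wording such as "was not included" would match what the diff does.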
- Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024.
- Tested on vm system.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/ipblocklist/sources | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 69f964dd9..1cef06dd1 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -142,5 +142,11 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://blacklist.3coresec.net', 'parser' => 'ip-or-net-list', 'rate' => '1d', - 'category' => 'attacker' } + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } );
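Review bot: The new 'ABUSECH_BOTNETC2' entry is named a Botnet C2 list but is given 'category' => 'reputation', whereas a Feodo C2 entry elsewhere in this file uses 'category' => 'c and c'; consider 'c and c' here, or state the reason for 'reputation' in the commit message. The 'info' value also points at the '#botnet-c2-ips-csv' anchor while 'url' fetches sslipblacklist.txt, so the link should describe the text list that is actually downloaded.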
Hi Adolf & Stefan,
I noticed some indentation inconsistencies in this ipblocklist sources file -- some old, some new with this commit. Here is my (perhaps naive) attempt to patch the indentation issues. ---
diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 1cef06dd1..eefd1a8d5 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -36,14 +36,15 @@
package IPblocklist::List;
-our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', +our %sources = ( + 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', 'url' => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules', 'parser' => 'ip-or-net-list', 'rate' => '1h', 'category' => 'composite', 'disable' => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESSIVE', 'SPAMHAUS_DROP', 'DSHIELD'] }, - 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', + 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', 'url' => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost', 'parser' => 'ip-or-net-list', @@ -74,7 +75,7 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '5m', 'category' => 'c and c', 'disable' => 'FEODO_RECOMMENDED' }, - 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', + 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt', 'info' => 'https://feodotracker.abuse.ch/blocklist', 'parser' => 'ip-or-net-list', 
@@ -126,27 +127,27 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '30m', 'category' => 'attacker' }, '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'reputation' }, - '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/http.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, - 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', - 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', - 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', - 'parser' => 'ip-or-net-list', - 'rate' => '5m', - 'category' => 'reputation' } + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 
'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } );
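Review bot: In the last hunk (@@ -126,27 +127,27 @@) the added 'info' => line for 'ABUSECH_BOTNETC2' is split in two, with the URL continuing on a line that carries no '+' prefix, so the patch is corrupt and will not apply. Because the whole change is about indentation, any whitespace rewriting by the mail client also changes its meaning; resend it with git send-email, or attach the file produced by git format-patch, so tabs and line breaks arrive untouched.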
Ugh, obviously I do not know how to get my mail client to send this without making a mess of the patch text 🙁
Okay, if this doesn't work, I'll stop bothering you with this 🙂 --- diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 1cef06dd1..eefd1a8d5 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -36,14 +36,15 @@
package IPblocklist::List;
-our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', +our %sources = ( + 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', 'url' => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules', 'parser' => 'ip-or-net-list', 'rate' => '1h', 'category' => 'composite', 'disable' => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESSIVE', 'SPAMHAUS_DROP', 'DSHIELD'] }, - 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', + 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', 'url' => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt', 'info' => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost', 'parser' => 'ip-or-net-list', @@ -74,7 +75,7 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '5m', 'category' => 'c and c', 'disable' => 'FEODO_RECOMMENDED' }, - 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', + 'FEODO_AGGRESSIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggressive)', 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt', 'info' => 'https://feodotracker.abuse.ch/blocklist', 'parser' => 'ip-or-net-list', 
@@ -126,27 +127,27 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'rate' => '30m', 'category' => 'attacker' }, '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'reputation' }, - '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', - 'url' => 'https://blacklist.3coresec.net/lists/http.txt', - 'info' => 'https://blacklist.3coresec.net', - 'parser' => 'ip-or-net-list', - 'rate' => '1d', - 'category' => 'attacker' }, - 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', - 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', - 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', - 'parser' => 'ip-or-net-list', - 'rate' => '5m', - 'category' => 'reputation' } + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 
'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } );
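Review bot: Ahead of the first hunk (@@ -36,14 +36,15 @@) this resend carries no commit log and no Signed-off-by line, so it cannot be merged as sent even once the whitespace survives transport. For a change that touches every entry from 'EMERGING_FWRULE' to 'ABUSECH_BOTNETC2', add a short log stating that it is whitespace-only with no functional change, plus the sign-off, so a reviewer can check it with a whitespace-ignoring diff.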