[v2,6/8] ipblacklist: Ancillary files

Message ID 20200427143123.6378-7-ipfr@tfitzgeorge.me.uk
State New
Headers show
Series ipblacklist: IP Address Blacklists | expand

Commit Message

Tim FitzGeorge April 27, 2020, 2:31 p.m. UTC
getipsetstat     Gets information on IPSETs for WUI
ipblacklistctrl  Allows WUI to call main script as root
sources          List of blacklists used by main script and WUI

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
---
 config/ipblacklist/sources       | 138 +++++++++++++++++++++++++++++++++++++++
 src/misc-progs/getipsetstat.c    |  25 +++++++
 src/misc-progs/ipblacklistctrl.c |  48 ++++++++++++++
 3 files changed, 211 insertions(+)
 create mode 100644 config/ipblacklist/sources
 create mode 100644 src/misc-progs/getipsetstat.c
 create mode 100644 src/misc-progs/ipblacklistctrl.c

Patch

diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources
new file mode 100644
index 000000000..3cfa7f7d4
--- /dev/null
+++ b/config/ipblacklist/sources
@@ -0,0 +1,138 @@ 
+############################################################################
+#                                                                          #
+# IP Address blacklists for IPFire                                         #
+#                                                                          #
+# This file contains a list of blacklist sources that will replace the one #
+# internal to the updated if it is found at /var/ipfire/blacklist/sources. #
+# The intention is to provide a common source of information for both the  #
+# updater and WUI.                                                         #
+#                                                                          #
+# The chains created in the packet filter will be named by the top level   #
+# key and this will also be used in the log message to identify the reason #
+# for the dropped packet.                                                  #
+#                                                                          #
+# The fields are:                                                          #
+#                                                                          #
+# name     The blacklist's full name                                       #
+# url      URL of the file containing the list                             #
+# info     URL giving information about the source                         #
+# parser   The parser function used to extract IP addresses from the       #
+#          downloaded list                                                 #
+# rate     Minimum period between checks for updates. Can be specified in  #
+#          days (d), hours (h) or minutes (m)                              #
+# category Used for documentation on the WUI.  Can be one of the following #
+#          'application'  Potentially unwanted applications                #
+#          'attacker'     Generic source of malicious packets              #
+#          'c and c'      Malware Command and Control source               #
+#          'composite'    Composite of other lists                         #
+#          'invalid'      Invalid addresses on the public internet         #
+#          'scanner'      Port scanner that is not initself malicious      #
+# disable  Name of another list to disable if this one is enabled.  Used   #
+#          when the other list is a subset of this one.                    #
+#                                                                          #
+# The info and category fields are purely for documentation.               #
+#                                                                          #
+############################################################################
+
+%sources = ( 'EMERGING_FWRULE' => { 'name'     => 'Emerging Threats Blocklist',
+                                    'url'      => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt',
+                                    'info'     => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1h',
+                                    'category' => 'composite',
+                                    'disable'  => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESIVE', 'SPAMHAUS_DROP', 'DSHIELD'] },
+             'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs',
+                                    'url'      => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt',
+                                    'info'     => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1h',
+                                    'category' => 'attacker' },
+             'SPAMHAUS_DROP'   => { 'name'     => "Spamhaus Don't Route or Peer List",
+                                    'url'      => 'https://www.spamhaus.org/drop/drop.txt',
+                                    'info'     => 'https://www.spamhaus.org/drop/',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '12h',
+                                    'category' => 'reputation' },
+             'SPAMHAUS_EDROP'  => { 'name'     => "Spamhaus Extended Don't Route or Peer List",
+                                    'url'      => 'https://www.spamhaus.org/drop/edrop.txt',
+                                    'info'     => 'https://www.spamhaus.org/drop/',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1h',
+                                    'category' => 'reputation' },
+             'DSHIELD'         => { 'name'     => 'Dshield.org Recommended Block List',
+                                    'url'      => 'https://www.dshield.org/block.txt',
+                                    'info'     => 'https://dshield.org/',
+                                    'parser'   => 'dshield',
+                                    'rate'     => '1h',
+                                    'category' => 'attacker' },
+             'FEODO_RECOMMENDED'=> {'name'     => 'Feodo Trojan IP Blocklist (Recommended)',
+                                    'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt',
+                                    'info'     => 'https://feodotracker.abuse.ch/blocklist',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '5m',
+                                    'category' => 'c and c' },
+             'FEODO_IP'        => { 'name'     => 'Feodo Trojan IP Blocklist',
+                                    'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt',
+                                    'info'     => 'https://feodotracker.abuse.ch/blocklist',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '5m',
+                                    'category' => 'c and c',
+                                    'disable'  => 'FEODO_RECOMMENDED' },
+             'FEODO_AGGRESIVE' => { 'name'     => 'Feodo Trojan IP Blocklist (Aggresive)',
+                                    'url'      => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt',
+                                    'info'     => 'https://feodotracker.abuse.ch/blocklist',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '5m',
+                                    'category' => 'c and c',
+                                    'disable'  => ['FEODO_IP', 'FEODO_RECOMMENDED'] },
+             'CIARMY'          => { 'name'     => 'The CINS Army List',
+                                    'url'      => 'https://cinsscore.com/list/ci-badguys.txt',
+                                    'info'     => 'https://cinsscore.com/#list',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '15m',
+                                    'category' => 'reputation' },
+             'TOR_ALL'         => { 'name'     => 'Known TOR Nodes',
+                                    'url'      => 'https://www.dan.me.uk/torlist',
+                                    'info'     => 'https://www.dan.me.uk/tornodes',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1h',
+                                    'category' => 'application',
+                                    'disable'  => 'TOR_EXIT' },
+             'TOR_EXIT'        => { 'name'     => 'Known TOR Exit Nodes',
+                                    'url'      => 'https://www.dan.me.uk/torlist/?exit',
+                                    'info'     => 'https://www.dan.me.uk/tornodes',
+                                    'parser'   => 'ip-or-net-list',,
+                                    'rate'     => '1h',
+                                    'category' => 'application' },
+             'ALIENVAULT'      => { 'name'     => 'AlienVault IP Reputation database',
+                                    'url'      => 'https://reputation.alienvault.com/reputation.generic',
+                                    'info'     => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1h',
+                                    'category' => 'reputation' },
+             'BOGON'           => { 'name'     => 'Bogus address list (Martian)',
+                                    'url'      => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt',
+                                    'info'     => 'https://www.team-cymru.com/bogon-reference.html',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1d',
+                                    'category' => 'invalid' },
+             'BOGON_FULL'      => { 'name'     => 'Full Bogus Address List',
+                                    'url'      => 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt',
+                                    'info'     => 'https://www.team-cymru.com/bogon-reference.html',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '4h',
+                                    'category' => 'invalid',
+                                    'disable'  => 'BOGON' },
+             'SHODAN'          => { 'name'     => 'ISC Shodan scanner blacklist',
+                                    'url'      => 'https://isc.sans.edu/api/threatlist/shodan?tab',
+                                    'info'     => 'https://isc.sans.edu',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '1d',
+                                    'category' => 'scanner' },
+             'BLOCKLIST_DE'    => { 'name'     => 'Blocklist.de all attacks list',
+                                    'url'      => 'https://lists.blocklist.de/lists/all.txt',
+                                    'info'     => 'https://www.blocklist.de',
+                                    'parser'   => 'ip-or-net-list',
+                                    'rate'     => '30m',
+                                    'category' => 'attacker' }
+           );
diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c
new file mode 100644
index 000000000..781bfc55b
--- /dev/null
+++ b/src/misc-progs/getipsetstat.c
@@ -0,0 +1,25 @@ 
+/* IPFire helper program - GetIPSetStat
+ *
+ * Get the list from IPSET LIST
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+
+int main(void)
+{
+	if (!(initsetuid()))
+		exit(1);
+
+	safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt");
+	safe_system("chown nobody:nobody /var/tmp/ipsets.txt");
+
+	return 0;
+}
diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctrl.c
new file mode 100644
index 000000000..7536b1e97
--- /dev/null
+++ b/src/misc-progs/ipblacklistctrl.c
@@ -0,0 +1,48 @@ 
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence.  See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+
+    if (!(initsetuid()))
+        exit(1);
+
+    if (argc < 2) {
+        fprintf(stderr, "\nNo argument given.\n"
+                "ipblacklistctrl (update|restore|log-on|log-off|"
+                "enable|disable)\n\n");
+        exit(1);
+    }
+
+    if (strcmp(argv[1], "update") == 0) {
+        safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "restore") == 0) {
+        safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "log-on") == 0) {
+        safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "log-off") == 0) {
+        safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "enable") == 0) {
+        safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &");
+    } else if (strcmp(argv[1], "disable") == 0) {
+        safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &");
+    } else {
+        fprintf(stderr, "\nBad argument given.\n"
+                "ipblacklistctrl (update|restore|log-on|log-off|"
+                "enable|disable)\n\n");
+        exit(1);
+    }
+
+    return 0;
+}