From patchwork Sat Feb 12 16:27:15 2022
X-Patchwork-Submitter: Rob Brewer
X-Patchwork-Id: 5147
To: development@lists.ipfire.org
From: Rob Brewer
Subject: [PATCH] Ipblacklist.v3 Ancillary files
Date: Sat, 12 Feb 2022 16:27:15 +0000
Organization: Megadodo Publications
User-Agent: KNode/4.14.10
Hi Michael and Adolf,

This is my first patch to test that I am using git correctly to generate the V3 patches. It should be almost identical to Tim's original Ancillary files patch.

Can you please check that the format is correct and if this is OK I'll proceed to generate the remaining patches.

Rob

From a11e598f9d686ee7010eea89a441bfcc0dd565da Mon Sep 17 00:00:00 2001
From: Rob
Date: Sat, 12 Feb 2022 15:34:01 +0000
Subject: [PATCH] Ipblacklist.v3 Ancillary files

---
 config/ipblacklist/sources       | 138 +++++++++++++++++++++++++++++++
 src/misc-progs/getipsetstat.c    |  25 ++++++
 src/misc-progs/ipblacklistctrl.c |  48 +++++++++++
 3 files changed, 211 insertions(+)
 create mode 100644 config/ipblacklist/sources
 create mode 100644 src/misc-progs/getipsetstat.c
 create mode 100644 src/misc-progs/ipblacklistctrl.c
diff --git a/config/ipblacklist/sources b/config/ipblacklist/sources new file mode 100644 index 000000000..3cfa7f7d4 --- /dev/null +++ b/config/ipblacklist/sources 
@@ -0,0 +1,138 @@ +############################################################################ +# # +# IP Address blacklists for IPFire # +# # +# This file contains a list of blacklist sources that will replace the one # +# internal to the updated if it is found at /var/ipfire/blacklist/sources. # +# The intention is to provide a common source of information for both the # +# updater and WUI. # +# # +# The chains created in the packet filter will be named by the top level # +# key and this will also be used in the log message to identify the reason # +# for the dropped packet. # +# # +# The fields are: # +# # +# name The blacklist's full name # +# url URL of the file containing the list # +# info URL giving information about the source # +# parser The parser function used to extract IP addresses from the # +# downloaded list # +# rate Minimum period between checks for updates. Can be specified in # +# days (d), hours (h) or minutes (m) # +# category Used for documentation on the WUI. Can be one of the following # +# 'application' Potentially unwanted applications # +# 'attacker' Generic source of malicious packets # +# 'c and c' Malware Command and Control source # +# 'composite' Composite of other lists # +# 'invalid' Invalid addresses on the public internet # +# 'scanner' Port scanner that is not initself malicious # +# disable Name of another list to disable if this one is enabled. Used # +# when the other list is a subset of this one. # +# # +# The info and category fields are purely for documentation. 
# +# # +############################################################################ + +%sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklist', + 'url' => 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt', + 'info' => 'https://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules', + 'parser' => 'ip-or-net-list', + 'rate' => '1h', + 'category' => 'composite', + 'disable' => ['FEODO_RECOMMENDED', 'FEODO_IP', 'FEODO_AGGRESIVE', 'SPAMHAUS_DROP', 'DSHIELD'] }, + 'EMERGING_COMPROMISED' => { 'name' => 'Emerging Threats Compromised IPs', + 'url' => 'https://rules.emergingthreats.net/blockrules/compromised-ips.txt', + 'info' => 'https://doc.emergingthreats.net/bin/view/Main/CompromisedHost', + 'parser' => 'ip-or-net-list', + 'rate' => '1h', + 'category' => 'attacker' }, + 'SPAMHAUS_DROP' => { 'name' => "Spamhaus Don't Route or Peer List", + 'url' => 'https://www.spamhaus.org/drop/drop.txt', + 'info' => 'https://www.spamhaus.org/drop/', + 'parser' => 'ip-or-net-list', + 'rate' => '12h', + 'category' => 'reputation' }, + 'SPAMHAUS_EDROP' => { 'name' => "Spamhaus Extended Don't Route or Peer List", + 'url' => 'https://www.spamhaus.org/drop/edrop.txt', + 'info' => 'https://www.spamhaus.org/drop/', + 'parser' => 'ip-or-net-list', + 'rate' => '1h', + 'category' => 'reputation' }, + 'DSHIELD' => { 'name' => 'Dshield.org Recommended Block List', + 'url' => 'https://www.dshield.org/block.txt', + 'info' => 'https://dshield.org/', + 'parser' => 'dshield', + 'rate' => '1h', + 'category' => 'attacker' }, + 'FEODO_RECOMMENDED'=> {'name' => 'Feodo Trojan IP Blocklist (Recommended)', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt', + 'info' => 'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'c and c' }, + 'FEODO_IP' => { 'name' => 'Feodo Trojan IP Blocklist', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt', + 'info' => 
'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'c and c', + 'disable' => 'FEODO_RECOMMENDED' }, + 'FEODO_AGGRESIVE' => { 'name' => 'Feodo Trojan IP Blocklist (Aggresive)', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt', + 'info' => 'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'c and c', + 'disable' => ['FEODO_IP', 'FEODO_RECOMMENDED'] }, + 'CIARMY' => { 'name' => 'The CINS Army List', + 'url' => 'https://cinsscore.com/list/ci-badguys.txt', + 'info' => 'https://cinsscore.com/#list', + 'parser' => 'ip-or-net-list', + 'rate' => '15m', + 'category' => 'reputation' }, + 'TOR_ALL' => { 'name' => 'Known TOR Nodes', + 'url' => 'https://www.dan.me.uk/torlist', + 'info' => 'https://www.dan.me.uk/tornodes', + 'parser' => 'ip-or-net-list', + 'rate' => '1h', + 'category' => 'application', + 'disable' => 'TOR_EXIT' }, + 'TOR_EXIT' => { 'name' => 'Known TOR Exit Nodes', + 'url' => 'https://www.dan.me.uk/torlist/?exit', + 'info' => 'https://www.dan.me.uk/tornodes', + 'parser' => 'ip-or-net-list',, + 'rate' => '1h', + 'category' => 'application' }, + 'ALIENVAULT' => { 'name' => 'AlienVault IP Reputation database', + 'url' => 'https://reputation.alienvault.com/reputation.generic', + 'info' => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputation', + 'parser' => 'ip-or-net-list', + 'rate' => '1h', + 'category' => 'reputation' }, + 'BOGON' => { 'name' => 'Bogus address list (Martian)', + 'url' => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt', + 'info' => 'https://www.team-cymru.com/bogon-reference.html', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'invalid' }, + 'BOGON_FULL' => { 'name' => 'Full Bogus Address List', + 'url' => 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt', + 'info' => 'https://www.team-cymru.com/bogon-reference.html', + 'parser' 
=> 'ip-or-net-list', + 'rate' => '4h', + 'category' => 'invalid', + 'disable' => 'BOGON' }, + 'SHODAN' => { 'name' => 'ISC Shodan scanner blacklist', + 'url' => 'https://isc.sans.edu/api/threatlist/shodan?tab', + 'info' => 'https://isc.sans.edu', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'scanner' }, + 'BLOCKLIST_DE' => { 'name' => 'Blocklist.de all attacks list', + 'url' => 'https://lists.blocklist.de/lists/all.txt', + 'info' => 'https://www.blocklist.de', + 'parser' => 'ip-or-net-list', + 'rate' => '30m', + 'category' => 'attacker' } + ); diff --git a/src/misc-progs/getipsetstat.c b/src/misc-progs/getipsetstat.c new file mode 100644 index 000000000..781bfc55b --- /dev/null +++ b/src/misc-progs/getipsetstat.c @@ -0,0 +1,25 @@ +/* IPFire helper program - GetIPSetStat + * + * Get the list from IPSET LIST + * + */ + +#include +#include +#include +#include +#include +#include +#include "setuid.h" + + +int main(void) +{ + if (!(initsetuid())) + exit(1); + + safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt"); + safe_system("chown nobody:nobody /var/tmp/ipsets.txt"); + + return 0; +} diff --git a/src/misc-progs/ipblacklistctrl.c b/src/misc-progs/ipblacklistctrl.c new file mode 100644 index 000000000..7536b1e97 --- /dev/null +++ b/src/misc-progs/ipblacklistctrl.c 
@@ -0,0 +1,48 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include +#include +#include +#include +#include +#include +#include "setuid.h" + +int main(int argc, char *argv[]) { + + if (!(initsetuid())) + exit(1); + + if (argc < 2) { + fprintf(stderr, "\nNo argument given.\n" + "ipblacklistctrl (update|restore|log-on|log-off|" + "enable|disable)\n\n"); + exit(1); + } + + if (strcmp(argv[1], "update") == 0) { + safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "restore") == 0) { + safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "log-on") == 0) { + safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "log-off") == 0) { + safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "enable") == 0) { + safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &"); + } else if (strcmp(argv[1], "disable") == 0) { + safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &"); + } else { + fprintf(stderr, "\nBad argument given.\n" + "ipblacklistctrl (update|restore|log-on|log-off|" + "enable|disable)\n\n"); + exit(1); + } + + return 0; +}
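Review bot: in the config/ipblacklist/sources hunk the 'category' value 'reputation' used by SPAMHAUS_DROP, SPAMHAUS_EDROP, CIARMY and ALIENVAULT is not one of the categories the file header documents ('application', 'attacker', 'c and c', 'composite', 'invalid', 'scanner'); either add 'reputation' to the header or move those lists to a documented category, otherwise any WUI code that maps this field to a label will fall through on it. In the same hunk 'disable' is a plain string for FEODO_IP, TOR_ALL and BOGON_FULL but an array reference for EMERGING_FWRULE and FEODO_AGGRESIVE, so every consumer has to test ref() before iterating; making it always an arrayref, e.g. 'disable' => ['FEODO_RECOMMENDED'], is simpler and harder to get wrong. Smaller points: the TOR_EXIT entry has a stray double comma after 'ip-or-net-list' (Perl tolerates it, but it reads as an editing slip); 'FEODO_AGGRESIVE' and '(Aggresive)' are misspelled where the URL itself says 'aggressive', and since the top-level key becomes the packet-filter chain name and the log tag this is the moment to fix it, while the file is new; the header comment should read 'internal to the updater' and 'not in itself malicious'; and the header says the override lives at /var/ipfire/blacklist/sources while the file is added under config/ipblacklist/, so please confirm which path the updater actually loads. Finally, because this file is Perl source (%sources = (...)) rather than inert data, whatever loads it executes it; it should be installed root-owned and must not be writable by the user the WUI runs as.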
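Review bot: in the getipsetstat.c hunk a setuid-root helper writes to a fixed, predictable path in the world-writable /var/tmp (safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt")) and then hands the file to nobody with chown. Any local user who can create /var/tmp/ipsets.txt first, including the nobody user the WUI runs as, decides what root opens: with a symlink in place root can overwrite another file and then chown that file to nobody, and with a pre-created regular file the later chown is a no-op on an attacker-owned file. fs.protected_symlinks blunts the symlink case on sticky directories but not the second case, and after the chown nobody can rewrite the file the WUI reads back. Prefer a root-owned, non-world-writable directory (somewhere under /var/ipfire/ or /var/run/), keep the file root-owned and make it world-readable (chmod 644) instead of changing ownership, or have the helper write to stdout and let the CGI read the pipe, which removes the temporary file entirely. Also check the return value of safe_system(): a failed ipset run currently leaves a stale file behind and the helper still exits 0. The file also lacks the GPL header that ipblacklistctrl.c carries.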
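Review bot: in the ipblacklistctrl.c hunk every branch runs the action as "/usr/local/bin/ipblacklist ... >/dev/null 2>&1 &", so the helper returns 0 before the action has run and regardless of whether it succeeded; the CGI calling it cannot report failure, and nothing stops two invocations from overlapping (a 'disable' issued while an 'update' is still running, or two 'update's from a double-click). Either run the command synchronously and return its exit status, or, if the WUI must not block, make sure /usr/local/bin/ipblacklist itself takes a lock and serialises these actions. The strcmp() whitelist ahead of every safe_system() call is the right pattern and is what keeps argv[1] from ever reaching the shell; if the six near-identical branches are collapsed into a table lookup plus snprintf(), keep that whitelist check ahead of the format. Minor: the usage text is duplicated in the argc < 2 and 'Bad argument' branches and could be one static const string, and any arguments after argv[1] are silently ignored.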