From patchwork Mon Jun 24 15:10:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7896 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4W7BHb4PhZz3wxT for ; Mon, 24 Jun 2024 15:11:07 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4W7BHS1pTXz10l; Mon, 24 Jun 2024 15:11:00 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4W7BHR2XKlz33Dy; Mon, 24 Jun 2024 15:10:59 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4W7BHN1l9Qz32n3 for ; Mon, 24 Jun 2024 15:10:56 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4W7BHD5p76z2GP; Mon, 24 Jun 2024 15:10:48 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1719241848; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=WE706DJIv/hkhL6+JzpkkRbjhmBaDU35BkWv9QP4qik=; b=yNLbJu1PWFE6BkWT7A/dGy2KOvllDShriSAFzvLXcJOvmk+2P23Hajr6YThEI/nXx4EwnW ALOlAEmXT+fxZuDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1719241848; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=WE706DJIv/hkhL6+JzpkkRbjhmBaDU35BkWv9QP4qik=; b=lSpFucGQVRQ32eIie34zwDOaUqYeIFKmq1l7A6NEcnGVYbsy2TYkgVbaULJ0I5pwdIjlU5 bbqdJovJYWXAGYvm3Is/uAQsr/SXmYfXoK+pZDonuFWri1GjkzB6JS/Y1gLH23ZrSv8faj daesFoOPdL86Gc4YOliQBQsI898P+FzJ1xK52KrLLt1kNHNkU81l63cDPq0/JjP/OYDtzR DyCOGI7RS7Iqq3k7YutV1o16Szkx2xsBtvUiM5Zw3yhUb3fgs6j5rlrcd1AI38vWQarX1d lWM+uXafa2kgD61bVANLeuza2o4FNc3/Oc9Ap+K1VFI06eRIuE+k4REa0YHxGA== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/2] ipblocklist-sources: Update to include the 3CORESec ip blocklists Date: Mon, 24 Jun 2024 17:10:38 +0200 Message-ID: <20240624151039.51194-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: CIHYWM72KWH5WS7LVPYHM72I63LRLBEF X-Message-ID-Hash: CIHYWM72KWH5WS7LVPYHM72I63LRLBEF X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - The patch for this was created by Stefan Schantl - Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024. - Tested on vm system. - The combined list was removed because it is just the three others which can be selected in the WUI to give the equivalent result. Created-by: Stefan Schantl Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- config/ipblocklist/sources | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 0835c0f9c..69f964dd9 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -124,5 +124,23 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://www.blocklist.de', 'parser' => 'ip-or-net-list', 'rate' => '30m', - 'category' => 'attacker' } + 'category' => 'attacker' }, + '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' } ); From patchwork Mon Jun 24 15:10:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7897 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4W7BHc4PcHz3wyD for ; Mon, 24 Jun 2024 15:11:08 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4W7BHT1xQdz5ny; Mon, 24 Jun 2024 15:11:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4W7BHR47q5z33HT; Mon, 24 Jun 2024 15:10:59 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4W7BHN2FcBz32n3 for ; Mon, 24 Jun 2024 15:10:56 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4W7BHG2PPkz2WK; Mon, 24 Jun 2024 15:10:50 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1719241850; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iWQhDCR9Ifb9bSdpEDtr36850nEogp6VHfndUfwsHW8=; b=X8pm/qw2Ye5DQxTbW+my0auazHQX7VyUzzOJhID5sclIfw3nZIxs1YNPDfKnLoFD/HoteZ 2x6mTCkqSD8ZyxDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1719241850; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=iWQhDCR9Ifb9bSdpEDtr36850nEogp6VHfndUfwsHW8=; b=iMB1p6ONFC1r8RzLisrYI1qVh267BpuYYAuJzFJJRMSyPJzPk/HcKMZei2+Hpjs7hb5aM3 9c/jTIDkPFggkk4na+m65QdADAr78ypYCFfOWReSr2hx3nrf6ryp5GcxWKsalsNvex6zNu B4devNNOSCefd1QcuNtGP4ZvCCGPadOGauJamMKelU2dFfr6yHrUYfE4Pe8b5DiiabBMDM cVKEouaOh0QvzQIFK9MhubZ9v0XB1xMt7sIyQIgOOavPsLoFLbFRh/jeKsXIPDU1Gs1Crf TH/b17UuwiEi1rFnkAdJLt3Q4J/wPaY2I29CI+MqhD1S3eImbTgpecgw/r/hOQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 2/2] ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist Date: Mon, 24 Jun 2024 17:10:39 +0200 Message-ID: <20240624151039.51194-2-adolf.belka@ipfire.org> In-Reply-To: <20240624151039.51194-1-adolf.belka@ipfire.org> References: <20240624151039.51194-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: O5WLV7SQO5FB7WLRFAUZZWRVL4Q4V75K X-Message-ID-Hash: O5WLV7SQO5FB7WLRFAUZZWRVL4Q4V75K X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024. - Tested on vm system. Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- config/ipblocklist/sources | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 69f964dd9..1cef06dd1 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -142,5 +142,11 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://blacklist.3coresec.net', 'parser' => 'ip-or-net-list', 'rate' => '1d', - 'category' => 'attacker' } + 'category' => 'attacker' }, + 'ABUSECH_BOTNETC2' => { 'name' => 'ABUSE.ch Botnet C2 IP Blocklist', + 'url' => 'https://sslbl.abuse.ch/blacklist/sslipblacklist.txt', + 'info' => 'https://sslbl.abuse.ch/blacklist#botnet-c2-ips-csv', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'reputation' } );