From patchwork Mon Dec 9 11:42:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 8314 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Y6Kk2201pz3wxg for ; Mon, 9 Dec 2024 11:43:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6Kjx44dYz12m; Mon, 9 Dec 2024 11:43:01 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Y6Kjx1gSKz333Y; Mon, 9 Dec 2024 11:43:01 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Y6Kjv49s9z30VM for ; Mon, 9 Dec 2024 11:42:59 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Y6Kjs64xrzrN; Mon, 9 Dec 2024 11:42:57 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1733744577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2hHY8tgKlnQeOTrYvJHq2AoDgTF9kfZLZtoaM5ti2ls=; b=IUqYPZmO9uf7teDl32Loyxus+HBP73QpaqE12D5nCJ2ZlJAC+zJQa4pXF0SDpFsaO7FC0O ZJZJnMaiBhoT7fDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1733744577; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=2hHY8tgKlnQeOTrYvJHq2AoDgTF9kfZLZtoaM5ti2ls=; b=FC+29KIQ7J7VuepFSnUAwRL6f2HAussAouAwslB1jF51lMH0NHXbiXMy6o8LZI3TZu1l3k vU0PgrBLWzAmfE2Y7GAJA7M2Xtw9H5vYIA2M3lf3OmYPbzyPm0OFAo4gHhet04qKZXBO9O N0b/nZFA5hJTlT4eTdoDBdQLYVx5phWT/xq0c2ubm2jguNGH/Sr2OyyUmiwPT9ESsAyd3y SMTKMlRbk64zHV2auiKFHcuTMhRmpfuDjEW18cHPVU7oxhEgVbclGpvPBqh0m2zdtlCEuu eY926gCFE0v6+xcYjQAACYSZaud9cf7t0S/OO81hFPJ7WZidvdJdHz9+P+owXw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/2] sources: Replacement of Feodo Recommended Tracker list to ipblocklist sources file Date: Mon, 9 Dec 2024 12:42:50 +0100 Message-ID: <20241209114251.6249-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: UPKBXELZPG6LWCKQB5DMBKJGNVOLGRTP X-Message-ID-Hash: UPKBXELZPG6LWCKQB5DMBKJGNVOLGRTP X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - FEODO_RECOMMENDED list is still being updated but the number of events can be very low. However as it is still active then it has been added back in as discussed in the Dev Conf Call on Nov 4th. - FEODO_IP list covers any IP that has been detected as a botnet in the last 30 days. This could lead to false positives if the botnet has been fixed within one day of being detected. So it was agreed that this list would stay removed. - FEODO_AGGRESSIVE list contains all IP's that havce ever been detected as botnets since the list was started. It is not intended to be used for blocking as it would have a huge false positive effect. This list will also stay removed as it should not have been included originally. - This patch set adds back in the FEODO_RECOMMENDED list into the sources file and in the associated patch for the update.sh file removes the lines that removed the files related to FEODO_RECOMMENDED. Signed-off-by: Adolf Belka --- config/ipblocklist/sources | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index c2fc40d5b..158c8bc20 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -61,6 +61,12 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'parser' => 'dshield', 'rate' => '1h', 'category' => 'attacker' }, + 'FEODO_RECOMMENDED'=> {'name' => 'Feodo Trojan IP Blocklist (Recommended)', + 'url' => 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt', + 'info' => 'https://feodotracker.abuse.ch/blocklist', + 'parser' => 'ip-or-net-list', + 'rate' => '5m', + 'category' => 'c and c' }, 'CIARMY' => { 'name' => 'The CINS Army List', 'url' => 'https://cinsscore.com/list/ci-badguys.txt', 'info' => 'https://cinsscore.com/#list', From patchwork Mon Dec 9 11:42:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 8315 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Y6Kk83Q3Lz3wxg for ; Mon, 9 Dec 2024 11:43:12 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Y6Kjy41HTz5Y7; Mon, 9 Dec 2024 11:43:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Y6Kjy3J4cz32rB; Mon, 9 Dec 2024 11:43:02 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Y6Kjv6rN4z32rB for ; Mon, 9 Dec 2024 11:42:59 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Y6Kjv3ZsSz12m; Mon, 9 Dec 2024 11:42:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1733744579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4ZEr2tLHpcDGCdSeVHQwZGgV9xYRgd/89HDmUbe8ynQ=; b=0BrP+n8It9O5QfFh9t+PVrkgoJ1q/FSCdmbbJHwWEFwqMteFPwjFF/tsx9z1ZFYT81AUe8 0vlx3SwvU+iGWqAA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1733744579; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4ZEr2tLHpcDGCdSeVHQwZGgV9xYRgd/89HDmUbe8ynQ=; b=MoPiKFyqLTSn3lEezLhVfphmZhpCzjsCRrbZ34UbCHg+hua9IoVEXv1RfFMHvKJfNttusF 12BvEHTLS1UUZGQKClych9vRIx7EwobEamhInM/taTAe6iX6joDLgbsVjhRrgtCboQ6Ucj UFcWxXp7WUNSFZwjI9uv1lNIXmHhwjDnos774AqzgUd/YO3w92b561u9plw+/AUdb7Bha4 aFCzV6Z8I85Ie6c6xM85wj4k9Ty47wxGyHRpOCoLd6jJ69n977VD7sSIsijoEUbu+lu1tH SV/Iv70XF73DtURRb7qWMHs6Fkwt0PgDdT/KAlLvavjbC+0998yXDf2GYEQoPw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 2/2] update.sh: Remove the lines related to FEODO_RECOMMENDED Date: Mon, 9 Dec 2024 12:42:51 +0100 Message-ID: <20241209114251.6249-2-adolf.belka@ipfire.org> In-Reply-To: <20241209114251.6249-1-adolf.belka@ipfire.org> References: <20241209114251.6249-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: GPJCQ3GCDC5YOMQ2QJJRIP4TPKOECRQP X-Message-ID-Hash: GPJCQ3GCDC5YOMQ2QJJRIP4TPKOECRQP X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - This removes the lines related to removing any time entries in the modified file for FEODO_RECOMMENDED. - This also removes the lines realted to removing the blocklists for the FEODO_RECOMMENDED sources from the /var/lib/ipblocklist directory. - This patch will ensure that FEODO_RECOMMENDED stays in place if it was being used. Signed-off-by: Adolf Belka --- config/rootfiles/core/191/update.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/config/rootfiles/core/191/update.sh b/config/rootfiles/core/191/update.sh index f1c254611..366239bdd 100644 --- a/config/rootfiles/core/191/update.sh +++ b/config/rootfiles/core/191/update.sh @@ -36,14 +36,10 @@ done # Extract files extract_files -# Remove any entry for FEODO_RECOMMENDED, FEODO_IP or FEODO_AGGRESSIVE from the ipblocklist +# Remove any entry for FEODO_IP or FEODO_AGGRESSIVE from the ipblocklist # modified file and the associated ipblocklist files from the /var/lib/ipblocklist directory -sed -i '/FEODO_RECOMMENDED=/d' /var/ipfire/ipblocklist/modified sed -i '/FEODO_IP=/d' /var/ipfire/ipblocklist/modified sed -i '/FEODO_AGGRESSIVE=/d' /var/ipfire/ipblocklist/modified -if [ -e /var/lib/ipblocklist/FEODO_RECOMMENDED.conf ]; then - rm /var/lib/ipblocklist/FEODO_RECOMMENDED.conf -fi if [ -e /var/lib/ipblocklist/FEODO_IP.conf ]; then rm /var/lib/ipblocklist/FEODO_IP.conf fi