FireHOL Block List ( Botnets, Attacks, Malware....)

Started by yeraycito, June 08, 2020, 06:46:36 PM

Quote from: Julien on November 20, 2021, 11:29:59 PM
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
Neither Level 2 nor Level 3 contains bogons; it's Level 1.

Quote from: br0ken.pipe on November 21, 2021, 11:27:50 AM
Yes, lots of lists contain bogons. I combine all lists into one and remove all bogons afterwards. You can get all bogons (IPv4 and IPv6) with this regex:

BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX"   # -P: Perl-compatible regex, -o: print only the matched address/prefix


Do you mind explaining how you do that?

I have an alias with all my lists, but no idea how/where to insert the regex, thanks.

Quote from: hushcoden on November 21, 2021, 05:57:31 PM

Do you mind explaining how you do that?

I have an alias with all my lists, but no idea how/where to insert the regex, thanks.


Unfortunately you can't insert the regex in OPNsense. I use a bash script to merge several ipset lists on another server; in OPNsense I only set the HTTP address of the processed and clean list.

With this example you can remove the bogons from a larger list:

#!/bin/bash

BLOCKLIST="/tmp/ipsets.txt"
BLOCKLIST_TMP="/tmp/ipsets_tmp.txt"
BOGONS="/tmp/bogons.txt"

# PCRE (used with grep -P below) matching 0/8, 10/8, 127/8, 172.16/12, 192.168/16, 169.254/16,
# ::1, fc00::/7 (ULA) and fe80::/10 (link-local), each with an optional "/prefixlen" suffix
BOGON_REGEX="\b(127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|0?0\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|::1|[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7})(?:\/([789]|1?[0-9]{2}))?\b"


# Firehol
# Note: -k disables TLS certificate verification; raw.githubusercontent.com serves a valid
# certificate, so the flag can be dropped to avoid silently accepting a spoofed download
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset >"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset >>"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset >>"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset >>"$BLOCKLIST"

# Spamhaus
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset >>"$BLOCKLIST"
curl -k https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset >>"$BLOCKLIST"

# ...


# Remove BOGON IPs
# dedupe and sort the merged list (comm below requires both inputs to be sorted the same way)
cat "$BLOCKLIST" | sort | uniq > "$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
# extract every bogon entry into its own sorted file; -o prints only the matched part,
# which equals the whole line because .netset files carry one bare address/CIDR per line
cat "$BLOCKLIST" | grep -Po "$BOGON_REGEX" | sort | uniq > "$BOGONS"
# show what is about to be removed
cat "$BOGONS"
# comm -23: keep only lines that appear in BLOCKLIST and not in BOGONS
comm -23 "$BLOCKLIST" "$BOGONS" > "$BLOCKLIST_TMP" && mv "$BLOCKLIST_TMP" "$BLOCKLIST"
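As an added example (not br0ken.pipe's script and not FireHOL's own code), here is the same merge-and-strip step done with Python's standard ipaddress module, for both the regex posted earlier in this thread and the script above. It checks prefix containment instead of textual patterns, so it goes beyond the regex in two ways: it also catches ranges the regex has no alternative for (CGNAT 100.64.0.0/10, multicast, reserved), and when a list entry contains a private prefix (say a whole /8 that swallows 192.168.0.0/16) it carves the prefix out rather than keeping or dropping the entire entry. The bogon table, the function names and the two sample lists are assumptions of this example.

```python
import ipaddress

# Prefixes that must never end up in a block alias: "this network", RFC 1918,
# CGNAT, loopback, link-local, multicast, reserved, and their IPv6 equivalents.
# This table is this example's own assumption, not FireHOL's bogon definition;
# the RFC 5737/3849 documentation ranges are deliberately left out so they can
# stand in for "real" blocklist entries in the constructed sample below.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_netset(text):
    """Yield ip_network objects from FireHOL-style .netset/.ipset text.

    '#' comments and blank lines are skipped, a bare address becomes a /32
    or /128, and an unparsable line is skipped instead of aborting the merge.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue


def strip_bogons(nets):
    """Remove every bogon prefix from a list of networks.

    An entry inside a bogon prefix is dropped. An entry that *contains* a
    bogon prefix (e.g. a whole /8) is split with address_exclude so only the
    non-bogon remainder survives; a plain text/regex filter would either keep
    the whole entry (still blocking the LAN) or lose all of it.
    """
    kept, todo = [], list(nets)
    while todo:
        net = todo.pop()
        for bogon in BOGON_NETWORKS:
            if bogon.version != net.version:
                continue
            if net.subnet_of(bogon):
                break                      # entirely bogon: drop it
            if bogon.subnet_of(net):
                todo.extend(net.address_exclude(bogon))
                break                      # the pieces are re-checked
        else:
            kept.append(net)
    return kept


def merge_blocklists(*texts):
    """Parse several list files, strip bogons, and collapse overlapping or
    adjacent prefixes (per address family) into the smallest equivalent set.
    Returns CIDR strings ready to publish as an OPNsense URL-table alias."""
    nets = [n for t in texts for n in parse_netset(t)]
    clean = strip_bogons(nets)
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            n for n in clean if n.version == version))
    return [str(n) for n in merged]


def is_blocked(entries, address):
    """True when a merged alias would match the given address."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(e) for e in entries)


# Constructed sample input (not real list content): two lists with overlap,
# RFC 1918/link-local entries, and one /8 that swallows 192.168.0.0/16.
LIST_A = """# constructed level1-style list
0.0.0.0/8
10.0.0.0/8
192.168.0.0/24
203.0.113.0/24
198.51.100.0/25
"""

LIST_B = """# constructed second list
198.51.100.128/25
192.0.0.0/8
2001:db8::/48
fe80::/10
"""

if __name__ == "__main__":
    for entry in merge_blocklists(LIST_A, LIST_B):
        print(entry)
```

Running it on the two sample lists drops 0.0.0.0/8, 10.0.0.0/8, 192.168.0.0/24 and fe80::/10, joins the two /25s into 198.51.100.0/24, and replaces 192.0.0.0/8 with the eight prefixes that cover everything in it except 192.168.0.0/16, so a LAN host such as 192.168.1.1 is no longer matched while 192.169.0.1 still is. Publish the output on a web server and point the URL Table alias at it, as the post above describes.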



Quote from: hushcoden on November 21, 2021, 05:54:07 PM
Quote from: Julien on November 20, 2021, 11:29:59 PM
Level 2 contains 192.168.0.0/24; most VPNs need it to allow the tunnel over.
Neither Level 2 nor Level 3 contains bogons; it's Level 1.

Are you suggesting using only Level 1?
I also see some class C networks on Level 1.
DEC4240 – OPNsense Owner

Quote from: Julien on November 21, 2021, 08:32:20 PM
Are you suggesting using only Level 1?
I also see some class C networks on Level 1.
All I'm saying is that bogon IP addresses are definitely in Level 1; I don't see them in Level 2 & 3 (but I'll double-check again).

Quote from: hushcoden on November 22, 2021, 10:36:39 AM
Quote from: Julien on November 21, 2021, 08:32:20 PM
Are you suggesting using only Level 1?
I also see some class C networks on Level 1.
All I'm saying is that bogon IP addresses are definitely in Level 1; I don't see them in Level 2 & 3 (but I'll double-check again).
I remember having issues with Level 1 and 2. I am using only Level 3 now with DShield.
DEC4240 – OPNsense Owner

Are there also FireHOL IPv6 lists? Or how do I configure those?
Deciso DEC850v2


This set blocked Twitch from working =(

Quote from: yeraycito on June 10, 2020, 12:53:35 AM
FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc. or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous.) (Includes: maxmind_proxy_fraud, myip, pushing_inertia_blocklist, stopforumspam_toxic.)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall-Aliases-New:

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content:    https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System-Settings-Cron-New:
     Create a job with the command Update and reload firewall aliases

5 - Create firewall rules in Wan and Lan

Quote from: br0ken.pipe on November 01, 2021, 12:01:43 PM
Quote from: mimugmail on November 01, 2021, 10:26:33 AM
But the firewall sees the packet first in the LAN inbound direction.

Thanks, that makes sense.

Here are the rules:

On LAN:
Action: Block
Interface LAN
Direction: in
Protocol: any
Source LAN net
Destination: My Firewall Alias


On WAN:
Action: Block
Interface: WAN
Direction: in
Protocol: Any
Source: My Firewall Alias
Destination: Any

Is it OK to make "floating rules" for multiple interfaces?
Something like this:

Action: Block
Interface LAN1, LAN2, LAN3, VPN1, VPN2
Direction: in
Protocol: any
Source any
Destination: My Firewall Alias exclude LAN1, LAN2, LAN3, VPN1, VPN2

Direction in, interface LAN and destination LAN doesn't make sense; the source should be LAN.