FireHOL Block List ( Botnets, Attacks, Malware....)

Started by yeraycito, June 08, 2020, 06:46:36 PM


Quote from: hushcoden on June 09, 2020, 05:53:12 PM
And apparently there is also a FireHOL Level4 here: https://iplists.firehol.org/?ipset=firehol_level4

And the list is here: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level4.netset

The list is very good but they warn that it has a good amount of false positives. You have to be careful.

FireHol Web Server List:

A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. (This list includes IPs that are servers hosting malware, bots, etc., or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous.) (includes: maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)

Info: https://iplists.firehol.org/?ipset=firehol_webserver

Installation in Opnsense:

1 - Firewall - Aliases - New

2 - Name: FireHOLserver
     Type: URL Table (IPs)
     Expiration Days: 1
     Content: https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset
     Description: FireHOLserver

3 - Save

4 - System - Settings - Cron - New:
     Create a job with the command "Update and reload firewall aliases"

5 - Create firewall rules in WAN and LAN

Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.

Quote from: lattera on June 10, 2020, 01:19:41 AM
Completely random thought: checking the list against existing ET Open rules, pruning duplicates.

Another thought: integration with Suricata to not only block on those IPs, but also alert.

These are IPs to block with the input/output firewall. Suricata blocks behavior.

Example: https://docs.opnsense.org/manual/how-tos/edrop.html

Quote from: hushcoden on June 09, 2020, 10:39:45 AM
Quote from: mimugmail on June 09, 2020, 07:26:25 AM
Quote from: hushcoden on June 08, 2020, 11:14:22 PM
Expiration Days: 1 --> with this you shouldn't need a cron job, is that right?

On LAN you create a rule with protocol any, source LAN, destination your FireHOL alias and condition drop. On WAN the same rule but source is your alias and destination ANY (to match port forwards and connections to the firewall itself).
That's great, thanks: there is no 'drop' in the drop-down menu, I can choose between 'block' or 'reject', which one is the best approach?

Also, as for the LAN rule, do I have to choose 'LAN' in the interface section only or for both interface and source?
Tia.

Can someone please clarify the following points:

1) Better to use 'block' or 'reject'? - 'drop' is not an option

2) As I said in my previous post, for the LAN rule, do I have to choose 'LAN' (actually it's called LAN net) in the interface section only or for both interface and source?

3) As for 'direction', is it IN or OUT?

I've still a lot to learn and any advice is much appreciated!

1) block is better since with reject the firewall has to generate a packet (costs CPU cycles)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use OUT.

June 28, 2020, 11:59:55 AM #22 Last Edit: June 28, 2020, 02:46:25 PM by hushcoden
Could someone point me to where - a log file? - I can check if those alias lists are actually updated?

Tia.


Many thanks, found it in System --> Log Files --> General

I've attached a screenshot: does "fetch" mean it's been updated?


Quote from: hushcoden on June 28, 2020, 02:55:21 PM
Many thanks, found it in System --> Log Files --> General

I've attached a screenshot: does "fetch" mean it's been updated?

They're up to date. Look at the number of lines between updates:

/updates_tables.py..........www.spamhaus.org.......lines:791

When you update, the number of lines changes.
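The alias setup earlier in the thread pulls the raw .netset file, and the log check above relies on the entry count changing between fetches. As an added example (not code from the thread or from the FireHOL project), the script below parses the .netset layout the way the firewall's URL Table alias has to (comment lines beginning with "#" skipped, one address or CIDR prefix per line, bare addresses treated as /32), counts the entries, tests whether a given address would be caught by the alias (useful for tracking down the false positives the list maintainers warn about), and diffs two fetched snapshots to show what was added or removed. The sample netset bodies are constructed from documentation ranges and are not real list content; the layout assumption is stated in the comments.

```python
"""Parse FireHOL-style .netset files, count entries, test an address against
them, and compare two fetched snapshots.

Assumption (not taken from the thread): a .netset body consists of comment
lines starting with '#', blank lines, and one IPv4/IPv6 address or CIDR
prefix per remaining line. The sample bodies below are constructed."""
import ipaddress
import sys
from typing import Iterable, List, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: an earlier fetch of the list (documentation ranges only).
SAMPLE_NETSET_OLD = """\
# firehol_webserver (constructed sample for illustration, not real data)
#
# List source URL : https://iplists.firehol.org/?ipset=firehol_webserver
#
192.0.2.0/24
198.51.100.17
203.0.113.0/25
"""

# Constructed sample: a later fetch, one entry dropped and one added.
SAMPLE_NETSET_NEW = """\
# firehol_webserver (constructed sample, later snapshot)
192.0.2.0/24
203.0.113.0/25
203.0.113.200
"""


def parse_netset(text: str) -> List[Network]:
    """Return the networks listed in a .netset body, skipping comments and blanks.

    Bare addresses become /32 (or /128) prefixes. A malformed line raises
    ValueError with its line number so a truncated or garbled download is
    noticed instead of being loaded as a silently shorter alias."""
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments too
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from None
    return nets


def count_entries(text: str) -> int:
    """Number of address/prefix entries; compare between fetches to confirm
    the alias content actually changed (the 'lines:' figure in the log)."""
    return len(parse_netset(text))


def lookup(ip: str, nets: Iterable[Network]) -> Optional[str]:
    """Return the first listed prefix that contains ip, or None if unlisted.
    Use this when a host is unexpectedly blocked to see which entry hit."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def diff_netsets(old_text: str, new_text: str) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) prefixes between two snapshots of a list."""
    old = {str(n) for n in parse_netset(old_text)}
    new = {str(n) for n in parse_netset(new_text)}
    return new - old, old - new


def main(argv: List[str]) -> None:
    # With two file paths, diff real downloads; otherwise run on the samples.
    if len(argv) == 3:
        with open(argv[1]) as f_old, open(argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = SAMPLE_NETSET_OLD, SAMPLE_NETSET_NEW
    print("entries old/new:", count_entries(old_text), count_entries(new_text))
    added, removed = diff_netsets(old_text, new_text)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    print("192.0.2.77 matched by:", lookup("192.0.2.77", parse_netset(new_text)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed samples, or with two saved copies of a netset (e.g. yesterday's and today's download) to see exactly which prefixes changed between the two alias refreshes.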

July 26, 2020, 03:14:54 PM #27 Last Edit: July 26, 2020, 04:44:17 PM by hushcoden
Quote from: mimugmail on June 10, 2020, 02:01:21 PM
1) block is better since with reject the Firewall has to generate a packet (cost cpu cycle)
2)+3) Interface LAN, Source LAN net, direction ALWAYS *IN*, never use out ..
I have another question: if I use floating rules, I can select both my two LAN interfaces rather than duplicate rules from LAN to LAN2 :o but in 'Source' I can't select both 'LAN net' and 'LAN2 net', only one, so should I select 'any' or 'This Firewall'?

Thanks.

2 rules: source any, destination firehol, and vice versa. No interface selected.

Quote from: mimugmail on July 26, 2020, 04:01:43 PM
2 rules source any, destination firehol and vice versa. No Interface selected

Do you mean I delete the rules in 'LAN' and 'LAN2' and consolidate them into 1 in 'Floating' but without selecting the two LAN interfaces?? Sorry, I'm confused :o Can you be more specific? :-\