Would anyone want to help me with assessing my ip blocklist?

Started by allebone, September 24, 2020, 08:08:53 PM

I have been working on a blocklist of malicious IPs that I detect by having services/ports open to VMs that can be destroyed and rebuilt if/when compromised. This allows me to capture IPs that attack these servers, and I make a blocklist from the information I collect.

I would like to know if anyone would be able to help by assessing the usefulness of the list, and whether it assists in reducing the amount of malicious IPs trying to connect to services you may currently be forced to have open for whatever reason, but protected by fail2ban or some other service that is not foolproof, and would like an additional layer of prevention.

The list is here: https://github.com/pallebone/StrictBlockPAllebone

Thanks in advance if anyone would like to help test and provide any feedback :)

P

I am interested in working with you. Please tell me what you need

Quote from: mikeb78 on October 03, 2020, 03:00:56 AM
I am interested in working with you. Please tell me what you need

Hi Mike,

Thank you for your reply.
The address is a blocklist for incoming traffic to block malicious IPs from probing any services you have behind your firewall.

For example, if you ran an FTP server and required it to be accessible from anywhere, but wanted to add an additional layer of protection by blocking known malicious IPs, then this would be appropriate for you.

The instructions are here: https://github.com/pallebone/StrictBlockPAllebone

In short you would be adding an alias on your server that includes these 4 blocklists:

https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

Then you would add a rule to block incoming traffic from the IPs in the alias you created (the list is not suitable for egress traffic, as I believe firehol includes private IP addresses in their IP blocklist for some strange reason, so don't block traffic outbound from the firewall - only inbound from the internet to the firewall, if that makes sense).

You can then ensure that you are logging traffic blocked by the rule, and permitted traffic, so you can get a rough idea how much traffic accessing services behind your firewall is passed and how much is blocked. Ideally you should see most malicious IPs blocked, while valid IPs that legitimately want to use your services behind your firewall are not blocked.

You can assess the service and let me know if it helps, or if you don't like it then that feedback is fine also.

Let me know if you require any further info.

Kind regards
Pete
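As an added illustration of the two steps Pete describes (not code from the thread or from the StrictBlockPAllebone repo): merge the four list formats into one alias while dropping private/reserved space (the caveat about firehol_level1), then score sample inbound log lines as blocked or passed. The list contents, the `NEVER_INBOUND` table and the `src=<ip>` log format are all constructed assumptions so the script runs offline.

```python
import ipaddress
import re

# Constructed stand-ins for the four list formats (not real downloads): Spamhaus
# DROP/EDROP use "cidr ; SBLnnn", firehol uses "#" comments + bare CIDRs, BlockIP.txt bare IPs.
SAMPLE_LISTS = {
    "BlockIP.txt": "198.51.100.7\n198.51.100.9\n",
    "drop.txt": "; Spamhaus DROP List\n203.0.113.0/24 ; SBL000001\n",
    "edrop.txt": "; Spamhaus EDROP List\n192.0.2.0/25 ; SBL000002\n",
    "firehol_level1.netset": "# firehol_level1\n10.0.0.0/8\n192.168.0.0/16\n192.0.2.128/25\n",
}

# Assumed list of ranges that must never land in an inbound-from-internet alias
# (the thread notes firehol_level1 carries private space).
NEVER_INBOUND = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def parse_list(text):
    """Yield ip_network objects from one list; skip comments and junk lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole alias

def build_alias(lists):
    """Merge every list, drop anything overlapping NEVER_INBOUND, and collapse
    adjacent networks (e.g. two /25s become one /24) to keep the alias small."""
    nets = {net for text in lists.values() for net in parse_list(text)
            if not any(net.overlaps(b) for b in NEVER_INBOUND)}
    return sorted(ipaddress.collapse_addresses(nets))

def score_log(alias, log_lines):
    """Count inbound log lines whose source is in the alias vs not: the rough
    blocked/passed check from the post. Constructed format: 'src=<ip> dst=<ip>:<port>'."""
    blocked = passed = 0
    for line in log_lines:
        m = re.search(r"src=(\S+)", line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if any(addr in net for net in alias):
            blocked += 1
        else:
            passed += 1
    return blocked, passed
```

Feeding the real downloads into `build_alias` gives the alias contents; `score_log` over a day's firewall log gives the blocked/passed ratio Pete asks testers to report.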

Nice idea, but sadly IP blocklists can be easily bypassed by changing your public IP address, either via VPN, or just by checking the remaining TTL value on your public IP address and disconnecting the device from the internet for the remaining time. Unless you block the whole IP range, they can always attempt again once their IP address changes (and by doing that, you might actually block some VPN providers, Amazon etc., since that's what hackers and pentesters do: hide themselves behind another public IP which they can change at their own will).

If you are hosting an FTP server and it NEEDS to be open to public networks, then you just have to use a strong password and use a proxy to encrypt the traffic, or better yet, use an FTP server which only accepts connections if you have the right certificate. (FTP is VERY insecure and should never be open to the public or share anything worth keeping safe from unauthorized clients.)

An IP blocking mechanism is a good way to block IPs like Google DNS etc., but most hackers etc. use TOR, VPNs and botnets, so they can always just change their public IP to bypass the block.

This is true. However, it's not about completely preventing 100% of attacks, as that would always be impossible regardless of what you employ. Rather, it works like an AV product: we don't expect all viruses to be stopped 100% of the time by an AV product, but it does lower your attack profile and thus your risk is mitigated by some %. The more things you do, and the more differing methods you have employed, the smaller your attack surface. In practice I notice it reduces brute force attacks by 95% or so, which is better than not employing such a solution in addition to your other hardening methods. That's just my opinion.

Quote from: allebone on October 05, 2020, 08:10:17 PM
This is true. However, it's not about completely preventing 100% of attacks, as that would always be impossible regardless of what you employ. Rather, it works like an AV product: we don't expect all viruses to be stopped 100% of the time by an AV product, but it does lower your attack profile and thus your risk is mitigated by some %. The more things you do, and the more differing methods you have employed, the smaller your attack surface. In practice I notice it reduces brute force attacks by 95% or so, which is better than not employing such a solution in addition to your other hardening methods. That's just my opinion.

I see your point, but that is something IDS/IPS is for (in fact it works exactly like AV and blocks not only known malicious IPs, but also IPs which are trying to exploit certain well and less well known vulnerabilities, something that IP blocking does not do).

If you insist on having an IP block list and are hosting your servers on LINUX, you can install Fail2ban, which does exactly that: blocks IPs which try too many times to log in. You just have to configure it right; in fact I think there is a way to install Fail2Ban on OPNsense itself.

Quote from: Vilhonator on October 05, 2020, 09:04:48 PM
I see your point, but that is something IDS/IPS is for (in fact it works exactly like AV and blocks not only known malicious IPs, but also IPs which are trying to exploit certain well and less well known vulnerabilities, something that IP blocking does not do).

If you insist on having an IP block list and are hosting your servers on LINUX, you can install Fail2ban, which does exactly that: blocks IPs which try too many times to log in. You just have to configure it right; in fact I think there is a way to install Fail2Ban on OPNsense itself.

Indeed this is also true. However, I found that with only IDS (Suricata) and Fail2ban, which I was already using, too little was being caught and quite a bit was slipping through. I tried many things to improve it, but ultimately what I was finding is that the bots/automated attacks used separate IPs to scan your network, then used this information to target what they found with different IPs based on their results. This meant that the setup with fail2ban and IDS was only 80% or so effective, in some cases less. As I want 99% effectiveness this was not acceptable to me, and this method of a blocklist as an additional layer is the only thing I have so far that is getting me close to the 99% I desire. The other 1% I am able to review in the logs manually each day (as there are not thousands of IPs passing in the logs anymore, i.e. they are not flooded with attacks) and assess easily in a matter of minutes. Keeping the logs mostly clear in this way makes this task quite manageable.