I created an unofficial patch for your request. Could you try this patch against your csf 5.59?
--- csf.conf-ok 2012-07-10 23:22:36.000000000 -0300
+++ csf.conf-spamhause 2012-07-16 15:49:16.000000000 -0300
@@ -185,7 +185,7 @@
# SMTP_BLOCK is only applied if port 25 is included in TCP6_OUT
#
# Not supported:
-# DYNDNS, CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, LF_DSHIELD, LF_SPAMHAUS,
+# DYNDNS, CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, LF_DSHIELD, LF_SPAMHAUS, LF_SPAMHAUS_E
# SYNFLOOD, PORTFLOOD, DYNDNS, ICMP_IN, ICMP_OUT, LF_NETBLOCK, MESSENGER,
# CC_IGNORE, CONNLIMIT
#
@@ -544,6 +544,18 @@
# is in the same format as the drop list
LF_SPAMHAUS_URL = "h t t p : / / www . spamhaus . org/drop/drop.lasso"
+# Enable IP range blocking using the Spamhaus Extended DROP List at
+# http:// www . spamhaus . org/drop/edrop.txt
+# To enable this feature, set the following to the interval in seconds that you
+# want the block list updated. The list is reasonably static during the length
+# of a day, so it would be appropriate to only update once every 24 hours, so
+# a value of "86400" is recommended
+LF_SPAMHAUS_E = "86400"
+
+# The Spamhaus Extended DROP List URL. If you change this to something else be sure it
+# is in the same format as the drop list
+LF_SPAMHAUS_E_URL = "h t t p : / / www . spamhaus . org/drop/edrop.txt"
+
# Enable IP range blocking using the BOGON List at
# http://www . cymru . com/Bogons/
# To enable this feature, set the following to the interval in seconds that you
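Review bot: `LF_SPAMHAUS_E = "86400"` ships the new feed switched on, so everyone who applies the patch starts downloading and loading EDROP at the next lfd restart, while the comment above it says the feature is enabled by setting the value, which reads as opt-in; the default should be `LF_SPAMHAUS_E = "0"` (presumably matching how LF_SPAMHAUS is shipped, which is outside this hunk) and the interval set by the admin. The list is fetched over plain http with no checksum or signature, so anything on the path between the server and spamhaus.org can substitute its own ranges and have the firewall drop arbitrary traffic; a comment such as `# NOTE: the list is fetched over http without integrity checking; use https if urlget supports it` would at least make the trust assumption visible. The URLs in this listing also carry spaces inserted by the forum's link mangling and must be re-typed before the config is used.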
--- csf. pl-ok 2012-03-31 13:03:25.000000000 -0300
+++ csf. pl-spamhause 2012-07-16 15:52:13.000000000 -0300
@@ -457,11 +457,12 @@
if ($config{LF_DSHIELD}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N DSHIELD")}
if ($config{LF_SPAMHAUS}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N SPAMHAUS")}
+ if ($config{LF_SPAMHAUS_E}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N SPAMHAUS_E")}
if ($config{LF_BOGON}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N BOGON")}
if ($config{CC_ALLOW_FILTER}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CC_ALLOWF")}
if ($config{CC_ALLOW}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CC_ALLOW")}
if ($config{CC_DENY}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CC_DENY")}
- if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N BLOCKDROP")}
+ if (($config{LF_SPAMHAUS} or $config{LF_SPAMHAUS_E} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N BLOCKDROP")}
if (($config{CC_DENY} or $config{CC_ALLOW_FILTER}) and $config{DROP_IP_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CCDROP")}
if ($config{GLOBAL_ALLOW}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N GALLOWIN")}
if ($config{GLOBAL_ALLOW}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N GALLOWOUT")}
@@ -522,12 +523,12 @@
&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOGDROPIN -p icmpv6 -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *ICMP6IN Blocked* '");
&syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOGDROPOUT -p icmpv6 -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *ICMP6OUT Blocked* '");
}
- if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *BLOCK_LIST* '");}
+ if (($config{LF_SPAMHAUS} or $config{LF_SPAMHAUS_E} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *BLOCK_LIST* '");}
if (($config{CC_DENY} or $config{CC_ALLOW_FILTER}) and $config{DROP_IP_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A CCDROP -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *CC_DENY* '");}
if ($config{PORTFLOOD}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A PORTFLOOD -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *Port Flood* '");}
}
if ($config{CONNLIMIT} and $config{CONNLIMIT_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A CONNLIMIT -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *ConnLimit* '");}
- if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -j $config{DROP}");}
+ if (($config{LF_SPAMHAUS} or $config{LF_SPAMHAUS_E} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -j $config{DROP}");}
if (($config{CC_DENY} or $config{CC_ALLOW_FILTER}) and $config{DROP_IP_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A CCDROP -j $config{DROP}");}
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROPIN -j $config{DROP}");
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROPOUT -j $config{DROP}");
@@ -1364,6 +1365,25 @@
&syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALINPUT $ethdevin -j SPAMHAUS");
}
+ if ($config{LF_SPAMHAUS_E}) {
+ if (-e "/etc/csf/csf.spamhaus_e") {
+ my $drop = $config{DROP};
+ if ($config{DROP_IP_LOGGING}) {$drop = "BLOCKDROP"}
+ open (IN, "</etc/csf/csf.spamhaus_e") or &error(__LINE__,"Could not open /etc/csf/csf.spamhaus_e: $!");
+ flock (IN, LOCK_SH) or &error(__LINE__,"Could not lock /etc/csf/csf.spamhaus_e: $!");
+ my @spamhaus_e = <IN>;
+ close (IN) or &error(__LINE__,"Could not close /etc/csf/csf.spamhaus_e: $!");
+ chomp @spamhaus_e;
+ foreach my $line (@spamhaus_e) {
+ my ($ip,$comment) = split (/\s/,$line,2);
+ if (&checkip($ip)) {
+ &syscommand(__LINE__,"$config{IPTABLES} $verbose -I SPAMHAUS_E -s $ip -j $drop");
+ }
+ }
+ }
+ &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALINPUT $ethdevin -j SPAMHAUS_E");
+ }
+
$config{CC_DENY} =~ s/\s//g;
if ($config{CC_DENY}) {
foreach my $cc (split(/\,/,$config{CC_DENY})) {
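Review bot: The new `LF_SPAMHAUS_E` block is a line-for-line copy of the `LF_SPAMHAUS` block whose tail is visible at the top of the hunk, with only the file and chain names changed; a small helper taking the list file and chain name, called once per list, would keep the two from drifting the next time the DROP_IP_LOGGING or checkip handling is touched. The `$comment` half of the `split` on the new lines is never used, and lfd writes only the range per line, so `my ($ip) = split (/\s/,$line,2);` says what is actually consumed. The LF_SPAMHAUS block this mirrors starts before the hunk, so the comparison is partly inferred.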
@@ -2918,6 +2938,7 @@
my @chains = ("INPUT","LOCALINPUT","LOGDROPIN");
if ($config{LF_DSHIELD}) {push @chains,"DSHIELD"}
if ($config{LF_SPAMHAUS}) {push @chains,"SPAMHAUS"}
+ if ($config{LF_SPAMHAUS_E}) {push @chains,"SPAMHAUS_E"}
if ($config{LF_BOGON}) {push @chains,"BOGON"}
if ($config{PACKET_FILTER}) {push @chains,"INVALID","INVDROP"}
if ($config{CC_ALLOW_FILTER}) {push @chains,"CC_ALLOWF"}
--- lfd. pl-orig 2012-07-09 13:15:53.000000000 -0300
+++ lfd. pl-spamahause 2012-07-16 15:57:03.000000000 -0300
@@ -27,7 +27,7 @@
$count, %config, %logfiles, $childpid, $childcnt, %logintimeout, $cidr,
%loginproto, $cttimeout, %ips, %ifaces, $scriptline, @cidrs, %pskip,
%scripts, $scripttimeout, %blockedips, $pttimeout, %skip, $csftimeout,
- $dshieldtimeout, $spamhaustimeout, $dirwatchtimeout, @suspicious,
+ $dshieldtimeout, $spamhaustimeout, $spamhaus_e_timeout, $dirwatchtimeout, @suspicious,
%skipfile, %sfile, %nofiles, @matchfile, $toomanymatches, $pidino,
%dirwatchfile, $dirwatchfiletimeout, %skipuser, $globaltimeout,
%skipscript, %ports, $smtptimeout, $dyndnstimeout, @lfsize, $hostshort,
@@ -458,6 +458,15 @@
&spamhaus;
$spamhaustimeout = 0;
}
+if ($config{LF_SPAMHAUS_E}) {
+ &logfile("SPAMHAUS_E Tracking...");
+ if ($config{LF_SPAMHAUS_E} < 3600) {
+ &logfile("LF_SPAMHAUS_E refresh increased to 3600 to prevent blacklisting (csf.conf setting: $config{LF_SPAMHAUS_E})");
+ $config{LF_SPAMHAUS_E} = 3600;
+ }
+ &spamhaus_e;
+ $spamhaus_e_timeout = 0;
+}
if ($config{CC_DENY} or $config{CC_ALLOW} or $config{CC_ALLOW_FILTER} or $config{CC_IGNORE}) {
&logfile("Country Code Filters...");
&countrycode;
@@ -1182,6 +1191,14 @@
}
}
+ if ($config{LF_SPAMHAUS_E}) {
+ $spamhaus_e_timeout+=$duration;
+ if ($spamhaus_e_timeout >= $config{LF_SPAMHAUS_E}) {
+ $spamhaus_e_timeout = 0;
+ &spamhaus_e;
+ }
+ }
+
if ($config{CC_DENY} or $config{CC_ALLOW} or $config{CC_ALLOW_FILTER} or $config{CC_IGNORE}) {
$cctimeout+=$duration;
if ($cctimeout >= 3600) {
@@ -3879,6 +3896,81 @@
}
# end spamhaus
###############################################################################
+# start spamhaus_e
+sub spamhaus_e {
+ my $getlist = 0;
+ if (-e "/etc/csf/csf.spamhaus_e") {
+ my $mtime = (stat("/etc/csf/csf.spamhaus_e"))[9];
+ my $listtime = (time - $mtime);
+ if ($listtime >= $config{LF_SPAMHAUS_E}) {$getlist = 1}
+ } else {$getlist = 1}
+
+ if ($getlist) {
+ unless ($config{OLD_REAPER}) {$SIG{CHLD} = 'IGNORE';}
+ unless (defined ($childpid = fork)) {
+ &cleanup(__LINE__,"*Error* cannot fork: $!");
+ }
+ unless ($childpid) {
+ my $timer = time;
+ if ($config{DEBUG} >= 3) {$timer = &timer("start","spamhaus_e",$timer)}
+ $0 = "lfd - retrieving spamhaus_e blocklist";
+
+ my $lockstr = "LF_SPAMHAUS_E";
+ sysopen (THISLOCK, "/etc/csf/lock/$lockstr.lock", O_RDWR | O_CREAT) or &childcleanup("*Error* Unable to open /etc/csf/lock/$lockstr.lock");
+ flock (THISLOCK, LOCK_EX | LOCK_NB) or &childcleanup("*Lock Error* [$lockstr] still active - section skipped");
+
+ my ($status, $text) = &urlget($config{LF_SPAMHAUS_E_URL});
+ if ($status) {
+ &logfile("SPAMHAUS_E: Unable to retrieve spamhaus_e block list - $text");
+ exit;
+ }
+
+ if (&csflock) {&lockfail("LF_SPAMHAUS_E")}
+ &logfile("SPAMHAUS_E - retrieved and blocking IP address ranges");
+ my $drop = $config{DROP};
+ if ($config{DROP_IP_LOGGING}) {$drop = "BLOCKDROP"}
+
+ if ($config{SAFECHAINUPDATE}) {
+ &syscommand(__LINE__,"$config{IPTABLES} -N NEWSPAMHAUS_E");
+ } else {
+ &syscommand(__LINE__,"$config{IPTABLES} -F SPAMHAUS_E");
+ }
+ sysopen (SPAMHAUS_E, "/etc/csf/csf.spamhaus_e", O_WRONLY | O_CREAT) or &childcleanup(__LINE__,"*Error* Cannot open out file: $!");
+ flock (SPAMHAUS_E, LOCK_EX);
+ seek (SPAMHAUS_E, 0, 0);
+ truncate (SPAMHAUS_E, 0);
+ foreach my $line (split (/\n/,$text)) {
+ if ($line =~ /^\#/) {next}
+ if ($line =~ /^([\d\.\/]+)\s+/) {
+ my $iprange = $1;
+ if ($iprange) {
+ print SPAMHAUS_E "$iprange\n";
+ if ($config{SAFECHAINUPDATE}) {
+ &syscommand(__LINE__,"$config{IPTABLES} -I NEWSPAMHAUS_E -s $iprange -j $drop");
+ } else {
+ &syscommand(__LINE__,"$config{IPTABLES} -I SPAMHAUS_E -s $iprange -j $drop");
+ }
+ }
+ }
+ }
+ close (SPAMHAUS_E);
+ if ($config{SAFECHAINUPDATE}) {
+ &syscommand(__LINE__,"$config{IPTABLES} -A LOCALINPUT $ethdevin -j NEWSPAMHAUS_E");
+ &syscommand(__LINE__,"$config{IPTABLES} -D LOCALINPUT $ethdevin -j SPAMHAUS_E");
+ &syscommand(__LINE__,"$config{IPTABLES} -F SPAMHAUS_E");
+ &syscommand(__LINE__,"$config{IPTABLES} -X SPAMHAUS_E");
+ &syscommand(__LINE__,"$config{IPTABLES} -E NEWSPAMHAUS_E SPAMHAUS_E");
+ }
+
+ close (THISLOCK);
+ if ($config{DEBUG} >= 3) {$timer = &timer("stop","spamhaus_e",$timer)}
+ $0 = "lfd - child closing";
+ exit;
+ }
+ }
+}
+# end spamhaus_e
+###############################################################################
# start countrycode
sub countrycode {
my $force = shift;
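Review bot: In the non-SAFECHAINUPDATE path the chain is flushed (`-F SPAMHAUS_E`) and the list file truncated before a single line of the response has been parsed, so a 200 response with an empty body or an HTML error/rate-limit page silently removes all EDROP blocking until the next refresh, and the SAFECHAINUPDATE path swaps an empty NEWSPAMHAUS_E in the same way. The download path also inserts whatever matches `[\d\.\/]+` straight into iptables, whereas the csf.pl reload of the same file validates each entry with `&checkip`, so a malformed line produces iptables errors here but is filtered there. Parsing the response into a list first, validating each range with `&checkip` if lfd.pl has the same helper csf.pl uses, and bailing out with the old rules intact when nothing valid was found would fix both. Separately, the `&childcleanup` calls on the lock lines pass only a message while the one on the sysopen line passes `__LINE__` first; one of the two forms is presumably misreporting, which cannot be settled from this hunk. The rewritten middle of the child would look like this:
```perl
# … unchanged: fork, THISLOCK, urlget and the $status check …
my @ranges;
foreach my $line (split (/\n/,$text)) {
    if ($line =~ /^\#/ or $line =~ /^;/) {next}
    if ($line =~ /^([\d\.\/]+)\s+/ and &checkip($1)) {push @ranges, $1}
}
unless (@ranges) {
    &logfile("SPAMHAUS_E: retrieved list contained no valid IP ranges - keeping existing rules");
    exit;
}
if (&csflock) {&lockfail("LF_SPAMHAUS_E")}
# … unchanged: logfile, $drop selection, -N NEWSPAMHAUS_E / -F SPAMHAUS_E, sysopen/flock/truncate …
foreach my $iprange (@ranges) {
    print SPAMHAUS_E "$iprange\n";
    # … unchanged: -I NEWSPAMHAUS_E / -I SPAMHAUS_E …
}
# … unchanged: close, SAFECHAINUPDATE chain swap, lock release, exit …
```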