Page 1 of 2

Firehol iplists

Posted: 17 Oct 2015, 11:23
by marcele
An interesting project:
http://iplists.firehol.org/

I'm working through processing the lists that are usable by CSF. I will provide the complete list after I complete my work.

Re: Firehol iplists

Posted: 13 Feb 2016, 11:52
by Mick
Can you share how you got these lists working with CSF (and ipset I guess) please?

Thank you.

Re: Firehol iplists

Posted: 18 Feb 2016, 10:47
by marcele
Mick wrote:Can you share how you got these lists working with CSF (and ipset I guess) please? Thank you.
In our Juggernaut Firewall addon for Plesk I wrote a new management interface for managing block lists. I'll include the lists here so that users not running Juggernaut can benefit also.

Special thanks go out to Costa Tsaousis from Firehol for his help and of course Chirpy for raising the character limit in CSF blocklist names so that the list names can match (mostly).

After parsing the Firehol lists about 100 of them were usable. Currently CSF can't parse some of the lists as it doesn't support compressed source URLs and CSF can't parse IP lists that strip newlines.

You can just replace the default /etc/csf/csf.blocklists with the code below and uncomment the ones you want to use. The list has been merged with the default blocklists from CSF and is in alphabetical order.

Let me know what you think. Cheers!


# Name: ALIENVAULT_REPUTATION
# Category: reputation
# Maintainer: Alien Vault
# Maintainer URL: https://www.alienvault.com/
# Information: IP reputation database
#ALIENVAULT_REPUTATION|86400|0|https://reputation.alienvault.com/reputation.generic

# Name: ALTTOR
# Category: anonymizers
# Maintainer: Tor Network Status
# Maintainer URL: http://torstatus.blutmagie.de/
# Information: TOR Exit Nodes List
#ALTTOR|86400|0|http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv

# Name: AUTOSHUN
# Category: attacks
# Maintainer: Autoshun.org
# Maintainer URL: http://www.autoshun.org/
# Information: Autoshun Shun List
#AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

# Name: BAMBENEK_C2
# Category: malware
# Maintainer: Bambenek Consulting
# Maintainer URL: http://osint.bambenekconsulting.com/feeds/
# Information: Master feed of known, active and non-sinkholed C&Cs IP addresses
#BAMBENEK_C2|86400|0|http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt

# Name: BDE
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de
# Information: Blocklist.de attacking IP addresses (last hour)
#BDE|86400|0|https://api.blocklist.de/getlast.php?time=3600

# Name: BDEALL
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de
# Information: Blocklist.de attacking IP addresses (all)
#BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

# Name: BDS_ATIF
# Category: reputation
# Maintainer: Binary Defense Systems
# Maintainer URL: https://www.binarydefense.com/
# Information: Artillery Threat Intelligence Feed and Banlist Feed
#BDS_ATIF|172800|0|https://www.binarydefense.com/banlist.txt

# Name: BFB
# Category: attacks
# Maintainer: Daniel Gerzo
# Maintainer URL: http://danger.rulez.sk/index.php/bruteforceblocker/
# Information: BruteForceBlocker IP List
#BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Name: BITCOIN_BLOCKCHAIN_INFO
# Category: reputation
# Maintainer: Blockchain.info
# Maintainer URL: https://blockchain.info/en/connected-nodes
# Information: Bitcoin nodes connected to Blockchain.info.
#BITCOIN_BLOCKCHAIN_INFO|86400|0|https://blockchain.info/en/connected-nodes

# Name: BI_ANY_2_1D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category any with score above 2 and age less than 1d
#BI_ANY_2_1D|86400|0|https://www.badips.com/get/list/any/2?age=1d

# Name: BI_ANY_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category any with score above 2 and age less than 30d
#BI_ANY_2_30D|172800|0|https://www.badips.com/get/list/any/2?age=30d

# Name: BI_ANY_2_7D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category any with score above 2 and age less than 7d
#BI_ANY_2_7D|172800|0|https://www.badips.com/get/list/any/2?age=7d

# Name: BI_BRUTEFORCE_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category bruteforce with score above 2 and age less than 30d
#BI_BRUTEFORCE_2_30D|172800|0|https://www.badips.com/get/list/bruteforce/2?age=30d

# Name: BI_FTP_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category ftp with score above 2 and age less than 30d
#BI_FTP_2_30D|172800|0|https://www.badips.com/get/list/ftp/2?age=30d

# Name: BI_HTTP_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category http with score above 2 and age less than 30d
#BI_HTTP_2_30D|172800|0|https://www.badips.com/get/list/http/2?age=30d

# Name: BI_MAIL_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category mail with score above 2 and age less than 30d
#BI_MAIL_2_30D|172800|0|https://www.badips.com/get/list/mail/2?age=30d

# Name: BI_PROXY_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category proxy with score above 2 and age less than 30d
#BI_PROXY_2_30D|172800|0|https://www.badips.com/get/list/proxy/2?age=30d

# Name: BI_SQL_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category sql with score above 2 and age less than 30d
#BI_SQL_2_30D|172800|0|https://www.badips.com/get/list/sql/2?age=30d

# Name: BI_SSH_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category ssh with score above 2 and age less than 30d
#BI_SSH_2_30D|172800|0|https://www.badips.com/get/list/ssh/2?age=30d

# Name: BI_VOIP_2_30D
# Category: attacks
# Maintainer: BadIPs.com
# Maintainer URL: https://www.badips.com/
# Information: Bad IPs in category voip with score above 2 and age less than 30d
#BI_VOIP_2_30D|172800|0|https://www.badips.com/get/list/voip/2?age=30d

# Name: BLOCKLIST_DE
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: IPs that have been detected by fail2ban in the last 48 hours
#BLOCKLIST_DE|86400|0|http://lists.blocklist.de/lists/all.txt

# Name: BLOCKLIST_DE_APACHE
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache,
# Apache-DDOS, RFI-Attacks.
#BLOCKLIST_DE_APACHE|86400|0|http://lists.blocklist.de/lists/apache.txt

# Name: BLOCKLIST_DE_BOTS
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots,
# IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki) .
#BLOCKLIST_DE_BOTS|86400|0|http://lists.blocklist.de/lists/bots.txt

# Name: BLOCKLIST_DE_BRUTEFORCE
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IPs which attack Joomla, WordPress and other web logins with brute-force logins.
#BLOCKLIST_DE_BRUTEFORCE|86400|0|http://lists.blocklist.de/lists/bruteforcelogin.txt

# Name: BLOCKLIST_DE_FTP
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.
#BLOCKLIST_DE_FTP|86400|0|http://lists.blocklist.de/lists/ftp.txt

# Name: BLOCKLIST_DE_IMAP
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc.
#BLOCKLIST_DE_IMAP|86400|0|http://lists.blocklist.de/lists/imap.txt

# Name: BLOCKLIST_DE_MAIL
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.
#BLOCKLIST_DE_MAIL|86400|0|http://lists.blocklist.de/lists/mail.txt

# Name: BLOCKLIST_DE_SIP
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from
# infiltrated.net
#BLOCKLIST_DE_SIP|86400|0|http://lists.blocklist.de/lists/sip.txt

# Name: BLOCKLIST_DE_SSH
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.
#BLOCKLIST_DE_SSH|86400|0|http://lists.blocklist.de/lists/ssh.txt

# Name: BLOCKLIST_DE_STRONGIPS
# Category: attacks
# Maintainer: Blocklist.de
# Maintainer URL: https://www.blocklist.de/
# Information: All IPs which are older than 2 months and have more than 5,000 attacks.
#BLOCKLIST_DE_STRONGIPS|86400|0|http://lists.blocklist.de/lists/strongips.txt

# Name: BLOCKLIST_NET_UA
# Category: abuse
# Maintainer: blocklist.net.ua
# Maintainer URL: https://blocklist.net.ua
# Information: The BlockList project was created to become protection against negative influence of the harmful and potentially
# dangerous events on the Internet. First of all this service will help internet and hosting providers to protect
# subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP
# relays or from attempts of brute force passwords to servers and network equipment.
#BLOCKLIST_NET_UA|86400|0|https://blocklist.net.ua/blocklist.csv

# Name: BM_TOR
# Category: anonymizers
# Maintainer: torstatus.blutmagie.de
# Maintainer URL: https://torstatus.blutmagie.de/
# Information: List of all TOR network servers
#BM_TOR|86400|0|https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv

# Name: BOGON
# Category: unroutable
# Maintainer: Team Cymru
# Maintainer URL: http://www.team-cymru.org/Services/Bogons/
# Information: Private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to
# a regional internet registry
#BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Name: BOTSCOUT
# Category: abuse
# Maintainer: BotScout.com
# Maintainer URL: http://botscout.com/
# Information: Helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and
# abusing forms on web sites. They do this by tracking the names, IPs, and email addresses that bots use and logging them
# as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms
# when they're submitted on your site. This list is composed of the most recently-caught bots.
#BOTSCOUT|86400|0|http://botscout.com/last_caught_cache.htm

# Name: BRUTEFORCEBLOCKER
# Category: attacks
# Maintainer: danger.rulez.sk
# Maintainer URL: http://danger.rulez.sk/index.php/bruteforceblocker/
# Information: (fail2ban alternative for SSH on OpenBSD). This is an automatically generated list from users reporting failed
# authentication attempts. An IP seems to be included if 3 or more users report it. Its retention policy seems to be 30 days.
#BRUTEFORCEBLOCKER|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Name: CHAOSREIGNS_IPREP
# Category: spam
# Maintainer: ChaosReigns.com
# Maintainer URL: http://www.chaosreigns.com/iprep
# Information: The iprep0 list includes all IPs that sent only spam emails. This is an automated, free, public email IP reputation
# system.
#CHAOSREIGNS_IPREP|86400|0|http://www.chaosreigns.com/iprep/iprep.txt

# Name: CIARMY
# Category: reputation
# Maintainer: Collective Intelligence Network Security
# Maintainer URL: http://ciarmy.com/
# Information: IPs with poor Rogue Packet score that have not yet been identified as malicious by the community
#CIARMY|86400|0|http://cinsscore.com/list/ci-badguys.txt

# Name: CLEANMX_VIRUSES
# Category: spam
# Maintainer: Clean-MX.de
# Maintainer URL: http://support.clean-mx.de/clean-mx/viruses.php
# Information: IPs with viruses
#CLEANMX_VIRUSES|86400|0|http://support.clean-mx.de/clean-mx/xmlviruses.php?response=alive&fields=ip

# Name: CRUZIT_WEB_ATTACKS
# Category: attacks
# Maintainer: CruzIt.com
# Maintainer URL: http://www.cruzit.com/wbl.php
# Information: IPs of compromised machines scanning for vulnerabilities and DDOS attacks
#CRUZIT_WEB_ATTACKS|86400|0|http://www.cruzit.com/xwbl2txt.php

# Name: CTA_CRYPTOWALL
# Category: malware
# Maintainer: Cyber Threat Alliance
# Maintainer URL: http://www.cyberthreatalliance.org/cryptowall-dashboard.html
# Information: Cyber Threat Alliance CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet
# users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which
# impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide.
#CTA_CRYPTOWALL|86400|0|https://public.tableau.com/views/CTAOnlineViz/DashboardData.csv?:embed=y&:showVizHome=no&:showTabs=y&:display_count=y&:display_static_image=y&:bootstrapWhenNotified=true

# Name: DARKLIST_DE
# Category: attacks
# Maintainer: darklist.de
# Maintainer URL: http://www.darklist.de/
# Information: Ssh fail2ban reporting
#DARKLIST_DE|172800|0|http://www.darklist.de/raw.php

# Name: DRAGON_HTTP
# Category: attacks
# Maintainer: Dragon Research Group (DRG)
# Maintainer URL: http://www.dragonresearchgroup.org/
# Information: IPs that have been seen sending HTTP requests to Dragon Research Pods in the last 7 days. This report lists hosts that
# are highly suspicious and are likely conducting malicious HTTP attacks. LEGITIMATE SEARCH ENGINE BOTS MAY BE IN THIS
# LIST. This report is informational.  It is not a blacklist, but some operators may choose to use it to help protect
# their networks and hosts in the forms of automated reporting and mitigation services.
#DRAGON_HTTP|86400|0|http://www.dragonresearchgroup.org/insight/http-report.txt

# Name: DRAGON_SSHPAUTH
# Category: attacks
# Maintainer: Dragon Research Group (DRG)
# Maintainer URL: http://www.dragonresearchgroup.org/
# Information: IP address that has been seen attempting to remotely login to a host using SSH password authentication, in the last 7
# days. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication
# attacks.
#DRAGON_SSHPAUTH|86400|0|https://www.dragonresearchgroup.org/insight/sshpwauth.txt

# Name: DRAGON_VNCPROBE
# Category: attacks
# Maintainer: Dragon Research Group (DRG)
# Maintainer URL: http://www.dragonresearchgroup.org/
# Information: IP address that has been seen attempting to remotely connect to a host running the VNC application service, in the last
# 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious VNC probes or VNC brute
# force attacks.
#DRAGON_VNCPROBE|86400|0|https://www.dragonresearchgroup.org/insight/vncprobe.txt

# Name: DSHIELD
# Category: attacks
# Maintainer: DShield.org
# Maintainer URL: https://dshield.org/
# Information: Top 20 attacking class C (/24) subnets over the last three days
#DSHIELD|86400|0|http://feeds.dshield.org/block.txt

# Name: ET_BLOCK
# Category: attacks
# Maintainer: Emerging Threats
# Maintainer URL: http://www.emergingthreats.net/
# Information: Default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available
# separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates)
#ET_BLOCK|86400|0|http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

# Name: ET_BOTCC
# Category: reputation
# Maintainer: Emerging Threats
# Maintainer URL: http://www.emergingthreats.net/
# Information: These IPs are updates every 24 hours and should be considered VERY highly reliable indications that a host is
# communicating with a known and active Bot or Malware command and control server - (although they say this includes
# abuse.ch trackers, it does not - check its overlaps)
#ET_BOTCC|86400|0|http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules

# Name: ET_COMPROMISED
# Category: attacks
# Maintainer: Emerging Threats
# Maintainer URL: http://www.emergingthreats.net/
# Information: Compromised hosts
#ET_COMPROMISED|86400|0|http://rules.emergingthreats.net/blockrules/compromised-ips.txt

# Name: ET_DSHIELD
# Category: attacks
# Maintainer: Emerging Threats
# Maintainer URL: http://www.emergingthreats.net/
# Information: Dshield blocklist
#ET_DSHIELD|86400|0|http://rules.emergingthreats.net/fwrules/emerging-PIX-DSHIELD.rules

# Name: ET_SPAMHAUS
# Category: attacks
# Maintainer: Emerging Threats
# Maintainer URL: http://www.emergingthreats.net/
# Information: Spamhaus blocklist
#ET_SPAMHAUS|86400|0|http://rules.emergingthreats.net/fwrules/emerging-PIX-DROP.rules

# Name: ET_TOR
# Category: anonymizers
# Maintainer: Emerging Threats
# Maintainer URL: http://www.emergingthreats.net/
# Information: Of TOR network IPs
#ET_TOR|86400|0|http://rules.emergingthreats.net/blockrules/emerging-tor.rules

# Name: FEODO
# Category: malware
# Maintainer: Abuse.ch
# Maintainer URL: https://feodotracker.abuse.ch/
# Information: Trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud
#FEODO|86400|0|https://feodotracker.abuse.ch/blocklist/?download=ipblocklist

# Name: GREENSNOW
# Category: attacks
# Maintainer: GreenSnow.co
# Maintainer URL: https://greensnow.co/
# Information: A team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable
# with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw
# your IP address at any time if it has been listed. Attacks / bruteforce that are monitored are: port scans, FTP, POP3,
# mod_security, IMAP, SMTP, SSH, cPanel, etc.
#GREENSNOW|86400|0|http://blocklist.greensnow.co/greensnow.txt

# Name: HONEYPOT
# Category: attacks
# Maintainer: Project Honeypot
# Maintainer URL: http://www.projecthoneypot.org
# Information: Project Honey Pot Directory of Dictionary Attacker IPs
#HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# Name: IW_SPAMLIST
# Category: spam
# Maintainer: ImproWare Antispam
# Maintainer URL: http://antispam.imp.ch/
# Information: IPs sending spam, in the last 3 days
#IW_SPAMLIST|86400|0|http://antispam.imp.ch/spamlist

# Name: IW_WORMLIST
# Category: spam
# Maintainer: ImproWare Antispam
# Maintainer URL: http://antispam.imp.ch/
# Information: IPs sending emails with viruses or worms, in the last 3 days
#IW_WORMLIST|86400|0|http://antispam.imp.ch/wormlist

# Name: LASHBACK_UBL
# Category: spam
# Maintainer: The LashBack Unsubscribe Blacklist
# Maintainer URL: http://blacklist.lashback.com/
# Information: The Unsubscribe Blacklist (UBL)  is a real-time blacklist of IP addresses which are sending email to names harvested
# from suppression files (this is a big list, more than 500.000 IPs)
#LASHBACK_UBL|172800|0|http://www.unsubscore.com/blacklist.txt

# Name: MALC0DE
# Category: malware
# Maintainer: malc0de.com
# Maintainer URL: http://malc0de.com/
# Information: Malicious IPs of the last 30 days
#MALC0DE|172800|0|http://malc0de.com/bl/IP_Blacklist.txt

# Name: MALWAREDOMAINLIST
# Category: malware
# Maintainer: MalwareDomainList.com
# Maintainer URL: http://www.malwaredomainlist.com/
# Information: List of malware active ip addresses
#MALWAREDOMAINLIST|86400|0|http://www.malwaredomainlist.com/hostslist/ip.txt

# Name: MAXMIND
# Category: anonymizers
# Maintainer: Maxmind
# Maintainer URL: https://www.maxmind.com/en/anonymous_proxies
# Information: MaxMind GeoIP Anonymous Proxies
#MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

# Name: MYIP
# Category: abuse
# Maintainer: MyIP.ms
# Maintainer URL: http://myip.ms/
# Information: IPs identified as web bots in the last 10 days, using several sites that require human action
#MYIP|172800|0|http://www.myip.ms/files/blacklist/csf/latest_blacklist.txt

# Name: NT_MALWARE_DNS
# Category: attacks
# Maintainer: NoThink.org
# Maintainer URL: http://www.nothink.org/
# Information: Malware DNS (the original list includes hostnames and domains, which are ignored)
#NT_MALWARE_DNS|86400|0|http://www.nothink.org/blacklist/blacklist_malware_dns.txt

# Name: NT_MALWARE_HTTP
# Category: attacks
# Maintainer: NoThink.org
# Maintainer URL: http://www.nothink.org/
# Information: Malware HTTP
#NT_MALWARE_HTTP|86400|0|http://www.nothink.org/blacklist/blacklist_malware_http.txt

# Name: NT_MALWARE_IRC
# Category: attacks
# Maintainer: NoThink.org
# Maintainer URL: http://www.nothink.org/
# Information: Malware IRC
#NT_MALWARE_IRC|86400|0|http://www.nothink.org/blacklist/blacklist_malware_irc.txt

# Name: NT_SSH_7D
# Category: attacks
# Maintainer: NoThink.org
# Maintainer URL: http://www.nothink.org/
# Information: Last 7 days SSH attacks
#NT_SSH_7D|86400|0|http://www.nothink.org/blacklist/blacklist_ssh_week.txt

# Name: OPENBL
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: https://www.openbl.org
# Information: OpenBL.org 30 day List
#OPENBL|86400|0|https://www.openbl.org/lists/base_30days.txt

# Name: OPENBL_180D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 180 days IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_180D|86400|0|http://www.openbl.org/lists/base_180days.txt

# Name: OPENBL_1D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 24 hours IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_1D|86400|0|http://www.openbl.org/lists/base_1days.txt

# Name: OPENBL_30D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 30 days IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_30D|86400|0|http://www.openbl.org/lists/base_30days.txt

# Name: OPENBL_360D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 360 days IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_360D|86400|0|http://www.openbl.org/lists/base_360days.txt

# Name: OPENBL_60D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 60 days IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_60D|86400|0|http://www.openbl.org/lists/base_60days.txt

# Name: OPENBL_7D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 7 days IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_7D|86400|0|http://www.openbl.org/lists/base_7days.txt

# Name: OPENBL_90D
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last 90 days IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_90D|86400|0|http://www.openbl.org/lists/base_90days.txt

# Name: OPENBL_ALL
# Category: attacks
# Maintainer: OpenBL.org
# Maintainer URL: http://www.openbl.org/
# Information: Last all IPs.  OpenBL.org is detecting, logging and reporting various types of internet abuse.
#OPENBL_ALL|86400|0|http://www.openbl.org/lists/base_all.txt

# Name: PACKETMAIL
# Category: reputation
# Maintainer: PacketMail.net
# Maintainer URL: https://www.packetmail.net/iprep.txt
# Information: IP addresses have been detected performing TCP SYN to 206.82.85.196/30 to a non-listening service or daemon. No
# assertion is made, nor implied, that any of the below listed IP addresses are accurate, malicious, hostile, or engaged
# in nefarious acts. Use this list at your own risk.
#PACKETMAIL|86400|0|https://www.packetmail.net/iprep.txt

# Name: PHP_COMMENTERS
# Category: spam
# Maintainer: ProjectHoneypot.org
# Maintainer URL: http://www.projecthoneypot.org/
# Information: Comment spammers (this list is composed using an RSS feed)
#PHP_COMMENTERS|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=c&rss=1

# Name: PHP_DICTIONARY
# Category: spam
# Maintainer: ProjectHoneypot.org
# Maintainer URL: http://www.projecthoneypot.org/
# Information: Dictionary attackers (this list is composed using an RSS feed)
#PHP_DICTIONARY|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# Name: PHP_HARVESTERS
# Category: spam
# Maintainer: ProjectHoneypot.org
# Maintainer URL: http://www.projecthoneypot.org/
# Information: Harvesters (IPs that surf the internet looking for email addresses)  (this list is composed using an RSS feed)
#PHP_HARVESTERS|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=h&rss=1

# Name: PHP_SPAMMERS
# Category: spam
# Maintainer: ProjectHoneypot.org
# Maintainer URL: http://www.projecthoneypot.org/
# Information: Spam servers (IPs used by spammers to send messages)  (this list is composed using an RSS feed)
#PHP_SPAMMERS|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=s&rss=1

# Name: PROXYLISTS
# Category: anonymizers
# Maintainer: ProxyLists.net
# Maintainer URL: http://www.proxylists.net/
# Information: Open proxies (this list is composed using an RSS feed)
#PROXYLISTS|86400|0|http://www.proxylists.net/proxylists.xml

# Name: PROXYSPY
# Category: anonymizers
# Maintainer: ProxySpy (spys.ru)
# Maintainer URL: http://spys.ru/en/
# Information: Open proxies (updated hourly)
#PROXYSPY|86400|0|http://txt.proxyspy.net/proxy.txt

# Name: SBLAM
# Category: abuse
# Maintainer: sblam.com
# Maintainer URL: http://sblam.com/
# Information: IPs used by web form spammers, during the last month
#SBLAM|172800|0|http://sblam.com/blacklist.txt

# Name: SHUNLIST
# Category: attacks
# Maintainer: AutoShun.org
# Maintainer URL: http://autoshun.org/
# Information: IPs identified as hostile by correlating logs from distributed snort installations running the autoshun plugin
#SHUNLIST|86400|0|http://www.autoshun.org/files/shunlist.csv

# Name: SNORT_IPFILTER
# Category: attacks
# Maintainer: Snort.org Labs
# Maintainer URL: https://labs.snort.org/
# Information: Supplied IP blacklist (this list seems to be updated frequently, but we found no information about it)
#SNORT_IPFILTER|86400|0|http://labs.snort.org/feeds/ip-filter.blf

# Name: SPAMDROP
# Category: spam
# Maintainer: Spamhaus
# Maintainer URL: http://www.spamhaus.org/drop/
# Information: Do not Route Or Peer List (DROP)
#SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

# Name: SPAMEDROP
# Category: spam
# Maintainer: Spamhaus
# Maintainer URL: http://www.spamhaus.org/drop/
# Information: Spamhaus Extended DROP List (EDROP)
#SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

# Name: SSLBL
# Category: malware
# Maintainer: Abuse.ch
# Maintainer URL: https://sslbl.abuse.ch/
# Information: Bad SSL traffic related to malware or botnet activities
#SSLBL|86400|0|https://sslbl.abuse.ch/blacklist/sslipblacklist.csv

# Name: SSLBL_AGGRESSIVE
# Category: malware
# Maintainer: Abuse.ch
# Maintainer URL: https://sslbl.abuse.ch/
# Information: The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a
# malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes) , this blacklist may cause
# false positives.
#SSLBL_AGGRESSIVE|86400|0|https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv

# Name: TALOSINTEL_IPFILTER
# Category: attacks
# Maintainer: TalosIntel.com
# Maintainer URL: http://talosintel.com/
# Information: List of known malicious network threats
#TALOSINTEL_IPFILTER|86400|0|http://talosintel.com/feeds/ip-filter.blf

# Name: TOR
# Category: anonymizers
# Maintainer: Torproject
# Maintainer URL: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
# Information: TOR Exit Nodes List
#TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

# Name: TOR_EXITS
# Category: anonymizers
# Maintainer: TorProject.org
# Maintainer URL: https://www.torproject.org/
# Information: List of all current TOR exit points (TorDNSEL)
#TOR_EXITS|86400|0|https://check.torproject.org/exit-addresses

# Name: TRUSTEDSEC_ATIF
# Category: reputation
# Maintainer: TrustedSec
# Maintainer URL: https://www.trustedsec.com/
# Information: Artillery Threat Intelligence Feed and Banlist Feed
#TRUSTEDSEC_ATIF|172800|0|https://www.trustedsec.com/banlist.txt

# Name: VIRBL
# Category: spam
# Maintainer: VirBL.bit.nl
# Maintainer URL: http://virbl.bit.nl/
# Information: A project whose idea was born during the RIPE-48 meeting. The plan was to get reports from virus-scanning
# mail servers, and put the IP addresses that were reported to send viruses on a blacklist.
#VIRBL|86400|0|http://virbl.bit.nl/download/virbl.dnsbl.bit.nl.txt

# Name: VOIPBL
# Category: attacks
# Maintainer: VoIPBL.org
# Maintainer URL: http://www.voipbl.org/
# Information: A distributed VoIP blacklist aimed at protecting against VoIP fraud and minimizing abuse for networks that have
# publicly accessible PBXs. Several algorithms, external sources and manual confirmation are used before they categorize
# something as an attack and determine the threat level.
#VOIPBL|86400|0|http://www.voipbl.org/update/

# Name: XROXY
# Category: anonymizers
# Maintainer: Xroxy.com
# Maintainer URL: http://www.xroxy.com/
# Information: Open proxies (this list is composed using an RSS feed)
#XROXY|86400|0|http://www.xroxy.com/proxyrss.xml

# Name: ZEUS
# Category: malware
# Maintainer: Abuse.ch
# Maintainer URL: https://zeustracker.abuse.ch/
# Information: Standard, contains the same data as the ZeuS IP blocklist (zeus_badips) but with the slight difference that it does not
# exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains
# all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist
# will likely cause some false positives.
#ZEUS|86400|0|https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

# Name: ZEUS_BADIPS
# Category: malware
# Maintainer: Abuse.ch
# Maintainer URL: https://zeustracker.abuse.ch/
# Information: Badips includes IPv4 addresses that are used by the ZeuS trojan. It is the recommended blocklist if you want to block
# only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web
# hosting provider (level 3). Hence the false positive rate should be much lower compared to the standard ZeuS IP
# blocklist.
#ZEUS_BADIPS|86400|0|https://zeustracker.abuse.ch/blocklist.php?download=badips
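The post above explains both the csf.blocklists line format (NAME|INTERVAL|MAX|URL, one stanza per list) and the two reasons a FireHOL list cannot be used as-is: a compressed source URL, or a feed that strips newlines so several entries share one line. The script below is an added example, not code from the post, from CSF or from FireHOL: it reads the comment header of a FireHOL .ipset/.netset file, applies those two checks, and emits a commented-out stanza in the same layout as the list above. The header layout (`# Key : value` comment lines, a bracketed title line and the list name as the first bare word) and the 25-character name ceiling are assumptions; the sample file is constructed from documentation addresses.

```python
"""Turn FireHOL ipset/netset headers into csf.blocklists stanzas.

Added example: not code from the post, from CSF or from FireHOL. It assumes
the FireHOL header layout shown in the constructed sample below ("# Key : value"
comment lines) and CSF's csf.blocklists line format NAME|INTERVAL|MAX|URL.
"""
import re

CSF_MIN_INTERVAL = 3600     # CSF rejects refresh intervals under one hour
MAX_NAME_LEN = 25           # assumed name limit; the post gives no number
COMPRESSED = (".gz", ".bz2", ".zip", ".xz")   # CSF fetches raw text only

_HEADER_RE = re.compile(r"^#\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
_TITLE_RE = re.compile(r"^#\s*\[(.+?)\]")
_FREQ_RE = re.compile(r"(\d+)\s*(min|hour|day)", re.I)
_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?")


def parse_header(text):
    """Return (list name, {lower-cased key: value}) from the comment header."""
    name, fields = None, {}
    for line in text.splitlines():
        if not line.startswith("#"):
            break                       # first data line ends the header
        m = _HEADER_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
            continue
        t = _TITLE_RE.match(line)
        if t:
            fields.setdefault("information", t.group(1))
            continue
        body = line.lstrip("#").strip()
        if name is None and re.fullmatch(r"[a-z0-9_]+", body):
            name = body                 # first bare word is the list name
    return name, fields


def frequency_seconds(value):
    """'6 hours' -> 21600, clamped to CSF's minimum; unparseable -> 86400."""
    m = _FREQ_RE.search(value or "")
    if not m:
        return 86400
    unit = {"min": 60, "hour": 3600, "day": 86400}[m.group(2).lower()]
    return max(int(m.group(1)) * unit, CSF_MIN_INTERVAL)


def data_is_line_oriented(text):
    """False when a data line carries more than one entry (newlines stripped),
    which CSF's per-line parser cannot handle."""
    for line in text.splitlines():
        data = line.split("#", 1)[0].strip()
        if data and len(_IP_RE.findall(data)) > 1:
            return False
    return True


def to_csf_stanza(text):
    """Commented-out csf.blocklists stanza, or None if CSF cannot use the list."""
    name, f = parse_header(text)
    url = f.get("list source url")
    if not name or not url or url.lower().endswith(COMPRESSED):
        return None                     # no name/URL, or a compressed source
    if not data_is_line_oriented(text):
        return None                     # newline-stripped feed
    csf_name = name.upper()[:MAX_NAME_LEN]
    return "\n".join([
        f"# Name: {csf_name}",
        f"# Category: {f.get('category', 'unknown')}",
        f"# Maintainer: {f.get('maintainer', 'unknown')}",
        f"# Maintainer URL: {f.get('maintainer url', '')}",
        f"# Information: {f.get('information', '')}",
        f"#{csf_name}|{frequency_seconds(f.get('update frequency'))}|0|{url}",
    ])


# Constructed sample in the assumed FireHOL header layout (not a real download).
SAMPLE_NETSET = """\
#
# alienvault_reputation
#
# ipv4 hash:net ipset
#
# [AlienVault.com IP Reputation Database] (https://www.alienvault.com/)
#
# Maintainer      : Alien Vault
# Maintainer URL  : https://www.alienvault.com/
# List source URL : https://reputation.alienvault.com/reputation.generic
# Category        : reputation
# Update Frequency: 6 hours
# Entries         : 3 unique IPs
#
192.0.2.10
198.51.100.0/24
203.0.113.77
"""

if __name__ == "__main__":
    print(to_csf_stanza(SAMPLE_NETSET))
```

Run it over every file in a checkout of the FireHOL blocklist-ipsets repository and append the output to /etc/csf/csf.blocklists, then uncomment the stanzas you want; lists that come back as None are the ones CSF cannot fetch or parse directly.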

Re: Firehol iplists

Posted: 21 Feb 2016, 17:15
by Mick
Hi Marcele,

Sorry for the delay in replying and thank you so much for taking the time to write up such a useful post.

I will be going through each one and implementing them as necessary.

I'm very keen to block a lot of the known scrapers, bots, bad spiders etc. from my site as they are really hitting my servers hard, and repeatedly so. I think some of them are scraping for 'SEO' purposes, which is annoying too.

A couple of the firehol lists I would be interested in are the pushing_inertia_blocklists and the iblocklist_webexploits for this reason. Is there a way to make these lists compatible, or is there no easy solution to do so?

Thanks for any insight into this,

Cheers.

Re: Firehol iplists

Posted: 21 Feb 2016, 17:32
by marcele
We have custom login failure triggers to handle bad scrapers. Here is a custom trigger we use that will ban bad useragents we deem as having little value. Just make sure to point the CUSTOM4_LOG to your apache access_logs and add the code below to /usr/local/csf/bin/regex.custom.pm


# CUSTOM4_LOG must point at the Apache access_log (combined format).
# $1 captures the client IP, $2 the User-Agent string that matched.
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+) \S+ \S+ \[[^:]+:\d+:\d+:\d+ [^\]]+\] \"\S+ .*? \S+\" \S+ \S+ ".*" "(?i)(.*(?:360Spider|80legs|Acunetix|AhrefsBot|aiHitBot|BackDoorBot|Bandit|Baiduspider|DotBot|Exabot|FHscan|Havij|HTTrack|MJ12bot|moget|Nutch|ichiro|RedBot|SemrushBot|SeznamBot|Sogou|Sosospider|spbot|WebZIP|XoviBot|Xenu|Yandex|Yeti|YisouSpider|Zeus).*)"$/)) {
    return ("Failed apache-useragents trigger with match [$2] from",$1,"apache-useragents","1","80,443","1");
}
Normally I enable this with LF_NETBLOCK enabled. After multiple blocks from the same subnet CSF will block the search engine (aiHitBot,Baiduspider,Yandex) subnet pretty quickly.

I hope this helps.

Edit: March 2016: Fixed bug and updated user-agents
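The trigger above does two things: it parses an Apache combined-format line to pull out the client IP, then substring-matches the User-Agent field against an alternation of bot names. The block below is an added example that re-implements that logic in Python so it can be run over sample log lines offline; it is not the Perl trigger from the post and not part of CSF. It assumes the Apache combined log format, uses a trimmed subset of the post's agent list, and builds the alternation with re.escape() so that a name containing regex metacharacters (a dot, a plus, a slash-version) stays literal when you extend the list. The log lines are constructed from documentation addresses.

```python
"""Apache access-log User-Agent trigger, re-implemented in Python.

Added example: not the Perl trigger from the post and not part of CSF. It
assumes the Apache 'combined' log format and uses a constructed log sample.
The agent list is a subset of the post's; re.escape() is applied to each
name so that entries containing regex metacharacters stay literal.
"""
import re

# Subset of the post's list; add plain names here, no escaping needed.
BAD_AGENTS = [
    "360Spider", "80legs", "Acunetix", "AhrefsBot", "Havij", "HTTrack",
    "MJ12bot", "SemrushBot", "Yandex", "Zeus",
]

# combined format: host ident user [time] "request" status bytes "referer" "agent"
_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \S+ \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def build_agent_regex(agents):
    """Case-insensitive alternation of the agent names as literals."""
    return re.compile("|".join(re.escape(a) for a in agents), re.IGNORECASE)


def check_line(line, agent_re):
    """(ip, matched_agent) when the User-Agent is listed, else None."""
    m = _COMBINED_RE.match(line)
    if not m:
        return None                     # not a combined-format line; ignore
    hit = agent_re.search(m.group("agent"))
    return (m.group("ip"), hit.group(0)) if hit else None


def scan(lines, agents=BAD_AGENTS):
    """All hits in the given lines: the offending IP plus the text that
    matched, which is what the CSF trigger hands back as $1 and $2."""
    agent_re = build_agent_regex(agents)
    hits = []
    for line in lines:
        hit = check_line(line, agent_re)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Feb/2016:17:32:00 +0000] "GET /index.php HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"',
    '198.51.100.7 - - [21/Feb/2016:17:32:01 +0000] "GET /about HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/44.0"',
    '203.0.113.5 - - [21/Feb/2016:17:32:02 +0000] "GET /wp-login.php HTTP/1.1" 403 210 '
    '"-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"',
    '203.0.113.9 - - [21/Feb/2016:17:32:03 +0000] "POST /login HTTP/1.1" 200 99 '
    '"http://example.com/" "Havij"',
]

if __name__ == "__main__":
    for ip, agent in scan(SAMPLE_LOG):
        print(f"block {ip} on ports 80,443: matched [{agent}]")
```

Two points carry back to the Perl trigger: the match is a substring match, so a short name such as "Zeus" or "Yeti" will also hit any longer agent string that contains it, and in the Perl regex the names are pasted in raw, so a name taken from a larger list that contains `.`, `+`, `(` or `/` must be backslash-escaped there by hand.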

Re: Firehol iplists

Posted: 21 Feb 2016, 17:38
by Mick
Perfect, thanks again. I'll try the above and see whether this gets the result I'm looking for...

Re: Firehol iplists

Posted: 21 Feb 2016, 19:30
by Mick
Would enabling LF_NETBLOCK cause problems with the IPSET lists above?

Thanks.

Re: Firehol iplists

Posted: 24 Feb 2016, 16:50
by marcele
Mick wrote:Would enabling LF_NETBLOCK cause problems with the IPSET lists above?
No, LF_NETBLOCK will block a subnet after multiple login failure daemon blocks (it's not tied to blocklists). When first using it I would recommend enabling LF_NETBLOCK_ALERT so you get an email alert if a subnet does get blocked.

Re: Firehol iplists

Posted: 24 Feb 2016, 17:54
by Mick
marcele wrote:
Mick wrote:Would enabling LF_NETBLOCK cause problems with the IPSET lists above?
No, LF_NETBLOCK will block a subnet after multiple login failure daemon blocks (it's not tied to blocklists). When first using it I would recommend enabling LF_NETBLOCK_ALERT so you get an email alert if a subnet does get blocked.
Thank you - I'm getting there slowly.

Re: Firehol iplists

Posted: 24 Feb 2016, 22:30
by Mick
Regarding your 'custom login failure triggers to handle bad scrapers', if I wanted to add further user agents, is there anything I should be aware of?

There is quite an extensive list here:

https://github.com/JayBizzle/Crawler-De ... ct.php#L73

and although I don't want to add them all, there are some that are hitting my sites I would like to add.

Thanks for any help.