Baity F wrote:
> I'm not wise in the ways of *nix or scripting but I'm sure there's a
> relatively easy way to get this done. I've manually input 10-20
> firewall rules based on DShield.org's old top global offenders list but
> it's VERY time consuming, one at a time.
>
> DShield.org has just announced their new Highly Predictive Blacklisting
> which is customized per submitter and updated once a day. It's much
> more lengthy so there's absolutely no way I'm manually inputting this one.
>
> More info:
> http://www.dshield.org/hpbinfo.html
>
> Block list example:
> http://www.dshield.org/hpb.html?key=oiUTq74ue5KvKQXfZYxsXw==
>
> If anybody has suggestions then I'm all ears.

Hi Baity...

At the risk of sounding like I am self-promoting, I'd have to say that this type of thing could probably be easily implemented by making a couple of modifications to the "PoorMansTimeBasedRules" HOW-TO to add/remove these rules.

First see: http://wiki.m0n0.ch/wikka.php?wakka=PoorMansTimeBasedRules

Now that you have a basic understanding of the hows and whys, assume that you get that example list in a simple text file and you call it ipblocklist.txt.

So, from the server chosen to update the firewall rules, the following command will:

- Pull out only the lines that start with a number (in this case they are all IP addresses)
- Strip off any leading zeros from any octet in the IP addresses (it seems that the ipfw command accepts an address like 24.100.057.200, but changes it to 24.100.47.200 or something when actually applying it, so we strip the zeros...)
- Build and run the wget command that will send the ipfw rules to your m0n0wall via the exec.php script on it.

  grep '^[0-9]' ipblocklist.txt | cut -f1,2 | sed -e 's/^00*\([0-9]\)/\1/' \
    -e 's/\([^0-9]\)00*\([0-9]\)/\1\2/g' | while read ipstart ipstop; do wget \
    -qO /dev/null "https://192.168.1.1/exec_raw.php?cmd=ipfw add 5 \
    deny src $ipstart{0-`echo $ipstop | cut -d'.' -f4`}"; done

so the actual ipfw commands being sent to m0n0wall are something like:

  ipfw add 5 deny src x.x.x.x{0-255}

Strange that all those lists are /24 address blocks (eg: x.x.x.[0-255]). I am assuming that this list is an example, rather than a sample. But if you knew that the blocks were always /24, ipfw syntax allows you to simplify the last line above like so:

    deny src $ipstart"; done

since /24 is assumed by ipfw.

And one last comment... You need to consider that since these blocks from DShield will change from time to time and address blocks will be added while others are removed, you may want to do one of two things:

1. Diff the new list with the old and run a remove command for the blocks that were removed since the last list came out, or

2. Delete the entire rule set #5 just before running the command to apply all the blocks in the new list. This is the easy option, but it opens you up for a few seconds/minutes while the rules are being applied.

Hope this helps a little more than it confuses. :)

--
Bill Arlofski
Reverse Polarity
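The "diff the new list with the old" option from the closing comment, worked through as an added example (this is not code from the post or from m0n0wall). It assumes a tab-separated list of "start, end, prefix length" lines, and swaps in ipfw lookup tables (one rule 5 pointing at table 1) so that a block that dropped off the list can be deleted on its own instead of flushing every rule numbered 5; the sample lists are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): keep an ipfw block set in
# sync with a changing DShield-style list by diffing the previous and the
# current list (option 1 in the post). Assumptions: the list is tab-separated
# "start<TAB>end<TAB>prefixlen" lines (comments start with '#'), and the
# blocks live in an ipfw lookup table referenced by one rule, e.g.
#   ipfw add 5 deny ip from table(1) to any
# so single blocks can be removed without flushing rule 5.
set -eu
export LC_ALL=C

WORK=$(mktemp -d)
# Constructed sample lists, not real DShield data. Note the zero-padded
# octets the post warns about (ipfw reads 057 as 47).
printf '# start\tend\tlen\n10.000.001.0\t10.000.001.255\t24\n192.168.050.0\t192.168.050.255\t24\n' > "$WORK/old.txt"
printf '# start\tend\tlen\n10.0.1.0\t10.0.1.255\t24\n203.0.113.0\t203.0.113.255\t24\n' > "$WORK/new.txt"

# normalize_list FILE: keep lines that begin with a digit, take the start
# address and prefix length, strip leading zeros from every octet (but keep
# a lone 0), and print sorted "start/len" entries so comm(1) can diff them.
normalize_list() {
    grep '^[0-9]' "$1" | cut -f1,3 \
      | sed -e 's/^00*\([0-9]\)/\1/' -e 's/\([^0-9]\)00*\([0-9]\)/\1\2/g' \
      | tr '\t' '/' | sort -u
}

# plan_update OLD NEW: print the ipfw table commands that turn the set of
# blocks in OLD into the set in NEW: deletes for blocks that disappeared,
# adds for blocks that are new. Unchanged blocks generate no command.
plan_update() {
    normalize_list "$1" > "$WORK/old.norm"
    normalize_list "$2" > "$WORK/new.norm"
    comm -23 "$WORK/old.norm" "$WORK/new.norm" | sed 's|^|ipfw table 1 delete |'
    comm -13 "$WORK/old.norm" "$WORK/new.norm" | sed 's|^|ipfw table 1 add |'
}

# Dry run: print the plan. In the post each command is shipped to the
# firewall with: wget -qO /dev/null "https://192.168.1.1/exec_raw.php?cmd=$cmd"
plan_update "$WORK/old.txt" "$WORK/new.txt"
```

Because unchanged blocks produce no command, the window in which traffic from listed blocks is unfiltered shrinks to the individual table updates rather than a full rebuild of rule 5.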