dshield + pf


Dshield (www.dshield.org) supplies a list of the top 20 attacking class C (/24) subnets over a three-day period; the block list file itself documents its format in a comment header. We can download and parse this file and add the subnets to a pf table that a single block rule then matches. Typically I do this daily, and then flush the table weekly.

First of all, define a new table, which we'll call dshield, in /etc/pf.rules. I've discussed pf tables before so will say no more. Then add a new rule in /etc/pf.rules to block all traffic from this table. Again, I've explained this elsewhere. Have a look here.
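The two pf.rules lines that step needs, written out as an added example (this is not the page's own rules file; fxp0 is the page's external interface and the table name follows the text):

```pf
# /etc/pf.rules (the page's filename; pf's default is /etc/pf.conf).
ext_if = "fxp0"          # the page's external interface; change to yours

# "persist" keeps the table around even while it is empty, so the cron job
# has something to load addresses into before the first fetch has run.
table <dshield> persist

# Drop anything arriving on the external interface from a listed netblock.
# "quick" stops rule evaluation here, so a later "pass" cannot override it.
block in quick on $ext_if from <dshield> to any
```

Blocking only inbound on the external interface means a listed netblock cannot reach you, but nothing you initiate is affected; add `log` after `block` if you want the hits to show up in pflog.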

All we need now is a perl script, a shell script, and some additions to root's crontab and we're done. The perl script I use can be downloaded from here. Get the shell script here. Save these as /usr/local/etc/dshield.pl and /usr/local/etc/dshield.sh, respectively.

Having used ipf before turning to pf, I've included code for either firewall in these scripts. If you're using ipf (ipfilter) then in dshield.sh you need to uncomment one line and comment out another, but it should be obvious which. Similarly, in dshield.pl, near the end of the file, you'd need to do the same, and this is also obvious. You also need to edit one line in dshield.pl depending on your external interface: mine is fxp0, but yours could be rl0 or whatever (ipf users only; pf users can leave it as is). If you're using ipf, I've assumed your filter rules are in /etc/ipf.rules.

A suitable crontab entry would be the following. On Sundays the flush at 01:10 runs before the fetch at 01:20, so the table is rebuilt from a fresh list rather than left empty for a week.


# fetch dshield block list, daily
20 1 * * * /usr/local/etc/dshield.sh > /dev/null 2>&1
# flush dshield table, weekly
10 1 * * sun /usr/local/etc/dshield.sh flush > /dev/null 2>&1
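The steps above (download the list, parse it, load the subnets into the table, flush on demand) collapsed into one self-contained script, as an added example rather than the page's dshield.sh/dshield.pl pair. It assumes the feed URL below and that block.txt is tab-delimited with start address, end address and prefix length as its first three columns, as the file's own header states; the sample rows in sample_feed are constructed, not real DShield data.

```sh
#!/bin/sh
# dshield.sh: example replacement for the page's dshield.sh/dshield.pl pair
# (added here; not the original scripts). Fetches the DShield block list,
# keeps only well-formed netblocks, and loads them into the pf table "dshield".
# Assumptions: the feed lives at FEED_URL below, and block.txt is tab-delimited
# with columns start-address, end-address, prefix-bits, ... as its header says.
set -eu

FEED_URL="https://feeds.dshield.org/block.txt"   # assumed feed location
TABLE="dshield"                                  # table defined in /etc/pf.rules
LISTFILE="/var/db/dshield.list"                  # last good list, for inspection

# parse_blocklist: block.txt on stdin -> "a.b.c.d/bits" lines on stdout.
# Comments, blank lines, malformed addresses, duplicates and prefixes shorter
# than /8 are dropped, so a corrupt or hostile feed cannot push "0.0.0.0/0"
# or garbage into pfctl.
parse_blocklist() {
    awk -F '\t' '
        /^#/ || NF < 3 { next }
        {
            start = $1; bits = $3
            if (start !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n = split(start, o, "."); ok = 1
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (!ok) next
            if (bits !~ /^[0-9]+$/ || bits + 0 < 8 || bits + 0 > 32) next
            print start "/" bits
        }' | sort -u
}

# fetch_feed: download the list; OpenBSD's base ftp(1) speaks HTTP(S).
fetch_feed() {
    if command -v curl >/dev/null 2>&1; then
        curl -fsS --max-time 60 "$FEED_URL"
    else
        ftp -o - "$FEED_URL"
    fi
}

# load_table: fetch, parse, and replace the table contents in one step
# (-T replace adds new entries and removes stale ones, so no separate flush
# is needed). A download that yields nothing leaves the old table in place
# rather than silently emptying it.
load_table() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    fetch_feed | parse_blocklist > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "dshield: empty or unparsable feed, table left untouched" >&2
        return 1
    fi
    mv "$tmp" "$LISTFILE"
    pfctl -q -t "$TABLE" -T replace -f "$LISTFILE"
}

flush_table() {
    pfctl -q -t "$TABLE" -T flush
}

# sample_feed: a constructed block.txt (not real DShield data) with two good
# rows plus rows the parser must reject; used for a dry run via "selftest".
sample_feed() {
    printf '%s\n' \
        '# DShield.org Recommended Block List (constructed sample)' \
        '#   columns (tab delimited): start, end, subnet bits, attacks, name, country'
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        58.49.103.0 58.49.103.255 24 1234 ExampleNet CN \
        80.53.68.0 80.53.68.255 24 987 ExampleNet PL \
        0.0.0.0 255.255.255.255 0 1 'bogus, would block everything' XX \
        999.1.1.0 999.1.1.255 24 5 'bogus, octet out of range' XX \
        80.53.68.0 80.53.68.255 24 987 'duplicate row' PL
}

main() {
    case "${1:-}" in
        fetch)    load_table ;;
        flush)    flush_table ;;
        parse)    parse_blocklist ;;            # filter a saved block.txt on stdin
        selftest) sample_feed | parse_blocklist ;;
        *)        echo "usage: $0 fetch|flush|parse|selftest" >&2; return 2 ;;
    esac
}

# Act only when given a subcommand, so the functions can be sourced safely.
[ $# -eq 0 ] || main "$@"
```

With this script the two crontab lines become `dshield.sh fetch` and `dshield.sh flush`; `dshield.sh selftest` shows what the parser keeps from the constructed sample (the two /24s, with the /0, the out-of-range octet and the duplicate discarded), and `dshield.sh parse < block.txt` does the same for a saved copy of the real feed before you let it anywhere near pfctl.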


Now running the following two commands


/usr/local/etc/dshield.sh
pfctl -t dshield -T show


will display something like the following. The two ALTQ lines are warnings pfctl prints on stderr when the kernel was built without ALTQ; they are not table entries and can be ignored.


No ALTQ support in kernel
ALTQ related functions disabled
58.49.103.0/24
59.191.28.0/24
60.8.63.0/24
61.136.186.0/24
61.153.139.0/24
61.153.224.0/24
61.175.252.0/24
80.53.68.0/24
124.74.198.0/24
196.35.64.0/24
202.99.208.0/24
217.110.222.0/24
218.16.152.0/24
218.25.10.0/24
218.26.191.0/24
218.106.91.0/24
219.140.198.0/24
222.38.100.0/24
222.52.118.0/24
222.216.222.0/24


One word of warning though. Use this at your own risk. Glancing at today's block list, most of the subnets are in China, so best not to use this if you actually live in China: many of your fellow countrymen would then be unable to view your website! More generally, a /24 is a blunt instrument: everyone who shares a netblock with the scanners gets blocked too, and if a network you depend on (your upstream, a DNS server, a mail relay) ever appears on the list you lose it until the next flush, so glance at the table after each load.