The new Firewall blocklist in Core Update 170 looks promising.
Is there a way to include more Blocklists? From a reputable source like Github, Gitlab etc… and are well maintained?
The new Firewall blocklist in Core Update 170 looks promising.
Is there a way to include more Blocklists? From a reputable source like Github, Gitlab etc… and are well maintained?
Just went from zero to 16… Is it not enough?!?
HAHAHA, no I am not complaining, just I like to use blocklists to block services like DoH …
Is there something specific that you had in mind? (something reputable and well maintained?) I am just curious…
The file containing the list of blocklists is /var/ipfire/ipblocklist/sources
. The explanation of the fields in the file is in the file header, so it’s easy enough to add new entries if you want, however the file will be overwritten by any future updates.
If you find any lists which would be useful to other people you could submit a patch to update this file, but before doing this it’s important to check that you’ve got the maximum frequency of checking for updates right, as many lists will block anyone trying to update too often. If you’re going to submit a patch it’s also important to check that the licence for the lists allows the list to be included in the ipfire distribution.
Possibly in a future update we can allow the possibility of a sources.local
file, but I think the feature needs to be left as it is for a while before adding new functionality.
.
Welcome back @Timf
Many thanks for your detailed explanation, I will follow it and post some lists below for discussion before submitting it.
Interesting that Abuse.ch went or is going commercial very soon. so it makes sense to have option.
@jon There used to be plenty of open and well maintained lists, but they either went commercial or abandoned. But here are some I recently found and used in addition to the ones already in the addon:
1- This list contains Common DoH servers and I think it is useful in cases when clients are circumventing IPFire’s DNS server.
It doesn’t mention a Licence. In terms of update checks I think Github is pretty forgiving for update checks if done in a “random” pattern or intervals.
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt
2- 3CoreSec Blacklist - they share threats from their honeypot projects
https://blacklist.3coresec.net/lists/all.txt
3coresec lists are under GNU Affero General Public License
https://www.gnu.org/licenses/agpl-3.0.en.html
3coresec doesn’t mention update check terms.
The "ALL list "above is combined from these specific lists
3- Hosts involved in SSH brute-force
https://blacklist.3coresec.net/lists/ssh.txt
4-Hosts involved in mass scanning and/or exploitation attempts
https://blacklist.3coresec.net/lists/misc.txt
5-Hosts involved in HTTP brute-force and/or enumeration
https://blacklist.3coresec.net/lists/http.txt
Took the 4 lists once and hits are coming in. I also hope that later you can add your own lists via web interface.
Paul
Honey = All.
It makes no sense, to include the other ones.
Looks like @Pablo78 found my suggestions useful:
Here is another one:
a Phishing Database of Active IP’s: by MitcheKrogza
https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-IPs-ACTIVE.txt
Here is the readme and other lists
License: MIT License
Updated: hourly
Would it be useful to post a FULL DB in tar.gz
I think it contains Domains or Links.
would this still work with tar.gz
‘parser’ => ‘ip-or-net-list’,
let me know if you think it is useful.and I can submit a patch
Hello, old topic, but usefull
=> yes please add to the list (and perhaps allow us to have a section maintained by us to put a lot of more ?)
=> also perhaps you can put more (and at the end we choose through a list as you have done)
anyway thanks it is a great idea
Perhaps, Mitchell stopped supporting the IP-Active lists. about 6 months ago…?
He is still updating the Domains and Links lists so I think I will switch to a DNS based blocked for Phishing protection.
I also wonder if Gerd’s IP list is useful for IPFire IP blocklist:
Threat-intelligence-feeds:
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/ips/tif.txt
Gerd Hagezi’s lists seem to be well maintained in a lot of formats and became popular in last few months
including an an Unbound list which would work for IP Fire, I believe.
Any thoughts?
Might be worth a look here
Thinking about using additional lists
Is that a regional list?
I noticed a lot of .pl domain names
The idea to add own download URLs is a nice thing.
Same for URL Filter…
I manage my lists in “many” ~ 107 categories on DMZ at NAS;
for domains and IPs of different maintainers, either of who are no further active or reachable as ex. badips, shalla, fake domains, etc.
Other custom and reported … received spams and the phishing IPs URL domains.
Thanks Tim for that great job! Many positive hits were blocked and reported over the years.
By the way
Who think about adding blocklists, should either think about own managed.
Also it makes big sense to have (own) managed whitelist … for the case of false positive.
BR
Trash
Old screenshot of modification to Tims code:
I’m still clicking in boxes of the customize rulesets IPS
but bookmarking this topic as peer-block lists sounds great to add in.
Regards
G70P
https://www.iblocklist.com/lists
What is the screenshot from?
How is the URL filter working for URL’s that are using Https?
All phishing links now use https so I am not sure how to block these