Alienvault and EDROP Blocklists are gone

Alienvault blocklist is confirmed dead since 2022

Suddenly, I have been seeing too many strange messages about EDROP


 ipblocklist:  <ERROR> Could not update SPAMHAUS_EDROP blocklist - Unexpected error! 
 ipblocklist:  <INFO> Skipping SPAMHAUS_EDROP blocklist - It has not been modified!

And I can confirm by looking at the SPAMHAUS_EDROP.conf file that there were no updates since 2024 April 09

This announcement also confirms my suspicion

From April 10th, 2024, Spamhaus eDROP (Extended Don’t Route Or Peer) data will be consolidated into the DROP lists, meaning eDROP will no longer be published separately. 

Another confirmation, newest EDROP file

; This list has been merged into https://www.spamhaus.org/drop/drop.txt
; Spamhaus EDROP List 2024/04/18 - (c) 2024 The Spamhaus Project
; https://www.spamhaus.org/drop/edrop.txt
; Last-Modified: Thu, 18 Apr 2024 13:00:14 GMT
; Expires: Fri, 19 Apr 2024 13:00:14 GMT
; EOF
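
An added example (not from the thread and not IPFire's own code): a Python check that recognises a retired list from the file contents, using the EDROP file quoted above as input. The function name, the 30-day staleness threshold and the second sample list are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Copied from the EDROP file quoted in the post above.
EDROP_TOMBSTONE = """\
; This list has been merged into https://www.spamhaus.org/drop/drop.txt
; Spamhaus EDROP List 2024/04/18 - (c) 2024 The Spamhaus Project
; https://www.spamhaus.org/drop/edrop.txt
; Last-Modified: Thu, 18 Apr 2024 13:00:14 GMT
; Expires: Fri, 19 Apr 2024 13:00:14 GMT
; EOF
"""

# Constructed sample of a live list (documentation ranges, made-up SBL ids).
LIVE_SAMPLE = """\
; Last-Modified: Thu, 18 Apr 2024 13:00:14 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
"""

def inspect_blocklist(text, now, max_age_days=30):
    """Classify a ';'-commented CIDR list as retired, empty, stale or ok."""
    networks, merged_into, last_modified = [], None, None
    for raw in text.splitlines():
        entry, _, comment = raw.partition(";")
        comment = comment.strip()
        if entry.strip():
            try:
                networks.append(ipaddress.ip_network(entry.strip(), strict=False))
            except ValueError:
                pass  # not a CIDR entry, ignore the line
            continue
        m = re.match(r"This list has been merged into (\S+)", comment)
        if m:
            merged_into = m.group(1)  # retirement notice names the successor list
        elif comment.startswith("Last-Modified:"):
            last_modified = parsedate_to_datetime(comment.split(":", 1)[1].strip())
    stale = last_modified and (now - last_modified).days > max_age_days
    status = ("retired" if merged_into else "empty" if not networks
              else "stale" if stale else "ok")
    return {"status": status, "entries": len(networks), "merged_into": merged_into}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, text in (("EDROP", EDROP_TOMBSTONE), ("sample", LIVE_SAMPLE)):
        print(name, inspect_blocklist(text, now))
```

A list that comes back as `retired` or `empty` is one to disable rather than keep polling.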

I am currently working on a patch to remove alienvault for cu186.

I will also add the removal of edrop to the patch.


Fantastic,

Perhaps you could consider adding these:

  1. **SSLBL Botnet C2 IP Blacklist (IPs only)**
    https://sslbl.abuse.ch/blacklist/sslipblacklist.txt

  2. 3CoreSec Blacklist - ALL -
    https://blacklist.3coresec.net/lists/all.txt

The "All" list could be fine-tuned with these lists, in case anyone is interested:

2a. 3CoreSec hosts involved in **SSH brute-force**
https://blacklist.3coresec.net/lists/ssh.txt

2b. Hosts involved in **mass scanning** and/or exploitation attempts
https://blacklist.3coresec.net/lists/misc.txt

2c. Hosts involved in **HTTP brute-force** and/or enumeration
https://blacklist.3coresec.net/lists/http.txt

@bonnietwin May I ask, when your patch is released, does it then show up in the pakfire list? Or how does one apply such a patch, please?

The patch set (it consists of three separate patches) has been merged into the IPFire git repository next branch. This means that the patch will be part of Core Update 186 when it is released.

https://git.ipfire.org/?p=ipfire-2.x.git;a=shortlog;h=refs/heads/next

You don’t have to do anything, it will be applied as part of the upgrade from CU185 to CU186.

@bonnietwin Ah I see, thank you so much, sir!

If you have enabled the “Hostile” filtering in the firewall options, you also do not need to additionally enable the “SPAMHAUS DROP” IP list, because the IPFire location database also includes the data from Spamhaus DROP.
