Ipblocklist => adding a new section

mrelfire · 29 December 2022 13:24

Hello,
I have received an attacked on my server from an IP whivh I have found in a list
I try to add it to the ipblocklist by “just” adding a section inside the file “sources” :

             'MALWAREWORLD'    => { 'name'     => 'MalwareWorld',
                                    'url'      => 'https://www.malwareworld.com/textlists/suspiciousIPs.txt',
                                    'info'     => 'https://www.malwareworld.com',
                                    'parser'   => 'ip-or-net-list',
                                    'rate'     => '1h',
                                    'category' => 'reputation' },

but it can not load it and also make some errors at the loading through IPtable
Please
1/ is it possible to do this ?
2/ what is my mistake ?

thanks in advance for your help

EDIT: I’ve set the blocklist definition to preformated text, maybe it can be copied with the right apostrophes now. Bernhard

bonnietwin · 29 December 2022 15:12

Yes it is, see this post from the originator of the code.
https://community.ipfire.org/t/add-additional-sources-to-ipfire-blocklist-feature/8416/5

Not totally sure and not able to try and duplicate on my vm testbed at the moment, but if your entry was at the end of the sources list then you should not finish the line with a comma as in the line below.

If you put it after the ‘BLOCKLIST_DE’ list then you need to add a comma after the bracket at the end of the last line of that entry, just before where I presume you added your list.

'category' => 'attacker' }

If your list was added somewhere in the middle of the existing sources then you would need to show us the section involved plus some lines before and after the insertion.

mrelfire · 29 December 2022 15:28

thanks,
to answer I put it in the middle so this is why I have the “comma”
I have read the post to do this exercise, but something is weired:

it doesn’t download
I have an error in the “boot” with IPtable so I suspect I miss something else

bbitsch · 29 December 2022 21:30

Some more investigations show, that malwareworld.com responds with an ‘403 Forbidden’ answer.
Don’t know why this happens.

cbrown · 30 December 2022 01:20

Hi @bbitsch
How did you glean the ‘403 Forbidden’ return status information?

Edit: I have verified I can fetch https://malwareworld.com/textlists/suspiciousIPs.txt’ using wget and curl without any error.

mrelfire · 30 December 2022 06:25

I can download it through explorer so the txt seems good
But also I suspect “it is put” also as an exception in IPtable, if not I will not have an error at the loading when I managed to do once (before the upgrade yestderay to latest version of the core)

bbitsch · 30 December 2022 10:14

I’ve modified the code a bit. The download function just returns the status of the request also.
For a deeper inspection it would be necessary to look at other info returned by the Perl LWP::get function.