Massive IP import to be added in black list


#1

Hi everyone,
is there a way to “bulk” (automatically) import a list of IPs to be blacklisted, instead of having to add an IP or a subnet by hand?

The alternative is to implement it by myself, at the moment, I don’t see anything other than creating a bash script that simulates the use of the graphical interface.

Also, I can’t figure out where to keep the list of addresses placed in the blacklist.

Thank you all


(Lorne Gaetz) #2
# fwconsole firewall add blacklist 5.5.5.5 3.3.3.3
Attempting to add '5.5.5.5' to Blacklist ... Success!
Attempting to add '3.3.3.3' to Blacklist ... Success!
# fwconsole firewall list blacklist
All blacklisted entries.
        3.3.3.3
        5.5.5.5

you may have to restart firewall for the blocks to be active.


(Itzik) #3

Seems like you could use something like API Ban

https://community.freepbx.org/t/integrating-apiban-org-with-freepbx/69422?u=pitzkey


(Dave Burgess) #4

If you decide to do the “fwconsole firewall” method, you can write a script that loops through your data file and adds them one at a time in the loop, followed by a ‘fwconsole firewall restart’ command at the end. This could be a simple five line script, looping on a text file of IP addresses.

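A script along the lines Dave describes, added here as an example (it is not code from this thread or from FreePBX). It assumes one IPv4 address or CIDR per line in the input file, that `fwconsole firewall add blacklist` accepts several addresses per call as in Lorne's output above, and the `fwconsole firewall restart` command as named; the `FWCONSOLE` and `BATCH` variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from this thread or FreePBX): bulk-load a text file of IPv4
# addresses/CIDRs (one per line, '#' comments and blank lines ignored) into the
# FreePBX firewall blacklist, several per fwconsole call, then restart once.
set -eu
FWCONSOLE="${FWCONSOLE:-fwconsole}"   # override for a dry run, e.g. FWCONSOLE=echo
BATCH="${BATCH:-50}"                  # addresses per fwconsole call (assumed batch size)
# Return 0 if $1 is an IPv4 address or IPv4 CIDR (a.b.c.d or a.b.c.d/nn), else 1.
valid_entry() {
  e="$1"
  case "$e" in ''|*[!0-9./]*|*/*/*) return 1;; esac    # digits, dots, at most one '/'
  ip="${e%%/*}"
  case "$e" in */*) mask="${e#*/}";; *) mask=32;; esac
  case "$mask" in ''|*[!0-9]*|???*) return 1;; esac     # prefix length: 1-2 digits
  [ "$mask" -le 32 ] || return 1
  case "$ip" in ''|.*|*.|*..*) return 1;; esac          # no empty octets
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"       # split into octets
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ????*) return 1;; esac                 # octet: at most 3 digits
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Add every valid entry of file $1 to the blacklist, $BATCH per call, then restart
# the firewall once. Malformed lines are reported on stderr and skipped rather
# than aborting the run. Prints the number of entries added.
import_blacklist() {
  added=0; batch=""; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                              # drop trailing comment
    line="$(printf '%s' "$line" | tr -d ' \t\r')"   # and whitespace / CR
    [ -n "$line" ] || continue
    if ! valid_entry "$line"; then
      printf 'skipping malformed entry: %s\n' "$line" >&2
      continue
    fi
    batch="$batch $line"; n=$((n + 1)); added=$((added + 1))
    if [ "$n" -ge "$BATCH" ]; then
      $FWCONSOLE firewall add blacklist $batch
      batch=""; n=0
    fi
  done < "$1"
  [ -z "$batch" ] || $FWCONSOLE firewall add blacklist $batch
  [ "$added" -eq 0 ] || $FWCONSOLE firewall restart
  echo "$added"
}
[ "$#" -eq 0 ] || import_blacklist "$1"   # no argument: only define the functions
```

Saved as, say, bulk-blacklist.sh, run it as `sh bulk-blacklist.sh /path/to/ips.txt`; set `FWCONSOLE=echo` first to see the commands without touching the firewall.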

#5

A lot depends on what @codabat means by “massive.”

If we’re talking hundreds of IPs, then @lgaetz’s method is acceptable. If thousands of IPs, then a custom rule using ipset would be best.


#6

IMO blacklists are useless for nearly all systems. All they do is block most random attacks from automated tools that scan every IPv4 address on the internet. An easier way to block all random attacks from these tools is to set up your system so it only responds to requests for your domain name.

But what is important to realize is that blacklists offer no protection against an attack targeting your system specifically, because the attacker knows to use a host that is not blacklisted. Unfortunately, filtering by domain name is also ineffective against a targeted attack.

A reasonably effective defense requires whitelists, VPNs, client certificates or similar methods that only allow access to those specifically authorized. And, if sufficiently skilled or well funded, the attacker will succeed anyway.


#7

Depends on what you expect them to do. I drop blacklists and geoblocking immediately and silently. Not so much for security - but for log and load management. No need to waste cycles for more nuanced security measures for known bad traffic.


#8

I agree with you, but in my scenario, it’s not possible to use a VPN.
I’m conscious that total protection is “fantasy”. I have in my system some scripts that monitor the log and detect any suspicious access. For each of them, I retrieve the whole subnet and I add it to the firewall.
The scripts monitor the log with high frequency. Thanks a lot for your interesting consideration.


#9

Thanks a lot I will do a script following your suggestions.
Thanks again!


#10

Hi,
thank you!


#11

Hi @lgaetz,
I have some scripts in my system that monitor the registry and detect any suspicious logins. For each of them, I recover the entire subnet and add it to the firewall. The list of networks is added in a file. I’ll go through the file and use the commands you gave me to add unwanted networks to the firewall.
The scripts monitor the registry very frequently.
Thank you very much for your help.