Search

Tuesday, April 4, 2017

pfSense pfBlockerNG: The Ultimate List of IP and DNSBL Blocklists for Home Internet Security Firewall and Gateway

Supratim Sanyal's Blog: pfSense Dashboard
pfSense Dashboard

The amazing pfSense Community Edition forms the first of my three-layer home internet security firewall and gateway. I have a dual-WAN setup with subscriptions to both Verizon FiOS and Comcast Xfinity, with the LAN side feeding into a Sophos UTM 9 which is further protected by ClearOS.

I run pfSense in a virtual machine. However, there are excellent dedicated firewall routers with pfSense preinstalled available that you can simply plug in between your WAN and LAN, like this one (includes my Amazon affiliate link):



I am a huge fan of blocklists and over the years settled down to a functional set of IP and DNSBL blocklists used with the wonderful pfBlockerNG package on my installation of pfSense Community open-source router firewall.

I have completely disabled IPv6; all of the following blocklists are for IPv4, and for DNSBL, domain names.

IP BLOCKLISTS


For the IP blocklists, the top-level blocklist groups are Level-1, Level-2, Level-3, Level-4 and SANYALnet.

Supratim Sanyal's Blog: pfBlockerNG on pfSense - top level IP (IPv4) blocklist groups
pfBlockerNG on pfSense - top level IP (IPv4) blocklist groups



Level-1 IP Blocklist

Level-1 Blocklist sources
pfBlockerNG Level-1 IP Blocklist sources
Incoming as well as outgoing connections from / to blocklisted IPs are blocked for these highest risk IP addresses. Of particular concern in modern times are the command-and-control (CNC) botnets particularly infecting digital security and surveillance systems, cameras, routers, televisions, DVD players and all sorts of devices making up the Internet of Things (IoT). The Level-1 IP BL is updated every hour, and the group members are:

  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
  • https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt (removed, no longer works)
  • https://rules.emergingthreats.net/blockrules/compromised-ips.txt
  • https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
  • http://www.abuseat.org/iotcc.txt
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cybercrime.ipset


Level-2 IP Blocklist

Supratim Sanyal's Blog: pfSense pfBlockerNG Level-2 IP Blocklist sources
pfBlockerNG Level-2 IP Blocklist sources
In addition to IoT C&C botnets, the other primary threat today is from Ransomware. I only have Firehol Level 2,  Ransomware Tracker IP blacklists from abuse.ch including CryptoWall, Locky, TeslaCrypt, TorrentLocker C&C and Payment, and Zeus tracker and ci badguys IP deny blocklists at my level 2, which is also configured to block all outgoing as well as incoming connections. Level 2 IP blocklists are updated every 2 hours.

  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
  • http://cinsscore.com/list/ci-badguys.txt
  • https://ransomwaretracker.abuse.ch/downloads/CW_PS_IPBL.txt
  • https://ransomwaretracker.abuse.ch/downloads/LY_PS_IPBL.txt
  • https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt (removed, no longer works)
  • https://ransomwaretracker.abuse.ch/downloads/TC_PS_IPBL.txt
  • https://ransomwaretracker.abuse.ch/downloads/TL_C2_IPBL.txt
  • https://ransomwaretracker.abuse.ch/downloads/TL_PS_IPBL.txt
  • https://zeustracker.abuse.ch/blocklist.php?download=badips


Level-3 IP Blocklist

Supratim Sanyal's Blog: pfSense pfBlockerNG Level-3 IP BL Blocklist sources
pfBlockerNG Level-3 IP Blocklist sources

IP addresses in my level 3 blocklist are denied on the incoming side only, i.e. I allow connections initiated from inside my home LAN out to these IPs to go through. The level 3 IP blacklist addresses are updated every 4 hours. The sources are:

  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
  • http://danger.rulez.sk/projects/bruteforceblocker/blist.php
  • http://www.openbl.org/lists/base_7days.txt
  • https://lists.blocklist.de/lists/all.txt
  • http://malc0de.com/bl/IP_Blacklist.txt
  • https://feodotracker.abuse.ch/blocklist/?download=ipblocklist




Level-4 IP Blocklist

Supratim Sanyal's Blog: pfSense pfBlockerNG Level-3 IP Blocklist sources
pfBlockerNG Level-4 IP Blocklist sources


There are only a couple of blacklist sources for my level 4, including Firehol Level 4, and Malware Domain List IP addresses the equivalent domains of which are also included in my list of DNSBL lists separately. Level 4 is configured to block inbound connections only and updated every 8 hours.
  • https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset
  • http://www.malwaredomainlist.com/hostslist/ip.txt



SANYALnet IP Blocklist

Supratim Sanyal's Blog: pfSense pfBlockerNG SANYALnet IP Blocklist sources
pfBlockerNG SANYALnet IP Blocklist sources

The SANYALnet group is a collection of blocklists I maintain myself based on the brute force attacks and intrusion attempts logged by my own servers. This group is updated every hour to minimize on-going attacks. Please note: these are my own servers hosted on a super-cheap VPS service and up-times are not the best :)
  • http://sanyalnet-cloud-vps.freeddns.org/blocklist.txt [status]
  • http://sanyalnet-cloud-vps.freeddns.org/mirai-ips.txt [status]
  • http://sanyalnet-cloud-vps2.freeddns.org/blocklist.txt [status]
  • http://microvax3100-80.duckdns.org/blocklist.txt (experimental) [status]

pfBlockerNG DNSBL Feeds

Supratim Sanyal's Blog: pfBlockerNG DNSBL Feeds DNS Groups
pfBlockerNG DNSBL Feeds DNS Groups
In addition to IP blocklists, I also extensively use pfBlockerNG's domain name blocklisting feature with publicly available domain blocklists.

The DNSBL configuration redirects domain name lookups for blocked domains to my own  "httpd410server" DNS sinkhole.

I have grouped the DNSBL feeds into three groups.


Zero-day Threat Domain Blocklist Group

Supratim Sanyal's Blog: pfBlockerNG DNSBL Zero-Day Threat Domain Blocklist
pfBlockerNG DNSBL Zero-Day Threat Domain Blocklist
I use the OpenPhish blocklist to block out emerging zero-day phishing and spear-phishing domains. Following advice from the pfSense forum, I use the "FLEX" as the State to retrieve feeds over https in cases where the usual "ON" state fails to retrieve them citing a peculiar curl error "SSL certificate problem: unable to get local issuer certificate" on pfSense. The feeds in this group are updated every hour.

  • https://openphish.com/feed.txt



General Domain Blocklist Group

pfBlockerNG DNSBL General Domain Blocklist Group

This group contains a collection of malware, ransomware, adware, spyware, tracker and generally undesirable domain blocklists updated once every day. This includes advertising services, thus making my pfSense firewall an effective ad blocker for all devices on my entire home network.

I turned the Eladkarako and Immortal Long Lived Malware Domains blocklists off because they were too generic and were blocking too many websites used by folks in my home. If you wish, you can turn them on for a more secure DNSBL at the cost of filtering out some websites that are otherwise useful.

  • https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
  • http://www.malware-domains.com/files/justdomains.zip
  • https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
  • https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
  • https://isc.sans.edu/feeds/suspiciousdomains_High.txt
  • https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
  • http://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
  • http://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  • http://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
  • http://raw.githubusercontent.com/quidsup/notrack/master/trackers.txt
  • Use with care: http://raw.githubusercontent.com/eladkarako/hosts.eladkarako.com/master/_raw__hosts.txt
  • Use with care: http://mirror1.malwaredomains.com/files/immortal_domains.txt



Hosts File Format Blocklists

Supratim Sanyal's Blog: pfBlockerNG DNSBL General hosts File Format Blocklist Group
pfBlockerNG DNSBL General hosts File Format Blocklist Group
This group contains another long list of advertising domains, malware, ransomware, adware, spyware, tracker and generally undesirable domain blocklists updated daily. I like to keep blocklists formatted like the /etc/hosts file in a separate group.

  • https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts
  • http://avant.it-mate.co.uk/dl/Tools/hpHosts/HOSTS.zip
  • https://adaway.org/hosts.txt
  • https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&startdate%5Bday%5D=&startdate%5Bmonth%5D=&startdate%5Byear%5D=&mimetype=plaintext
  • http://someonewhocares.org/hosts/hosts
  • http://sysctl.org/cameleon/hosts
  • http://winhelp2002.mvps.org/hosts.txt
  • http://www.malekal.com/HOSTS_filtre/HOSTS.txt
  • http://www.malwaredomainlist.com/hostslist/hosts.txt
  • https://zeustracker.abuse.ch/blocklist.php?download=hostfile
  • http://www.hostsfile.org/Downloads/hosts.txt
  • http://www.securemecca.com/Downloads/hosts.txt
  • http://hosts-file.net/exp.txt
  • http://hosts-file.net/ad_servers.txt
  • http://hosts-file.net/emd.txt
  • http://hosts-file.net/hjk.txt
  • http://hosts-file.net/fsa.txt
  • http://hosts-file.net/grm.txt
  • http://hosts-file.net/psh.txt
  • http://hosts-file.net/mmt.txt
  • http://hosts-file.net/hfs.txt
  • http://hosts-file.net/pha.txt
  • http://hosts-file.net/wrz.txt
  • http://raw.githubusercontent.com/michaeltrimm/hosts-blocking/master/_hosts.txt


pfBlockerNG DNSBL Custom Domain Whitelist

Supratim Sanyal's Blog: pfSense pfBlockerNG DNSBL Custom Domain Whitelist
pfSense pfBlockerNG DNSBL Custom Domain Whitelist


Sometimes a domain blocklist included in pfSense pfBlockerNG DNSBL configuration will block URLs that you find useful and want to visit. Instead of digging through the logs to figure out which list is blocking your desired domain and disabling the entire list, you can simply add the domains that should not be blocked in the nifty Custom Domain Whitelist feature included as part of the DNSBL configuration.

Consolidated IP and DNSBL Blocklists

I make consolidated IP address and Domain Name blocklists available for free public use from my VPS at the following links; feel free to use them.

pfSense pfBlockerNG in Action

With the pfBlockerNG setup for IP and DNS Blocklists described above, I do see domains and IPs blocked all the time - here is a typical example of pfBlockerNG's "Alert" screen that shows the last 25 IP addresses and domains blocked at the time of writing:

Supratim Sanyal's Blog: pfSense pfBlockerNG Active Blocked IP Addresses and Domains
pfSense pfBlockerNG Active Blocked IP Addresses and Domains


A pfBlockerNG force reload log looks like this:




Hope you find this useful and please share the IP and domain blocklists you have found and use in comments below.




No comments:

Post a Comment

"SEO" link builders: move on, your spam link will not get posted.

Note: Only a member of this blog may post a comment.

Recommended Products from Amazon