Open Source Threat Intelligence and pf(4)
I came up with the idea to utilize Open Source Threat Feeds, or OSINT on my private setup and quickly cooked up the shell script below in a rough, first try. The funny thing is that I more or less instantantly got hits from the 5346 IP addresses in the table:
@0 block drop log quick from <pf_osint:5346> to any
[ Evaluations: 502 Packets: 20 Bytes: 800 States: 0 ]
[ Inserted: uid 0 pid 68515 State Creations: 0 ]
🧐. The script is currently designed to run every 3 hours and to remove all IP addresses which had been added to the table after a day. I am not too happy about some of the parts right now, first of all: I’d like to seperate download and parsing out to a non-privileged process and feed one large junk of data to pfctl(8).
This will give me the flexibility to replace the table with the new values so I can act fast not only on additions but also on deletions from the list. No need to keep out somebody longer than neccessary.
Not sure on how to attack the first part. A shell script would be easier and faster to create. Privsep could be handled by doas for the part needing higher privileges and allow me to handle everything in a single script.
But as a start I am going to keep the script as is and see how it’s going to work out for me. So without further ado, here’s the script:
printf "zeustracker.abuse.ch badips "
ftp -VMo- https://zeustracker.abuse.ch/blocklist.php?download=badips | \
egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
pfctl -t pf_osint -T add -f -
printf "feodotracker.abuse.ch ipblocklist "
ftp -VMo- https://feodotracker.abuse.ch/blocklist/?download=ipblocklist | \
egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
pfctl -t pf_osint -T add -f -
printf "ransomwaretracker.abuse.ch "
ftp -VMo- https://ransomwaretracker.abuse.ch/feeds/csv/ | \
egrep -o '([1-9]{1,3}\.){3}[1-9]{1,3}[^/"]*' | \
tr '|' '\n' | sort | uniq | \
egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
pfctl -t pf_osint -T add -f -
printf "autoshun.org "
ftp -VMo- 'https://www.autoshun.org/download/?api_key=0&format=csv' | \
cut -f1 -d',' | \
egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
pfctl -t pf_osint -T add -f -
printf "isc.sans.edu sources/attacks/ "
ftp -VMo- https://isc.sans.edu/api/sources/attacks/250/$(date '+%Y-%m-%d')/ | \
xmllint --format - | \
grep '<ip>' | \
egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | \
pfctl -t pf_osint -T add -f -
printf "expire entries that are older than 24hrs "
pfctl -t pf_osint -T expire 86400
Caveat: You need an API key for autoshun.org, so simply copy&pasting the above will not work. To get a key they want an E-Mail address, name and surname.
--EOF