DaemonForums > OpenBSD > OpenBSD Security

#1  jggimi, 3rd June 2020
Using Spamhaus DROP lists on Internet-facing systems

In a thread about mail hosting, I'd written, in part:
Quote:
Originally Posted by jggimi
...I use their Don't Route or Peer (DROP) lists in PF on all internet-facing servers. My PF logs show constant probes from these "evil" netblocks....
The DROP lists consist of 3 text files that do not change frequently. They are served by BGP or by HTTP/HTTPS. Spamhaus.org requires refreshing them at a maximum of once per hour, and at minimum once per day. I use the following script, called by daily.local(5) for a once-per-day refresh. The 3 files are downloaded via HTTPS into a temporary directory, they are concatenated together, semicolons denoting comments are converted to pound signs for compatibility with PF, the combined file is stored in the /root directory, and the PF <spamhaus> table is updated.
Code:
#!/bin/sh
#
# this is normally run once per day via /etc/daily.local.
#
echo updating Spamhaus DROP lists:
TMPDIR=`mktemp -d` || exit 1
# Download the three lists, concatenate them, and turn Spamhaus'
# ';' comment marker into the '#' that pfctl(8) understands.
# The subshell exits non-zero if any download fails, so a partial
# list never replaces the current table.
( cd "$TMPDIR" || exit 1
ftp https://www.spamhaus.org/drop/drop.txt || exit 1
ftp https://www.spamhaus.org/drop/edrop.txt || exit 1
ftp https://www.spamhaus.org/drop/dropv6.txt || exit 1
cat drop.txt edrop.txt dropv6.txt | sed "s/;/#/" > /root/drop.txt
) || { rm -r "$TMPDIR"; exit 1; }
rm -r "$TMPDIR"
pfctl -t spamhaus -T replace -f /root/drop.txt
My pf.conf(5) files on my servers have the following rules included very early in each ruleset, typically immediately following the default block. On any boot, the most recently received and edited combined DROP lists are read from the file in the /root directory.

Code:
# Spamhaus DROP list:
table <spamhaus> persist file "/root/drop.txt"
block drop in log quick from <spamhaus>
#2  jggimi, 3rd June 2020
Yeah, I should probably move the file from /root to /var/db.
#3  e1-531g, 4th June 2020
Quote:
Originally Posted by jggimi
In a thread about mail hosting, I'd written, in part: [...] Spamhaus.org (https://www.spamhaus.org/drop/) requires refreshing them at a maximum of once per hour, and at minimum once per day.
Actually, even less frequently may be fine:

Quote:
Please DO NOT auto-fetch the DROP / EDROP list more than once per hour!

The DROP list changes quite slowly. There is no need to update cached data more than once per hour, in fact once per day is more than enough in most cases. Automated downloads must be at least one hour apart. Excessive downloads may result in your IP being firewalled from the Spamhaus website.
I used Firefox to view the DROP list, and the HTTP header says:
last-modified: Sun, 31 May 2020 15:45:06 GMT
For eDROP:
last-modified: Tue, 12 May 2020 10:42:24 GMT
DropV6 doesn't send that header, but the third line of the file says:
; Last-Modified: Thu, 30 Jan 2020 05:16:30 GMT

Anyway, I really like that OpenBSD's pf allows loading a table directly from a file. The closest you can get with Linux's ipset command is "ipset restore < file", but the file must include actual ipset commands instead of only CIDRs.
Last edited by e1-531g; 4th June 2020 at 12:10 PM. Reason: Remark about ipset

#4  jggimi, 4th June 2020

While I could call the script with weekly.local(5) as the lists don't change frequently, even hourly downloads are acceptable use to Spamhaus.

The pfctl(8) -T replace messages are informative. The cron output shows, as examples, "no changes." or "2 addresses added."


---


Edited to add: Spamhaus marks the lists with an expiration, and recommends once per day as the minimum refresh rate.

Last edited by jggimi; 4th June 2020 at 01:38 PM.
#5  e1-531g, 4th June 2020

Quote:
Originally Posted by jggimi
The pfctl(8) -T replace messages are informative. The cron output shows, as examples, "no changes." or "2 addresses added."
Another small thing that makes PF shine.
#6  e1-531g, 14th June 2020

A little suggestion for the script in post #1.
I have been experimenting with bash and wget lately, but I think this should work for the Korn shell and ftp too. Execute the ftp commands in a group. Instead of writing to three files, make them send output to stdout and pipe directly to sed:
Code:
#!/bin/sh
#
# this is normally run once per day via /etc/daily.local.
#
echo updating Spamhaus DROP lists:
# Run the three ftp(1) downloads as one command group, each writing
# its list to stdout (-o -).  The '&&' chain stops at the first
# failure, and the group's exit status is checked before anything is
# written, so a partial download never replaces the current table.
LISTS=$( { ftp -o - https://www.spamhaus.org/drop/drop.txt && \
           ftp -o - https://www.spamhaus.org/drop/edrop.txt && \
           ftp -o - https://www.spamhaus.org/drop/dropv6.txt ; \
         } 2>/dev/null ) || exit 1
# Convert Spamhaus' ';' comment marker to the '#' that pfctl(8) expects.
printf '%s\n' "$LISTS" | sed "s/;/#/" > /root/drop.txt
pfctl -t spamhaus -T replace -f /root/drop.txt
Last edited by e1-531g; 14th June 2020 at 10:48 AM. Reason: Changed script, because tmp is not needed
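The conversion step described in post #1 and reworked in post #6 hands pfctl(8) whatever the three downloads produced. The script below is an added example, not code from the thread or from Spamhaus: it performs the same ';' to '#' conversion, but validates every data line as an IPv4 or IPv6 prefix and refuses a result with fewer entries than expected, so a truncated download or an HTML error page can never replace the live <spamhaus> table. The function names (drop_to_pf, drop_entry_count, check_drop), the MIN_ENTRIES threshold, and the sample DROP text (documentation prefixes with made-up SBL numbers) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a pfctl(8) table file from
# Spamhaus DROP-format text and sanity-check it before it could replace
# the live <spamhaus> table.  drop_to_pf, drop_entry_count, check_drop,
# MIN_ENTRIES and the sample data below are hypothetical names/values.

# drop_to_pf: read DROP text on stdin, write a PF table file on stdout.
#   ';' comment lines become '#' comment lines, blank lines are dropped,
#   and a data line "<prefix> ; SBLnnn" is emitted as "<prefix> # SBLnnn".
#   Any data line whose first field is not a valid IPv4 or IPv6 CIDR
#   makes the function return 1, so the caller can keep the old table.
drop_to_pf() {
    awk '
    function ok_v4(p,  a, o, n, i) {
        n = split(p, a, "/")
        if (n != 2 || a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32) return 0
        n = split(a[1], o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    function ok_v6(p,  a, n) {
        n = split(p, a, "/")
        if (n != 2 || a[2] !~ /^[0-9]+$/ || a[2] + 0 > 128) return 0
        return (a[1] ~ /^[0-9a-fA-F:]+$/ && a[1] ~ /:/)
    }
    /^[[:space:]]*$/ { next }                 # skip blank lines
    /^;/             { sub(/^;/, "#"); print; next }   # comment line
    {
        if (!ok_v4($1) && !ok_v6($1)) {
            print "bad entry: " $0 > "/dev/stderr"; bad = 1; next
        }
        sub(/;/, "#"); print                  # keep the SBL reference as a comment
    }
    END { exit bad }
    '
}

# drop_entry_count: number of non-comment entries in a PF table file.
drop_entry_count() {
    awk '!/^#/ { n++ } END { print n + 0 }' "$1"
}

# check_drop: convert the downloaded lists in "$1" into the table file "$2".
#   The result is discarded when any line fails validation or when it
#   holds fewer than MIN_ENTRIES prefixes (a truncated download), so the
#   previous table file, and the table loaded from it, stay in place.
MIN_ENTRIES=${MIN_ENTRIES:-3}
check_drop() {
    tmp=$(mktemp) || return 1
    if ! drop_to_pf < "$1" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if [ "$(drop_entry_count "$tmp")" -lt "$MIN_ENTRIES" ]; then
        echo "only $(drop_entry_count "$tmp") entries, keeping old list" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$2"
}

# Constructed sample in DROP format (documentation prefixes, made-up SBL ids).
SAMPLE_DROP='; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Sun, 31 May 2020 15:45:06 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002

; Spamhaus IPv6 DROP List (constructed sample, not real data)
2001:db8::/32 ; SBL000003'

# The same sample with a junk line appended, as an HTML error page would give.
SAMPLE_BAD="$SAMPLE_DROP
<html>error</html>"

# Exercise both samples: the clean one converts, the junk one is rejected
# and the output file written from the clean one is left untouched.
demo() {
    in=$(mktemp); out=$(mktemp)
    printf '%s\n' "$SAMPLE_DROP" > "$in"
    check_drop "$in" "$out" && echo "good sample: $(drop_entry_count "$out") entries"
    printf '%s\n' "$SAMPLE_BAD" > "$in"
    check_drop "$in" "$out" || echo "bad sample rejected, previous file kept"
    rm -f "$in" "$out"
}
demo
```

In a daily.local(5) job the concatenated downloads would be passed to check_drop, and only on success would `pfctl -t spamhaus -T replace -f /var/db/drop.txt` run; on failure the file from the last good refresh is untouched and the table loaded from it at boot stays in force. pfctl itself refuses a file with an entry it cannot parse, so the validation mainly buys an explicit message in the cron mail plus the minimum-size guard against a short list.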
#7  jggimi, 14th June 2020

Yeah, that's another way to do it, thanks! (And I did move the file to /var/db/ on all my public-facing systems, after years in /root.)