Very welcome
I personally run it daily and output it to a text file on my website.
I have several clients running pfSense with pfBlockerNG and those consult that URL daily
and add them to the blocklist on the firewall.
Also been thinking of implementing a botnet which outputs its hits to an exaBGP
instance which serves all the border routers I own and maintain and adds those to the
nullroute tables. But that one is still in concept phase ;)
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Brian
Kantor
Sent: Friday 25 May 2018 10:52
To: AMPRNet working group <44net(a)mailman.ampr.org>
Subject: Re: [44net] VPNFilter Router Malware
Thanks Ruben. I ran that and we already had something like 90% of those addresses in the
blocking table. I added the rest.
That may help a little. We'll have to run it periodically.
- Brian
On Fri, May 25, 2018 at 08:31:55AM +0000, Ruben ON3RVH wrote:
Opt-out forms are indeed a gigantic waste of time.
That's been proven a lot.
For a list of Shodan IPs that is maintained, you can check out
https://isc.sans.edu/api/threatlist/shodan?json , they update that
list daily. The list is in json format, a simple script can translate
that into a text file, like the below line
--
curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'
--
Also check out
https://isc.sans.edu/forums/diary/Using+Our+API+To+Adjust+iptables+Rules/23… for some
info on how to incorporate that into iptables.
A simple script can also be made for mikrotik, or you can use a
central BGP router on linux (like exabgp/quagga/frr/...) which sends
those IPs to its peers which can then blackhole that traffic from
those IPs
73,
Ruben - ON3RVH
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
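The feed-to-blocklist step discussed in this thread, as an added example that is not code from the thread or from ISC: it parses the same JSON shape the jq pipeline above reads (an array of objects with an "ipv4" field; the sample data here is constructed), drops malformed rows, duplicates and addresses that must never be null-routed (bogons plus your own prefix, assumed here to be 44.0.0.0/8), and emits both the plain-text list pfBlockerNG fetches and exaBGP blackhole announcements for the border routers (exaBGP command syntax and the 192.0.2.1 discard next-hop are assumptions).

```python
import ipaddress
import json

# Constructed sample in the shape the jq pipeline expects: a JSON array of
# objects carrying an "ipv4" field (any other ISC fields are omitted).
SAMPLE_FEED = json.dumps([
    {"ipv4": "203.0.113.5"},
    {"ipv4": "198.51.100.77"},
    {"ipv4": "203.0.113.5"},       # duplicate
    {"ipv4": "44.10.20.30"},       # inside our own prefix: never blackhole
    {"ipv4": "not-an-address"},    # malformed row
    {"ipv4": "10.1.2.3"},          # RFC 1918: a bad feed entry, must not reach routers
])

# Prefixes that are never null-routed no matter what the feed says.
# 44.0.0.0/8 stands in for "our own network" (assumption for this example).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "44.0.0.0/8",
)]


def parse_feed(json_text, never_block=NEVER_BLOCK):
    """Return a sorted, de-duplicated list of IPv4 strings safe to blackhole."""
    keep = set()
    for entry in json.loads(json_text):
        try:
            addr = ipaddress.IPv4Address(entry.get("ipv4", ""))
        except (ipaddress.AddressValueError, AttributeError):
            continue  # skip malformed rows rather than abort the daily run
        if any(addr in net for net in never_block):
            continue  # a poisoned feed must not take down our own ranges
        keep.add(addr)
    return [str(a) for a in sorted(keep)]


def to_blocklist_text(ips):
    """One address per line: the plain-text format pfBlockerNG fetches from a URL."""
    return "\n".join(ips) + "\n"


def to_exabgp_announces(ips, next_hop):
    """exaBGP API lines pushing /32 routes tagged with the RFC 7999 BLACKHOLE
    community (65535:666); next_hop is a discard address on the routers."""
    return [f"announce route {ip}/32 next-hop {next_hop} community [65535:666]"
            for ip in ips]


if __name__ == "__main__":
    ips = parse_feed(SAMPLE_FEED)
    print(to_blocklist_text(ips), end="")
    print("\n".join(to_exabgp_announces(ips, "192.0.2.1")))
```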