You're very welcome. I personally run it daily and output it to a text file on my website. I have several clients running pfSense with pfBlockerNG; those consult that URL daily and add the addresses to the blocklist on the firewall.
I have also been thinking of implementing a botnet which outputs its hits to an exaBGP instance which serves all the border routers I own and maintain and adds those to the nullroute tables. But that one is still in the concept phase ;)
73,
Ruben - ON3RVH
-----Original Message-----
From: 44Net 44net-bounces+on3rvh=on3rvh.be@mailman.ampr.org On Behalf Of Brian Kantor
Sent: Friday 25 May 2018 10:52
To: AMPRNet working group 44net@mailman.ampr.org
Subject: Re: [44net] VPNFilter Router Malware
Thanks Ruben. I ran that and we already had something like 90% of those addresses in the blocking table. I added the rest. That may help a little. We'll have to run it periodically. - Brian
On Fri, May 25, 2018 at 08:31:55AM +0000, Ruben ON3RVH wrote:
Opt-out forms are indeed a gigantic waste of time; that's been proven a lot. For a list of Shodan IPs that is maintained, you can check out https://isc.sans.edu/api/threatlist/shodan?json , they update that list daily. The list is in JSON format; a simple script can translate that into a text file, like the line below:
--
curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'
--
Also check out https://isc.sans.edu/forums/diary/Using+Our+API+To+Adjust+iptables+Rules/231... for some info on how to incorporate that into iptables. A simple script can also be made for MikroTik, or you can use a central BGP router on Linux (like exabgp/quagga/frr/...) which sends those IPs to its peers, which can then blackhole the traffic from those IPs.
73,
Ruben - ON3RVH
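The conversion and firewall steps discussed in this thread (pull the ISC Shodan feed, turn it into a one-address-per-line text file for pfBlockerNG, and add only the entries the firewall does not already block, as Brian did with the "rest" of the list), as an added example that is not code from the thread or from ISC. It assumes only what the thread confirms about the feed: a JSON array of objects with an "ipv4" key. The other keys in the constructed sample, the zero-padded octets, the ipset name "shodan" and the RFC 1918/loopback safety filter are assumptions added here; the sample data is constructed so the script runs offline.

```python
#!/usr/bin/env python3
"""Turn the ISC SANS Shodan threat list (JSON) into a plain-text blocklist plus the
ipset/iptables commands for whatever is not yet in the firewall's blocking table.

Added example, not code from the thread. The only feed field the thread confirms
is "ipv4"; the other keys in the constructed sample are placeholders.
"""
import ipaddress
import json

# Constructed sample of what `curl -s https://isc.sans.edu/api/threatlist/shodan?json`
# might return. It deliberately includes a zero-padded address, a duplicate, an
# invalid entry and a record with no "ipv4" key so the parser's error handling runs.
SAMPLE_THREATLIST_JSON = """
[
  {"ipv4": "198.51.100.10",   "lastseen": "2018-05-24"},
  {"ipv4": "203.000.113.005", "lastseen": "2018-05-24"},
  {"ipv4": "198.51.100.10",   "lastseen": "2018-05-23"},
  {"ipv4": "not-an-address",  "lastseen": "2018-05-24"},
  {"lastseen": "2018-05-24"},
  {"ipv4": "192.0.2.77",      "lastseen": "2018-05-24"}
]
"""

# Ranges a feed must never be allowed to push into the block table: if a feed
# entry (or a typo) lands here you would cut off your own LAN or management path.
_NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def normalize_ipv4(text):
    """Return the canonical dotted quad for `text`, or None if it is unusable.

    Leading zeros ("001.002.003.004") are tolerated because some feeds pad octets;
    ipaddress rejects them as ambiguous, so each octet goes through int() first.
    """
    parts = str(text).strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(str(int(p)) for p in parts))
    except ValueError:
        return None
    if any(addr in net for net in _NEVER_BLOCK):
        return None
    return str(addr)


def parse_threatlist(raw_json):
    """Sorted, de-duplicated list of blockable IPv4 strings from the feed text."""
    try:
        records = json.loads(raw_json)
    except json.JSONDecodeError:
        return []
    if not isinstance(records, list):
        return []
    found = set()
    for rec in records:
        if isinstance(rec, dict):
            addr = normalize_ipv4(rec.get("ipv4", ""))
            if addr is not None:
                found.add(addr)
    return sorted(found, key=lambda a: int(ipaddress.IPv4Address(a)))


def new_entries(feed_ips, already_blocked):
    """Feed entries not yet in the firewall's table (the part that still needs adding)."""
    blocked = {normalize_ipv4(a) for a in already_blocked}
    return [ip for ip in feed_ips if ip not in blocked]


def ipset_commands(ips, setname="shodan"):
    """Shell lines that create/populate an ipset and hook it into INPUT (Linux iptables)."""
    lines = [
        f"ipset create {setname} hash:ip -exist",
        # -C only tests whether the rule exists, so re-running never duplicates it
        f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null || "
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    lines += [f"ipset add {setname} {ip} -exist" for ip in ips]
    return lines


def write_blocklist(ips, path):
    """One address per line: the text file a pfBlockerNG custom list can fetch by URL."""
    with open(path, "w") as fh:
        fh.write("\n".join(ips) + "\n")


if __name__ == "__main__":
    feed = parse_threatlist(SAMPLE_THREATLIST_JSON)
    # Constructed stand-in for `ipset list shodan` output on the firewall.
    existing = ["198.51.100.10", "203.000.113.005"]
    write_blocklist(feed, "shodan.txt")
    print("\n".join(ipset_commands(new_entries(feed, existing))))
```

In production the feed text comes from the curl call in the thread instead of the embedded sample, and the "existing" list from `ipset list` (or the pfSense alias table) so that a daily cron run only emits the additions, which is the periodic re-run Brian mentions.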
_________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net