Recommended blocklists for pfBlocker (pfSense)

It’s no secret that I am a big fan of pfSense. pfSense is a truly amazing product: it gives everyone access to a high-quality firewall for free. With the right packages and the right configuration, pfSense can secure your internet connection like any other UTM product on the market. One of the must-have packages is pfBlocker, but it is useless without a good set of blocklists.

pfBlocker is a package for pfSense that adds IP blocklist and country-blocking functions to a pfSense firewall or router. After installation pfBlocker does nothing on its own: you have to feed it blocklists so it knows which IP addresses are bad and should be blocked.

Here is a list of blocklists I recommend using.
Please note that while there is some overlap between these blocklists, I have chosen them because they complement each other. pfBlocker automatically removes duplicate entries when it processes the lists, so the overlap does not produce redundant firewall rules.
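
pfBlocker does this de-duplication for you, but it is worth seeing what “combining lists” actually involves, because the feeds below arrive in different text layouts (bare addresses, CIDRs with trailing comments, DShield-style start/end/netmask rows, AlienVault-style annotations) and a few of them are fetched over plain http. The following Python script is an added example, not part of the original post and not pfBlocker’s own code. It parses several feed layouts into networks, refuses entries that no sane blocklist should contain (RFC 1918 and other local space, or prefixes broader than /8; both limits are this example’s assumptions), collapses duplicates and contained networks, and reports which entries are covered by more than one feed. The feed snippets are constructed for illustration and only loosely imitate the real formats.

```python
"""Normalise and de-duplicate IP blocklist feeds before they become firewall rules.

Added example, not code from the original post and not pfBlocker's own code.
The feed snippets in SAMPLE_FEEDS are constructed and only loosely imitate the
layout of the feeds discussed (one address or CIDR per line, Spamhaus-style
';' comments, DShield-style start/end/prefixlen rows, AlienVault-style '#'
annotations). The overlap report and the sanity filter are this example's own.
"""
import ipaddress
import re
from collections import defaultdict

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
TOKEN_RE = re.compile(rf"\b({IPV4})(?:/(\d{{1,2}}))?\b")
# DShield-style row: "start end prefixlen ..." (assumption: columns as in the sample).
RANGE_RE = re.compile(rf"^({IPV4})\s+({IPV4})\s+(\d{{1,2}})\b")

# Sanity limits (assumptions for this example). A broken, poisoned or tampered
# feed must not be able to blackhole half the Internet or your own LAN; note
# that several feed URLs on the page are plain http://.
MIN_PREFIXLEN = 8
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def parse_feed(text):
    """Return the set of IPv4 networks named in one feed.

    Lines beginning with '#' or ';' are comments, trailing '#'/';' comments are
    stripped, and bare addresses become /32 networks. Tokens that are not valid
    IPv4 networks (octet > 255, prefix > 32) are skipped, not fatal.
    """
    nets = set()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = RANGE_RE.match(line)
        # A start/end/prefixlen row yields one network; otherwise every
        # address or CIDR token on the line is an entry of its own.
        candidates = [f"{m.group(1)}/{m.group(3)}"] if m else [
            f"{addr}/{plen or 32}" for addr, plen in TOKEN_RE.findall(line)]
        for cand in candidates:
            try:
                nets.add(ipaddress.ip_network(cand, strict=False))
            except ValueError:
                continue
    return nets


def sanity_filter(nets):
    """Drop entries no public blocklist should legitimately contain."""
    return {
        n for n in nets
        if n.prefixlen >= MIN_PREFIXLEN and not any(n.overlaps(r) for r in RESERVED)
    }


def merge_feeds(feeds):
    """feeds: {feed name: feed text}. Returns (collapsed networks, overlap report).

    The collapsed list is what actually has to go into the firewall alias:
    duplicates removed and contained networks merged into their supernet.
    The report maps every network covered by more than one feed (an identical
    entry, or a /32 inside another feed's /24) to the feeds covering it, so
    you can see whether a feed adds anything or merely repeats another one.
    """
    per_feed = {name: sanity_filter(parse_feed(text)) for name, text in feeds.items()}
    covered_by = defaultdict(set)
    for name, nets in per_feed.items():
        for net in nets:
            covered_by[net].add(name)
            for other, other_nets in per_feed.items():
                # O(n*m); real feeds with 10^5 entries want a prefix tree here.
                if other != name and any(net != o and net.subnet_of(o) for o in other_nets):
                    covered_by[net].add(other)
    collapsed = list(ipaddress.collapse_addresses(set().union(*per_feed.values())))
    overlaps = {str(n): sorted(names) for n, names in covered_by.items() if len(names) > 1}
    return collapsed, overlaps


# Constructed sample snippets using RFC 5737 documentation ranges.
SAMPLE_FEEDS = {
    "et_fwip": (
        "# one address or CIDR per line; Spamhaus DROP entries carry a ';' comment\n"
        "192.0.2.0/24\n"
        "198.51.100.7\n"
        "203.0.113.0/24 ; SBL999\n"
    ),
    "dshield": (
        "#\tStart\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
        "203.0.113.0\t203.0.113.255\t24\t2311\tExample Net\tXX\tabuse@example.net\n"
        "198.51.100.0\t198.51.100.255\t24\t1988\tExample Net 2\tXX\tabuse@example.org\n"
    ),
    "alienvault": (
        "198.51.100.7 # Malicious Host,XX,,0.0,0.0\n"
        "10.0.0.5 # Scanning Host,XX,,0.0,0.0\n"  # RFC 1918: must never be blocked
        "0.0.0.0/0 # broken or tampered entry: would block everything\n"
    ),
}

if __name__ == "__main__":
    collapsed, overlaps = merge_feeds(SAMPLE_FEEDS)
    print(f"{len(collapsed)} networks after de-duplication:")
    for net in collapsed:
        print(" ", net)
    for net, names in sorted(overlaps.items()):
        print(f"overlap: {net} is covered by {', '.join(names)}")
```

Run against the constructed feeds, the four raw entries that survive the sanity filter collapse to three networks, and the report shows that the single host 198.51.100.7 is already covered by the DShield /24, which is exactly the kind of overlap pfBlocker resolves silently. The sanity filter is the part worth keeping in mind when you add feeds of your own: a list fetched over http that suddenly contains 0.0.0.0/0 or your LAN range should be rejected, not installed.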

Blocklists:

ET fwip

What is it?

This is the combined firewall blocklist from Emerging Threats.
Emerging Threats is a collection point for a number of security projects, mostly related to intrusion detection and network traffic analysis. Their primary project is the Emerging Threats Snort ruleset, contributed and maintained by the security community. This is just one of many projects; you can get information about the others on their AllProjects page.

What does it contain?

This list combines several feeds. At the time of writing it contains the following:

Known malware C&C servers (Feodo, ZeuS, SpyEye and Palevo trackers).

Spamhaus DROP list:
The Spamhaus DROP (Don’t Route Or Peer) lists are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

DShield top 20 attackers:
DShield provides a platform for users of firewalls to share intrusion information. It is a free and open service.

Why should I use it?

This list covers the basics of what you should block: known bad addresses (malware C&C servers and hijacked netblocks) and the currently most active attacking subnets.

Where can I get it?

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

ET Compromised

What is it?

Emerging Threats (described above under ET fwip) also publishes a list of compromised hosts.
This blocklist is compiled from a number of sources. Its contents are hosts that are known to be compromised by bots, phishing sites, etc., or known to be spewing hostile traffic. These are not your everyday infected hosts sending a bit of spam; these are significantly infected and hostile hosts.

What does it contain?

This is a list of hosts that are known to be compromised. These addresses are a significant threat to your network.

Why should I use it?

The hosts on this list are compromised. There is no reason your network should be allowing traffic from and to these hosts.

Where can I get it?

https://rules.emergingthreats.net/blockrules/compromised-ips.txt

CI Army

What is it?

CI Army is a blocklist based on the CINS score of IP addresses, created by the company behind Sentinel IPS. Leveraging data from their network of Sentinel devices and other trusted InfoSec sources, CINS is an IP reputation database that provides an accurate and timely score for any IP address in the world.

What does it contain?

The CI Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that meet two basic criteria:

  1. The IP’s recent Rogue Packet score factor is very poor.
  2. The InfoSec community has not yet identified the IP as malicious.

The second factor is important: the list should not contain IPs that have already been placed on other reputation lists. It is meant to supplement the other lists in pfBlocker by providing IPs that have not been identified elsewhere yet.

Why should I use it?

In my tests, I have seen that 80% of all attacks on my firewalls are blocked by this blocklist. It’s a very comprehensive list of bad hosts. Because it’s based on “behavior” analysis, it blocks bad hosts in the first stages of the attack. Make sure you update this list regularly.

Where can I get it?

http://cinsscore.com/list/ci-badguys.txt

DShield

What is it?

DShield is a community-based collaborative firewall log correlation system. It receives logs from volunteers worldwide and uses them to analyze attack trends. It is the data collection engine behind the SANS Internet Storm Center (ISC). DShield was officially launched at the end of November 2000 by Johannes Ullrich. Since then, it has grown into a dominant attack correlation engine with worldwide coverage. DShield data is regularly used by researchers to analyze attack patterns.

The goal of the DShield project is to give the public access to its correlated information at no charge, to raise awareness and provide accurate and current snapshots of internet attacks. Several data feeds are provided to users to either include in their own websites or to use as an aid in analyzing events.

What does it contain?

This list summarizes the top 20 attacking class C (/24) subnets over the last three days. The number of ‘attacks’ indicates the number of targets reporting scans from this subnet.

Why should I use it?

DShield is a reliable way to block subnets that have been attacking other systems over the last three days. Because the entries are whole /24 subnets and the list changes every day, refresh it at least daily so that stale entries drop off and new attackers are picked up.

Where can I get it?

http://feeds.dshield.org/block.txt

Tor Nodes

What is it?

Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name, “The Onion Router”. Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Daniel Austin (dan.me.uk) publishes a full list of Tor nodes.

What does it contain?

This list contains all Tor nodes, i.e. every relay in the Tor network, not only the exit nodes. Only exit nodes will ever connect to your network from the Tor side; the non-exit relays matter for stopping your own hosts from entering the Tor network.

Why should you use it?

Ask yourself whether you want to allow connections from and to an anonymous network. With this blocklist you can block all traffic to and from Tor nodes: it stops your own hosts from reaching the Tor network (outbound connections to any relay) and stops hosts from connecting to your network through Tor (inbound connections from exit nodes).

In several recent malware campaigns the C&C servers are hosted inside the Tor network. To reach its C&C the malware first has to establish a connection to a Tor node. If that connection is blocked, the malware cannot reach its C&C, and some families then do nothing further, rendering them largely “harmless”.

In my opinion, someone using the Tor network shouldn’t be able to connect to your (company) network. Blocking Tor nodes increases security and also blocks spam coming from the Tor network. And personally, I don’t like it when something anonymous is connecting to my network.

Where can I get it?

https://www.dan.me.uk/torlist/

Note that dan.me.uk only allows the list to be fetched once every 30 minutes per source address; set the update interval in pfBlocker accordingly, or your requests will be refused.

Ransomware

What is it?

Ransomware is a real threat these days. Attackers exploit known and unknown vulnerabilities and use social engineering tactics like phishing to get their code onto your machines, encrypt your files and demand a ransom to get them back. Ransomware Tracker (run by abuse.ch) tracks and monitors the status of domain names, IP addresses and URLs associated with ransomware, such as botnet C&C servers, distribution sites and payment sites. This blocklist allows you to block traffic towards known ransomware infrastructure.

What does it contain?

This blocklist contains the IP addresses of ransomware botnet C&C servers and payment sites. It will not catch everything, but the false positive rate should be low. False positives are still possible: an IP address stays listed for 30 days after its last appearance, so it remains blocked for up to 30 days after the threat has been eliminated (e.g. after the VPS or server has been suspended by the hosting provider).

Why should I use it?

Blocking Ransomware is difficult and requires a multilayered approach. One of the obvious steps is to block connections from and to the infrastructure of known ransomware. This blocklist allows you to do exactly that.

Where can I get it?

https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

(abuse.ch has since discontinued Ransomware Tracker, so this feed is no longer updated; treat it as historical.)

Talos

What is it?

The Talos Security Intelligence and Research Group (Talos) is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detects, analyzes and protects against both known and emerging threats. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org and SpamCop.

What does it contain?

This list contains the IP addresses of hosts that have been identified as malicious by Talos.

Why should I use it?

Talos does a fantastic job of analyzing and identifying threats at an early stage. Using their blocklist you can take advantage of their research and block malicious hosts.

Where can I get it?

http://talosintel.com/feeds/ip-filter.blf

Alienvault

What is it?

AlienVault provides open access to a global community of threat researchers and security professionals. It now has more than 53,000 participants in 140 countries, who contribute over 10 million threat indicators daily. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.

What does it contain?

This list mainly contains the IP addresses of malicious hosts and spammers.

Why should I use it?

This list mainly contains (verified) malicious hosts. In my experience, the Alienvault list is updated very frequently and often includes the IP address of malicious hosts within the first hour of an attack.

Where can I get it?

https://reputation.alienvault.com/reputation.generic

Summary:

ET fwip
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
ET Compromised
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
CI Army
http://cinsscore.com/list/ci-badguys.txt
DShield
http://feeds.dshield.org/block.txt
Tor Nodes
https://www.dan.me.uk/torlist/
Ransomware Tracker
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
Talos
http://talosintel.com/feeds/ip-filter.blf
Alienvault
https://reputation.alienvault.com/reputation.generic