Addition of Spamhaus extended DROP (EDROP) list

Post Reply
terryr
Junior Member
Posts: 17
Joined: 19 Apr 2011, 14:37

Addition of Spamhaus extended DROP (EDROP) list

Post by terryr »

Hi,

On June 12, 2012, Spamhaus added an extended DROP (EDROP) list to be used along with the DROP list. The EDROP list is located here - http://www.spamhaus.org/drop/edrop.txt. Information about the list is here - http://www.spamhaus.org/drop/.

Currently the list has 12 entries.

Thanks for your consideration.

Terry
smuxbr
Junior Member
Posts: 4
Joined: 18 Sep 2011, 15:56

Re: Addition of Spamhaus extended DROP (EDROP) list

Post by smuxbr »

Hi Terryr,

I created an unofficial patch to your request. Can you be try this patch into your csf 5.59.

Code: Select all

--- csf.conf-ok 2012-07-10 23:22:36.000000000 -0300
+++ csf.conf-spamhause  2012-07-16 15:49:16.000000000 -0300
@@ -185,7 +185,7 @@
 # SMTP_BLOCK is only applied if port 25 is included in TCP6_OUT
 #
 # Not supported:
-# DYNDNS, CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, LF_DSHIELD, LF_SPAMHAUS,
+# DYNDNS, CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, LF_DSHIELD, LF_SPAMHAUS, LF_SPAMHAUS_E
 # SYNFLOOD, PORTFLOOD, DYNDNS, ICMP_IN, ICMP_OUT, LF_NETBLOCK, MESSENGER,
 # CC_IGNORE, CONNLIMIT
 #
@@ -544,6 +544,18 @@
 # is in the same format as the drop list
 LF_SPAMHAUS_URL = "h t t p : / / www . spamhaus . org/drop/drop.lasso"

+# Enable IP range blocking using the Spamhaus Extended DROP List at
+# http:// www . spamhaus . org/drop/edrop.txt
+# To enable this feature, set the following to the interval in seconds that you
+# want the block list updated. The list is reasonably static during the length
+# of a day, so it would be appropriate to only update once every 24 hours, so
+# a value of "86400" is recommended
+LF_SPAMHAUS_E = "86400"
+
+# The Spamhaus Extended DROP List URL. If you change this to something else be sure it
+# is in the same format as the drop list
+LF_SPAMHAUS_E_URL = "h t t p : / / www . spamhaus . org/drop/edrop.txt"
+
 # Enable IP range blocking using the BOGON List at
 # http://www . cymru . com/Bogons/
 # To enable this feature, set the following to the interval in seconds that you


--- csf. pl-ok   2012-03-31 13:03:25.000000000 -0300
+++ csf. pl-spamhause    2012-07-16 15:52:13.000000000 -0300
@@ -457,11 +457,12 @@

        if ($config{LF_DSHIELD}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N DSHIELD")}
        if ($config{LF_SPAMHAUS}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N SPAMHAUS")}
+       if ($config{LF_SPAMHAUS_E}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N SPAMHAUS_E")}
        if ($config{LF_BOGON}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N BOGON")}
        if ($config{CC_ALLOW_FILTER}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CC_ALLOWF")}
        if ($config{CC_ALLOW}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CC_ALLOW")}
        if ($config{CC_DENY}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CC_DENY")}
-       if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N BLOCKDROP")}
+       if (($config{LF_SPAMHAUS} or $config{LF_SPAMHAUS_E} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N BLOCKDROP")}
        if (($config{CC_DENY} or $config{CC_ALLOW_FILTER}) and $config{DROP_IP_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N CCDROP")}
        if ($config{GLOBAL_ALLOW}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N GALLOWIN")}
        if ($config{GLOBAL_ALLOW}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -N GALLOWOUT")}
@@ -522,12 +523,12 @@
                        &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOGDROPIN -p icmpv6 -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *ICMP6IN Blocked* '");
                        &syscommand(__LINE__,"$config{IP6TABLES} $verbose -A LOGDROPOUT -p icmpv6 -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *ICMP6OUT Blocked* '");
                }
-               if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *BLOCK_LIST* '");}
+               if (($config{LF_SPAMHAUS} or $config{LF_SPAMHAUS_E} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *BLOCK_LIST* '");}
                if (($config{CC_DENY} or $config{CC_ALLOW_FILTER}) and $config{DROP_IP_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A CCDROP -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *CC_DENY* '");}
                if ($config{PORTFLOOD}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A PORTFLOOD -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *Port Flood* '");}
        }
        if ($config{CONNLIMIT} and $config{CONNLIMIT_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A CONNLIMIT -m limit --limit 30/m --limit-burst 5 -j $logmodule 'Firewall: *ConnLimit* '");}
-       if (($config{LF_SPAMHAUS} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -j $config{DROP}");}
+       if (($config{LF_SPAMHAUS} or $config{LF_SPAMHAUS_E} or $config{LF_DSHIELD} or $config{LF_BOGON}) and ($config{DROP_IP_LOGGING})) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A BLOCKDROP -j $config{DROP}");}
        if (($config{CC_DENY} or $config{CC_ALLOW_FILTER}) and $config{DROP_IP_LOGGING}) {&syscommand(__LINE__,"$config{IPTABLES} $verbose -A CCDROP -j $config{DROP}");}
        &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROPIN -j $config{DROP}");
        &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOGDROPOUT -j $config{DROP}");
@@ -1364,6 +1365,25 @@
                &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALINPUT $ethdevin -j SPAMHAUS");
        }

+       if ($config{LF_SPAMHAUS_E}) {
+               if (-e "/etc/csf/csf.spamhaus_e") {
+                       my $drop = $config{DROP};
+                       if ($config{DROP_IP_LOGGING}) {$drop = "BLOCKDROP"}
+                       open (IN, "</etc/csf/csf.spamhaus_e") or &error(__LINE__,"Could not open /etc/csf/csf.spamhaus_e: $!");
+                       flock (IN, LOCK_SH) or &error(__LINE__,"Could not lock /etc/csf/csf.spamhaus_e: $!");
+                       my @spamhaus_e = <IN>;
+                       close (IN) or &error(__LINE__,"Could not close /etc/csf/csf.spamhaus_e: $!");
+                       chomp @spamhaus_e;
+                       foreach my $line (@spamhaus_e) {
+                               my ($ip,$comment) = split (/\s/,$line,2);
+                               if (&checkip($ip)) {
+                                       &syscommand(__LINE__,"$config{IPTABLES} $verbose -I SPAMHAUS_E -s $ip -j $drop");
+                               }
+                       }
+               }
+               &syscommand(__LINE__,"$config{IPTABLES} $verbose -A LOCALINPUT $ethdevin -j SPAMHAUS_E");
+       }
+
        $config{CC_DENY} =~ s/\s//g;
        if ($config{CC_DENY}) {
                foreach my $cc (split(/\,/,$config{CC_DENY})) {
@@ -2918,6 +2938,7 @@
                my @chains = ("INPUT","LOCALINPUT","LOGDROPIN");
                if ($config{LF_DSHIELD}) {push @chains,"DSHIELD"}
                if ($config{LF_SPAMHAUS}) {push @chains,"SPAMHAUS"}
+               if ($config{LF_SPAMHAUS_E}) {push @chains,"SPAMHAUS_E"}
                if ($config{LF_BOGON}) {push @chains,"BOGON"}
                if ($config{PACKET_FILTER}) {push @chains,"INVALID","INVDROP"}
                if ($config{CC_ALLOW_FILTER}) {push @chains,"CC_ALLOWF"}


--- lfd. pl-orig 2012-07-09 13:15:53.000000000 -0300
+++ lfd. pl-spamahause   2012-07-16 15:57:03.000000000 -0300
@@ -27,7 +27,7 @@
      $count, %config, %logfiles, $childpid, $childcnt, %logintimeout, $cidr,
         %loginproto, $cttimeout, %ips, %ifaces, $scriptline, @cidrs, %pskip,
         %scripts, $scripttimeout, %blockedips, $pttimeout, %skip, $csftimeout,
-        $dshieldtimeout, $spamhaustimeout, $dirwatchtimeout, @suspicious,
+        $dshieldtimeout, $spamhaustimeout, $spamhaus_e_timeout, $dirwatchtimeout, @suspicious,
         %skipfile, %sfile, %nofiles, @matchfile, $toomanymatches, $pidino,
         %dirwatchfile, $dirwatchfiletimeout, %skipuser, $globaltimeout,
         %skipscript, %ports, $smtptimeout, $dyndnstimeout, @lfsize, $hostshort,
@@ -458,6 +458,15 @@
        &spamhaus;
        $spamhaustimeout = 0;
 }
+if ($config{LF_SPAMHAUS_E}) {
+       &logfile("SPAMHAUS_E Tracking...");
+       if ($config{LF_SPAMHAUS_E} < 3600) {
+               &logfile("LF_SPAMHAUS_E refresh increased to 3600 to prevent blacklisting (csf.conf setting: $config{LF_SPAMHAUS_E})");
+               $config{LF_SPAMHAUS_E} = 3600;
+       }
+       &spamhaus_e;
+       $spamhaus_e_timeout = 0;
+}
 if ($config{CC_DENY} or $config{CC_ALLOW} or $config{CC_ALLOW_FILTER} or $config{CC_IGNORE}) {
        &logfile("Country Code Filters...");
        &countrycode;
@@ -1182,6 +1191,14 @@
                }
        }

+       if ($config{LF_SPAMHAUS_E}) {
+               $spamhaus_e_timeout+=$duration;
+               if ($spamhaus_e_timeout >= $config{LF_SPAMHAUS_E}) {
+                       $spamhaus_e_timeout = 0;
+                       &spamhaus_e;
+               }
+       }
+
        if ($config{CC_DENY} or $config{CC_ALLOW} or $config{CC_ALLOW_FILTER} or $config{CC_IGNORE}) {
                $cctimeout+=$duration;
                if ($cctimeout >= 3600) {
@@ -3879,6 +3896,81 @@
 }
 # end spamhaus
 ###############################################################################
+# start spamhaus_e
+sub spamhaus_e {
+       my $getlist = 0;
+       if (-e "/etc/csf/csf.spamhaus_e") {
+               my $mtime = (stat("/etc/csf/csf.spamhaus_e"))[9];
+               my $listtime = (time - $mtime);
+               if ($listtime >= $config{LF_SPAMHAUS_E}) {$getlist = 1}
+       } else {$getlist = 1}
+
+       if ($getlist) {
+               unless ($config{OLD_REAPER}) {$SIG{CHLD} = 'IGNORE';}
+               unless (defined ($childpid = fork)) {
+                       &cleanup(__LINE__,"*Error* cannot fork: $!");
+               }
+               unless ($childpid) {
+                       my $timer = time;
+                       if ($config{DEBUG} >= 3) {$timer = &timer("start","spamhaus_e",$timer)}
+                       $0 = "lfd - retrieving spamhaus_e blocklist";
+
+                       my $lockstr = "LF_SPAMHAUS_E";
+                       sysopen (THISLOCK, "/etc/csf/lock/$lockstr.lock", O_RDWR | O_CREAT) or &childcleanup("*Error* Unable to open /etc/csf/lock/$lockstr.lock");
+                       flock (THISLOCK, LOCK_EX | LOCK_NB) or &childcleanup("*Lock Error* [$lockstr] still active - section skipped");
+
+                       my ($status, $text) = &urlget($config{LF_SPAMHAUS_E_URL});
+                       if ($status) {
+                               &logfile("SPAMHAUS_E: Unable to retrieve spamhaus_e block list - $text");
+                               exit;
+                       }
+
+                       if (&csflock) {&lockfail("LF_SPAMHAUS_E")}
+                       &logfile("SPAMHAUS_E - retrieved and blocking IP address ranges");
+                       my $drop = $config{DROP};
+                       if ($config{DROP_IP_LOGGING}) {$drop = "BLOCKDROP"}
+
+                       if ($config{SAFECHAINUPDATE}) {
+                               &syscommand(__LINE__,"$config{IPTABLES} -N NEWSPAMHAUS_E");
+                       } else {
+                               &syscommand(__LINE__,"$config{IPTABLES} -F SPAMHAUS_E");
+                       }
+                       sysopen (SPAMHAUS_E, "/etc/csf/csf.spamhaus_e", O_WRONLY | O_CREAT) or &childcleanup(__LINE__,"*Error* Cannot open out file: $!");
+                       flock (SPAMHAUS_E, LOCK_EX);
+                       seek (SPAMHAUS_E, 0, 0);
+                       truncate (SPAMHAUS_E, 0);
+                       foreach my $line (split (/\n/,$text)) {
+                               if ($line =~ /^\#/) {next}
+                               if ($line =~ /^([\d\.\/]+)\s+/) {
+                                       my $iprange = $1;
+                                       if ($iprange) {
+                                               print SPAMHAUS_E "$iprange\n";
+                                               if ($config{SAFECHAINUPDATE}) {
+                                                       &syscommand(__LINE__,"$config{IPTABLES} -I NEWSPAMHAUS_E -s $iprange -j $drop");
+                                               } else {
+                                                       &syscommand(__LINE__,"$config{IPTABLES} -I SPAMHAUS_E -s $iprange -j $drop");
+                                               }
+                                       }
+                               }
+                       }
+                       close (SPAMHAUS_E);
+                       if ($config{SAFECHAINUPDATE}) {
+                               &syscommand(__LINE__,"$config{IPTABLES} -A LOCALINPUT $ethdevin -j NEWSPAMHAUS_E");
+                               &syscommand(__LINE__,"$config{IPTABLES} -D LOCALINPUT $ethdevin -j SPAMHAUS_E");
+                               &syscommand(__LINE__,"$config{IPTABLES} -F SPAMHAUS_E");
+                               &syscommand(__LINE__,"$config{IPTABLES} -X SPAMHAUS_E");
+                               &syscommand(__LINE__,"$config{IPTABLES} -E NEWSPAMHAUS_E SPAMHAUS_E");
+                       }
+
+                       close (THISLOCK);
+                       if ($config{DEBUG} >= 3) {$timer = &timer("stop","spamhaus_e",$timer)}
+                       $0 = "lfd - child closing";
+                       exit;
+               }
+       }
+}
+# end spamhaus_e
+###############################################################################
 # start countrycode
 sub countrycode {
        my $force = shift;
Cheers,
terryr
Junior Member
Posts: 17
Joined: 19 Apr 2011, 14:37

Re: Addition of Spamhaus extended DROP (EDROP) list

Post by terryr »

My apologies for not responding sooner. Was on vacation.

Applied the patch and restarted CSF and LFD. All seems to be working fine.

Output from CSF restart with regards to Spamhaus EDROP:
SPAMHAUS_E all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0
DROP all opt -- in * out * 0.0.0.0/8 -> 0.0.0.0/0
DROP all opt -- in * out * 10.0.0.0/8 -> 0.0.0.0/0
DROP all opt -- in * out * 100.64.0.0/10 -> 0.0.0.0/0
DROP all opt -- in * out * 127.0.0.0/8 -> 0.0.0.0/0
DROP all opt -- in * out * 169.254.0.0/16 -> 0.0.0.0/0
DROP all opt -- in * out * 172.16.0.0/12 -> 0.0.0.0/0
DROP all opt -- in * out * 192.0.0.0/24 -> 0.0.0.0/0
DROP all opt -- in * out * 192.0.2.0/24 -> 0.0.0.0/0
DROP all opt -- in * out * 192.168.0.0/16 -> 0.0.0.0/0
DROP all opt -- in * out * 198.18.0.0/15 -> 0.0.0.0/0
DROP all opt -- in * out * 198.51.100.0/24 -> 0.0.0.0/0
DROP all opt -- in * out * 203.0.113.0/24 -> 0.0.0.0/0
DROP all opt -- in * out * 224.0.0.0/3 -> 0.0.0.0/0

Thanks so much for your help.

Terry
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: Addition of Spamhaus extended DROP (EDROP) list

Post by chirpy »

A variation on this will be included in the next csf release.
terryr
Junior Member
Posts: 17
Joined: 19 Apr 2011, 14:37

Re: Addition of Spamhaus extended DROP (EDROP) list

Post by terryr »

Great. Thanks.

Terry
ForumAdmin
Moderator
Posts: 1502
Joined: 01 Oct 2008, 09:24

Re: Addition of Spamhaus extended DROP (EDROP) list

Post by ForumAdmin »

Support for this was added to v5.60:
http://blog.configserver.com/index.php?itemid=667
Post Reply