Emotet is back again

They should be there (but they aren’t) when using the firehol blocklists, but currently the URLs are wrong and the contents of the abuse.ch-related files are empty.
There are some open bugs on the firehol issue tracker, but it seems to be an unresolved problem from some time ago:

3 Likes

At the link @capote posted, the IPs are in a text file:

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

Aren’t we able to create our own blacklist and import this one with a cron job?

An additional question: where can I find the blocklists of Threat Shield?

1 Like

Stored under /usr/share/nethserver-blacklist/ipsets/, if I’m not mistaken.

No, you aren’t. Thanks for the answer.
I’ve done some testing: activating Feodo as a category and adding IP addresses manually to feodo.ipset works after restarting shorewall, until the next renewal of the file. In the feodo.ipset file there is a comment:

# List source URL : https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
but the address of the list is

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

Now I’m searching for the configuration file to set the right download address for the list.
@giacomo Can you help?

1 Like

You need to have those IPs inside the git repository. You can hope Firehol will fix it or create a new git repository, see nethserver-blacklist — NethServer 7 documentation

1 Like

Thanks for your answer.
I’ve also seen I’ve gotten a system mail with a fetch error:

Cron root@groupware sleep $(( ( RANDOM % 60 ) )); /usr/share/nethserver-blacklist/download ipsets

[ERROR] Can’t update blacklist repository: fetch failed

Now I tried to install my own git repository, but the installation described in the documentation doesn’t work for me, because the ius repository is not found.
I did the following steps:

yum install -y https://github.com/firehol/packages/releases/download/2020-02-18-0552/firehol-3.1.6-12.el7.noarch.rpm https://github.com/firehol/packages/releases/download/2020-02-18-0552/iprange-1.0.4-2.el7.x86_64.rpm unzip https://centos7.iuscommunity.org/ius-release.rpm

This step works fine.

yum install -y git216-core --enablerepo=ius

This gives the following error:

Error getting repository data for ius, repository not found
[root@project ~]# Error getting repository data for ius, repository not found

Does somebody have an idea?

The ius repo seems to have changed:

yum install https://repo.ius.io/ius-release-el7.rpm

git216-core isn’t available anymore but git224-core is provided:

yum install -y git224-core --enablerepo=ius

2 Likes

Thanks Markus,
this works, and I have made a pull request for the documentation.

3 Likes

I got an error:

yum install -y git224-core --enablerepo=ius

Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

it doesn’t help:

You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

You already installed git so it conflicts with git224-core. Please remove it and try again:

yum remove git

1 Like

Yes, that works, but it removed Threat Shield completely. I reinstalled and all is fine.
Thank you!

You can’t install the git repository and Threat Shield on the same server.

2 Likes

:thinking:

Hi again,
I’ve set up the git server now and updated the ipset, but on my own server, too, I’m not able to find out how to get feodo updates from the right file. Can somebody help?

The wrong list URL is in the update script /usr/sbin/update-ipsets.

I updated firehol and iprange to check if a newer version works; I don’t know if this is really needed.

yum install https://github.com/firehol/packages/releases/download/2021-01-01-1948/firehol-3.1.7-11.el7.noarch.rpm https://github.com/firehol/packages/releases/download/2021-01-01-1948/iprange-1.0.4-2.el7.x86_64.rpm

Edit /usr/sbin/update-ipsets line 5103 to the right URL:

"https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt" \

After downloading the feodo ipset with

/usr/sbin/update-ipsets -s -i -r run feodo

the file /var/www/html/git/ipsets/feodo.source has the correct IP addresses instead of the HTML content from the wrong download and /var/www/html/git/ipsets/feodo.setinfo shows 369 unique IPs.

EDIT:

There’s already a PR correcting the feodo URL, so future versions of firehol will include it:

3 Likes
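The check described above (feodo.source holding IP addresses rather than the HTML returned by the wrong URL) can be automated before a list is published. This is an added example, not part of the original posts and not firehol or NethServer code; the function names and the sample files are constructed for illustration, and it handles IPv4 entries only.

```shell
# Added example: sanity-check a downloaded blocklist before publishing it,
# so an HTML or error page never silently replaces the IP set.

# Print the number of unique IPv4 entries (optional /prefix) in file $1.
# Comments, blank lines and CRs are ignored; exit status 1 if any other
# line is not a valid entry.
count_valid_ips() {
    tr -d '\r' < "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($0, p, "/")
            if (n > 2 || (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32))) { bad = 1; next }
            if (split(p[1], o, ".") != 4) { bad = 1; next }
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { bad = 1; next }
            if (!seen[$0]++) count++
        }
        END { print count + 0; exit (bad ? 1 : 0) }'
}

# Return 0 only if file $1 is a clean list with at least $2 entries (default 1).
validate_blocklist() {
    vb_min=${2:-1}
    if ! vb_count=$(count_valid_ips "$1"); then
        echo "REJECT $1: non-IP lines found (HTML or error page?)" >&2
        return 1
    fi
    if [ "$vb_count" -lt "$vb_min" ]; then
        echo "REJECT $1: $vb_count entries, expected at least $vb_min" >&2
        return 1
    fi
    echo "OK $1: $vb_count unique entries"
}

# Constructed samples using documentation-range addresses, not real indicators.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.txt" <<'EOF'
# constructed sample in the style of a plain-text IP blocklist
192.0.2.10
198.51.100.7
203.0.113.0/24
192.0.2.10
EOF
cat > "$SAMPLE_DIR/html.txt" <<'EOF'
<!DOCTYPE html>
<html><head><title>Moved</title></head><body>not a list</body></html>
EOF
validate_blocklist "$SAMPLE_DIR/good.txt"
validate_blocklist "$SAMPLE_DIR/html.txt" || echo "html.txt would not be imported"
```

On the setup from this thread it would be pointed at /var/www/html/git/ipsets/feodo.source after update-ipsets has run; a minimum entry count as second argument also catches a list that downloads correctly but comes back empty.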

Thanks Markus,

the new firehol version is not needed, it also works with the old version.

Am I right that I have to create a virtual host in addition to what the doc says? If so, it should be part of the docs too.

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-blacklist.html#setup-a-blacklist-server

1 Like

I think a virtualhost isn’t needed, the correct url should be like

https://yourserver.domain.org/git/ipsets

1 Like

Thanks again, this works fine,
I tried before, but I had forgotten /ipsets.

Something else is wrong in the documentation: the cron job only works with the full path to update-ipsets.

cat << EOF >> /etc/cron.d/update-ipsets
*/19 * * * * root /usr/sbin/update-ipsets
EOF

I’ll do a pull request for it.

2 Likes

Not really, I got some update errors: Can't update blacklist repository: fetch failed
I repeated the steps:

# yum autoremove nethserver-blacklist
--> Running transaction check
---> Package nethserver-blacklist.noarch 0:1.2.5-1.ns7 will be erased
--> Finished Dependency Resolution
--> Finding unneeded leftover dependencies
---> Marking git224 to be removed - no longer needed by nethserver-blacklist
---> Marking pihole-ftl to be removed - no longer needed by nethserver-blacklist
---> Marking git224-perl-Git to be removed - no longer needed by git224
---> Marking libsecret to be removed - no longer needed by git224
---> Marking git224-core-doc to be removed - no longer needed by git224
---> Marking perl-Error to be removed - no longer needed by git224-perl-Git
Found and removing 6 unneeded dependencies
--> Running transaction check
---> Package git224.x86_64 0:2.24.4-1.el7.ius will be erased
---> Package git224-core-doc.noarch 0:2.24.4-1.el7.ius will be erased
---> Package git224-perl-Git.noarch 0:2.24.4-1.el7.ius will be erased
---> Package libsecret.x86_64 0:0.18.6-1.el7 will be erased
---> Package perl-Error.noarch 1:0.17020-2.el7 will be erased
---> Package pihole-ftl.x86_64 0:5.0-3.ns7 will be erased
--> Finished Dependency Resolution
# rm -rf /usr/share/nethserver-blacklist/
# yum install nethserver-blacklist
 --> Processing Conflict: git224-core-2.24.4-1.el7.ius.x86_64 conflicts git-core < 2.24.4-1.el7.ius
# yum remove git
No Match for argument: git
No Packages marked for removal

Now there is a paradoxical situation:
I can no longer install Threat Shield because of a git conflict.
But I also cannot remove Git anymore.

Additionally, I removed git224-core.

Now I can reinstall Threat Shield.

1 Like