Https://github.com/firehol/blocklist-ipsets is a bit dead

saitobenkei · April 21, 2023, 9:04am

It seems that GitHub - firehol/blocklist-ipsets: ipsets dynamically updated with firehol's update-ipsets.sh script has been about a month since the site has been updated so the ip blocking lists used in threat shield are becoming increasingly ineffective.
Ideas, alternatives?

LayLow · April 22, 2023, 5:56am

I guess you are not the only one with this question:

github.com/firehol/blocklist-ipsets

BlackHole IP list

opened 06:25AM - 21 Apr 23 UTC

BlackHoleMonster

Hello :) as these lists wasnt updated 1 month, i want you offer our IP lists. … "IP blacklist that uses multiple sensors to identify network attacks (e.g. SSH brute force) and spam incidents. All reports are evaluated and in case of too many incidents the responsible IP holder is informed to solve the problem." https://ip.blackhole.monster/ https://github.com/BlackHoleMonster/IP-BlackHole/ ``` 🚫 ALL IPs: https://ip.blackhole.monster/blackhole 🚫 TODAY IPs: https://ip.blackhole.monster/blackhole-today 🚫 15-DAYS IPs: https://ip.blackhole.monster/blackhole-15days 🚫 30-DAYS IPs: https://ip.blackhole.monster/blackhole-30days ```

FIB_Denmark · April 22, 2023, 10:45am

True. On the other hand FireHOL IP Lists | IP Blacklists | IP Blocklists | IP Reputation looks alive!?

LayLow · April 22, 2023, 10:56am

Hi @FIB_Denmark and welcome!

That raises the question with me how to validate the trustworthiness of such lists and all related measures.

Just food for thought.

dnutan · April 22, 2023, 11:27am

saitobenkei · May 2, 2023, 3:36pm

That list is not uploaded to Nethsecurity.
If you put the link in the threat shield, you get a warning that it’s not a valid git repository.

spiridon · May 10, 2023, 6:10pm

Lists are updated at iplists.firehol.org
You can fetch them individually by
iplists.firehol.org/files/firehol_level1.netset
or any filename.
Otherwise
Install firehol-tools.
Run update-scripts (–enable-all)

saitobenkei · May 10, 2023, 6:32pm

I would say that script and the site you point me to has major management problems: a lot of lists fail or are outdated, so I wouldn’t rely on it much.

On top of that, Nethserver’s Threat Shield only works with a git repository, from what I can see.

So I ended up making my own gir repo, with some lists updating themselves by taking them from various sources, formatting them properly, and cleaning them up from the private ip classes they many times contain.

spiridon · May 10, 2023, 7:16pm

Most of these lists fail because their original maintainers either stopped the updates or moved on paid services. So in my case I just check the file’s date, find the newly added IPs and that’s all.

Sorry, I never saw that it was related to Nethserver.

Great work! I’m doing similar work on OSINT feeds, specifically on IPs. Do you plan to make your work public?

geekguy · August 1, 2023, 11:46am

This is really sad, I was very reliant on this feature. Any chance we can have the downloads come directly from the firehol website or someone find a new attacker IP complete feed to incorporate into the threatshield feature?

saitobenkei · August 1, 2023, 12:52pm

There are two forks of blocklist-ipsets that are currently maintained, but they do not manage the full lists (partly because many of the original lists either didn’t work or were no longer maintained or publicly accessible).

The lists of the two forks are updated quite frequently but are maintained amateurishly so they are taken “as is” without having to claim anything.

Please put an appreciation on the two repositories (click on the “star” button at the top right of the fork page )

geekguy · August 7, 2023, 10:07pm

This rocks, thanks so much!