Integration with Q-Feeds for Real-Time Threat Intelligence

Hello,

I would like to suggest a possible feature that could further enhance the security capabilities of NethSecurity.

It would be very useful and interesting to integrate protection with Q-Feeds (qfeeds.com).
Q-Feeds is a real-time cyber threat intelligence service that delivers actionable data to help organizations protect themselves from phishing, malware, and other cyber threats.

Integrating these threat intelligence feeds could allow the firewall to automatically block malicious domains, IP addresses, or URLs updated in real time, improving network protection against emerging threats.

I believe this feature would be highly appreciated by NethSecurity users, especially in business environments or MSP scenarios where proactive protection is essential.

Thank you for the great work you are doing on the project.

It seems to be a one man show. I gave them a call, but the call was unanswered. Chamber of commerce confirms it is a single person entity, and the address is a normal residential address, a home.

Maybe this topic is spamm…

Hi,

this is not spam. I just shared a suggestion based on my personal experience.

I currently use the free version of Q-Feeds with OPNsense and Palo Alto firewalls, and in my experience it works well as a threat intelligence source. That’s why I thought it might also be a useful integration for NethSecurity.

I have no affiliation with the service; it was simply an idea or suggestion that the development team might evaluate.

That’s all

Where is it available please?

So not open source?

image850×1566 101 KB

His/Her HQ

image1498×1548 507 KB

CoC

image864×770 52.5 KB

The registration is simply required to access your personal console and generate your API key.

This key must then be configured on your firewall, which uses it to authenticate and automatically download the dynamic threat intelligence lists (IPs, domains, etc.) that are regularly updated.

So the registration is only needed to manage access and the API keys used by the firewall to retrieve the feeds.

Still strange, I called them again, no answer and the TAX number shows that Q-Feeds seems to be company number 53 of this idividual / Stefan Sprenkels.

BTW (Tax Nr): NL004770667B53

Any chance you have the URL to the source code of the community edition?

Noted.

Basically I don’t think it’s a good idea to use different feed block list tools as there could be conflicts.
NethSecurity/OpenWRT is not supported but q feeds installs when adapting the script.
DO NOT use this in production, it’s just for testing and there may be unwanted side effects.

Download the installer locally (not on NethSec)

git clone https://github.com/Q-Feeds/NFtables-IPtables-integration-script.git
cd NFtables-IPtables-integration-script
chmod +x qfeeds-*

Edit qfeeds-installer.sh and change the paths at line 28 and 29 from /usr/local/bin... to /usr/bin...

At line 122 comment out exit 1 like # exit 1

Upload the files via SCP to the firewall (192.168.0.1 in this example)

scp qfeeds-* root@192.168.0.1:~

Now on NethSecurity the install script should run and install q feeds.

./qfeeds-installer.sh

Hi Community,

To start, I’m affiliated with Q-Feeds.

Thanks to this thread, we discovered there was indeed an issue with our SIP trunk. Really appreciate you pointing that out. Feel free to try calling again!

Regarding the company research: yes, we are registered as a sole proprietorship. That’s just how the Dutch Chamber of Commerce structure works and doesn’t reflect the actual size of the team. For transparency, we’re currently working with a team of 5 people, mostly contractors.

Thanks as well for the suggestion to adapt the script. I’ll take a look today to see if we can auto-detect NethSecurity and possibly support it natively.

If you have any questions, feedback or concerns, feel free to ask. We’re happy to help.

Best regards,
David

Hi, and welcome to NethServer Community.

NethSecurity uses banip to block IPs. To avoid conflicts it would be nice if Q-feeds could work with banip, see also ns-threat_shield | NethSecurity

Thank you! Aah I see, guess we could do that but might be better to implement it in a separate script then. On the other hand I guess using the existing ns-threat_shield should work as well. We have this OpenAPI spec available to integrate it with just an URL. Should work for both domains and IPs: Swagger UI

I’m not fully familiar with NethServer but maybe you can confirm that adding custom URLs should work? example would look like this:

https://api.qfeeds.com/api.php?feed_type=malware_ip&api_token=XXXX

Thanks, it’s basically working in my test.

I added it to /etc/banip/banip.feeds:

        "qfeeds":{
                "url_4": "https://api.qfeeds.com/api.php?feed_type=malware_ip&api_token=tip_<SECRET_API_TOKEN>",
                "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
                "chain": "out",
                "descr": "q-feeds IP list"
        }

So it can be enabled in the UI:

image2606×1838 402 KB

And containing IPs are found:

image1092×726 49 KB

It doesn’t block the IPs yet, seems I’m still missing something…to be continued…

Looks good! Bit strange though that it doesn’t block Will try to find some time to setup a NethServer and go test this as well.

Great! I’m also going to continue the tests…

Just for info: NethServer is the application server, NethSecurity is the firewall based on OpenWRT.

EDIT:

I retested and now the blocking works. Maybe I was too impatient and it takes some time until the IPs are blocked…

Aah great! Glad it worked out!

Hi everyone,

I wanted to sincerely thank both the NethSecurity team (especially @mrmarkuz for the swift technical implementation) and the Q-Feeds team for their support and collaboration.

It’s truly exciting to see a community proposal turned into a live, working feature so quickly. The synergy between a robust firewall like NethSecurity and high-quality threat intelligence from Q-Feeds significantly elevates the security of our systems.

Great teamwork, keep it up

You’re more than welcome, and I couldn’t agree more!