Threat shield: DNS blacklist

The package has been released!

Anybody wants to give it a try @elleni @pike @pagaille @Carnyx @mrmarkuz @sharpec @capote? :slight_smile:

4 Likes

After a crash on production, I’ve retired the package to further inspect the problem.

The package is still available on testing and feedback is more than welcome!

1 Like

I tested on my Neth home gateway, it’s running since yesterday and it’s working as expected so far.

2 Likes

Released with some more fixes!

2 Likes

hi @giacomo, is it safe to install it on a nethserver enterprise?
should it break something with YOROI Threat Shield?

I would like to test it…

1 Like

Really nice work, folks. Thank you.

1 Like

Yes, it’s available since today :slight_smile:

Of course not, it’s the same package! :wink: You can then select the blacklist source between YOROI (if you have the subscription for it) or the community blacklist.

I get lots of internal IP addresses in the Threat Shield log. Is Threat Shield really only monitoring external traffic?

What is the sequence of the several plugins like IPS, Threat Shield and fail2ban? If IPS filters something, does it still get to fail2ban and Threat Shield? Which comes first?

It inspects all traffic. Search for blacklist inside iptables -nvL to see the positioning.
You see internal IPs inside the log as destination or source of the blocked packets. But the trigger for the block is the public IP inside the blacklist, not the internal one.

→ Threat shield (iptables) → IPS (suricata) → fail2ban (logs)

1 Like

Thanks for the explanation.

My configuration is

Internet <-> (public IP) provider router (NAT into the transfer net IP 192.168.xx.1) <-> (192.168.xx.2) NethServer (192.168.yy.2) <-> internal LAN (192.168.yy.0/24)

Is there a problem that for NethServer the “internet” begins at the internal transfer net 192.168.xx.1 and Threat Shield detects “forbidden” traffic from the unroutable net 192.168.xx.0 and creates log entries for that?

I updated the list in my own repo. More info here: Modified dns-community-blacklist to add more dns blacklist of several types

1 Like

How do I whitelist an address? Since my domain Registrar is blocked by this list.

There is no such function. If a domain is inside a list, you need to modify the list to remove it.

Too bad, it would have been a useful function. And without it, it is impossible to use these lists.

1 Like

Therefore, since

DNS blacklist is implemented as a DNS sinkhole and uses Pi-Hole FTLDNS

it makes more sense for me to use the original within a dedicated Pi-hole server within my LAN.

1 Like

The internal network is 192.168.42.0/24. If I check any address from this internal network, Threat Shield says it is blocked. Is this correct? Shouldn’t the internal addresses be excluded from blocking? Do I have to add the internal network to the whitelist (or at least the internal servers which have ports forwarded to them)?

The tool just searches the given IP inside the lists.
You should ask the maintainer of the lists why that CIDR is inside the geoblocklist :man_shrugging:

1 Like

@carsten I can’t reproduce your issue.
My test system has FireHOL Level 2 enabled in Threat shield and 192.168.42.3 is not blocked.
This is very strange, let’s check the date of the file:

[root@ns7-ent ~]# ls -l /usr/share/nethserver-blacklist/ipsets/firehol_level2.netset
-rw-r--r-- 1 root root 308610 Oct 22 21:41 /usr/share/nethserver-blacklist/ipsets/firehol_level2.netset

You can also look inside the file and search for 192.168.
To force download, press the Check for updates button in the dashboard.
To debug run: sh -x /usr/share/nethserver-blacklist/download ipsets

2 Likes
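To make the two replies above concrete (the lookup tool "just searches the given IP inside the lists", and the suggestion to look inside the downloaded .netset file for 192.168.), here is an added example that is not part of the thread or of the nethserver-blacklist package: a small bash script that checks whether an IPv4 address falls inside any CIDR entry of a FireHOL-style .netset file. The sample list it writes is constructed for the demonstration (it deliberately contains a private 192.168.42.0/24 entry to show what a hit looks like); on a real box you would point `netset_match` at a file such as /usr/share/nethserver-blacklist/ipsets/firehol_level2.netset instead.

```bash
#!/bin/bash
# Added example, not NethServer code: match an IPv4 address against the
# CIDR entries of a FireHOL-style .netset file (one "a.b.c.d" or
# "a.b.c.d/len" per line, '#' comment lines allowed).

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Usage: netset_match <ip> <netset-file>
# Prints every list entry that covers <ip>; exit status 0 if any entry matched,
# 1 if none did (so it can be used in an if/||).
netset_match() {
    local ip="$1" file="$2" hit=1 entry net bits ipn netn mask
    ipn=$(ip2int "$ip")
    while read -r entry _; do
        # Skip blank lines and the '#' header/comment lines FireHOL files carry.
        case "$entry" in ''|'#'*) continue ;; esac
        net=${entry%/*}
        if [ "$net" = "$entry" ]; then bits=32; else bits=${entry#*/}; fi
        netn=$(ip2int "$net")
        if [ "$bits" -eq 0 ]; then
            mask=0
        else
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        fi
        if [ $(( ipn & mask )) -eq $(( netn & mask )) ]; then
            echo "$entry"
            hit=0
        fi
    done < "$file"
    return $hit
}

# Write a CONSTRUCTED sample list to the given path. These entries are made up
# for the example; they are not taken from any real FireHOL download.
write_sample_netset() {
    printf '%s\n' \
        '# constructed sample netset (not real data)' \
        '5.188.10.0/23' \
        '45.227.253.0/24' \
        '198.51.100.7' \
        '192.168.42.0/24' > "$1"
}

# Stand-alone demo: reproduce the "internal address reported as blocked" case.
demo() {
    local f
    f=$(mktemp)
    write_sample_netset "$f"
    for ip in 192.168.42.3 5.188.11.7 198.51.100.7 8.8.8.8; do
        if netset_match "$ip" "$f" >/dev/null; then
            echo "$ip: BLOCKED by $(netset_match "$ip" "$f" | tr '\n' ' ')"
        else
            echo "$ip: not in list"
        fi
    done
    rm -f "$f"
}
demo
```

If a private address shows up as blocked, `netset_match 192.168.42.3 /usr/share/nethserver-blacklist/ipsets/<list>.netset` tells you exactly which entry is responsible; that entry, together with the file date from `ls -l`, is what the list maintainer would need to see. Note that the script only mirrors the list lookup, not the firewall: whether a packet is actually dropped still depends on where the blacklist rules sit in `iptables -nvL`, as the earlier reply explains.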