know-how:blacklists, revision 2024/02/26 10:31 (current), by cc (previous revision: 2023/04/25 11:05)
====== Blacklists ======
===== WEB =====

^Operator^License^Format^Download^Notes^
|fabriziosalmi - https://get.domainsblacklists.com/|GPL|Domains|https://get.domainsblacklists.com/blacklist.txt|Aggregates various available blacklists|
|https://cert.pl/|unknown|Various formats|e.g. domains: https://hole.cert.pl/domains/domains.txt|-|
|https://oisd.nl/|unknown|Various formats|e.g. https://big.oisd.nl/domainswild2|Aggregates various lists|
|https://github.com/RPiList/specials/blob/master/Blocklisten.md|unknown|Domains|e.g. domains: https://raw.githubusercontent.com/RPiList/specials/master/Blocklisten/malware|Various lists and categories|
|https://kadantiscam.netlify.app/|Creative Commons|Hosts file|https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt|-|
|https://www.abuseipdb.com/contact|https://www.abuseipdb.com/pricing|API|<code>curl -s -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=95 -d plaintext -H "Key: API_KEY" -H "Accept: text/plain" > /tmp/abuseipdb-ips.acl</code>|-|
|https://urlhaus.abuse.ch/|unknown|URLs|<code>wget --quiet --timeout=5 --tries=2 https://urlhaus.abuse.ch/downloads/text/ -O /tmp/abuse.ch-urls-malicious</code>|-|
|https://urlhaus.abuse.ch/|unknown|Domains|<code>wget --quiet --timeout=5 --tries=2 https://urlhaus.abuse.ch/downloads/hostfile/ -O /tmp/abuse.ch-domains-malicious</code>|pihole compatible|
|https://abuse.ch|unknown|Domains/Hosts|<code>wget -q --timeout=15 https://threatfox.abuse.ch/downloads/hostfile/ -O /tmp/threatfox.acl && grep -v '^#' /tmp/threatfox.acl | awk '{print $2}' | sort | uniq > /usr/local/etc/blacklists/threatfox.acl</code>|pihole compatible|
|https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist|MIT License|Hostname/Domain|<code>wget --quiet --timeout=5 --tries=2 https://hosts.ubuntu101.co.za/domains.list -O /tmp/mitchellkrogza-domain.acl</code>|Caution: >16 MB in size / the most diverse categories thrown together|
|https://www.malwarepatrol.net/|commercial|Various|-|-|
|https://otx.alienvault.com/api|free for private use|API|-|-|
|https://bambenekconsulting.com/|commercial/researcher|CSV|-|-|
|malsilo.gitlab.io|unknown|URLs|<code>wget --quiet --timeout=15 --tries=2 https://malsilo.gitlab.io/feeds/dumps/url_list.txt -O /tmp/malsilo_urls.acl && cut -d"," -f 3 /tmp/malsilo_urls.acl | grep -o -P "(https://|http://).*/" | cut -d/ -f 3 | sort | uniq | grep -v -P "([0-9]{1,3}\.){3}[0-9]{1,3}" | cut -d ":" -f 1 > /tmp/malsilo_urls-clean.acl</code>|FIXME still active?|
|https://www.joewein.net|free for private use|domains/hostnames|<code>wget --quiet --timeout=15 --tries=2 https://www.joewein.net/dl/bl/dom-bl.txt -O /tmp/joewein-bl.acl && cut -d";" -f 1 /tmp/joewein-bl.acl > /tmp/joewein-bl-clean.acl</code>|FIXME still active?|
|http://netlab.360.com/|commercial|domains|<code>wget --quiet "https://data.netlab.360.com/feeds/dga/dga.txt" -O /tmp/netlab360-dga.acl && grep '^[^#]' /tmp/netlab360-dga.acl | awk '{ print $2 }' > /tmp/netlab360-dga-clean.acl</code>|Switched to paid|
|https://www.misp-project.org/feeds/|unknown|various|-|EU-funded, various feeds|
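The hostfile rows above (threatfox, urlhaus) are all cleaned with the same awk/sort/uniq idea, with the IPv4 filter from the malsilo row bolted on. The following is an added example, not a command from the wiki page: one POSIX shell function that does that normalisation in a single place and additionally rejects lines that are not syntactically valid hostnames, so a malformed feed line cannot become a garbage ACL entry. The feed content is a constructed sample so it runs offline; the file name under /tmp is an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki page): normalise a hosts-file style feed,
# as served by the threatfox / urlhaus hostfile downloads, into one hostname
# per line. Input below is a constructed sample, so this runs offline.

# Constructed sample in hosts-file format: "<ip> <hostname>" plus comments,
# a duplicate, mixed case, a bare IPv4 literal and an invalid name.
SAMPLE_FEED='# threatfox.abuse.ch hostfile (constructed sample)
127.0.0.1 evil.example
127.0.0.1 Bad.Example.NET
127.0.0.1 192.0.2.10
127.0.0.1 evil.example
# trailing comment
127.0.0.1 not_a_domain!
0.0.0.0 tracker.example.org'

# hosts_to_acl: read hosts-file lines on stdin, print unique lower-case
# hostnames on stdout. Drops comment lines, bare IPv4 literals (the regex
# alone would accept "192.0.2.10" as labels) and anything that is not a
# valid hostname (labels of letters/digits/hyphens, 1-63 chars, at least
# one dot).
hosts_to_acl() {
    grep -v '^[[:space:]]*#' \
    | awk 'NF >= 2 { print tolower($2) }' \
    | grep -v -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$' \
    | sort -u
}

# Number of unique hostnames the sample yields (used as a self-check).
acl_count() {
    printf '%s\n' "$SAMPLE_FEED" | hosts_to_acl | wc -l | tr -d ' '
}

# Example run: write the cleaned list to an ACL file under /tmp (assumed
# path), as the wiki commands do.
printf '%s\n' "$SAMPLE_FEED" | hosts_to_acl > /tmp/example-feed-clean.acl
```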
===== IP Reputation =====
  * IP reputation check lists
<code>
https://check.spamhaus.org/
</code>
CrowdSec installation:
<code>
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
</code>
  * Bouncer via iptables - **/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml** - populates ipsets

<code>
mode: iptables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: http://127.0.0.1:8080/
api_key: API_KEY
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
#to change log prefix
#deny_log_prefix: "crowdsec: "
#to change the blacklists name
blacklists_ipv4: crowdsec4
blacklists_ipv6: crowdsec6
#if present, insert rule in those chains
iptables_chains:
#  - INPUT
#  - FORWARD
#  - DOCKER-USER

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: true
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain
# packet filter
pf:
  # an empty string disables the anchor
  anchor_name: ""

</code>
===== DNSBL =====
^Operator^License^Notes^
|https://www.rfxn.com/projects/linux-malware-detect/|GNU GPLv2|Own scripts or ClamAV rules: https://cdn.rfxn.com/downloads/maldet-sigpack.tgz|
|https://github.com/Cisco-Talos/clamav-safebrowsing|GNU GPLv2|Tested on Debian Buster / for Google Safe Browsing with the Google API / test with **http://malware.wicar.org/**|
|http://sigs.interserver.net|unknown|Last modified Sept. 2022|