netsecurity database

Today, Courier MTA blacklist were needed - first alpha outputs were generated the next hour.

We started autogenerating

• MS XP Workstation ipseccmd.exe batch-job for MS builtin firewall
• MS 2003 Server ipseccmd.exe batch-job for MS builtin firewall
• Windows 7/Vista/MS 2008 Server netsh advfirewall batch-job for MS builtin firewall to use with powershell 1.0/2.0PRE
• pfsense alias and ruleset
• cisco IOS ruleset

to block any communication to known Destinations from MS08-067 Worm, Downadup/Conflicker and make them availailable to public.

Please check scripts for nets you should not drop connection to, because your customers might need them.

See here and here for more info.

ipseccmd.exe to be found on your system CD->Support->Tools.
Powershell 1.0 and 2.0PRE CTP can be downloaded from Microsoft.

2010/01/12 - Windows 7 integrates netsh - with PowerGui script processing and firewall-control gets easy.
2009/04/25 - currently auto-tagging networks
2009/04/25 - checked 2.9 Mio generic domains from Conficker A,B,C and attached results to this article
2009/02/16 - added today's IPs
2009/02/17 - Neue Medien Munnich requested removing 85.13.136.31 - done.
2009/02/21 - added yesterday's IPs
2009/04/22 - added destination list with counter

We covered iptables on Linux and Windows-Firewall. Now we are doing the same for MacOS X:

• macosx_spammer.ipf
• macosx_hacker.ipf
• macosx_webspammer.ipf
• macosx_torexit.ipf
• macosx_proxies.ipf
• macosx_bothosts.ipf
• macosx_spamlinkdest.ipf

The rules come unnumbered and will be placed after 20.000 in steps of 100 if you run the scripts unmodified.

Last entry with ipfw list is 65.535 - so it makes no sense to use the firewall rulesets to block these >50.000 spammer-nets. Better use the configs for MTA's instead.

More Info about MacOSX ipfw-based firewalling to be found on Universität Innsbruck and www.chaos-net.de in german and Novajo.ca in english.

Vista and 2008-Server

Generating policies for WindowsFirewall based on netsh advfirewall from Power-Shell:

• msnetshcmd_bothosts.ps1
• msnetshcmd_hacker.ps1
• msnetshcmd_proxies.ps1
• msnetshcmd_spamlinkdest.ps1
• msnetshcmd_spammer.ps1
• msnetshcmd_torexit.ps1
• msnetshcmd_webspammer.ps1

Tested with PowerShellV1.0 and PowerShellV2.0 PreRelease (CTP/Graphical). You might check out PowerGUI from powergui.org.

XP and 2003-Server

For XP/2003-Server there is no advfirewall option available - we have to use ipseccmd.exe from commandline:

"The netsh advfirewall context is only available on computers that are running Microsoft® Windows Vista® or Windows Server® 2008. IPsec or firewall policies created by using this context cannot be used to configure computers that are running earlier versions of Windows. To use a command line to configure Windows Firewall or IPsec on computers that are running earlier versions of Windows, you must use a utility that is designed for the appropriate operating system. For example, to use the command line to configure IPsec policies on computers that are running Windows XP, use IPsecCmd.exe, which is provided on the Windows XP CD, in the \Support\Tools folder. To use the command line to configure IPsec policies on computers that are running Windows 2000, use IPsecPol.exe, which is provided with the Windows 2000 Server Resource Kit. Run these commands only on the operating systems for which they were designed. Running them on Windows Vista or Windows Server 2008 is not supported."

See TechNet for reference.

Therefore we generate batch-jobs that affect one global filter-rule 'netsecdb filters' anding policies to it.
We have chosen old fashioned batch-format because it's easier to combine with wget(win32) and 7zip for automation.

• ms2003ipseccmd
• msxpipseccmd (without smtp-blocking)

version of

• hacker_aliases.xml [all countries]
• webspammer_aliases.xml [all countries]
• pf_alias_torexit.xml
• pf_alias_proxies.xml
• pf_alias_bothosts.xml

for use in combination with pfsense firewalls

version of

• IOS_hacker [all countries]
• IOS_webspammer [all countries]
• IOS_torexits
• IOS_proxies
• IOS_bothosts

for use in combination with cisco routers

2009/08/01 Update: shop is active and files are available.

We are still implementing shop functionalities into page and only listed tryout section to public. After registering, you will find more articles, but - SHOP IS NOT ACTIVE YET. It's a work in progress and just viewable to give you an idea.

After login, every registered user will find the tryout files in his/her my-acount->files-section ready for direct download.

thousands of tickets with abuse reports to ISP's regarding bot-infected workstations or hacked servers

version of

• cmdlet MSEXCHANGE7 IPBlockList [permanent rules]
• cmdlet MSEXCHANGE7 IPBlockList [time-limited rules]

for use with MS Exchange Server 7

version of

• htaccess
• htaccess with netsecdb Boomerang-config [mod-rewrite]

for use with apache webserver

version of

• iptables shell-script [SuSE]
• iptables shell-script [debian]

for use on linux based servers with iptables support