As the internet becomes an integral part of daily life, cybercrime keeps evolving into a more sophisticated threat. Tools such as malware detection, virus scanners, and intrusion detection and prevention systems help identify malicious activity, but the attack landscape has moved beyond what these traditional controls see on their own.
Notably, attackers rarely attack from their own systems. They compromise third-party hosts and use those as launch points, so the traffic you see usually comes from machines whose owners have nothing to do with you or your business. Modern attacks are distributed across many IP addresses worldwide, which makes individual sources hard to identify.
To strengthen our defences, it is worth supplementing existing controls with collective knowledge: dedicated teams track these attacks and the infrastructure behind them, and publish blocklists of suspicious IPs, domains and URLs that firewalls and proxies can consume.
Focusing on IPs, applying IP blocklists on the internet-facing side of your firewall is a basic hygiene measure. The lists let organisations share what they have observed so that known-bad sources are cut off from everyone's services. Keep in mind that a blocklist is reactive: it only covers addresses somebody has already reported, so it complements, rather than replaces, your other controls.
This article covers IP blocklist and GeoIP block configuration on the OPNsense firewall to harden your router.
The steps below follow the YouTube guides by PhasedLogix IT Services and the official OPNsense documentation.
Where to find existing IP blocklists and check their effectiveness
A good source of IP blocklists aggregated from many vendors is the GitHub repository FireHOL blocklist-ipsets:
https://github.com/firehol/blocklist-ipsets#list-of-ipsets-included
Each list is described, with statistics on its size, how often it changes and how much it overlaps with other lists, on the FireHOL IP lists site: https://iplists.firehol.org/ (for example https://iplists.firehol.org/?ipset=et_block for the list used below).
Installation of IP Blocklist on OPNSENSE
Explanation of how the blocklists work (video):
Source: PhasedLogix IT Services
How many blocklists to use has to be decided per environment. One list that is useful in almost any scenario, whether a home router or an enterprise edge, is the Emerging Threats block list (et_block), which aggregates IP reputation data from several security teams.
BLOCKLIST: et_block
https://iplists.firehol.org/?ipset=et_block
BLOCKLIST DIRECT LINK:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
To add the blocklist, log in to OPNsense, go to Firewall > Aliases, click the (+) icon to add a new alias and enter the following:
ALIAS:
- Name: EmergingThreats_combined
- Type: URL Table (IPs)
- Refresh: 12 Hours
- Content: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
- Description: Emerging Threats.net et_block
Please note: the URL above fetches the list over plain HTTP, so anyone on the path could tamper with its contents (for example by inserting ranges you rely on). Use the https:// form of the URL where the publisher serves one, and check the alias after its first refresh to confirm it contains a plausible number of entries.
After this is done, hit Save on the Alias page and move to Firewall > Rules > WAN and create a new rule with the (+) icon in the top right.
Configure the rule so that the alias is the source and everything it matches is dropped:
- Action: Block
- Interface: WAN
- Direction: in
- Protocol: any
- Source: EmergingThreats_combined
- Destination: any
- Log: enabled, so that hits show up in the firewall log
- Description: Block Emerging Threats
The new rule is created at the bottom of the list. OPNsense evaluates rules top to bottom and the first match wins, so a block rule at the bottom would be shadowed by any allow rule above it. Select all the rules above it and click "Move selected to the end" so that the Emerging Threats rule becomes the first one evaluated.
This way any listed source IP scanning our WAN address is checked against the Emerging Threats rule before anything else.
The same alias can also protect LAN hosts that are already compromised, by stopping them from sending data to the listed malicious hosts.
To do that, clone the existing rule from WAN.
Then reverse the match by changing Interface, Source and Destination: Interface becomes LAN, Source becomes the LAN network (or any), and Destination becomes the EmergingThreats_combined alias. The same can be done for any other VLAN if needed.
The cloned rule should already sit at the top of the LAN rules. After the change is made, hit Save.
To see whether the rule is stopping malicious hosts from scanning our OPNsense, go to Firewall > Log Files > Live View, filter with Action > Contains > Block and wait for a scan to occur. On the firewall itself you can also confirm that the alias was actually loaded into pf (OPNsense creates a pf table with the alias name) with pfctl -t EmergingThreats_combined -T show | wc -l, and test whether a single address would match with pfctl -t EmergingThreats_combined -T test 1.2.3.4.
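Two things are worth automating around the procedure above: vetting a list before the alias pulls it in (a list that accidentally contains a private range or a 0.0.0.0/0 entry would cut off your own LAN), and working out which entries in the Live View block log were caused by the blocklist rather than by the default deny. The following Python script is an added example written for this article; it is not code from the article's author, from Emerging Threats or from the OPNsense project. The blocklist text and the log records are constructed samples, the interface names igb0 (WAN) and igb1 (LAN) and the address 203.0.113.10 are assumptions, and the log layout is assumed to be the FreeBSD filterlog(8) CSV format that OPNsense writes (with the syslog prefix stripped).

```python
"""Vet a URL-table blocklist before OPNsense loads it, then match blocked
connections from the firewall log against that list.
Added example for this article, not code from its author, Emerging Threats
or the OPNsense project. Blocklist text and log records are constructed
samples; the log layout is assumed to be FreeBSD's filterlog(8) CSV."""
import ipaddress

# Constructed sample in the style of emerging-Block-IPs.txt. The duplicate
# host, private network, catch-all /0 and junk line are included on purpose.
SAMPLE_BLOCKLIST = """\
# Spamhaus DROP Nets
1.10.16.0/20
5.188.10.0/23
# Known compromised hosts
45.155.205.233
185.220.101.34
45.155.205.233
192.168.1.0/24
0.0.0.0/0
not-an-address
"""

MIN_PREFIXLEN = 8  # anything broader than /8 is an upstream error (example threshold)

def parse_blocklist(text):
    """Return (networks, rejected): a sorted, collapsed list of ip_network
    objects, and a list of (entry, reason) for lines that must not be loaded."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append((entry, "prefix too broad"))
        elif (net.is_private or net.is_loopback or net.is_link_local
              or net.is_multicast or net.is_reserved):
            rejected.append((entry, "private or reserved range, would block local traffic"))
        else:
            accepted.append(net)
    # collapse_addresses de-duplicates and merges overlaps, one IP version at a
    # time because it refuses mixed input; a smaller table also loads faster in pf
    networks = []
    for version in (4, 6):
        networks += ipaddress.collapse_addresses(n for n in accepted if n.version == version)
    return networks, rejected

# Constructed filterlog records (syslog prefix removed). Assumed field layout:
# rulenr,subrule,anchor,rid,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,protonum,proto,len,src,dst,sport,dport,... igb0 is assumed to be WAN,
# igb1 LAN, and 203.0.113.10 the firewall's WAN address.
SAMPLE_FILTERLOG = [
    "86,,,4f2d1c0a9b8e7f60,igb0,match,block,in,4,0x0,,53,10231,0,DF,6,tcp,60,45.155.205.233,203.0.113.10,41234,22,0,S,3311211983,,64240,,mss;sackOK",
    "86,,,4f2d1c0a9b8e7f60,igb0,match,block,in,4,0x0,,241,0,0,none,17,udp,57,1.10.20.44,203.0.113.10,50001,5060,37",
    "5,,,1a2b3c4d5e6f7081,igb0,match,block,in,4,0x0,,57,54321,0,none,6,tcp,44,198.51.100.7,203.0.113.10,60000,3389,0,S,91002211,,1024,,",
    "70,,,7c8d9e0f1a2b3c4d,igb1,match,block,in,4,0x0,,64,4455,0,DF,6,tcp,60,192.168.1.25,185.220.101.34,51111,443,0,S,2213344556,,65535,,mss;sackOK",
    "1,,,9e8d7c6b5a493827,igb0,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.99,203.0.113.10,50000,443,0,S,11223344,,65535,,mss",
]

def parse_filterlog(lines):
    """Parse IPv4 records into dicts; IPv6 and malformed lines are skipped."""
    records = []
    for line in lines:
        f = line.split(",")
        if len(f) < 20 or f[8] != "4":
            continue
        try:
            rec = {"rulenr": f[0], "interface": f[4], "action": f[6], "direction": f[7],
                   "proto": f[16], "src": ipaddress.ip_address(f[18]),
                   "dst": ipaddress.ip_address(f[19])}
        except ValueError:
            continue
        if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
            rec["sport"], rec["dport"] = int(f[20]), int(f[21])
        records.append(rec)
    return records

def attribute_blocks(records, networks):
    """Split blocked records into (matched, unmatched). A block is explained by
    the list when the source (scan hitting WAN) or the destination (LAN host
    calling out) is listed; matched entries are (record, network, side)."""
    matched, unmatched = [], []
    for rec in records:
        if rec["action"] != "block":
            continue
        for side in ("src", "dst"):  # linear scan is fine for a report
            hit = next((n for n in networks if rec[side] in n), None)
            if hit is not None:
                matched.append((rec, hit, side))
                break
        else:
            unmatched.append(rec)
    return matched, unmatched

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    print(f"{len(nets)} networks accepted; rejected: {bad}")
    ok, other = attribute_blocks(parse_filterlog(SAMPLE_FILTERLOG), nets)
    for rec, net, side in ok:
        print(f"{rec['interface']} {rec['src']} -> {rec['dst']} blocked: {side} is in {net}")
    for rec in other:
        print(f"{rec['interface']} {rec['src']} -> {rec['dst']} blocked by rule #{rec['rulenr']}, not on the list")
```

On a real firewall you would feed parse_blocklist the text fetched from the alias URL and parse_filterlog the lines from /var/log/filter with the syslog prefix cut off; the 198.51.100.7 entry in the sample shows a block that the list does not explain, which is what you want to find when you are checking that the rule, and not just the default deny, is doing the work.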
Installation of GeoIP restrictions on OPNSENSE
As an additional layer, you can block source IPs by the country they are registered to. Treat this as a coarse control: attackers routinely launch from compromised hosts in countries you cannot block, so GeoIP blocking trims noise rather than stopping targeted attacks.
Follow the OPNsense documentation to create a MaxMind account and license key for downloading the GeoIP database: https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html
The steps below are also walked through in the YouTube video:
Source: PhasedLogix IT Services
Once you have your license key, insert it into the download URL given in the OPNsense GeoIP documentation and keep a copy in a text file. Then go to Firewall > Aliases > GeoIP settings and paste the URL into the Url field on that screen.
Please note: the maxmind.com domain may be blocked by an AdGuard or similar DNS filter running in the network. If the GeoIP database never updates, add a DNS bypass for that domain.
After a successful download, go to Firewall > Aliases, click Add (+) and create an alias of type GeoIP. Select the countries whose addresses you want to block from reaching your OPNsense.
After hitting Save, the alias appears in the list and the number of IPs loaded from the database is shown next to it.
Next, add the GeoIP block rule under Firewall > Rules > WAN.
Configure the rule the same way as the blocklist rule, with the GeoIP alias as the source:
- Action: Block
- Interface: WAN
- Direction: in
- Protocol: any
- Source: the GeoIP alias created above
- Destination: any
- Log: enabled
Make sure the GeoIP rule sits at the top of the list by moving the other rules down. If the Emerging Threats rule already exists, the order should be: the GeoIP block rule first, the Emerging Threats block rule second, and the remaining WAN rules after them.
If needed, you can also stop LAN hosts from sending data to these countries by creating the inverted rule on the LAN interface, as done for the IP blocklist above.
Please note: services that depend on servers located in the blocked countries may stop working. The geo-location of any service IP can be checked at https://www.iplocation.net/ before you decide which countries to block.
To see whether the rule is blocking scans, use the same check as for the blocklist rule: Firewall > Log Files > Live View, filtered with Action > Contains > Block.
Other useful lists:
# BL_3coresec
https://blacklist.3coresec.net/lists/all.txt
# BL_cins_army
https://cinsscore.com/list/ci-badguys.txt
# BL_cisco_talos
https://talosintelligence.com/documents/ip-blacklist
# Bruteforce blocker
https://opendbl.net/lists/bruteforce.list
# TOR exit nodes
https://opendbl.net/lists/tor-exit.list
# Emerging Threats: Known Compromised Hosts
https://opendbl.net/lists/etknown.list
Sources:
- FireHOL IP Blocklists: https://iplists.firehol.org/
- How to set up IP Blocklists in OPNsense: https://youtu.be/R99EZ_YcPiU
- How to set up GeoIP restrictions in OPNsense: https://www.youtube.com/watch?v=ZydXjTt9y2A