
Comment by Joel_Mckay

5 days ago

Actually, the 140k Tor exit nodes, VPNs, and compromised proxy servers have been indexed.

It takes 24 minutes to compile these firewall rules, but the black-list along with tripwires have proven effective at banning game cheats. Example, dropping connections from TX with a hop-count and latency significantly different from their peers.

Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3

I don't have a filter list for compromised proxy servers and VPNs. Do you have a link? I'd be interested in logging such. For Tor, I use [1] (formats in json, txt, md) on OPNsense, but I've also been able to indeed simply parse ASNs (which I currently use for "Twitter, Inc.").

> Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3

This. There's outbound and inbound, and it is very unlikely your print server requires connections from Russia or China (to name an example). You're probably better off making a whitelist, jumphost, or using a VPN with proper authentication to access your services.

Outbound, now that is more difficult to assess. On a desktop, I like a personal firewall for that purpose. Little Snitch on macOS and Open Snitch on Linux have helped me a lot here, but ultimately your hardware firewall is probably lenient on outgoing connections, when you should ask yourself does my network require this, or are they better off with only a HTTP(S) proxy by default?

[1] https://github.com/7c/torfilter

  • > I don't have a filter list for compromised proxy servers and VPNs.

    Someone just joined the nuisance forums, and grabs the same Socks/Telegram proxy list they all use (mostly old infected/open servers.) When it comes to firewall rules it is a sensitive matter, and depends on the firewall setup (black-hole bans are generally considered rude, as even handshakes are lost.)

    For fairly recent personal ban lists, you could try:

    https://github.com/bitwire-it/ipblocklist

    https://www.iblocklist.com/lists

    And a Pi-hole router as a DNS sinkhole:

    https://github.com/pi-hole/pi-hole

    Sanitizing IP lists both before and after parsing is important, and checking for malformed or whitelisted blocks is wise.

    > Outbound, now that is more difficult to assess

    SELinux and firewall rules will handle that just fine for services, but are cumbersome for desktop users. In general, most just try "unshare -r -n /home/$USER/someApp" or a sandbox/VM to prevent some useful user-space program from connecting to the web.

    Dumping local traffic with wireshark or iftop is also rather common practice.

    Best of luck, =3
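The point about sanitizing IP lists before and after parsing, and checking for malformed or whitelisted blocks, as an added example that is not part of this thread or of any of the linked projects. The feed and whitelist are constructed sample data; the function names are my own, and the lists are assumed to be IPv4 only.

```python
import ipaddress

# Constructed sample feed (not a real list): hosts, CIDR blocks, a comment,
# plus malformed and dangerous entries that must never reach the firewall.
SAMPLE_BLOCKLIST = """203.0.113.0/24
198.51.100.17
  192.0.2.0/25   # trailing comment
10.0.0.0/8
203.0.113.5
192.0.2.0/33
0.0.0.0/0
"""
# Constructed whitelist: own hosts plus RFC 1918 and loopback space.
SAMPLE_WHITELIST = "192.0.2.0/26\n198.51.100.17\n10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n127.0.0.0/8"

def parse_networks(text):  # pre-parse check: strip comments, reject non-IP/CIDR lines
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected

def exclude_whitelisted(nets, whitelist):
    # Drop blocks inside a whitelist entry; carve the whitelist out of blocks that contain it.
    kept = []
    for net in nets:
        fragments = [net]
        for wl in (w for w in whitelist if w.version == net.version):
            nxt = []
            for frag in fragments:
                if wl.subnet_of(frag):            # whitelist inside the block: carve it out
                    nxt.extend(frag.address_exclude(wl))
                elif not frag.subnet_of(wl):      # otherwise keep, unless fully whitelisted
                    nxt.append(frag)
            fragments = nxt
        kept.extend(fragments)
    return kept

def sanitize_blocklist(block_text, whitelist_text):
    # Post-parse check: refuse catch-all rules, apply the whitelist, collapse blocks.
    whitelist, wl_rejected = parse_networks(whitelist_text)
    nets, rejected = parse_networks(block_text)
    rejected += [str(n) for n in nets if n.prefixlen == 0]  # a /0 would ban everyone
    kept = exclude_whitelisted([n for n in nets if n.prefixlen > 0], whitelist)
    rules = ipaddress.collapse_addresses(kept)  # merge overlapping/adjacent IPv4 blocks
    return {"rules": [str(n) for n in rules], "rejected": rejected + wl_rejected}
```

On the sample data this yields two rules (192.0.2.64/26 and 203.0.113.0/24): the /25 has the whitelisted /26 carved out, the /32 host is absorbed into its /24, the whitelisted host and 10.0.0.0/8 are dropped, and the /33 and 0.0.0.0/0 entries are reported as rejected instead of silently becoming rules.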