Daniel Cid and the Sucuri Malware Labs team do a great job at providing lists of IP addresses that can cause trouble.

Just today they shared a List of IP addresses scanning for vulnerable timthumb which at the time of this article has 975 IP addresses listed.

Let me share with you a method to turn what they provide into a software firewall block list.

In terms of house keeping, here are the assumptions / prerequisites:

  1. You have root level access to the server.
  2. The server is either running APF or CSF for software firewall automation or plain iptables.
  3. You understand this article is mainly about learning a methodology; and that if Sucuri Security changes the page layout or you want to apply this to other types of IP lists, you need to understand what to modify where (see foobar area below the notes lower down on the page).
  4. You agree to review the output of the grep commands prior to copying and pasting of the output to run as a command; and that you are completely responsible for the outcome.

Depending on your screen resolution the wget and grep statements may word wrap; when you run them each should be one line.

First, let’s grab a copy to work with by using wget and saving the output to a file.

wget http://labs.sucuri.net/?note=2012-05-31 -F -O rawiplist.html

The “-F” option tells wget to force HTML. This might be overkill for what I’m sharing; but I prefer to play safe. The “-O” option allows you to control the file name used in the output; this is great when retrieving URL’s like http://labs.sucuri.net/?note=2012-05-31 where the end result can be yucky to remember and use. Continuing on the theme of keep it simple and smile, let’s just list out the IP addresses by themselves from this file.

grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' rawiplist.html | awk '{print $2}'

This grep statement will list out all of the IP addresses on the page. Those of you who have used awk before will know $0 is the entire result of the line being piped in, $1 would be the 1st column (in this case $1 is a count of the number of times Sucuri Malware Labs found the IP address in question), and $2 is the actual IP address.

Now, while this output could be used as a foundation for an IP block list, it weighs in heavy at 975 IP addresses.

What if you wanted to only block the top abusers where you might define top as those IP addresses having a count of greater than or equal to 100?

This is where conditional statements in awk come in handy.

grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' rawiplist.html | awk '{if ($1 >= 100) print $2;}'

Now you have a much more manageable list as shown below:

209.235.136.112
37.59.87.162
212.122.222.32
88.191.116.184
216.69.224.11
184.171.241.132
94.23.230.97
216.75.35.176
209.235.136.116
67.228.195.2
176.31.124.28
46.105.99.187
88.198.164.237
176.31.239.45
200.98.137.215
209.235.136.113
193.34.131.144
64.9.215.134
201.47.74.114
72.32.123.95

If you have APF for your software firewall, edit /etc/apf/deny_hosts.rules and copy and paste that list into the file. If you have CSF as your software firewall, you can copy and paste the list into /etc/csf/csf.deny

When you are done restart your software firewall with service apf restart or service csf restart as applicable.

What if you are running iptables?

Well, let’s first make your life easier by creating something you can copy and paste at the command line to take effect immediately:

grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' rawiplist.html | awk '{if ($1 >= 100) print "iptables -I INPUT -s "$2 " -j DROP";}'

Below is an example of what you should see from the above command:

iptables -I INPUT -s 209.235.136.112 -j DROP
iptables -I INPUT -s 37.59.87.162 -j DROP
iptables -I INPUT -s 212.122.222.32 -j DROP
iptables -I INPUT -s 88.191.116.184 -j DROP
iptables -I INPUT -s 216.69.224.11 -j DROP
iptables -I INPUT -s 184.171.241.132 -j DROP
iptables -I INPUT -s 94.23.230.97 -j DROP
iptables -I INPUT -s 216.75.35.176 -j DROP
iptables -I INPUT -s 209.235.136.116 -j DROP
iptables -I INPUT -s 67.228.195.2 -j DROP
iptables -I INPUT -s 176.31.124.28 -j DROP
iptables -I INPUT -s 46.105.99.187 -j DROP
iptables -I INPUT -s 88.198.164.237 -j DROP
iptables -I INPUT -s 176.31.239.45 -j DROP
iptables -I INPUT -s 200.98.137.215 -j DROP
iptables -I INPUT -s 209.235.136.113 -j DROP
iptables -I INPUT -s 193.34.131.144 -j DROP
iptables -I INPUT -s 64.9.215.134 -j DROP
iptables -I INPUT -s 201.47.74.114 -j DROP
iptables -I INPUT -s 72.32.123.95 -j DROP

Just copy and past the output to the command line to execute.

If you are using iptables “as is” be sure to save your rules.

By the way, using the above as the foundation, if you wanted to take advantage of APF or CSF’s commenting feature, you could use the following (no manual editing of the deny files and no need to restart the software firewall service):

grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' rawiplist.html | awk '{if ($1 >= 100) print "csf -d "$2 " on http://labs.sucuri.net/?note=2012-05-31 with count of " $1;}'

Below is an example of what you should see from the above command:

csf -d 209.235.136.112 on http://labs.sucuri.net/?note=2012-05-31 with count of 507
csf -d 37.59.87.162 on http://labs.sucuri.net/?note=2012-05-31 with count of 467
csf -d 212.122.222.32 on http://labs.sucuri.net/?note=2012-05-31 with count of 312
csf -d 88.191.116.184 on http://labs.sucuri.net/?note=2012-05-31 with count of 268
csf -d 216.69.224.11 on http://labs.sucuri.net/?note=2012-05-31 with count of 245
csf -d 184.171.241.132 on http://labs.sucuri.net/?note=2012-05-31 with count of 236
csf -d 94.23.230.97 on http://labs.sucuri.net/?note=2012-05-31 with count of 225
csf -d 216.75.35.176 on http://labs.sucuri.net/?note=2012-05-31 with count of 207
csf -d 209.235.136.116 on http://labs.sucuri.net/?note=2012-05-31 with count of 207
csf -d 67.228.195.2 on http://labs.sucuri.net/?note=2012-05-31 with count of 196
csf -d 176.31.124.28 on http://labs.sucuri.net/?note=2012-05-31 with count of 178
csf -d 46.105.99.187 on http://labs.sucuri.net/?note=2012-05-31 with count of 142
csf -d 88.198.164.237 on http://labs.sucuri.net/?note=2012-05-31 with count of 133
csf -d 176.31.239.45 on http://labs.sucuri.net/?note=2012-05-31 with count of 128
csf -d 200.98.137.215 on http://labs.sucuri.net/?note=2012-05-31 with count of 126
csf -d 209.235.136.113 on http://labs.sucuri.net/?note=2012-05-31 with count of 112
csf -d 193.34.131.144 on http://labs.sucuri.net/?note=2012-05-31 with count of 108
csf -d 64.9.215.134 on http://labs.sucuri.net/?note=2012-05-31 with count of 107
csf -d 201.47.74.114 on http://labs.sucuri.net/?note=2012-05-31 with count of 102
csf -d 72.32.123.95 on http://labs.sucuri.net/?note=2012-05-31 with count of 101

Then copy and paste the result to the command line / console.

Just remember to change the “csf” above to “apf” if you are using APF.

NOTES:

If you are set up to permanently block IP addresses using APF or CSF the deny rules area can get messy over time even though both systems can automate the trimming (how many rules are in the file).

You should have a policy for how often these files are reviewed and cleaned up.

If you use APF or CSF you should also be aware of the maximum number of rules you can have in your deny file before any automated trimming.

For APF, the setting is in /etc/apf/conf.apf as SET_TRIM

For CSF, the setting is in /etc/csf/csf.conf as DENY_IP_LIMIT

If you make any changes, restart apf / csf.

FOOBAR:

Why’s almost always matter. One of the reasons to get to know your common Linux tools like wget, grep, awk, sed (not used in this article) is they are time savers; and should things change, you can adapt.

Let’s state Sucuri changed the formatting for the page so that they just included 795 IP addresses? Now, you don’t have a count, and you don’t want to grab all 795. What can you do?

grep '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' rawiplist.html | awk 'NR < 11 {print $1;}'

Where you are just having awk print the first 10 lines (if you wanted 20 lines, then change 11 to be 21)

If the page has the IP address, then the count, knowing what goes into each variable means just switching the $1 and $2 around.

Or nothing at all changes on the Sucuri page, but now you’ve found other sources you would like to use as a foundation for a block list; the same principals apply — adapt.

If you are on our APF and CSF Global Trust Service, we’ve taken the measure of adding the most abusive of the IP addresses found by Sucuri Malware Labs to our global deny list.

Please contact us if you have any questions.