
You blacklisted YOURSELF !

Posted: 26 Mar 2016, 16:03
by ktsaou
Hi,

On Mar 23 2016, you blacklisted yourself !

The downloaded files include IP 185.21.103.31, which is your IP.

Code:

# host www.blocklist.de
www.blocklist.de has address 185.21.103.31

# host lists.blocklist.de
lists.blocklist.de has address 185.21.103.31

The downloaded source files really include this IP:

Code:

# grep 185.21.103.31 /etc/firehol/ipsets/blocklist_de*.source
/etc/firehol/ipsets/blocklist_de.source:185.21.103.31
/etc/firehol/ipsets/blocklist_de_ssh.source:185.21.103.31

As you can see it is found in ssh and the default (all.txt).

These are the timestamps (GMT+2) of the files (the timestamps are copied from your web server):

Code:

# ls -l /etc/firehol/ipsets/blocklist_de.source
-rw------- 1 root root 568381 Mar 23 17:28 /etc/firehol/ipsets/blocklist_de.source
# ls -l /etc/firehol/ipsets/blocklist_de_ssh.source
-rw------- 1 root root 20254 Mar 23 17:42 /etc/firehol/ipsets/blocklist_de_ssh.source

As a result, all users that downloaded these blacklists and actually use them on their firewalls cannot update them anymore!

My guess is that your only solution in order to allow these users to download them again is to swap this blacklisted IP with another one that is not listed.

Also, I see that currently all your IP lists are empty (probably because you have blacklisted yourself) !

Regards,

Costa

Re: You blacklisted YOURSELF !

Posted: 26 Mar 2016, 16:57
by ktsaou
A screenshot for the zero sized IP lists

Re: You blacklisted YOURSELF !

Posted: 26 Mar 2016, 17:14
by vbs
I can confirm that, my ipset lists are empty also. But that means that blocklist itself is not banned and I should be able to get further updates, right?

Re: You blacklisted YOURSELF !

Posted: 26 Mar 2016, 17:38
by ktsaou
It depends. I guess the machine that receives threat intel is using the same blacklist. So the probes cannot send their findings to the concentration point.

Re: You blacklisted YOURSELF !

Posted: 26 Mar 2016, 19:09
by michelpy
I can see the same, all lists empty.

Re: You blacklisted YOURSELF !

Posted: 26 Mar 2016, 19:44
by Martin
Hello,

I found the reason why the site and lists were empty.
I fix it now; I think in a few minutes it works again.

The IP from the new backup-Webserver is now whitelisted too and on the Reporting-Server, the SSH-Login is fixed too.

Thank you for the report.

Re: You blacklisted YOURSELF !

Posted: 26 Mar 2016, 23:31
by ktsaou
Good!
Thanks Martin.

However, if you don't change lists.blocklist.de to a different IP (other than the blacklisted one), several of your users will not be able to download the updated list.

This happens in my case too. Since 185.21.103.31 is now blacklisted on my systems, I cannot talk to lists.blocklist.de to download the fixed IP list and the whole process is locked.

So, my opinion is that you have to point lists.blocklist.de to a new IP, to let your users update.

Re: You blacklisted YOURSELF !

Posted: 27 Mar 2016, 07:43
by Martin
Hi,
At our old server, which needs a big upgrade, we have more IPs, but on our backup system we have only one IP :-(
Most of the upgrade of the main files is done, but we need more time to update the config and settings, because there were many changes and currently the websites do not work on the upgraded system.
But I work on it :-)

Re: You blacklisted YOURSELF !

Posted: 27 Mar 2016, 11:05
by vbs
For me the lists are filled again, ~24k lines right now. Thanks!

Re: You blacklisted YOURSELF !

Posted: 27 Mar 2016, 11:40
by ktsaou
For anyone having issues updating after using all.txt as a firewall blacklist using ipset, you can do this:

Code:

ipset del blocklist_de 185.21.103.31

blocklist_de is the name of the ipset you use.

Using the above, you will be able to update again.
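
Added example, not part of the thread and not blocklist.de or FireHOL code: one way to avoid the lock-out discussed above is to strip the update server's own addresses from a downloaded list before loading it into ipset. The function names are hypothetical, and the sketch assumes one IPv4 address per line in the feed and an existing hash:ip set named blocklist_de.

```shell
#!/bin/sh
# Added example, not from the thread: strip the feed server's own addresses
# from a downloaded list before it is loaded into ipset.

# Addresses the update host resolves to (needs DNS; unused in the demo).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# filter_feed FEED PROTECTED: print FEED without comments, blank lines and
# any address that appears in PROTECTED (one IP per line, exact match).
filter_feed() {
    awk -v pf="$2" '
        BEGIN { while ((getline ip < pf) > 0) if (ip != "") own[ip] = 1 }
        { sub(/\r$/, ""); sub(/#.*/, ""); gsub(/[ \t]/, "") }
        $0 != "" && !($0 in own)
    ' "$1"
}

# to_restore SET: turn IPs on stdin into `ipset restore` input that fills a
# temporary set and swaps it in, so SET is never half-loaded.
# Assumption: SET already exists and is of type hash:ip.
to_restore() {
    echo "create ${1}_tmp hash:ip"
    echo "flush ${1}_tmp"
    sed "s/^/add ${1}_tmp /"
    echo "swap ${1}_tmp $1"
    echo "destroy ${1}_tmp"
}

# Constructed sample data: the IP from the thread plus documentation addresses.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# constructed feed' 192.0.2.10 185.21.103.31 '' \
        198.51.100.7 > "$dir/feed"
    printf '%s\n' 185.21.103.31 > "$dir/protected"
    # Live use: resolve_ipv4 lists.blocklist.de > "$dir/protected"
    filter_feed "$dir/feed" "$dir/protected" | to_restore blocklist_de
    rm -rf "$dir"
}

demo   # pipe this output into `ipset -exist restore` to apply it for real
```

The demo only prints the restore commands, so it runs without root or network access; the listed server address never reaches an add line.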