Automated Blacklist Creation

gigawatz
New here
Posts: 2
Joined: Thu Sep 29, 2011 4:03 am

Automated Blacklist Creation

Post by gigawatz »

Can someone please advise as to where the blacklist information is stored within the NAS? I would like to be able to modify this file directly because the list of IPs I wish to add to the list is much larger than I would like to undertake manually. If I am unable to modify the configuration file directly, I would love to write a bash script to execute the update instead (assuming I am pointed to the file to execute against). Regardless of the means in which to update the file, a manual, web-based process is unacceptable.

Suffice it to say, I want to blacklist all IP blocks that are not assigned to the United States. I have no doubt that the only remote users that I want to service will be US based.

As you can imagine, the list of IPs to be added to this blacklist will be huge.

For those that are going to recommend that a white list would be better, I disagree.
Firstly, I am not about to white list the entire set of US IP ranges. They are not all trusted. White lists are designed to be used explicitly with trusted people/companies.
Secondly, when a white list is used, the attack logic (automatic blacklisting) is disabled.
Thirdly, using a white list does not simplify my situation because to manually enter all of the US IP blocks would still be a large manual effort. Even if I were to take this route (and I'm not), I would want another automated method to make the configuration updates.

Please advise.
forkless
Experience counts
Posts: 1907
Joined: Mon Nov 23, 2009 6:52 am
Location: The Netherlands

Re: Automated Blacklist Creation

Post by forkless »

You should be able to find what you want here:

/etc/config/ipsec_allow.conf (whitelist)
/etc/config/ipsec_deny.conf (blacklist)

I don't think this implementation of white/blacklisting supports net blocks though.

Hope that helps,
fork
gigawatz
New here
Posts: 2
Joined: Thu Sep 29, 2011 4:03 am

Re: Automated Blacklist Creation

Post by gigawatz »

I had previously added some entries via the web interface and can see that it is possible to block a network range. At this time I am not sure what the fourth value represents.

I have figured out what most of the variables represent.

First variable: Definition Type
  • 0: Specific IP
  • 1: Network
  • 2: IP Range
Second Variable:
  • (Type 0) Specific IP address
  • (Type 1) Network IP
  • (Type 2) IP Address start range
Third Variable:
  • (Type 0) Blank
  • (Type 1) Subnet mask
  • (Type 2) IP Address stop range
Fourth Variable: Unknown
Fifth Variable: Duration to block, in seconds. 13177444815 = indefinitely

Sample net range block from my ipsec_deny.conf file.
2:0.0.0.0:2.255.255.255:0:1317444815
LarsBetak
New here
Posts: 3
Joined: Sat May 19, 2012 12:10 am
Location: Denmark

Re: Automated Blacklist Creation

Post by LarsBetak »

Nice finding, I have a few additions.
Fourth Variable: Unknown
Number of minutes to block, 0 = forever
Fifth Variable: Duration to block, in seconds. 13177444815 = indefinitely
That one you got wrong, it is the system time when the block started. As from an SSH shell:

[~] # date +%s
Kind regards
Lars Betak
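
The line layout worked out in the posts above, turned into a generator for a long list of addresses; this is an added example, not part of the original thread and not QNAP's code. The function names are hypothetical, the field meanings are the posters' observations rather than vendor documentation, and the script only prints lines instead of writing to /etc/config/ipsec_deny.conf.

```shell
# Added example. Line layout (posters' inference): type:addr:third:minutes:start_epoch

# True if $1 is a dotted-quad IPv4 address.
valid_ip() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs; [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# Prefix length (0-32) to dotted netmask, one octet at a time.
prefix_to_mask() {
    p=$1; mask=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$((256 - (1 << (8 - p)))); p=0; fi
        mask="${mask:+$mask.}$o"
    done
    echo "$mask"
}

# deny_line SPEC [MINUTES] [START_EPOCH]; SPEC is an IP, a CIDR, or START-END.
deny_line() {
    spec=$1; mins=${2:-0}; start=${3:-$(date +%s)}
    case "$spec" in
        */*) ip=${spec%/*}; pfx=${spec#*/}
             valid_ip "$ip" || return 1
             case "$pfx" in ''|*[!0-9]*|???*) return 1;; esac
             [ "$pfx" -le 32 ] || return 1
             echo "1:$ip:$(prefix_to_mask "$pfx"):$mins:$start" ;;
        *-*) a=${spec%-*}; b=${spec#*-}
             valid_ip "$a" && valid_ip "$b" || return 1
             echo "2:$a:$b:$mins:$start" ;;
        *)   valid_ip "$spec" || return 1
             echo "0:$spec::$mins:$start" ;;
    esac
}

# Read one SPEC per line on stdin; config lines to stdout, rejects to stderr.
build_deny_list() {
    now=${1:-$(date +%s)}
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue;; esac
        deny_line "$line" 0 "$now" || echo "skipped: $line" >&2
    done
}

# Constructed sample input (documentation-range addresses plus one invalid line).
printf '%s\n' 203.0.113.7 198.51.100.0/24 192.0.2.10-192.0.2.20 300.1.1.1 | build_deny_list 1317444815
```

Review the output before appending it to the deny file; whether the firmware rereads or rewrites that file after a manual edit is not established in this thread.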
KillerDAN
Starting out
Posts: 27
Joined: Tue Oct 25, 2011 9:45 pm

Re: Automated Blacklist Creation

Post by KillerDAN »

Why are ipsec_allow.conf and ipsec_deny.conf equal?!
sebastienbo
Know my way around
Posts: 123
Joined: Tue Jul 14, 2015 5:44 am

Re: Automated Blacklist Creation

Post by sebastienbo »

I was wondering the same.

I'm also wondering, if you fill in the blacklist and the white list both at the same time, which list will supersede the other?

Will a whitelist value override a blacklist, or is it the other way around?
schumaku
Guru
Posts: 43578
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Automated Blacklist Creation

Post by schumaku »

QNAP does either allow to enable the white list or the black list ... never both (hm, prolly a white list and a fail2ban updated one - don't know, never used...). Pretty crappy specs.