Confirm that the appliance can also access/download files from the Internet. In particular you should check that your appliance can connect with ftp.threatstop.com to do this:
The Cisco PIX firewall does not have a DNS resolver so an external script must be used to work with ThreatSTOP. The script we currently have is written in Perl and requires some modules to be installed. The modules needed are:
If this is a new device, please allow up to 15 minutes for our systems to be updated.
The script will only run in a UNIX environment and will not run on Windows.
When setting up your devices on the ThreatSTOP website, do not use the IP address of the PIX, but the public IP address of the computer that will run the script. The DNS query must come from the computer that is running the script or it will not work. If you do not know the public IP address of that computer, go to http://www.threatstop.com/cgi-bin/validip.pl. It will show you what IP address to use.
The way the script works is that it first queries the ThreatSTOP DNS server to get the IP addresses in your block lists. Then it makes an SSH connection to the firewall and gets the current list of IP addresses in the object group. It then compares those addresses to what is in the new list and adds or deletes entries as needed. The first time the script is run, it will take a few minutes depending on how many IP addresses are being added. After this initial setup, future updates will go much faster since it only adds or deletes entries as needed.
This script does not support User-Defined Allow Lists.
Here is the configuration file for this device. Please copy and paste it into the threatstop.conf file.
Previously the DNS server for ThreatSTOP was 220.127.116.11 while still active for legacy customers, this address should not be used by new customers.
You will need to modify the configuration to match your environment.
- PIX IP Address: The line <device 192.168.1.1> will need to be changed with the IP address of the PIX. You will need to make sure that the system running the script can connect to the PIX via SSH.
- username: Username that you use to SSH to the PIX.
- password: Password for the SSH user.
- enable: The enable password for the PIX.
- platform: This tells the script what kind of Cisco device it is connecting to. You do not need to modify this.
- transport: The type of connection to make to the PIX.
- timeout: SSH timeout period, in seconds.
- netgroup: The name of the network object group to use on the PIX.
- netgroupshimip: This is used in case there are no results returned from the DNS queries. When this happens, all the IP addresses in the group could be deleted. If this happens and there is a rule using the group, the PIX could stop forwarding traffic for all connections. To keep this from happening, we add the IP address to the group. You should set this to an IP address that your PIX will never see. We recommend using one of the RFC1918 IP addresses. For example: If your internal network is 192.168.1.0/24, you can set this to 172.16.255.255.
To run the script, execute the following command:
Here is a sample run of the script that has ThreatSTOP enabled, with 20 IP addresses to block and four that are no longer active.
At this point, all we have done is create and populate a object group. We do not create any rules on the PIX. The exact rule would depend on your configuration, but the following rule will block all incoming and outgoing traffic that have a source or destination IP address that is in the "threatstop" object group:
If you have multiple PIX routers you want to setup, create additional "device" sections in the configuration file with the appropriate information. The script will finish configuring the first device before moving on to the next one.
We update the lists every two hours. Here is an example cron job that you can use:
Restore to Previous State
If you decide to return to your pre-ThreatSTOP configuration, you will need to perform the following actions to disable and remove ThreatSTOP from your system:
Stop the VM from updating the firewall by deleting the user crontab:
- Remove the ThreatSTOP address groups from the policies using them (or delete the policies completely).
- Delete the ThreatSTOP address groups (TSBlock-(number) and TSAllow-(number)).
There is no content with the specified labels