We have written some scripts that you can use to get your ThreatSTOP block lists.
The script queries the ThreatSTOP DNS server and stores the results in a file that PF can use to build a table. The resulting file is a list of IP addresses in CIDR format. You can then create a rule that will block access to and from the table.
If this is a new device, please allow up to 15 minutes for our systems to be updated.
Setting up ThreatSTOP for OpenBSD systems requires a connection to the internet from your OpenBSD device, and a pair of Perl libraries and their dependencies. These are available as binary packages for OpenBSD.
Pinging www.threatstop.com with the following command:
will verify that you can reach the Internet from your OpenBSD device. If you can, the following steps will help meet the ThreatSTOP prerequisites and then install the ThreatSTOP scripts.
To install the modules run the following as root:
This will install the LWP Perl module and any dependencies it defines, as well as wget and its dependencies.
Before running the script, it needs to be downloaded and installed. The following command will download the file and install it for you:
This will download the ThreatSTOP configuration files, extract them, create a clean copy of the threatstop.conf file, and run the installation script automatically. The script copies the files threatstop-pf.sh, sendlog.sh, loguploadclient.pl, ptr.sed, and apl.sed to /usr/local/sbin. It also copies the threatstop.conf file to /usr/local/etc.
After the installation, some modifications to the /usr/etc/threatstop.conf file will be required. Change to that directory and open the configuration file using the following command:
Modify the file to match the example below.
ThreatSTOP Configuration file
This will set the proper configuration data so that your device can pull policy lists from your ThreatSTOP account.
Before running the main script to get your block lists and create the files, we need to make sure that your block lists are ready. We have included the test.sh script that you can run to make sure everything is ready. If the test does not work within an hour of creating your device, please contact support for assistance.
Check Crontab for the added jobs
Verify that two ThreatSTOP jobs have been added to cron (threatstop-pf.sh and sendlog.sh). The command to do this is:
This will list the contents of crontab, and should contain the following entries:
If these entries are present we're set to add tables and rules.
After making sure the test script works, you can now run the main script, threatstop-pf.sh. The script gets your block lists and creates the files that PF can use to populate a table. The files are saved to /var/db.
In order for PF to load any updates to the ThreatSTOP lists, PF needs to flush and reload the table. In the configuration file, there is an option to reload PF after the block lists have been downloaded. The commands that are run to do this are:
This will create the files tsblock.txt and tsallow.txt in the /var/db directory.
Once the files containing the addresses to block are created, you will need to configure PF to use the file as a table. These instructions cover OpenBSD PF acting as a router; the sidebar to the right explains how to configure OpenBSD as a bridge. In either case, add the table definition to the /etc/pf.conf file:
With the table defined, you can create the rules to block traffic to and from the addresses in the table. We recommend placing the rules that block the ThreatSTOP table before any rules that allow incoming or outgoing traffic. The "quick" directive tells PF to stop evaluating the ruleset as soon as that rule matches; without it, PF's default is that the last matching rule wins, so a later pass rule could override the block.
After you make the changes to the /etc/pf.conf file, PF will need to be reloaded to read the updated configuration:
To update the policy immediately:
To view the addresses in the table, run the command:
To view the updated rules, run the command:
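As an added example (not one of the ThreatSTOP scripts), the fragment below pairs the pf.conf table and quick rules described above with a check that refuses to hand PF an empty or malformed tsblock.txt before the table is replaced. The table name threatstop_block and the pfctl replace command are assumptions; the /var/db/tsblock.txt path is the one this page documents.

```shell
#!/bin/sh
# Added example, not one of the ThreatSTOP scripts. Assumed: the table name
# "threatstop_block" and the pf.conf lines below; /var/db/tsblock.txt is the
# list file the page documents. IPv4 entries only.
# Matching /etc/pf.conf fragment (assumed table name):
#   table <threatstop_block> persist file "/var/db/tsblock.txt"
#   block in  quick from <threatstop_block>
#   block out quick to   <threatstop_block>

# ts_check_list FILE [MIN]: succeed only if every non-blank line of FILE is an
# IPv4 address or CIDR block and FILE holds at least MIN entries. Without this,
# a failed or truncated download handed to "pfctl -T replace" would silently
# empty the table and stop blocking.
ts_check_list() {
    file=$1; min=${2:-1}
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
    awk -v min="$min" '
        NF == 0 { next }
        bad == "" {
            n = split($1, p, "/")
            if (n > 2 || (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32))) bad = $1
            else if (split(p[1], o, ".") != 4) bad = $1
            else for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) bad = $1
            if (bad == "") count++
        }
        END {
            if (bad != "") { print "malformed entry: " bad > "/dev/stderr"; exit 1 }
            if (count + 0 < min) { print "only " (count + 0) " entries, need " min > "/dev/stderr"; exit 1 }
        }' "$file"
}

# ts_reload_table TABLE FILE: validate the list, then replace the PF table in one step.
ts_reload_table() {
    ts_check_list "$2" 1 || return 1
    pfctl -t "$1" -T replace -f "$2"
}

# Constructed sample lists (documentation ranges, not real ThreatSTOP data).
TS_GOOD=${TMPDIR:-/tmp}/tsblock.good.$$
TS_BAD=${TMPDIR:-/tmp}/tsblock.bad.$$
trap 'rm -f "$TS_GOOD" "$TS_BAD"' EXIT
printf '198.51.100.0/24\n203.0.113.7\n\n192.0.2.128/25\n' > "$TS_GOOD"
printf '198.51.100.0/24\n203.0.113.7/40\n' > "$TS_BAD"

ts_check_list "$TS_GOOD" 3 && echo "sample list accepted"
ts_check_list "$TS_BAD" || echo "malformed sample list rejected"
# Only touch PF where it exists (i.e. on the OpenBSD firewall itself).
if command -v pfctl >/dev/null 2>&1; then
    ts_reload_table threatstop_block /var/db/tsblock.txt
fi
```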
Automating Block List Updates
To keep the hourly block list updates and the sendlog.sh script working, we will need to modify the /etc/newsyslog.conf file so that /var/log/pflog is rotated every night at 12:00 AM. To do this, change the following entry in newsyslog.conf:
This will maintain backup logs for the previous 24 hours, as well as rotate the logs hourly and then upload the most recent log to ThreatSTOP for processing and analysis.
Sending Your Logs
We have a log parsing feature where we can take your firewall log, parse it, and compare the source and destination IP addresses to what is in our database. You can then log in to our website and see the results. This allows you, and us, to see how effective we are in protecting your network infrastructure.
The log file written by PF is in binary format and must be converted before it is sent to ThreatSTOP. We have included a script that converts the log to plain text and uploads the file to the secure ThreatSTOP website.
The installation script has already configured your system to run the sendlog.sh script every night at 1:00 AM.
If you would like to upload a log now, run the following command as root:
Testing and Validation
As a last step, we'll test that threats are actively being blocked. To do this you'll need to place a device behind your OpenBSD PF firewall, and attempt to browse out to our testing page. To do this:
- On the OpenBSD firewall, verify that the validation record is loaded using the following command:
- Place a network device behind the firewall.
- Open a web browser and attempt to visit: bad.threatstop.com from the secured device.
If blocking is working, the page will time out; if it is not, the ThreatSTOP logo will appear.
Confirm that the blocked communication attempt was written to pflog using the following command:
Restore to Previous State
If you decide to return to your pre-ThreatSTOP configuration, you will need to perform the following actions to disable and remove ThreatSTOP from your system:
Stop the VM from updating the firewall by deleting the user crontab:
Remove the ThreatSTOP address groups from the policies using them (or delete the policies completely). This can be done by removing the entries from the /etc/pf.conf file. In the example to the right, removing the lines containing pass, block, and ThreatSTOP removes the policies, while deleting the lines containing table and ThreatSTOP deletes the address groups.
After making the changes to the /etc/pf.conf file, you will need to sync the firewall back into place with the command:
- threatstop-pf.sh: The main script. It downloads the block lists and creates the files PF uses to populate a table.
- loguploadclient.pl: Perl script that uploads the log file
- sendlog.sh: Converts the PF log file to plain text and calls loguploadclient.pl to upload the log.
- install.sh: Installation script.
- test.sh: Script to run a quick test to make sure the block lists are ready to be downloaded.
- apl.sed: Supporting sed script to parse DNS APL query results.
- ptr.sed: Supporting sed script to parse DNS PTR query results.
- threatstop.conf.example: Example configuration file.