Spamhaus DROP list implementation for Windows Advanced Firewall

The Spamhaus DROP (Don't Route Or Peer) list is a small list of IP address ranges that have been hijacked from their rightful owners or are controlled entirely by spammers. The DROP list is not a DNS-based list. It is designed to be downloaded as a file, with the primary intention being that the user of the DROP list installs it in their firewall.

There is plenty of support for compiling the DROP list into rules for other operating systems (the original tool targets iptables and Cisco ACLs), but I have found little on the internet for implementing it on a Windows server that has no hardware firewall in front of it.

This list is free to most users.  As stated on their web site: "The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage."  

"When implemented at a network or ISP's 'core routers', DROP and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks."

The following instructions will allow a web server using Windows Advanced Firewall to take advantage of Spamhaus DROP lists.  

http://www.spamhaus.org/drop/

This script has been modified from the original code to output netsh commands, replacing the original iptables output.

Create file called "pulldrop.php" with the following code:

<?php

/*
 * SpamHaus DROP Tool v0.1
 *
 * Written by Rick Hodger <rick@fuzzi.org.uk>
 * http://www.potato-people.com/
 *
 * Modified to emit "netsh advfirewall" commands in place of the original
 * iptables rules, so the output can be run as a batch file on Windows.
 *
 * DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting
 * of stolen 'zombie' netblocks and netblocks controlled entirely by professional
 * spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and
 * routing equipment.
 *
 * http://www.spamhaus.org/drop/
 *
 * This tool will download and parse the Spamhaus DROP list into Windows
 * Advanced Firewall (netsh advfirewall) rules or a Cisco compatible access
 * control list.
 *
 * Usage: Execute from the command line.
 *
 * Examples:
 *
 *         php pulldrop.php iptables > dropcompiled.bat
 *         php pulldrop.php cisco 10 > cisco.acl
 */

/* Split "a.b.c.d/n" into the network address and its dotted subnet mask. */
function getSubnetMask($cidr) {
    list($network,$mask)=explode('/',$cidr);
    $bin='';
    for($i=1;$i<=32;$i++) {
        $bin .= $mask >= $i ? '1' : '0';
    }
    $subnet=long2ip(bindec($bin));
    return array($network,$subnet);
}

/* Invert a dotted subnet mask into the wildcard mask that Cisco ACLs expect. */
function subnet2wildcard($subnet) {
    $x=ip2long($subnet);
    $z=ip2long("255.255.255.255");
    return long2ip($z-$x);
}

$usage="$argv[0] [iptables|cisco] [extraoptions]\n";
if ($argc==1) {
    die($usage);
}
$mode=$argv[1];
switch($mode) {
    case "iptables":
        /* Mode name kept from the original tool; it now emits netsh commands. */
        break;
    case "cisco":
        if ($argc==2 || !ctype_digit($argv[2])) {
            die("$argv[0] cisco [accesslistid]\n");
        }
        $aclid=(int)$argv[2];
        break;
    default:
        die($usage);
}

/* The generated file is executed as a batch file, so fetch the list over
 * HTTPS where the PHP build supports it, and abort with a non-zero exit code
 * if the download fails: an empty output file must never be mistaken for an
 * empty DROP list. */
$drop=@file("http://www.spamhaus.org/drop/drop.lasso");
if ($drop===false) {
    fwrite(STDERR,"Unable to download the DROP list\n");
    exit(1);
}

$count=0;
foreach($drop as $line) {
    $line=trim($line);
    /* Skip blank lines and ';' comment lines (the file header). */
    if (empty($line) || substr($line,0,1)==';') {
        continue;
    }
    $parts=explode(';',$line,2);
    $cidr=trim($parts[0]);
    $sbl=isset($parts[1]) ? trim($parts[1]) : '';
    /* Only a well-formed IPv4 CIDR may reach the batch file; anything else in
     * the download is reported on stderr and skipped, never executed. */
    if (!preg_match('#^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$#',$cidr)) {
        fwrite(STDERR,"Skipping unexpected line: $line\n");
        continue;
    }
    $count++;
    switch($mode) {
        case "iptables":
            /* Record the SBL reference in the rule description for later lookup. */
            $desc=preg_match('/^[A-Za-z0-9]+$/',$sbl) ? " description=$sbl" : "";
            echo "netsh advfirewall firewall add rule name=SpamhausDROP dir=in action=block remoteip=$cidr$desc\n";
            break;
        case "cisco":
            $x=getSubnetMask($cidr);
            /* Standard numbered ACLs only (1-99); extended lists are not generated. */
            if ($aclid <= 99) {
                echo "access-list $aclid deny $x[0] ".subnet2wildcard($x[1])."\n";
            }
            break;
    }
}

if ($count==0) {
    fwrite(STDERR,"No entries parsed from the DROP list\n");
    exit(1);
}

?>



Create file called "SpamhausDROP.bat" with the following code in the same path:

D:
cd D:\PATH-TO-PHP-AND-BAT-FILES\
rem Build the new rule set first, and leave the existing rules alone if the
rem download or parse failed (pulldrop.php exits non-zero in that case).
php pulldrop.php iptables > dropcompiled.bat
if errorlevel 1 (
    echo DROP list download failed - existing rules left in place
    exit /b 1
)
netsh advfirewall firewall delete rule name="SpamhausDROP"
call dropcompiled.bat

Create a task in Windows Task Scheduler to call "SpamhausDROP.bat" no more than once per hour, as Spamhaus's terms require. (Once per day is recommended.)

First, the batch file compiles the Spamhaus DROP file into "netsh advfirewall" commands in dropcompiled.bat, and stops if the download failed, so a failed run never leaves the server without rules.
Second, it deletes all of the "old" rules, which are all named SpamhausDROP.
Finally, the new dropcompiled.bat is run, adding all of the new Windows Advanced Firewall rules.

Each list entry becomes its own inbound rule. Two things are worth knowing before relying on this: the rules block inbound traffic only, so add a matching dir=out rule if outbound connections to the listed netblocks should be dropped as well (DROP is meant as a "drop all traffic" list); and netsh's remoteip parameter accepts a comma-separated list, so the entries can be grouped into far fewer rules if several hundred individual rules become a problem.

The PHP script can also be called to create a Cisco standard access control list using the command line: php pulldrop.php cisco 67 > cisco.acl
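The following is an added example, not pulldrop.php or any Spamhaus code, showing the same parse-and-emit procedure with the checks a practitioner would want before running generated rules: it parses DROP-format text (a constructed sample in the page's "network/prefix ; SBLnnn" layout, with deliberately malformed lines), rejects anything that is not a clean IPv4 CIDR so nothing from the download can turn into a command, groups many ranges into one netsh rule per direction via the comma-separated remoteip list, refuses to emit an empty rule set, and derives the Cisco wildcard mask from the network's host mask. The rule name, chunk size and sample ranges are assumptions for the example.

```python
"""Parse a Spamhaus DROP-format file and emit firewall rules.

Added example, not the page's pulldrop.php. Input layout assumed from the
page: one "network/prefix ; SBLnnn" entry per line, ';' comment lines and
blank lines. The sample below is constructed for this example.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in the DROP file layout; the ranges are documentation
# networks, not real DROP entries. The last three entries are deliberately
# bad to show that garbage never reaches the generated batch file.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample)
; Please do not download more than once per hour

192.0.2.0/24 ; SBL100001
198.51.100.0/25 ; SBL100002
203.0.113.0/24;SBL100003
203.0.113.7/24 ; SBL100004
10.0.0.0/8 & del C:\\Windows ; SBL100005
not-an-address ; SBL100006
"""


def parse_drop(text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Return (network, sbl_id) pairs; skip comments, reject bad entries.

    strict=True rejects entries with host bits set (203.0.113.7/24), which
    would otherwise silently block a different range than the one listed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, sbl = line.partition(";")
        try:
            net = ipaddress.IPv4Network(cidr.strip(), strict=True)
        except ValueError:
            continue  # unexpected content: never pass it through to netsh
        entries.append((net, sbl.strip()))
    return entries


def netsh_rules(entries, chunk: int = 100, name: str = "SpamhausDROP") -> List[str]:
    """Emit one netsh rule per `chunk` ranges, for both directions.

    remoteip= accepts a comma-separated list, so a few hundred DROP entries
    become a handful of rules instead of one rule per netblock.
    """
    if not entries:
        raise ValueError("no DROP entries parsed; refusing to emit an empty rule set")
    cmds = []
    for i in range(0, len(entries), chunk):
        ranges = ",".join(str(net) for net, _ in entries[i:i + chunk])
        for direction in ("in", "out"):
            cmds.append(
                f'netsh advfirewall firewall add rule name="{name}" '
                f"dir={direction} action=block remoteip={ranges}"
            )
    return cmds


def cisco_acl(entries, acl_id: int) -> List[str]:
    """Standard ACL lines (1-99): network address plus wildcard (host) mask."""
    if not 1 <= acl_id <= 99:
        raise ValueError("standard numbered ACLs are 1-99")
    return [
        f"access-list {acl_id} deny {net.network_address} {net.hostmask}"
        for net, _ in entries
    ]


if __name__ == "__main__":
    parsed = parse_drop(SAMPLE_DROP)
    for cmd in netsh_rules(parsed, chunk=2):
        print(cmd)
    for acl_line in cisco_acl(parsed, 67):
        print(acl_line)
```

Run against a real download, the same code would replace SAMPLE_DROP with the fetched file contents; the ValueError from netsh_rules is what the scheduled job should treat as "keep the existing rules".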

Prerequisites:
PHP v5.3+ (the php executable must be on the PATH, since the batch file calls it as "php")
Free or paid access to Spamhaus DROP list
Author Comment by Shaun Rieman:

I'll expand on it as soon as possible.  Thank you!
