Spamhaus DROP list implementation for Windows Advanced Firewall

The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intentions being that the user of the DROP list will install it within their firewall.

Though I've found a lot of support for compiling the DROP list into alternative operating systems, I've found support to be lacking on the internet for implementation with Windows servers without a hardware firewall.

This list is free to most users.  As stated on their web site: "The DROP list contains network ranges which can cause so much damage to internet users that Spamhaus provides it to all, free-of-charge, to help mitigate this damage."  

"When implemented at a network or ISP's 'core routers', DROP and EDROP will help protect the network's users from spamming, scanning, harvesting, DNS-hijacking and DDoS attacks originating on rogue netblocks."

The following instructions will allow a web server using Windows Advanced Firewall to take advantage of Spamhaus DROP lists.  

http://www.spamhaus.org/drop/

This script has been modified from the original code to output netsh commands, replacing the original iptables output.

Create a file called "pulldrop.php" with the following code:

<?php

/*
 * SpamHaus DROP Tool v0.1
 *
 * Written by Rick Hodger <rick@fuzzi.org.uk>
 * http://www.potato-people.com/
 *
 * DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting
 * of stolen 'zombie' netblocks and netblocks controlled entirely by professional
 * spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and
 * routing equipment.
 *
 * http://www.spamhaus.org/drop/
 *
 * This tool downloads and parses the Spamhaus DROP list into firewall rules.
 * In this modified version the "iptables" mode emits Windows Advanced Firewall
 * (netsh advfirewall) commands instead of iptables rules; "cisco" mode emits a
 * Cisco standard numbered access control list (IDs 1 to 99).
 *
 * Usage: Execute from the command line. Requires allow_url_fopen=On in php.ini
 * so that file() can fetch the list over HTTP.
 *
 * Examples:
 *
 *         php pulldrop.php iptables
 *         php pulldrop.php cisco 10
 */

// Convert "a.b.c.d/n" into array(network address, dotted subnet mask).
function getSubnetMask($cidr) {
    list($network,$mask)=explode('/',$cidr);
    $mask=(int)$mask;
    $bin='';
    for($i=1;$i<=32;$i++) {
        $bin .= $mask >= $i ? '1' : '0';
    }
    $subnet=long2ip(bindec($bin));
    return array($network,$subnet);
}

// Convert a subnet mask into the inverted wildcard mask used by Cisco ACLs.
function subnet2wildcard($subnet) {
    $x=ip2long($subnet);
    $z=ip2long("255.255.255.255");
    return long2ip($z-$x);
}

if ($argc==1) {
    die("$argv[0] [iptables|cisco] [extraoptions]\n");
}

$mode=$argv[1];
$aclid=0;
switch($mode) {
    case "iptables":
        break;
    case "cisco":
        if ($argc==2) {
            die("$argv[0] cisco [accesslistid]\n");
        }
        $aclid=(int)$argv[2];
        break;
    default:
        die("Unknown mode '$mode'. Use iptables or cisco.\n");
}

// The '@' keeps a failed fetch from writing a PHP warning into the generated
// batch file; the error goes to STDERR and a non-zero exit code instead.
$drop=@file("http://www.spamhaus.org/drop/drop.lasso");
if ($drop===false) {
    fwrite(STDERR, "Could not download the DROP list.\n");
    exit(1);
}

foreach($drop as $line) {
    $line=trim($line);
    // Skip blank lines and ';' comments; data lines look like "1.2.3.0/24 ; SBL123".
    if (!empty($line) && substr($line,0,1)!==';') {
        $parts=explode(";",$line);
        $cidr=trim($parts[0]);
        switch($mode) {
            case "iptables":
                echo "netsh advfirewall firewall add rule name=SpamhausDROP dir=in action=block remoteip=$cidr\n";
                break;
            case "cisco":
                $x=getSubnetMask($cidr);
                if ($aclid <= 99) {
                    echo "access-list $aclid deny $x[0] ".subnet2wildcard($x[1])."\n";
                }
                break;
        }
    }
}

?>


Create a file called "SpamhausDROP.bat" in the same path with the following code:

D:
cd D:\PATH-TO-PHP-AND-BAT-FILES\
netsh advfirewall firewall delete rule name="SpamhausDROP"
php pulldrop.php iptables > dropcompiled.bat
call dropcompiled.bat


Create a task in Windows Task Scheduler that calls "SpamhausDROP.bat" no more than once per hour, per Spamhaus's terms of use (once per day is recommended).

First, the SpamhausDROP.bat deletes all of the "old" rules, all named SpamhausDROP.
Second, it compiles the Spamhaus drop file into "netsh advfirewall" commands, inside dropcompiled.bat.
Finally, the new dropcompiled.bat file is run, adding all of the new Microsoft Windows Advanced Firewall rules.
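The same download, delete and re-add cycle can be done in one PowerShell script, which removes the PHP dependency. The following is an added example, not code from the article or from Spamhaus; it reuses the DROP URL and the SpamhausDROP rule name from the article, assumes the documented DROP line format "CIDR ; SBLnnn" with ';' comment lines, and assumes the NetSecurity module (Windows Server 2012 / Windows 8 or later). It goes one step beyond the batch file: the list is downloaded and parsed before any rule is deleted, so a failed or empty download leaves the previous rules in place instead of leaving the server unprotected, and all netblocks go into a single inbound rule rather than one netsh rule per netblock.

```powershell
# Added example (not part of the original article). Run from an elevated
# PowerShell session; requires the NetSecurity module (Server 2012 / Win 8+).

$DropUrl  = 'http://www.spamhaus.org/drop/drop.lasso'   # URL from the article
$RuleName = 'SpamhausDROP'                              # rule name from the article

function Get-DropNetblocks {
    param([string[]]$Lines)
    # Keep only the CIDR column of data lines and validate its shape, so a
    # truncated or unexpected download cannot turn into bogus firewall rules.
    # Assumes the DROP format "1.2.3.0/24 ; SBL123" with ';' comment lines.
    $cidrPattern = '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'
    $blocks = @()
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        $cidr = ($line -split ';')[0].Trim()
        if ($cidr -match $cidrPattern) { $blocks += $cidr }
    }
    return $blocks
}

# 1. Download before touching the firewall. SpamhausDROP.bat deletes the old
#    rules first, so a download failure there leaves no DROP rules at all;
#    here a failure keeps the previous rule set in place.
try {
    $response = Invoke-WebRequest -Uri $DropUrl -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Error "DROP download failed, keeping the existing rules: $_"
    exit 1
}

$blocks = @(Get-DropNetblocks -Lines ($response.Content -split "`r?`n"))
if ($blocks.Count -eq 0) {
    Write-Error 'No netblocks parsed from the DROP list, refusing to replace the rules.'
    exit 1
}

# 2. Replace the rules. One inbound rule carrying the whole address list
#    replaces the one-rule-per-netblock output of the netsh commands;
#    -RemoteAddress accepts CIDR strings directly.
Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
    -RemoteAddress $blocks | Out-Null

# 3. Verify what the firewall actually holds rather than trusting the script.
$applied = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
"$RuleName now blocks $(@($applied.RemoteAddress).Count) netblocks ($($blocks.Count) parsed)"
```

Schedule this script the same way as the batch file, no more than once per hour. The final line is the check worth keeping an eye on in the task history: if the parsed count and the applied count ever differ, the rule was only partially written and the run should be repeated.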


The PHP script can also be called to create Cisco access control lists (standard numbered ACLs, IDs 1 to 99) using the command line: php pulldrop.php cisco 67 > cisco.acl

Prerequisites:
PHP v5.3+
Free or paid access to Spamhaus DROP list
1 Comment
Author Comment by: Shaun Rieman
I'll expand on it as soon as possible.  Thank you!