Create hosting ASN database:

For each ASN

1. Look up ASN using ipinfo.io free db
2. Confirm it is "Content" type (means hosting): https://www.peeringdb.com/api/net?asn=63949
3. Set up a database with worldwide hosting ASNs

def check_content_network_type(asn):
    peeringdb_api_url = f"https://peeringdb.com/api/net?asn={asn}"
    response = requests.get(peeringdb_api_url)
    response_json = response.json()
    
    if response_json["data"]:
        network_type = response_json["data"][0]["info_type"]
        return network_type == "Content"
    else:
        return False

Similiar existing datasets:

• https://github.com/brianhama/bad-asn-list/blob/master/bad-asn-list.csv

fds block should block all ASNs ranges by getting their IP sets + block simply as AS63949 on Cloudflare side (it supports specifying in this way)

First off, I really like the program. I'm bad at firewall management and this makes it very easy in concept.

That said, I ran into an issue this AM when I tried to block a subnet on a production server running centOS 8. I installed FDS yesterday so I'm assuming I was using the current version What I think happened (can't review logs because I had to restore the server from backup) is I forgot to add a subnet mask to a subnet. I then got a bunch of json looking stuff puked to screen. I then added the correct subnet mask and re-ran the command, same json stuff, reran the command again and it indicated it worked. Went through the list of subnets I needed to block and got the same json junk the first time and the normal output the second time. Then noticed the server wasn't accepting any incoming connections anymore. Checked the status of firewalld and it had a bunch of red warnings with the JSON looking content FDS had apparently tried to add as firewall rules. Since I don't know where those rules actually are to remove them manually I tried uninstalling firewalld. Still had no incoming connections and couldn't hit any of my services. Firewall seems to have been blocking everything and I couldn't figure out where those rules were to fix them. Was running out of time on my maintenance window so restored from backup to a point before I had installed FDS, which fixed the connection issue. This was on a Linode VPS I was SSHed into from across the country so I know there wasn't any hardware problem that might have overlapped with the weird stuff FDS did to the firewall rules as I never lost my SSH session. I also tried to unblock everything in FDS by going through my CLI log, that didn't work either. Sorry I don't have logs to send you, but I didn't do anything very odd so I imagine this will come up again if you can't replicate.

Really like the program in concept, hope to be able to use it in future. Wanted to let you know about the issue I ran into and to say thanks for your efforts to make firewall management easier.

Trying to do as title says on Centos 7.

Can send the entire output, but the last lines are as follows:
Starting new HTTP connection (1): www.ipdeny.com Downloaded /var/lib/fds/ge.zone: : 16KB [00:00, 30311.14KB/s] Done! Skipped update in Cloudflare as it was not set up. Run fds config? Traceback (most recent call last): File "/usr/bin/fds", line 9, in <module> load_entry_point('fds==0.0.37', 'console_scripts', 'fds')() File "/usr/lib/python2.7/site-packages/fds/fds.py", line 208, in main return action_block(args.value, args.ipset_name, reload=args.reload) File "/usr/lib/python2.7/site-packages/fds/fds.py", line 62, in action_block block_region(ip_or_country_name) File "/usr/lib/python2.7/site-packages/fds/fds.py", line 42, in block_region action_block(country.name, reload=False) File "/usr/lib/python2.7/site-packages/fds/fds.py", line 47, in action_block fw = FirewallWrapper() File "/usr/lib/python2.7/site-packages/fds/FirewallWrapper.py", line 67, in __init__ self.fw = FirewallClient() File "<string>", line 2, in __init__ File "/usr/lib/python2.7/site-packages/firewall/client.py", line 53, in handle_exceptions return func(*args, **kwargs) File "/usr/lib/python2.7/site-packages/firewall/client.py", line 2509, in __init__ path_keyword='path') File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 160, in add_signal_receiver self.add_match_string(str(match)) File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 398, in add_match_string BUS_DAEMON_IFACE, 'AddMatch', 's', (rule,)) File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking message, timeout) dbus.exceptions.DBusException: org.freedesktop.DBus.Error.LimitsExceeded: Connection ":1.28" is not allowed to add more match rules (increase limits in configuration file if required)

Hi,

as soon as a country has a special Character like Curaçao, blocking gives Unicode Errors.

Greetings

Joe

The command should check all blocked countries/lists for update and refresh entries.
Package should install the cron task by default.

Useful for transfer configs/management with ansible.

• implement "fds reload" action that will read the config and apply blocking from the config, wiping out any existing entries

/etc/fds.conf in YML format

Instead of passing a ton of options (and knowing them), the easiest way to set up anything is going through a series of questions. E.g.

1. Do you run http server (Y, default to that if detected NGINX install), otherwise default to N
2. Do you want to block some countries (default to cn, sorry China)
3. Running behind Cloudflare?, if yes then prompt for an API key, etc.

Hey,
is there a way to change the Cloudflare API token? I accidentally entered a wrong one and can't find a way to change it anywhere.
I tried running the config command again and uninstalling FDS including all files but nothing helped.

Make Firewalld optional

I am receiving an error when trying to run FDS Config on RHEL 8.3.

[root@mail ~]# fds config
Traceback (most recent call last):
File "/usr/bin/fds", line 11, in
load_entry_point('fds==0.0.19', 'console_scripts', 'fds')()
File "/usr/lib/python3.6/site-packages/fds/fds.py", line 191, in main
return action_config()
File "/usr/lib/python3.6/site-packages/fds/config.py", line 24, in action_config
open_web_if_webserver_running()
File "/usr/lib/python3.6/site-packages/fds/config.py", line 8, in open_web_if_webserver_running
from .utils import is_process_running, query_yes_no
File "/usr/lib/python3.6/site-packages/fds/utils.py", line 1, in
import psutil
ModuleNotFoundError: No module named 'psutil'

[root@mail ~]# fds --version
fds 0.0.19

I just tested it on my server/gateway at home, works very well on blocking entire countries. To well.

It sure do block access from a specific country, but it also block outgoing connections to that country. If I block fx. US, I can not access anything coming from there (DuckDuckGo, GitHub etc). Option to accept RELATED ESTABLISHED connections should be allowed when initialized from "the inside", and only block access from new connections made from the outside.

Hi,

I would love to have an option to block complete continents. And also a deny-all option, meaning to block all and specifically unblock countries would be nice.

Greetings

Joe

In an attempt to get fds updated so I can use the new TOR blocking I tried
yum -y update fds
nothing to update
So, I figured I'd uninstall and reinstall
yum -y remove fds
yum -y install fds
no package found
I also did
yum -y reinstall https://extras.getpagespeed.com/release-latest.rpm
which it did, but still
yum install fds
results in no package found
Any ideas on how to get fds package to be found and install again?

Add a sample fail2ban action so that fds can be used as a block backend
fds as block action fail2ban

E.g. the ones installed via firewalld-ipset-braintree package.

fds whitelist braintree # if known IP set, ensure it is in respective zone source, + add to Cloudflare 

https://developers.cloudflare.com/firewall/cf-dashboard/rules-lists/manage-items

This will save me tons of time - thanks for that.
One request - I find many hackers come in via TOR - would be nice if you could include a set for this IP list also.
Thanks, Wes

Is there a way to list existing block entries?
Is there a way to choose some of them for removal?

It doesn't allow certain masks but they can be split into smaller ones using

https://netaddr.readthedocs.io/en/latest/tutorial_01.html#supernets-and-subnets

Feature Request:

Since the country block is only available for certain plans, and not everyone may be subscribed to those, it would be nice to add the ability to set the configuration for fds to use the challenge option or js-challenge option for the country, or, add it as a CLI option (e.g. fds block Country1 challenge)

Maybe a future option will give the ability to add/update firewall rules with the country block, but, that's probably going to take a little more coding to make happen...