pf-badhost

Stop the evil doers in their tracks!

Version 0.5 Released!

January 10, 2021

Table of Contents

Platform Install Instructions:

OpenBSD | FreeBSD | DragonflyBSD | NetBSD | MacOS

Download Link: pf-badhost.sh | Previous Releases: Archives

Changelog: changelog.txt

Man Page: man.txt

Errata (instructions are within patch file): 001


tl;dr Feature List

  • High performance bi-directional network filtering
  • User configurable lists and rule sets
  • IPv4 and IPv6 support
  • Blocks SSH bruteforcers and botnet scans, including Shodan
  • Blocks the most egregious SMTP spammers, scanners and junk peddlers
  • Geoblocking and region blacklisting
  • Filter networks by ASN (Autonomous System Number)
  • Tor filtering: block/whitelist Tor relays and/or exit points
  • Subnet aggregation and list optimization
  • Dynamic ruleset generation based on SSH authlog analysis
  • High Portability: Should run on any OS featuring the PF firewall
  • Blocklist automatically updates so you always have the latest blocklist data

About

pf-badhost is a fast, bi-directional network filtering utility powered by the PF firewall. pf-badhost blocks many of the internet's biggest irritants -- annoyances such as SSH and SMTP bruteforcers are largely eliminated. Shodan scans and bots looking for webservers to abuse are stopped dead in their tracks. When used to filter outbound traffic, pf-badhost blocks many seedy, spooky malware containing web hosts.

Filtering performance is exceptional, as the badhost list is stored in a PF table. To quote the OpenBSD FAQ page regarding tables: "the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses."

pf-badhost is simple and powerful. The blocklists are pulled from quality, trusted sources. The 'Spamhause', 'Firehol', 'Blocklist.de', 'Emerging Threats' and 'Binary Defense' block lists are used as they are popular, regularly updated lists of the internet's most egregious offenders. pf-badhost can easily be expanded to use additional and/or alternate blocklists as well as setting custom filter rules.

pf-badhost works best when used in conjunction with unbound-adblock for the ultimate badhost blocking.

To receive notifications for new pf-badhost releases, send an email to announce@geoghegan.ca with this subject line: "subscribe pf-badhost"

If you believe my work has provided value to you, and if you have the means to, please consider donating. I'm fairly poor, so every little bit helps.

If you want to donate, but aren't able to use PayPal, please get in contact with me and we can figure out a more suitable method.


Acknowledgments

I would like to give thanks to the following people for their donations of time, resources and/or money to the project:

  • Pedro Guizeline
  • Paulo Rodriguez
  • Thomas K.
  • Steven Caesare

Thanks to Mischa Peters and OpenBSD Amsterdam for sponsoring the project! They were kind enough to offer the project free computing resources to help facilitate development and testing of pf-badhost.

Thanks to Ethan Ferguson for providing access to MacOS devices to help facilitate pf-badhost development and for testing code and finding bugs!


What Folks Are Saying about pf-badhost

If you've written or created something related to pf-badhost and would like to have your link listed here then please send me an email.

OpenBSD Journal

BSD Now

BSD Weekly

DragonflyBSD Digest

Ozgur.Kazancci.com



Frequently Asked Questions

Q-1: How can I help the project?

A-1: You can find bugs, donate, or tell your friends about pf-badhost.

Q-2: Will this run on Linux?

A-2: Yes and No. pf-badhost can generate blocklists with the '-x' option on nearly any OS (including Windows via WSL). However, to install and manage blocklists on a local machine requires an operating system featuring the PF firewall.

Q-3: Will this run on Solaris?

A-3: It likely will run on newer Solaris versions - if someone wants to give me SSH access to a Solaris test box (or any other OS with PF) I'll happily add support for it.

Q-4: How do I check pf-badhost's status?

A-4: By default, pf-badhost logs to '/var/log/messages' where you can see statistics from previous runs as well as any info/error messages that may have occured. A copy of the two most recently generated blocklists can be found in '/var/log/pf-badhost'.

Additionally, most cron daemons are configured to mail the cron job results/output to the cron job owner. If you have your local mail system configured on your machine, you can configure the status reports to be forwarded to your main email account. Please check the documentation relevant to your system for more info, as this is beyond the scope of pf-badhost's instuctions.

Q-5: Can't I just run this as root?

A-5: I'd tell you to stop being annoying, but you have a right to shoot yourself in the foot. You can use the '-D' option to disable UID checking.


Previous Release Pages