pf-badhost

Stop the evil doers in their tracks!

Version 0.4 Released!

July 1st, 2020

Platform Install Instructions

OpenBSD | FreeBSD | DragonflyBSD | NetBSD | MacOS

Download Link: pf-badhost.sh | Previous Releases: Archives

Changelog: changelog.txt

tl;dr Feature List

  • High performance bi-directional network filtering
  • User configurable lists and rule sets
  • IPv4 and IPv6 support
  • Blocks SSH bruteforcers and botnet scans, including Shodan
  • Blocks the most egregious SMTP spammers, scanners and junk peddlers
  • Geoblocking and region blacklisting
  • Subnet aggregation/list optimization
  • Dynamic ruleset generation based on authlog analysis
  • Script is highly portable and should run on any OS featuring the pf firewall
  • Blocklist automatically updates so you always have the latest badhost data

NOTE: On 2020/07/10 a small tweak was made to the script to cope with a couple of bugs, one in the 'find' utility and another in RipGrep. Please update to a patched version of pf-badhost by running the following command:

# Replace use of 'ftp' with wget/curl/fetch as appropriate
ftp https://geoghegan.ca/pub/pf-badhost/0.4/patches/pf-badhost_p0.patch
patch <pf-badhost_p0.patch /usr/local/bin/pf-badhost.sh

If using RipGrep:

# Replace use of 'ftp' with wget/curl/fetch as appropriate
ftp https://geoghegan.ca/pub/pf-badhost/0.4/patches/rg_p0.patch
patch <rg_p0.patch /usr/local/bin/pf-badhost.sh

If using GNU grep:

# Replace use of 'ftp' with wget/curl/fetch as appropriate
ftp https://geoghegan.ca/pub/pf-badhost/0.4/patches/ggrep_p0.patch
patch <ggrep_p0.patch /usr/local/bin/pf-badhost.sh
About

pf-badhost is a simple, easy to use network filtering utility that uses the power of the pf firewall to block many of the internet's biggest irritants. Annoyances such as SSH and SMTP bruteforcers are largely eliminated. Shodan scans and bots looking for webservers to abuse are stopped dead in their tracks. When used to filter outbound traffic, pf-badhost blocks many seedy, spooky webhosts that serve malware or have been compromised.

Filtering performance is exceptional, as the badhost list is stored in a pf table. To quote the OpenBSD FAQ page regarding tables: "the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses."

pf-badhost is simple and powerful. The blocklists are pulled from quality, trusted sources. The 'Spamhaus', 'Firehol', 'Emerging Threats' and 'Binary Defense' block lists are used as they are popular, regularly updated lists of the internet's most egregious offenders. The pf-badhost.sh script can easily be expanded to use additional and/or alternate blocklists and to set custom rules.
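To illustrate the mechanism described above (several upstream blocklists merged into one pf table that filters in both directions), here is an added POSIX sh example; it is not pf-badhost's own code, and the table name, file path, feed format and sample entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not pf-badhost's own script. Merges blocklist feeds
# into one pf table file and loads it with pfctl. Table name and file
# path below are assumptions, not pf-badhost's actual values.

TABLE=pfbadhost                  # assumed pf table name
TABLE_FILE=/tmp/pf-badhost.txt   # assumed table file path

# Normalise one or more feeds read on stdin: drop '#'/';' comments and
# blank lines, keep only the leading IPv4/IPv6 address or CIDR prefix
# (some feeds append a reference after the address), and remove exact
# duplicates so the same prefix from two feeds is loaded once.
normalize_feeds() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' |
    grep -E '^(([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?)$' |
    sort -u
}

# Write the merged list to a temporary file and rename it into place, so
# pfctl never reads a half-written table file.
write_table_file() {
    tmp="$1.tmp.$$"
    normalize_feeds > "$tmp" && mv "$tmp" "$1"
}

# Replace the table contents in one operation: pf keeps filtering on the
# old entries until the replace completes, so there is no window in which
# the table is empty. The matching pf.conf rules would be, for example:
#   table <pfbadhost> persist file "/tmp/pf-badhost.txt"
#   block in  quick on egress from <pfbadhost>
#   block out quick on egress to   <pfbadhost>
load_table() {
    pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
}
```

Run `cat feed1.txt feed2.txt | write_table_file "$TABLE_FILE" && load_table` from cron to refresh the table on the schedule you want.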

pf-badhost works best when used in conjunction with unbound-adblock for the ultimate badhost blocking.
