July 1st, 2020
NOTE: On 2020/07/10 a small tweak was made to the script to cope with a couple bugs, one in the 'find' utility, and another in RipGrep. Please update to a patched version of pf-badhost by running the following command:
# Replace use of 'ftp' with wget/curl/fetch as appropriate ftp https://geoghegan.ca/pub/pf-badhost/0.4/patches/pf-badhost_p0.patch patch <pf-badhost_p0.patch /usr/local/bin/pf-badhost.sh
If using RipGrep:
# Replace use of 'ftp' with wget/curl/fetch as appropriate ftp https://geoghegan.ca/pub/pf-badhost/0.4/patches/rg_p0.patch patch <rg_p0.patch /usr/local/bin/pf-badhost.sh
If using GNU grep:
# Replace use of 'ftp' with wget/curl/fetch as appropriate ftp https://geoghegan.ca/pub/pf-badhost/0.4/patches/ggrep_p0.patch patch <ggrep_p0.patch /usr/local/bin/pf-badhost.sh
pf-badhost is a simple, easy to use network filtering utility that uses the power of the pf firewall to block many of the internet's biggest irritants. Annoyances such as SSH and SMTP bruteforcers are largely eliminated. Shodan scans and bots looking for webservers to abuse are stopped dead in their tracks. When used to filter outbound traffic, pf-badhost blocks many seedy, spooky malware containing and/or compromised webhosts.
Filtering performance is exceptional, as the badhost list is stored in a pf table. To quote the OpenBSD FAQ page regarding tables: "the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses."
pf-badhost is simple and powerful. The blocklists are pulled from quality, trusted sources. The 'Spamhause', 'Firehol', 'Emerging Threats' and 'Binary Defense' block lists are used as they are popular, regularly updated lists of the internet's most egregious offenders. The pf-badhost.sh script can easily be expanded to use additional and/or alternate blocklists as well as setting custom rules.
pf-badhost works best when used in conjunction with unbound-adblock for the ultimate badhost blocking.