Malicious IP Firewall Automation

Overview

The Malicious IP Firewall Automation project is an open-source initiative aimed at building a robust tool for dynamically managing malicious IP addresses in Windows Firewall. This project consolidates data from trusted sources such as Spamhaus and Feodo Tracker to provide a unified, secure, and automated firewall configuration.

With the newly added master script, users can now manage and execute multiple firewall scripts seamlessly, making the system more scalable and maintainable.

---

Features

• Dynamic Updates: Fetches malicious IP lists from trusted sources like Spamhaus and Feodo Tracker.
• Master Script for Orchestration: The firewall_master.py script executes all configured scripts in sequence, allowing for easy management of multiple sources.
• Rule Management: Automatically removes outdated firewall rules created by the scripts to avoid duplication.
• Validation: Ensures only valid IP addresses or CIDR ranges are applied.
• Error Handling: Logs any errors encountered during execution and continues with subsequent tasks.
• Modularity: Future scripts can be added easily without modifying the core functionality.

---

Future Goals

• Integrate additional IP blocklists, such as:
  • Proofpoint Emerging Threats
  • FireHOL IP Threat Lists
  • Project Honeypot
• Expand support to other platforms:
  • Linux: Use iptables for firewall management.
  • macOS: Use pfctl for rule configuration.
• Build a GUI for easier management and visualization of sources and rules.
• Develop logging and reporting features to provide detailed insights into blocked IPs and system activity.

---

Getting Started

Prerequisites

• Operating System: Windows (for the current version).
• Python: Version 3.x.
• Administrator Privileges: Required to manage Windows Firewall rules.

Installation

1. Clone the Repository:

   git clone https://github.com/<your-username>/malicious-ip-firewall.git
   cd malicious-ip-firewall

2. Install Required Python Libraries: Install dependencies:

   pip install -r requirements.txt

---

Usage

Running the Master Script

The firewall_master.py script is the central tool for managing and executing all configured firewall scripts.

1. Run the Master Script:

   python firewall_master.py

2. What Happens:

   • Executes all listed scripts (e.g., abuse_ch_firewall.py, spamhaus_firewall.py, proofpoint_firewall.py, firehol_firewall.py, honeypot_firewall.py).
   • Fetches IP blocklists and updates firewall rules dynamically.
   • Logs success and errors for each script.

3. Add New Scripts:

   • Place the new script in the same directory.
   • Ensure the script has a main() function.
   • Add the script name to the scripts_to_run list in firewall_master.py.

Example Output

Starting firewall master script...
Executing abuse_ch_firewall.py...
Successfully executed abuse_ch_firewall.py.
Executing spamhaus_firewall.py...
Successfully executed spamhaus_firewall.py.
Executing proofpoint_firewall.py...
Successfully executed proofpoint_firewall.py.
Executing firehol_firewall.py...
Successfully executed firehol_firewall.py.
Executing honeypot_firewall.py...
Successfully executed honeypot_firewall.py.
Firewall master script completed.

Script-Specific Notes

Project Honeypot Integration

The Project Honeypot integration requires an API key:

1. Register at Project Honeypot to get your API key.
2. Edit honeypot_firewall.py and replace "your_api_key_here" with your actual API key.
3. Customize the threat filtering settings if needed:
   • MIN_THREAT_SCORE: Minimum score to consider an IP malicious (1-100)
   • MAX_DAYS_SINCE_ACTIVITY: Only block IPs active within this many days

FireHOL Integration

The FireHOL script uses the "level1" list by default, which is a balanced blocklist with minimal false positives. If you need a more aggressive or specialized list, you can modify the BLOCKLIST_URL in firehol_firewall.py to point to a different list from https://iplists.firehol.org/files/.

---

Sources

Currently Supported

• Feodo Tracker: https://feodotracker.abuse.ch/
• Spamhaus DROP List: https://www.spamhaus.org/drop/drop_v4.json
• Proofpoint Emerging Threats: https://rules.emergingthreats.net/blockrules/compromised-ips.txt
• FireHOL IP Threat Lists: https://iplists.firehol.org/
• Project Honeypot: https://www.projecthoneypot.org/

Future Integrations

• Additional threat intelligence sources as they become available

Have a trusted source to recommend? Open an issue or submit a PR!

📌 Future Integrations

The following IP threat intelligence feeds are under consideration for future integration. These sources will expand the firewall system's coverage of malicious actors across networks:

Source Name	Type	Integration Notes
Blocklist.de	Text-based IP list	https://lists.blocklist.de/lists/all.txt — Aggregated attacker IPs from honeypots.
Cisco Talos Intelligence	API	https://talosintelligence.com — Threat data via API queries.
AlienVault OTX (Open Threat Exchange)	API	https://otx.alienvault.com — Community-driven threat indicators (IP, domains).
DShield (SANS ISC)	Text-based	https://www.dshield.org/ipsascii.html?limit=1000 — Top reported attack sources.
Tor Exit Nodes	Text-based	https://check.torproject.org/exit-addresses — Exit IPs used for anonymized attacks.
CINS Active Threat Feed	Text-based	https://cinsscore.com/list/ci-badguys.txt — Aggressive blocklist maintained by Sentinel Labs.
abuse.ch URLhaus	Text/CSV	https://urlhaus.abuse.ch/downloads/ — Contains URLs and their resolved malicious IPs.
RIPE NCC Abuse Feeds	WHOIS/ASN	Advanced parsing of abuse reports for high-risk Autonomous Systems (ASNs).

🔧 These will follow the same modular script structure with rule deletion, validation, and chunked IP blocking.

---

Contributing

We welcome contributions to make this project more robust and comprehensive.

How to Contribute

1. Fork the Repository:

   • Click the "Fork" button on GitHub to create your copy of the repository.

2. Clone Your Fork:

   git clone https://github.com/<your-username>/malicious-ip-firewall.git
   cd malicious-ip-firewall

3. Create a Feature Branch:

   git checkout -b feature/<your-feature-name>

4. Make Your Changes:

   • Write clear, concise code.
   • Add comments and documentation if needed.
   • Test your changes thoroughly.

5. Submit a Pull Request (PR):

   • Push your changes:

     git push origin feature/<your-feature-name>

   • Open a PR on the main repository.

---

Contribution Guidelines

• Code Security: Ensure all contributions are secure and follow best practices.
• Testing: Test changes locally before submitting.
• Documentation: Add or update documentation for new features.
• Respect: Collaborate respectfully and constructively with the community.

---

License

This project is licensed under the MIT License. See the LICENSE file for more information.

---

Community and Support

Have ideas, feedback, or issues? Open a discussion or issue on GitHub.

Let's build a secure, crowd-powered firewall solution together!

---