I have cooked together some further improvements on Check Points 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.
At this moment the following blocklists are implemented:
- Emerging Threats: Known Compromised Hosts
- TOR exit nodes
- Blocklist.de All
The feeds are downloaded, sanity checked and then published on cpdbl.net for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course ymmv so all feedback is appreciated. If you want to try it out go to: https://cpdbl.net
Screenshot of the interface:
These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticably.
Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.
VSX is not supported for now.
The server(cpdbl.net) downloads all the lists nightly and
- Validates that all entries are valid IPs.
- Baselines the lists, makes sure a list does not suddenly grow enormously.
- Publishes the lists for the clients to download.
- Downloads fresh lists every 12 hours
- Times out entries in the block-table after 12 hours, hence if cpdbl.net is unavailable all entries will be removed at this time.
- Validates that only entries containing numbers and "-" are read into the system. (to stop possible code injection)
- Installs validated entries into blocking tables and waits for 12 hours before starting over again.
To monitor the blocked IP addresses:
In SmartView Tracker, search for "SecureXL message: Quota violation".
In SmartLog, search for "blade:Firewall Alert".