How to block traffic coming from known malicious IP addresses using the TOR.txt list
Solution

Background

This article applies to Security Gateways R77 and higher.

This article describes a mechanism to block traffic coming from known malicious IP addresses:

  • Based on the list of known malicious IP addresses
  • Based on the list of known TOR Exit Nodes
  • Based on the list of bulletproof IP addresses

Check Point's Security Intelligence maintains a list of IP addresses known as TOR Exit Nodes. The Security Gateway queries Check Point's Threat Cloud and blocks all traffic from these source IP addresses (Check Point updates this list periodically):

https://secureupdates.checkpoint.com/IP-list/TOR.txt

Best Practice

Security Gateway Version - Best Practice

  • R80.30 and higher, with Anti-Virus or Anti-Bot enabled:

    Use sk132193 - Custom Intelligence Feeds.

  • R81 and higher, without Anti-Virus or Anti-Bot:

    Use Generic Data Center objects.

    See the Security Management Administration Guide for your version - chapter "Managing Objects" > section "Network Object Types" > section "Generic Data Center Objects".

  • R77.x, R80.10, R80.20:

    Use the IP block feature (based on https://secureupdates.checkpoint.com/IP-list/TOR.txt) as described below.

Note - In R80.30 / R80.40 without Anti-Virus or Anti-Bot, you can use the IP block feature as described below, but this is not the best practice.


The content below applies to:

  • R80.30, R80.40 versions, without Anti-Virus or Anti-Bot
  • R77.x, R80.10, and R80.20 versions, with and without Anti-Virus or Anti-Bot

Table of Contents:

  • Known Limitations
  • How to block traffic from custom IP feeds managed from a Management Server
  • How to block traffic from known TOR Exit Nodes
  • How to block traffic from bulletproof IP addresses
  • How to monitor
  • Related solutions

 

Known Limitations

  • Security Gateways must run Gaia OS.

  • VSX Gateways are not supported.

  • Scalable Platforms (Maestro and Chassis) are supported only from specific versions.

    Refer to the section "IP and URL Block Feature" in the Maestro Administration Guide / Chassis Administration Guide for your version.

  • If a Security Gateway connects to the Internet through a proxy server, you must use the modified scripts from the section "How to block traffic from custom IP feeds managed from a Management Server".

  • Blocking of IPv6 traffic is not supported. To block IPv6 traffic, use the Custom Intelligence Feeds feature in sk132193 - Custom Intelligence Feeds.

 

How to block traffic from custom IP address feeds managed from a Management Server

Security Gateways R77 and higher can block traffic from source IP addresses they receive from custom IP address feeds through automatic updates. You can manage this feature centrally from the Check Point Management Server.

Security Gateways download IP address feeds every 20 minutes.

When Security Gateways update the corresponding blocking rules with new IP addresses, they send a "Control" log to the Management Server / configured Log Server.

When Security Gateways block traffic from a known malicious IP address, they send a log that shows:

  • "Drop" in the "Action" field.
  • "SecureXL message: Quota Violation" in the "Information" field.

Configuration Procedure on the Management Server:

  1. Prepare a plain text file that contains a list of each Security Gateway / each Cluster Member that must block such traffic.

    Below, this file is denoted as <gw_list_file>.

    • Each line in this file must contain a name or an IP address of the Security Gateway / Cluster Member object.

    • For comments, use the pound character (#) at the beginning of a line.

  2. Prepare a plain text file that contains a list of URLs (feeds), from which Security Gateways / each Cluster Member downloads the malicious IP addresses.

    For example, https://secureupdates.checkpoint.com/IP-list/TOR.txt

    Below, this file is denoted as <feed_file>.

    • Each line in this file must contain a single complete URL.

    • For comments, use the pound character (#) at the beginning of a line.

    Notes about IP address feeds:

    • Each line in the IP address feed must contain one IPv4 address, or one range of IPv4 addresses (for example, 172.23.42.2-172.23.42.15).

    • For comments, use the pound character (#) at the beginning of a line.

  3. Optional: If it is necessary to bypass (exclude) specific IP addresses from an IP feed, prepare a plain text file that contains a list of IP addresses (in the IP-feed format mentioned above).

    Below, this file is denoted as <bypass_file>.

    Even if a custom IP feed contains these IP addresses, Security Gateways do not block traffic from them.

  4. Download these shell scripts (ip_block_sk103154.tar) to your computer.

  5. Transfer these shell scripts from your computer to the Management Server into some directory (for example, /var/log/).

  6. Connect to the command line on the Management Server.

  7. Log in to the Expert mode.

  8. Unpack the shell scripts:

    [Expert@HostName:0]# cd /var/log/

    [Expert@HostName:0]# tar -xvf ip_block_sk103154.tar

  9. Assign the 'execute' permission to the scripts:

    [Expert@HostName:0]# chmod -v u+x ip_block*

  10. Use the ip_block_activate.sh script to manage the Security Gateways / Cluster Members:

    [Expert@HostName:0]# ./ip_block_activate.sh -a {on | off | stat | allow | delete_bypass} [-g <gw_list_file>] [-b <bypass_file>] [-f <feed_file>] [-s /<full_path_to>/ip_block.sh]

    Important Note: When executing the ip_block_activate.sh script for the first time, you must also use the "-s /full_path_to/ip_block.sh" parameter, so that the script copies ip_block.sh to each Security Gateway / Cluster Member.

    Parameters:

    Parameter                       Description

    -a on                           Starts the blocking of traffic from malicious IP addresses on each Security Gateway / Cluster Member specified in the <gw_list_file>.

    -a off                          Stops the blocking of traffic from malicious IP addresses on each Security Gateway / Cluster Member specified in the <gw_list_file>.

    -a stat                         Prints the feature status for each Security Gateway / Cluster Member specified in the <gw_list_file>.

    -a allow                        Starts the bypass for the IP addresses listed in the <bypass_file> (even if they are listed in the feeds) on each Security Gateway / Cluster Member specified in the <gw_list_file>.

    -a delete_bypass                Stops the bypass and removes the bypass list on each Security Gateway / Cluster Member specified in the <gw_list_file>.

    -g <gw_list_file>               Specifies a plain text file that contains a list of Security Gateways / Cluster Members that must block traffic from malicious IP addresses.

    -b <bypass_file>                Specifies a plain text file that contains a list of IP addresses that each Security Gateway / Cluster Member specified in the <gw_list_file> must exclude (bypass) from blocking.

    -f <feed_file>                  Specifies a plain text file that contains a list of URLs (feeds) that each Security Gateway / Cluster Member specified in the <gw_list_file> must download. For example: https://secureupdates.checkpoint.com/IP-list/TOR.txt

    -s /<full_path_to>/ip_block.sh  Specifies the full path to the ip_block.sh script, which ip_block_activate.sh copies to each Security Gateway / Cluster Member specified in the <gw_list_file>. Required when executing the ip_block_activate.sh script for the first time.

Examples (the scripts were unpacked into /var/log/, which is not in the PATH, so run them with the ./ prefix from that directory):

  • To start the feature (the first time, also pass -s):

    [Expert@HostName:0]# ./ip_block_activate.sh -a on -g gw_list.txt -f feeds_list.txt [-s /<full_path_to>/ip_block.sh]

  • To stop the feature:

    [Expert@HostName:0]# ./ip_block_activate.sh -a off -g gw_list.txt

  • To start the bypass of specified IP addresses (using an exception list):

    [Expert@HostName:0]# ./ip_block_activate.sh -a allow -g gw_list.txt -b bypass_file.txt

  • To stop the bypass and remove the bypass list:

    [Expert@HostName:0]# ./ip_block_activate.sh -a delete_bypass -g gw_list.txt

  • To check if the feature is active on the specified Security Gateways / Cluster Members:

    [Expert@HostName:0]# ./ip_block_activate.sh -a stat -g gw_list.txt

  • To see the applicable logs:

    [Expert@HostName:0]# cat $FWDIR/log/ip_block_activate.log
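The feed file and the bypass file from steps 2 and 3 are plain text with one IPv4 address or one IPv4 range per line, and the gateway turns them into Rate Limiting (fw samp) quota rules, which is why blocked connections are logged with "SecureXL message: Quota Violation". The script below is an added example and not one of the sk103154 scripts: it validates a feed file and a bypass file in that format (comments, blank lines, Windows line endings, bad octets and inverted ranges are stripped or skipped instead of being passed to the firewall), de-duplicates the entries, and prints the rules that would install them, a drop rule per feed entry and a bypass rule per bypass entry (the equivalent of "-a allow"). It assumes the "fw samp add -a d | -a b -l r -t 0 quota source range:<start>-<end> [pkt-rate 0] comment <text>" syntax from the Check Point Rate Limiting documentation; confirm it against the Performance Tuning Administration Guide for your version before running the printed commands in Expert mode. The file contents in write_sample_files are constructed test data, not a real feed.

```shell
#!/bin/sh
# Added example, not one of the sk103154 scripts. Validates a feed file and a
# bypass file in the sk103154 format (one IPv4 address or one IPv4 range per
# line, "#" comments) and prints the Rate Limiting rules that would install them.
# Assumption: the "fw samp add -a d|-a b -l r -t 0 quota source range:<s>-<e>
# [pkt-rate 0] comment <text>" syntax follows the Check Point Rate Limiting
# documentation; verify it for your version before applying the output.

# 0 if $1 is a dotted quad with four octets in 0-255 and no leading zeros.
valid_ipv4() {
    local ip="$1" oldifs octet
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in 0[0-9]*) return 1 ;; esac    # "08" would be read as octal below
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad to an integer so the two ends of a range can be ordered.
ip_to_int() {
    local oldifs
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "<start>-<end>" for a valid entry (a single address becomes "ip-ip").
# Return 1 silently for a malformed or inverted one so the caller can skip it.
normalize_entry() {
    local entry="$1" start end
    case $entry in
        *-*) start=${entry%%-*}; end=${entry#*-} ;;
        *)   start=$entry; end=$entry ;;
    esac
    valid_ipv4 "$start" && valid_ipv4 "$end" || return 1
    [ "$(ip_to_int "$start")" -le "$(ip_to_int "$end")" ] || return 1
    printf '%s-%s\n' "$start" "$end"
}

# Read a feed or bypass file: strip "#" comments, blanks and the CR of Windows
# line endings (the reason the procedure runs dos2unix), normalize and
# de-duplicate the entries, and report malformed lines on stderr.
load_entries() {
    local file="$1" line norm
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if norm=$(normalize_entry "$line"); then
            printf '%s\n' "$norm"
        else
            printf 'skipping malformed entry in %s: %s\n' "$file" "$line" >&2
        fi
    done < "$file" | sort -u
}

# One drop rule per feed entry, then one bypass rule per bypass entry:
#   -a d  drop      -a b  bypass (exempts the source from the quota rules)
#   -l r  regular log   -t 0  no expiry   pkt-rate 0  every packet exceeds the quota
build_rules() {
    local feed="$1" bypass="$2" comment="${3:-threatcloud_TOR_block}"
    load_entries "$feed" | while read -r entry; do
        printf 'fw samp add -a d -l r -t 0 quota source range:%s pkt-rate 0 comment %s\n' \
            "$entry" "$comment"
    done
    [ -n "$bypass" ] || return 0
    load_entries "$bypass" | while read -r entry; do
        printf 'fw samp add -a b -l r -t 0 quota source range:%s comment %s_bypass\n' \
            "$entry" "$comment"
    done
}

# Constructed sample input (not a real feed): a comment, two good entries, a bad
# octet, an inverted range and a CRLF duplicate; the bypass file has one address.
write_sample_files() {
    printf '# constructed sample feed\n203.0.113.7\n198.51.100.0-198.51.100.255\n192.0.2.300\n192.0.2.9-192.0.2.1\n203.0.113.7\r\n' > "$1"
    printf '198.51.100.42   # partner scanner\n' > "$2"
}

# Stand-alone run: print the rules for the sample. Nothing touches a gateway;
# after review the output can be piped into "sh" in Expert mode.
demo() {
    local dir
    dir=$(mktemp -d)
    write_sample_files "$dir/feed.txt" "$dir/bypass.txt"
    build_rules "$dir/feed.txt" "$dir/bypass.txt"
    rm -rf "$dir"
}
demo
```

Run it with sh on an administrator workstation or the Management Server; it writes nothing to a gateway. Because the validator skips malformed lines instead of aborting, read its stderr before applying the rules: a feed that silently loses entries is a blind spot, not a safe default.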

Troubleshooting:

Issue

Security Gateway / Cluster does not block the traffic from "External" to "Internal".

Cause

SecureXL is not configured to work with internal interfaces.

Solution

Run this command on the Security Gateway / each Cluster Member:

fwaccel dos config set --enable-internal

The output must be: OK

This command does not survive reboot.

To make this change permanent:

  1. Edit the configuration file:

    vi $FWDIR/conf/fwaccel_dos_rate_on_install

  2. Add the command to the bottom of the file:

    fwaccel dos config set --enable-internal

  3. Save the file and exit Vi editor.

 

How to block traffic from known TOR Exit Nodes

Important Notes:

  • We recommend using the solution from section "How to block traffic from custom IP feeds managed from a Management Server" with the Check Point's feed database https://secureupdates.checkpoint.com/IP-list/TOR.txt.

  • The Check Point's feed database https://secureupdates.checkpoint.com/IP-list/TOR.txt is a best-effort database only.

    To block access completely, you must enable and configure these on the Security Gateway / Cluster:

    1. Application Control Software Blade
    2. HTTPS Inspection

Tor is an anonymity network deployed worldwide. Traffic leaving it through exit nodes is frequently the first step of suspicious or malicious web activity and of anonymous server fingerprinting, which is why exit-node addresses are worth blocking at the perimeter.

  • On Security Gateways / Clusters R80.20 and higher:

  • On Security Gateways / Clusters R80.10 and lower:

    1. Create a copy of the current $CPDIR/bin/IP-blacklist.sh script:

      [Expert@HostName:0]# cp -v $CPDIR/bin/IP-blacklist.sh $CPDIR/bin/IP-blacklist-TOR.sh

    2. Modify the default values in the $CPDIR/bin/IP-blacklist-TOR.sh script:

      1. Edit the $CPDIR/bin/IP-blacklist-TOR.sh script:

        [Expert@HostName:0]# vi $CPDIR/bin/IP-blacklist-TOR.sh

      2. Modify Line #3:

        from:

        url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"

        to:

        url="https://secureupdates.checkpoint.com/IP-list/TOR.txt"

      3. Modify Line #5:

        from:

        comment="threatcloud_ip_block"

        to:

        comment="threatcloud_TOR_block"

      4. Save the changes and exit Vi editor.

    3. Create a copy of the current $CPDIR/bin/ip_block.sh script:

      [Expert@HostName:0]# cp -v $CPDIR/bin/ip_block.sh $CPDIR/bin/ip_block_TOR.sh

    4. Modify the default values in the $CPDIR/bin/ip_block_TOR.sh script:

      1. Edit the $CPDIR/bin/ip_block_TOR.sh script:

        [Expert@HostName:0]# vi $CPDIR/bin/ip_block_TOR.sh

      2. Modify Line #15:

        from:

        echo "$(date): Starting" >> $FWDIR/log/ip_block.log

        to:

        echo "$(date): Starting" >> $FWDIR/log/ip_block_TOR.log

      3. Modify Line #19:

        from:

        $CPDIR/bin/cpd_sched_config add ip_block -c "$CPDIR/bin/IP-blacklist.sh" -e 1200 -r -s

        to:

        $CPDIR/bin/cpd_sched_config add ip_block_TOR -c "$CPDIR/bin/IP-blacklist-TOR.sh" -e 1200 -r -s

      4. Modify Line #20:

        from:

        echo "ip_block: Known malicious IP blocking mechanism is ON"

        to:

        echo "ip_block_TOR: Known TOR Exit Nodes blocking mechanism is ON"

      5. Modify Line #24:

        from:

        $CPDIR/bin/cpd_sched_config delete ip_block -r

        to:

        $CPDIR/bin/cpd_sched_config delete ip_block_TOR -r
      6. Modify Line #26:

        from:

        echo "ip_block: Known malicious IP blocking mechanism is OFF"

        to:

        echo "ip_block_TOR: Known TOR Exit Nodes blocking mechanism is OFF"
      7. Modify Line #30:

        from:

        cpd_sched_config print | awk 'BEGIN{res="OFF"}/Task/{flag=0}/ip_block/{flag=1}/Active: true/{if(flag)res="ON"}END{print "ip_block: Known malicious IP blocking mechanism status is "res}'

        to:

        cpd_sched_config print | awk 'BEGIN{res="OFF"}/Task/{flag=0}/ip_block_TOR/{flag=1}/Active: true/{if(flag)res="ON"}END{print "ip_block_TOR: Known TOR Exit Nodes blocking mechanism status is "res}'
      8. Modify Lines #34-39:

        from:

        echo 'Usage:'
        echo '  ip_block.sh <option>'
        echo 'Option:'
        echo '  on: blocks malicious IPs'
        echo '  off: stops malicious IPs blocking'
        echo '  stat: prints the status of malicious IP blocking'
        

        to:

        echo 'Usage:'
        echo '  ip_block_TOR.sh <option>'
        echo 'Option:'
        echo '  on: blocks Known TOR Exit Nodes'
        echo '  off: stops Known TOR Exit Nodes blocking'
        echo '  stat: prints the status of Known TOR Exit Nodes blocking'
        
      9. Modify Line #45:

        from:

        echo "ip_block: This utility is supported on GAIA Security Gateway only"

        to:

        echo "ip_block_TOR: This utility is supported on GAIA Security Gateway only"
      10. Save the changes and exit from Vi editor.

      11. Manually execute this script:

        [Expert@HostName:0]# ip_block_TOR.sh { on | off | stat }

        where:

        Parameter Description
        on Enables TOR Exit Nodes block
        off Disables TOR Exit Nodes block (default state)
        stat Displays the current state of TOR Exit Nodes block
  • On Security Gateways / Clusters R77 / R77.10 / R77.20:

      1. Download the relevant shell script:

        • In case your Security Gateway connects to the Internet directly (without a proxy), download the IP-blacklist.sh script.

        • If your Security Gateway connects to the Internet through a Proxy server, download the IP-blacklist-wProxy.sh

      2. Transfer the script from your computer to the Security Gateway / each Cluster Member into some directory (for example, /var/log/).

      3. Rename the script from IP-blacklist.sh to a desired name (for example, IP-blacklist-TOR.sh):

        [Expert@HostName:0]# cd /var/log/

        [Expert@HostName:0]# mv -v IP-blacklist.sh IP-blacklist-TOR.sh

      4. Assign the required permissions:

        [Expert@HostName:0]# chmod -v 750 IP-blacklist-TOR.sh
      5. Run the dos2unix command:

        [Expert@HostName:0]# dos2unix IP-blacklist-TOR.sh
      6. Modify the default values in the IP-blacklist-TOR.sh script:

        1. Edit the IP-blacklist-TOR.sh script:

          [Expert@HostName:0]# vi IP-blacklist-TOR.sh
        2. Modify Line #3:

          from:

          url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"

          to:

          url="https://secureupdates.checkpoint.com/IP-list/TOR.txt"
        3. Modify Line #5:

          from:

          comment="IP-blacklist"

          to:

          comment="IP-blacklist-TOR"
        4. Modify Line #17:

          from:

          echo "$(date): Starting" >> $FWDIR/log/IP-blacklist.log

          to:

          echo "$(date): Starting" >> $FWDIR/log/IP-blacklist-TOR.log
        5. Save the changes and exit from Vi editor.

      7. Copy the script to the $CPDIR/bin/ directory:

        [Expert@HostName:0]# cp -v IP-blacklist-TOR.sh $CPDIR/bin/
      8. Manually execute this script in the background:

        [Expert@HostName:0]# IP-blacklist-TOR.sh &
      9. You can configure Check Point WatchDog process to monitor and invoke this script automatically if it stops:

        • In the current uptime session only:

          Run:

          [Expert@HostName:0]# cpwd_admin start -name IP_BLACKLIST_TOR -path $CPDIR/bin/IP-blacklist-TOR.sh -command IP-blacklist-TOR.sh > /dev/null 2>&1

        • During each boot:

          1. Back up the current $FWDIR/bin/fwstart script:

            [Expert@HostName:0]# cp -v $FWDIR/bin/fwstart{,_ORIGINAL}
          2. Edit the current $FWDIR/bin/fwstart script:

            [Expert@HostName:0]# vi $FWDIR/bin/fwstart
          3. Add the following command - below the line that contains the string "CI_CLEANUP":

            Important Note: Perform these steps with extra care.

            cpwd_admin start -name IP_BLACKLIST_TOR -path $CPDIR/bin/IP-blacklist-TOR.sh -command IP-blacklist-TOR.sh

        To disable the Check Point WatchDog monitoring of this script:

        • In the current uptime session only:

          Run:

          [Expert@HostName:0]# cpwd_admin stop -name IP_BLACKLIST_TOR

        • During each boot:

          1. Back up the current $FWDIR/bin/fwstart script:

            [Expert@HostName:0]# cp -v $FWDIR/bin/fwstart{,_with_IP_BLACKLIST_TOR}
          2. Edit the current $FWDIR/bin/fwstart script:

            [Expert@HostName:0]# vi $FWDIR/bin/fwstart
          3. Delete the following line:

            Important Note: Perform these steps with extra care.

            cpwd_admin start -name IP_BLACKLIST_TOR -path $CPDIR/bin/IP-blacklist-TOR.sh -command IP-blacklist-TOR.sh

 

How to block traffic from bulletproof IP addresses

  • Bulletproof hosting is a service that allows anonymous and untraceable web hosting, without content filtering. Domains and websites provided by these services make fertile ground for threat actors to host their attack infrastructure.

  • The list of bulletproof IP addresses is created and updated by the Check Point Threat Intelligence team, based on real-world threat analysis, IP reputation, and AI.

  • To use this feed, follow the steps under "How to block traffic from known TOR Exit Nodes", replacing TOR.txt with Bulletproof.txt in the feed URL. Give the Bulletproof copy its own script name, log file, comment and scheduler task name (the TOR procedure derives all of these from the feed name), so that it does not overwrite the TOR task and the two feeds can run side by side.

 

How to monitor

Note - In R80.30 and higher, the Management Server / Log Server does not index the logs generated by the rate-limiting rules.

  • To monitor the list of blocked IP address indicators:

    1. Connect to the command line on the Security Gateway / each Cluster Member.

    2. Log in to the Expert mode.

    3. Get the current rate-limiting policy:

      [Expert@HostName:0]# fw samp get | grep threatcloud_ip_block
    4. In SmartConsole / SmartView / SmartView Tracker, search for:

      Comment = "threatcloud_ip_block"

      The source IP address is in:

      Information attribute - Source field.

  • To monitor the list of blocked TOR node's address indicators:

    1. Connect to the command line on the Security Gateway / each Cluster Member.

    2. Log in to the Expert mode.

    3. Get the current rate-limiting policy:

      [Expert@HostName:0]# fw samp get | grep threatcloud_TOR_block
    4. In SmartConsole / SmartView / SmartView Tracker, search for:

      Comment = "threatcloud_TOR_block"

      The source IP address is in:

      Information attribute - Source field.

  • To monitor the blocked IP addresses:

 
