Block Sources

Blocking and unblocking addresses based on an intel source is a common task, so there is a helper class called bhr_client.source_blocker.SourceBlocker.

To implement a source blocker, write a class that subclasses bhr_client.source_blocker.SourceBlocker and overrides get_records().

This example blocks addresses found in the DataPlane.org SSH Password Authentication feed.

from bhr_client.source_blocker import SourceBlocker
import requests


class DataplaneBlocker(SourceBlocker):
    source = 'dataplane'
    must_exist = True
    duration = 0

    def get_records(self):
        blocks = []
        # Fetch the feed as text; fail loudly on HTTP errors instead of
        # silently returning an empty list (which would unblock everything
        # when must_exist is True).
        resp = requests.get("https://www.dataplane.org/sshpwauth.txt", timeout=30)
        resp.raise_for_status()
        for line in resp.text.splitlines():
            line = line.strip()
            # Skip blank lines and comments
            if not line or line.startswith("#"):
                continue
            # Feed format: ASN | AS name | source address | UTC timestamp | category
            parts = [x.strip() for x in line.split("|")]
            if len(parts) != 5:
                continue
            asn, asname, saddr, utc, category = parts
            blocks.append({
                'cidr': saddr,
                'why': 'DataPlane SSH pwauth feed',
            })
        return blocks

To use the blocker, you would write a main function like:

from bhr_client.rest import login_from_env


def main():
    # Credentials and the BHR URL are read from the environment
    client = login_from_env()
    s = DataplaneBlocker(client)
    s.run()


if __name__ == "__main__":
    main()

To keep the BHR system in sync with the source, set must_exist to True and duration to 0. If the intel feed only contains daily updates, set must_exist to False and duration to something like 7d.
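The following is an added, self-contained example (not code from bhr_client or the DataPlane feed) showing the two pieces a source blocker depends on: parsing the pipe-separated feed into the cidr/why records that get_records() must return, and working out which blocks to add and, when must_exist is True, which to remove. The feed bytes, the list of currently blocked addresses and the plan_sync helper are all constructed for illustration; the real run() method does its own comparison against the BHR server, so this is a stand-in for that behaviour, not the library's implementation. It also goes slightly beyond the page's snippet by rejecting records whose address field does not parse as an IP address or network, so a corrupted feed line cannot turn into a malformed block request.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample in the DataPlane layout:
# ASN | AS name | source address | UTC timestamp | category
# Includes comments, a malformed line, a non-address and a duplicate.
SAMPLE_FEED = b"""\
# This is a comment line
# ASN | ASname | ipaddr | lastseen | category
64496 | EXAMPLE-AS | 192.0.2.10 | 2024-01-01 00:00:00 | sshpwauth
64497 | EXAMPLE-AS-2 | 198.51.100.7 | 2024-01-01 00:05:00 | sshpwauth
64498 | BROKEN-AS | not-an-address | 2024-01-01 00:06:00 | sshpwauth
short | line
64496 | EXAMPLE-AS | 192.0.2.10 | 2024-01-01 00:10:00 | sshpwauth
"""


def parse_feed(raw: bytes, why: str = "DataPlane SSH pwauth feed") -> List[Dict[str, str]]:
    """Turn feed bytes into get_records()-style dicts with 'cidr' and 'why'.

    Comment lines, blank lines, lines without exactly five columns, address
    fields that are not valid IP addresses/networks, and duplicates are skipped.
    """
    records: List[Dict[str, str]] = []
    seen: Set[str] = set()
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [x.strip() for x in line.split("|")]
        if len(parts) != 5:
            continue
        asn, asname, saddr, utc, category = parts
        try:
            # Validate only; keep the feed's own string as the cidr value
            ipaddress.ip_network(saddr, strict=False)
        except ValueError:
            continue
        if saddr in seen:
            continue
        seen.add(saddr)
        records.append({"cidr": saddr, "why": why})
    return records


def plan_sync(records: List[Dict[str, str]],
              currently_blocked: Iterable[str],
              must_exist: bool) -> Tuple[List[str], List[str]]:
    """Illustrative sync plan (hypothetical helper, not bhr_client's run()).

    Returns (to_add, to_remove). Addresses in the feed but not yet blocked are
    added. With must_exist=True, blocks for this source that have dropped out
    of the feed are removed; with must_exist=False they are left to expire
    according to their duration.
    """
    wanted = {r["cidr"] for r in records}
    current = set(currently_blocked)
    to_add = sorted(wanted - current)
    to_remove = sorted(current - wanted) if must_exist else []
    return to_add, to_remove


if __name__ == "__main__":
    recs = parse_feed(SAMPLE_FEED)
    # Constructed stand-in for "what BHR currently has blocked for this source"
    existing = ["198.51.100.7", "203.0.113.9"]
    print("records:", recs)
    print("must_exist=True ->", plan_sync(recs, existing, must_exist=True))
    print("must_exist=False ->", plan_sync(recs, existing, must_exist=False))
```

With must_exist set to True the plan removes 203.0.113.9 because it is no longer in the feed, which is the "keep BHR in sync with the source" behaviour described above; with must_exist set to False nothing is removed and only the new address 192.0.2.10 is added.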

class bhr_client.source_blocker.SourceBlocker(client)

    get_records()

        Return a list of dictionaries of hosts to block. The dictionaries must contain cidr and why fields. They can also contain source and duration fields to override the class attributes.

    run()

        Run the blocker, adding or removing blocks as needed.