[unisog] automated IP blacklist tools?
jtillots at purdue.edu
Mon Nov 22 20:08:57 GMT 2004
We have been discussing something similar. I would love to modify
TCP Wrappers to query a black hole list using something like
portsentry to make the DNS entries. The idea would be whenever a
machine is caught scanning all the ports on a machine in a certain
amount of time (like less than one minute), their IP address gets
added to a DNS server. Then other machines, using TCP Wrappers,
query that nameserver before allowing a machine to connect to them.
If they are in the DNS server, then they deny them the connection.
I would have these DNS entries removed after some time (like one
hour). It would also be great if you could change the rules - like
maybe you want to catch those people who are slowly scanning the
ports on a machine in order to avoid detection or someone banging on
a particular port to attempt to break in. The rule set would depend
on the attacks you see compared with the access you want to allow.
What we would like to do is share the information about break-in
attempts across our machines. This would also catch machines in our
own network that are performing scans. Again, it's not a silver
bullet, but it would be yet another layer of protection (yalp).
On Mon, 22 Nov 2004, Albert Lunde wrote:
> We'd like to do something to prevent or rate-limit directory harvesting
> and/or password guessing attacks against various network services, including
> our LDAP servers, and our white-pages CGI.
> If I were implementing throttling of a single locally-written CGI, I'd
> probably use a daemon on the same host to record requests and failures on a
> per-IP basis and decide what to deny.
> However, looking at this in the bigger picture across multiple servers, it
> seems like this would have similar requirements to parts of various
> anti-spam or intrusion-detection systems.
> So I'm wondering if people can suggest existing software or products that
> could be adapted to this purpose?
> Albert Lunde Albert-Lunde at northwestern.edu
> atlunde at panix.com (new address for personal mail)
> Albert-Lunde at nwu.edu (old address)
> unisog mailing list
> unisog at lists.sans.org
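The scheme sketched in both messages above (per-IP event tracking with entries that lapse after a fixed time, fed by a port-scan detector and by an auth-failure counter, and consulted by a TCP Wrappers-style hook through a reversed-octet DNS blocklist lookup) can be modelled offline. The following is an added example, not code from either poster; the zone name bl.example.edu, the thresholds, the two scan rules (a fast one and a slow one, to illustrate the "change the rules" point), and the sample traffic are all constructed assumptions. The in-memory Blocklist stands in for the nameserver the post describes; a real deployment would publish and expire the same names in a DNS zone.

```python
"""Added example (not from the original thread): per-IP scan and failure
detection feeding an expiring DNSBL-style blocklist, plus the lookup a
TCP Wrappers hook would perform before accepting a connection.
Zone name, thresholds and sample traffic below are assumptions."""
import ipaddress
from collections import defaultdict

BLOCKLIST_ZONE = "bl.example.edu"         # assumed zone name
# (window in seconds, distinct ports seen within it) -> treat as a scan.
# First rule catches the "less than one minute" case in the post, the
# second a slow scan spread over an hour.
SCAN_RULES = [(60.0, 20), (3600.0, 15)]
FAIL_LIMIT = 10                           # failed logins within FAIL_WINDOW
FAIL_WINDOW = 300.0
BLOCK_TTL = 3600.0                        # one-hour listing, as in the post


def dnsbl_name(ip, zone=BLOCKLIST_ZONE):
    """DNSBL query name: octets reversed, then the zone.
    10.1.2.3 -> 3.2.1.10.bl.example.edu"""
    addr = ipaddress.IPv4Address(ip)      # rejects malformed or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class Blocklist:
    """Stand-in for the DNS zone: query name -> expiry timestamp."""

    def __init__(self):
        self._entries = {}

    def add(self, ip, now, ttl=BLOCK_TTL):
        # Re-adding an active offender simply pushes its expiry out.
        self._entries[dnsbl_name(ip)] = now + ttl

    def lookup(self, name, now):
        """Model the A query: 127.0.0.2 (the usual 'listed' answer) if the
        name is present and unexpired, None for NXDOMAIN."""
        exp = self._entries.get(name)
        if exp is None or exp <= now:
            self._entries.pop(name, None)  # lazy expiry of stale entries
            return None
        return "127.0.0.2"

    def is_listed(self, ip, now):
        return self.lookup(dnsbl_name(ip), now) is not None


class Sensor:
    """Per-IP event tracking on one host; offenders go to the shared list."""

    def __init__(self, blocklist):
        self.bl = blocklist
        self.ports = defaultdict(dict)    # ip -> {port: last_seen}
        self.fails = defaultdict(list)    # ip -> [failure timestamps]

    def _prune(self, ip, now):
        longest = max(w for w, _ in SCAN_RULES)
        self.ports[ip] = {p: t for p, t in self.ports[ip].items()
                          if now - t < longest}
        self.fails[ip] = [t for t in self.fails[ip] if now - t < FAIL_WINDOW]

    def connection(self, ip, port, now):
        """Record a connection attempt; True if a scan rule fires."""
        self.ports[ip][port] = now
        self._prune(ip, now)
        for window, threshold in SCAN_RULES:
            recent = sum(1 for t in self.ports[ip].values() if now - t < window)
            if recent >= threshold:
                self.bl.add(ip, now)
                return True
        return False

    def auth_failure(self, ip, now):
        """Record a failed bind/login; True if the failure rate is exceeded."""
        self.fails[ip].append(now)
        self._prune(ip, now)
        if len(self.fails[ip]) >= FAIL_LIMIT:
            self.bl.add(ip, now)
            return True
        return False


def allow_connection(ip, blocklist, now):
    """The decision a TCP Wrappers hook would make from the DNSBL answer."""
    return not blocklist.is_listed(ip, now)


def demo():
    bl = Blocklist()
    sensor = Sensor(bl)
    t0 = 1_000_000.0                      # constructed epoch-style base time
    # Constructed sample traffic:
    for i in range(25):                   # 10.1.2.3: 25 ports in ten seconds
        sensor.connection("10.1.2.3", 1 + i, t0 + i * 0.4)
    for i in range(25):                   # 10.1.2.4: one port every two minutes
        sensor.connection("10.1.2.4", 1 + i, t0 + i * 120)
    for i in range(12):                   # 10.1.2.5: 12 failed binds in a minute
        sensor.auth_failure("10.1.2.5", t0 + i * 5)
    now = t0 + 3000
    return {
        "fast_scanner_blocked": not allow_connection("10.1.2.3", bl, now),
        "slow_scanner_blocked": not allow_connection("10.1.2.4", bl, now),
        "guesser_blocked": not allow_connection("10.1.2.5", bl, now),
        # Last listing of 10.1.2.3 was at t0 + 9.6; one hour later it lapses.
        "fast_scanner_allowed_after_ttl":
            allow_connection("10.1.2.3", bl, t0 + 9.6 + BLOCK_TTL + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The slow scanner never trips the one-minute rule (only one port per sixty seconds), which is why the second, hour-long window exists; dropping it reproduces the evasion the post worries about. Expiry is lazy: a listing is removed when it is next looked up after its deadline, so a machine that keeps scanning keeps renewing its own hour.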