[unisog] automated IP blacklist tools?

Jenett Tillotson jtillots at purdue.edu
Mon Nov 22 20:08:57 GMT 2004


We have been discussing something similar.  I would love to modify 
tcp wrappers to query a black hole list using something like 
postsentry to make the DNS entries.  The idea would be whenever a 
machine is caught scanning all the ports on a machine in a certain 
amount of time (like less than one minute), their IP address gets 
added to a DNS server.  Then other machines, using tcp wrappers, 
query that nameserver before allowing a machine to connect to them. 
If they are in the DNS server, then they deny them the connection. 
I would have these DNS entries removed after some time (like one 
hour).  It would also be great if you could change the rules - like 
maybe you want to catch those people who are slowly scanning the 
ports on a machine in order to avoid detection or someone banging on 
a particular port to attempt to break in.  The rule set would depend 
on the attacks you see compared with the access you want to allow.

What we would like to do is share the information about break-in 
attempts across our machines.  This would also catch machines in our 
own network that are performing scans.  Again, it's not a silver 
bullet, but it would be yet another layer of protection (yalp).

Jenett Tillotson
Envision Center
Purdue University
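The mechanism Jenett sketches above (a scan detector that lists a source in a DNS zone, other hosts querying that zone before accepting a connection, and entries aging out after an hour) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the post or from any Purdue project. It simulates the DNS blacklist in memory instead of running a nameserver, and the zone name `bl.example.internal`, the threshold of 20 distinct ports in one minute, and the `127.0.0.2` "listed" answer are all assumptions chosen for the illustration.

```python
"""Toy model of the shared scan-blocklist described in the post.

Constructed example: an in-memory "DNS blacklist" zone plus a scan
detector that lists an offending source for an hour.  A real deployment
would publish the zone through a DNS server and have tcp wrappers (or a
firewall hook) perform the lookup; here everything runs in-process.
"""
from collections import defaultdict, deque
import ipaddress

BL_ZONE = "bl.example.internal"   # placeholder zone name (assumption)
SCAN_WINDOW = 60.0                # seconds: "less than one minute"
SCAN_PORT_THRESHOLD = 20          # distinct ports per window (assumed value)
LISTING_TTL = 3600.0              # seconds: "after some time (like one hour)"


def dnsbl_name(ip: str, zone: str = BL_ZONE) -> str:
    """DNSBL-style query name: the IPv4 octets reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class DnsBlacklist:
    """Simulated DNS zone: query name -> expiry timestamp."""

    def __init__(self):
        self._entries = {}

    def add(self, ip: str, now: float, ttl: float = LISTING_TTL) -> None:
        # Re-listing a source pushes its expiry forward.
        self._entries[dnsbl_name(ip)] = now + ttl

    def lookup(self, ip: str, now: float):
        """Return '127.0.0.2' (the conventional 'listed' answer) or None."""
        name = dnsbl_name(ip)
        expiry = self._entries.get(name)
        if expiry is None:
            return None
        if expiry <= now:
            del self._entries[name]   # entry has aged out: behave like NXDOMAIN
            return None
        return "127.0.0.2"


class ScanDetector:
    """List a source that touches many distinct ports within SCAN_WINDOW."""

    def __init__(self, blacklist: DnsBlacklist):
        self.blacklist = blacklist
        self._events = defaultdict(deque)   # src -> deque of (timestamp, port)

    def observe(self, src: str, dst_port: int, now: float) -> bool:
        """Record one connection attempt; return True if src got listed."""
        q = self._events[src]
        q.append((now, dst_port))
        while q and now - q[0][0] > SCAN_WINDOW:   # drop events older than the window
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= SCAN_PORT_THRESHOLD:
            self.blacklist.add(src, now)
            return True
        return False


def allow_connection(blacklist: DnsBlacklist, src: str, now: float) -> bool:
    """What a tcp-wrappers-style hook would do: deny if the zone answers."""
    return blacklist.lookup(src, now) is None


def demo():
    """Constructed traffic: one fast scanner and one ordinary client."""
    bl = DnsBlacklist()
    det = ScanDetector(bl)
    t0 = 1000.0
    for i, port in enumerate(range(1, 31)):    # 30 ports in 30 seconds
        det.observe("192.0.2.10", port, t0 + i)
    det.observe("192.0.2.20", 22, t0 + 5)      # a single SSH connection
    return {
        "scanner_blocked_now": not allow_connection(bl, "192.0.2.10", t0 + 40),
        "client_allowed": allow_connection(bl, "192.0.2.20", t0 + 40),
        "scanner_allowed_after_ttl":
            allow_connection(bl, "192.0.2.10", t0 + 40 + LISTING_TTL),
    }


if __name__ == "__main__":
    print(demo())
```

The window-and-threshold rule is the simple case from the post; a source that probes one port every few seconds never accumulates 20 distinct ports inside a 60-second window and is not listed, which is exactly the "slow scan" gap Jenett says a richer rule set would have to cover. The same zone-lookup path also serves the sharing goal: every host that points its `lookup` at the published zone sees listings made by any other host.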

On Mon, 22 Nov 2004, Albert Lunde wrote:

> We'd like to do something to prevent or rate-limit directory harvesting
> and/or password guessing attacks against various network services, including
> our LDAP servers, and our white-pages CGI.
>
> If I was implementing throttling of a single locally-written CGI, I'd
> probably use a daemon on the same host to record requests and failures on a
> per-IP basis and decide what to deny.
>
> However, looking at this in the bigger picture across multiple servers, it
> seems like this would have similar requirements to parts of various
> anti-spam or intrusion-detection systems.
>
> So I'm wondering if people can suggest existing software or products that
> could be adapted to this purpose?
>
> --
>     Albert Lunde  Albert-Lunde at northwestern.edu
>                   atlunde at panix.com  (new address for personal mail)
>                   Albert-Lunde at nwu.edu (old address)
>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
>
