[unisog] automated IP blacklist tools?
acgetchell at ucdavis.edu
Mon Nov 22 20:14:34 GMT 2004
If you're using OpenBSD/pf as a firewall (or run it for your DNS/LDAP
servers as I do), you can do it with this rule:
pass in proto tcp from any to $ldapserver port ldap flags S/SA \
synproxy state (source-track rule, max-src-states 3, \
tcp.established 60, tcp.closing 600)
$ldapserver is a macro for your LDAP server
ldap resolves to port 389 via /etc/services
S/SA means allow only startup states (Syn/Syn-Ack)
synproxy state means remember this connection in a state table and
randomize the TCP sequence numbers; also, complete the tcp handshake between
endpoints on behalf of the LDAP server (to prevent SYN floods)
source-track rule means remember the source IP address
max-src-states 3 means only allow 3 connections from that source
address at any given time
tcp.established means keep the connection in memory for 60 seconds;
reset if a packet matches
tcp.closing means remember the connection for 10 minutes
The above rule would prevent someone from accessing your LDAP server more
than 3 times in 10 minutes from a given IP address.
Full man page here:
For extensibility I've had nice results using LaBrea to populate an
/etc/badhosts file which is loaded as a table in pf; hence, people showing
up in my tarpit (in front of the firewall) are blocked by the firewall.
* Adam Getchell, M.S.
* Application Developer
* College of Agricultural & Environmental Sciences Deans' Office
* acgetchell at ucdavis.edu (530)752-9284
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Albert Lunde
> Sent: Monday, November 22, 2004 10:53 AM
> To: unisog at lists.sans.org
> Subject: [unisog] automated IP blacklist tools?
> We'd like to do something to prevent or rate-limit directory
> harvesting and/or password guessing attacks against various
> network services, including our LDAP servers, and our white-pages CGI.
> If I was implementing throttling of a single locally-written
> CGI, I'd probably use a daemon on the same host to record
> requests and failures on a per-IP basis and decide what to deny.
> However, looking at this in the bigger picture across
> multiple servers, it seems like this would have similar
> requirements to parts of various anti-spam or
> intrusion-detection systems.
> So I'm wondering if people can suggest existing software or
> products that could be adapted to this purpose?
> Albert Lunde Albert-Lunde at northwestern.edu
> atlunde at panix.com (new address for personal mail)
> Albert-Lunde at nwu.edu (old address)
> unisog mailing list
> unisog at lists.sans.org
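Putting the two pieces of the reply together as one pf.conf fragment, as an added example rather than anything from the original post: the LaBrea-fed /etc/badhosts file loaded as a persistent pf table and blocked before the rate-limited LDAP pass rule. The table name badhosts and the $ldapserver address are assumptions.

```pf
# Example /etc/pf.conf fragment (added here, not from the original post)
ldapserver = "192.0.2.10"        # assumed LDAP server address (documentation range)

# Hosts that showed up in the LaBrea tarpit; one address or CIDR per line.
# "persist" keeps the table in the kernel even if no rule references it yet.
table <badhosts> persist file "/etc/badhosts"

# Drop tarpitted sources first, so no state is ever created for them.
block in quick from <badhosts> to any

# The rule from the reply: proxy the handshake, track the source address,
# and allow at most 3 concurrent states per source.
pass in proto tcp from any to $ldapserver port ldap flags S/SA \
    synproxy state (source-track rule, max-src-states 3, \
    tcp.established 60, tcp.closing 600)

# After LaBrea appends to /etc/badhosts, reload just the table (no rule reload):
#   pfctl -t badhosts -T replace -f /etc/badhosts
# Check what is currently tracked and blocked:
#   pfctl -s Sources
#   pfctl -t badhosts -T show
```

A source that exceeds max-src-states simply has its extra SYNs dropped; it is only blocked outright once it lands in the badhosts table.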