[unisog] automated IP blacklist tools?

Getchell, Adam acgetchell at ucdavis.edu
Mon Nov 22 20:14:34 GMT 2004

If you're using OpenBSD/pf as a firewall (or run it for your DNS/LDAP
servers as I do), you can do it with this rule:

pass in proto tcp from any to $ldapserver port ldap flags S/SA \
	synproxy state (source-track rule, max-src-states 3, \
	tcp.established 60, tcp.closing 600)

	$ldapserver is a macro for your LDAP server
	ldap resolves to port 389 via /etc/services
	S/SA means allow only startup states (Syn/Syn-Ack)
	synproxy state means remember this connection in a state table and
	    randomize the TCP sequence numbers; also, complete the tcp handshake
	    between endpoints on behalf of the LDAP server (to prevent SYN floods)
	source-track rule means remember the source IP address
	max-src-states 3 means only allow 3 connections from that source
	    address at any given time
	tcp.established means keep the connection in memory for 60 seconds;
	    reset if a packet matches
	tcp.closing means remember the connection for 10 minutes

The above rule would prevent someone from accessing your LDAP server more
than 3 times in 10 minutes from a given IP address.

Full man page here:


For extensibility I've had nice results using LaBrea to populate an
/etc/badhosts file which is loaded as a table in pf; hence, people showing
up in my tarpit (in front of the firewall) are blocked by the firewall.

* Adam Getchell, M.S.
* Application Developer
* College of Agricultural & Environmental Sciences Deans' Office
* acgetchell at ucdavis.edu      (530)752-9284
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Albert Lunde
> Sent: Monday, November 22, 2004 10:53 AM
> To: unisog at lists.sans.org
> Subject: [unisog] automated IP blacklist tools?
> We'd like to do something to prevent or rate-limit directory 
> harvesting and/or password guessing attacks against various 
> network services, including our LDAP servers, and our white-pages CGI.
> If I was implementing throttling of a single locally-written 
> CGI, I'd probably use a daemon on the same host to record 
> requests and failures on a per-IP basis and decide what to deny.
> However, looking at this in the bigger picture across 
> multiple servers, it seems like this would have similar 
> requirements to parts of various anti-spam or 
> intrusion-detection systems.
> So I'm wondering if people can suggest existing software or 
> products that could be adapted to this purpose?
> -- 
>      Albert Lunde  Albert-Lunde at northwestern.edu
>                    atlunde at panix.com  (new address for personal mail)
>                    Albert-Lunde at nwu.edu (old address)
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
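The per-source accounting that Adam's pf rule performs (at most 3 states per source address, established states expiring after 60 seconds of silence, closed states lingering for 600 seconds) is the same bookkeeping Albert asks about for a host-side daemon. The Python below is an added model of that bookkeeping, written for this thread and not taken from pf, LaBrea or either poster; it replays a constructed stream of connection events, applies the rule's limits, counts how often each source is refused, and renders the offenders in the one-address-per-line format that a pf `table ... persist file` reads. The event tuples, addresses and the `REJECT_THRESHOLD` value are all constructed for the demonstration.

```python
"""Model of pf's source-track / max-src-states accounting, run over sample events.

Events are (timestamp_seconds, source_ip, connection_id, kind) with kind being
"syn" (new connection), "data" (packet on an established connection) or
"fin" (connection closed). Timestamps and addresses are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_SRC_STATES = 3      # pf: max-src-states 3
TCP_ESTABLISHED = 60    # pf: tcp.established 60 (seconds, reset by any packet)
TCP_CLOSING = 600       # pf: tcp.closing 600 (seconds a closed state lingers)
REJECT_THRESHOLD = 2    # assumed local policy: list a source after this many refusals


@dataclass
class State:
    src: str
    last_seen: float
    closing: bool = False

    def expires_at(self) -> float:
        timeout = TCP_CLOSING if self.closing else TCP_ESTABLISHED
        return self.last_seen + timeout


class SourceTracker:
    """Keeps a state table keyed by connection id and a per-source refusal count."""

    def __init__(self, max_src_states: int = MAX_SRC_STATES):
        self.max_src_states = max_src_states
        self.states: dict[str, State] = {}
        self.rejected: dict[str, int] = defaultdict(int)

    def expire(self, now: float) -> None:
        # Drop states whose timer has run out; closed states count until tcp.closing elapses.
        for cid, st in list(self.states.items()):
            if st.expires_at() <= now:
                del self.states[cid]

    def states_for(self, src: str) -> int:
        return sum(1 for st in self.states.values() if st.src == src)

    def handle(self, event: tuple) -> str:
        now, src, cid, kind = event
        self.expire(now)
        if kind == "syn":
            if self.states_for(src) >= self.max_src_states:
                self.rejected[src] += 1
                return "drop"
            self.states[cid] = State(src, now)
            return "pass"
        st = self.states.get(cid)
        if st is None:
            return "drop"            # packet with no matching state
        st.last_seen = now           # any matching packet resets the timer
        if kind == "fin":
            st.closing = True        # state lingers for tcp.closing seconds
        elif kind != "data":
            raise ValueError(f"unknown event kind {kind!r}")
        return "pass"

    def badhosts(self, threshold: int = REJECT_THRESHOLD) -> list[str]:
        return sorted(src for src, n in self.rejected.items() if n >= threshold)


def render_badhosts(sources: list[str]) -> str:
    """One address per line, the format pf accepts for 'table <name> persist file'."""
    return "".join(f"{src}\n" for src in sources)


# Constructed scenario: 10.0.0.5 opens three connections, is refused a fourth,
# closes one (which still counts for tcp.closing), and is admitted again only
# after the established states have timed out.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "c1", "syn"),
    (1, "10.0.0.5", "c2", "syn"),
    (2, "10.0.0.5", "c3", "syn"),
    (3, "10.0.0.5", "c4", "syn"),      # 4th concurrent state: dropped
    (4, "192.0.2.9", "c5", "syn"),     # different source, unaffected
    (5, "10.0.0.5", "c1", "fin"),      # c1 enters closing, still counted
    (6, "10.0.0.5", "c6", "syn"),      # c1 + c2 + c3 still held: dropped
    (70, "10.0.0.5", "c7", "syn"),     # c2/c3 expired at 61/62: passes
    (610, "10.0.0.5", "c8", "syn"),    # c1 (closing) expired at 605: passes
]


def run_scenario(events=SAMPLE_EVENTS):
    tracker = SourceTracker()
    decisions = [tracker.handle(ev) for ev in events]
    return decisions, tracker.badhosts()


if __name__ == "__main__":
    decisions, offenders = run_scenario()
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"t={ev[0]:>4} {ev[1]:<10} {ev[2]} {ev[3]:<4} -> {d}")
    print("badhosts file contents:\n" + render_badhosts(offenders), end="")
```

The decisions show why Adam's rule behaves like "3 connections per 10 minutes" in practice: a connection the client closes keeps occupying one of its three slots until tcp.closing runs out, so a burst of short-lived attempts is throttled even though each individual connection was accepted. The rendered list can be written to the file named in a `table <badhosts> persist file "/etc/badhosts"` line and reloaded with `pfctl -t badhosts -T replace -f /etc/badhosts`, which is the LaBrea-to-pf handoff the reply describes.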
