
 

I don't have no other pants!

5 September 2008 21:50

OK so I've knocked up a simple blacklist:

The source code behind it all is open.

Currently it is set up to import IPs which denyhosts has downloaded every hour, and it will also receive updates from several systems under my direct control.

If you wish to begin submitting your own reports you may get in touch, or read the documentation in the source repository. I'll document that on the site itself publicly in a couple of days.

So far I see several people have rsync'd my zonefile a few times. I guess the domain name was a bit predictable.

ObFilm: The Great Muppet Caper


 

Comments on this entry

Tiago Faria at 21:53 on 4 September 2008
You never cease to amaze me. Great work!
Chris Burkhardt at 22:20 on 4 September 2008
That was fast. I plan to start using this at some point in the future. Thanks!
(By the way, 127.0.0.1 is currently blacklisted.)
Steve Kemp at 22:32 on 4 September 2008

Tiago: Thanks!

Chris: Thanks for that too. I've added the ability to whitelist IPs and removed the 127.0.0.1 entry by using it.

I hope that other people do manage to submit, but I think it wouldn't be such a waste if they didn't. I'm already finding the list useful with only a couple of thousand IPs in it, and the overhead is pretty minimal.

Chris Burkhardt at 00:24 on 5 September 2008
It would be nice if you could get at least a few submitters spread about the IP address space so that no matter which address an attacker starts at it will get submitted to the blacklist in time for it to be useful.
Steve Kemp at 08:49 on 5 September 2008

I think that my own machines are spread out around IP-space as it is, but I'm happy for more submissions too :)

Adam Trickett at 11:32 on 10 September 2008
Very cool and useful. I've done something like that before, but I wasn't happy with my solution. I wrote a script that looked for failed log in attempts and other known dodgy behaviour then appended the date and IP to a file. When I open up my firewall to let in SSH traffic I load a blacklist in based on the date/ip file. Periodically I sort the list to remove the older IPs. The problem is that it doesn't dynamically update the firewall rules on the fly, so it only keeps pests out if they come back the following day, which is why I gave up on the idea. I'd consider using your database of bad IPs if nothing else.
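
An added example, not code from the post, the blacklist's source repository or any commenter: the log-driven date/IP list described in the last comment, combined with the whitelist check that keeps 127.0.0.1 off the list. The sshd log format, the threshold of 3 failures, the 7-day expiry and the function names are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from datetime import date, timedelta

# Assumed log format: OpenSSH failure lines as written to a syslog auth log.
# The greedy ".*" binds to the last " from ", so text inside the username
# field cannot substitute a different address.
FAILED = re.compile(r"sshd\[\d+\]: (?:Failed password|Invalid user) .* from (\S+)")

# Never listed, whatever the logs say (loopback was listed once; see comments).
WHITELIST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def offenders(log_lines, threshold=3):
    """Return source IPs with at least `threshold` failed logins."""
    counts = {}
    for line in log_lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal: skip rather than guess
        if any(ip in net for net in WHITELIST):
            continue
        counts[ip] = counts.get(ip, 0) + 1
    return {str(ip) for ip, n in counts.items() if n >= threshold}

def update(entries, new_ips, today, max_age_days=7):
    """Merge offenders into {ip: last_seen}; drop entries older than max_age_days."""
    merged = {**entries, **{ip: today for ip in new_ips}}
    cutoff = today - timedelta(days=max_age_days)
    return {ip: seen for ip, seen in merged.items() if seen >= cutoff}

# Constructed sample lines using documentation address ranges.
SAMPLE = (
    ["Sep  4 21:01:02 h sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2"] * 3
    + ["Sep  4 21:02:00 h sshd[102]: Invalid user admin from 198.51.100.7"]
    + ["Sep  4 21:03:00 h sshd[103]: Failed password for root from 127.0.0.1 port 4003 ssh2"] * 3
    + ["Sep  4 21:04:00 h sshd[104]: Failed password for invalid user "
       "x from 127.0.0.1 from 203.0.113.9 port 4004 ssh2"]
)

if __name__ == "__main__":
    listed = update({"203.0.113.5": date(2008, 8, 20)}, offenders(SAMPLE), date(2008, 9, 4))
    print(listed)
```

The returned dictionary is the date/IP file in memory; feeding it to the firewall on each run rather than once a day is the part the comment says was missing.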