I don't have no other pants!

Friday, 5 September 2008

OK so I've knocked up a simple blacklist:

The source code behind it all is open.

Currently it is set up to import IPs which denyhosts has downloaded every hour, and it will also receive updates from several systems under my direct control.

If you wish to begin submitting your own reports you may get in touch, or read the documentation in the source repository. I'll document that on the site itself publicly in a couple of days.

So far I see several people have rsync'd my zonefile a few times. I guess the domain name was a bit predictable.

ObFilm: The Great Muppet Caper


Comments On This Entry

Tiago Faria

Submitted at 21:53:20 on 4 September 2008

You never cease to amaze me. Great work!

Chris Burkhardt

Submitted at 22:20:10 on 4 September 2008

That was fast. I plan to start using this at some point in the future. Thanks!
(By the way, 127.0.0.1 is currently blacklisted.)

[author] Steve Kemp

Submitted at 22:32:52 on 4 September 2008

Tiago: Thanks!

Chris: Thanks for that too. I've added the ability to whitelist IPs and removed the 127.0.0.1 entry by using it.

I hope that other people do manage to submit, but I think it wouldn't be such a waste if they didn't. I'm already finding the list useful with only a couple of thousand IPs in it, and the overhead is pretty minimal.

Chris Burkhardt

Submitted at 00:24:39 on 5 September 2008

It would be nice if you could get at least a few submitters spread about the IP address space so that no matter which address an attacker starts at it will get submitted to the blacklist in time for it to be useful.

[author] Steve Kemp

Submitted at 08:49:47 on 5 September 2008

I think that my own machines are spread out around IP-space as it is, but I'm happy for more submissions too :)

Adam Trickett

Submitted at 11:32:42 on 10 September 2008

Very cool and useful. I've done something like that before, but I wasn't happy with my solution. I wrote a script that looked for failed log in attempts and other known dodgy behaviour then appended the date and IP to a file. When I open up my firewall to let in SSH traffic I load a blacklist in based on the date/ip file. Periodically I sort the list to remove the older IPs. The problem is that it doesn't dynamically update the firewall rules on the fly, so it only keeps pests out if they come back the following day, which is why I gave up on the idea. I'd consider using your database of bad IPs if nothing else.
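
The log-scanning and pruning approach described in the last comment, combined with the whitelist exception mentioned earlier in the thread, as an added example (not code from the post, the blacklist's source, or any commenter). The log lines are constructed, and the function names, the 7-day retention and the loopback whitelist are assumptions.

```python
import re
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines using documentation address ranges.
SAMPLE_LOG = """\
Sep  4 21:50:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 4022 ssh2
Sep  4 21:50:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Sep  4 21:51:10 host sshd[1002]: Failed password for root from 127.0.0.1 port 5022 ssh2
Sep  4 21:52:44 host sshd[1003]: Accepted publickey for steve from 198.51.100.9 port 6022 ssh2
Sep  4 21:53:20 host sshd[1004]: Failed password for invalid user test from 198.51.100.23 port 7022 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
WHITELIST = [ip_network("127.0.0.0/8")]  # assumption: loopback must never be listed


def failed_ips(log_text):
    """Return source IPs with failed SSH password attempts, minus whitelisted ones."""
    found = set()
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            ip = ip_address(match.group(1))
        except ValueError:
            continue  # hostname or junk where an address was expected
        if not any(ip in net for net in WHITELIST):
            found.add(str(ip))
    return found


def update(entries, new_ips, today, max_age_days=7):
    """Merge today's offenders into {ip: last_seen}, then drop stale entries."""
    merged = dict(entries)
    for ip in new_ips:
        merged[ip] = today
    cutoff = today - timedelta(days=max_age_days)  # assumed retention period
    return {ip: seen for ip, seen in merged.items() if seen >= cutoff}


def render(entries):
    """Serialise as sorted 'date ip' lines, the date/IP file format from the comment."""
    return [f"{seen.isoformat()} {ip}" for ip, seen in sorted(entries.items(), key=lambda e: (e[1], e[0]))]
```
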
