There are many online blacklists which are populated by volunteers. I'm looking for such a blacklist which contains records of hosts conducting portscans, ssh brute-forcing, or other similar "badness".
dshield looks good - but doesn't make the scanning IP available - just shows the port data.
denyhosts allows you to upload/download a list of IPs trying to run ssh brute-force attacks - but when I wrote my own RPC code to poll that list of IPs I found I couldn't get the full list.
I'm aware that I could run denyhosts on a spare IP, then just copy the IPs it downloads but that feels icky...
I'm unaware of any existing service that I could use for my purposes.
So would there be any interest in a service listing only portscanning/ssh brute-force IPs? (Allowing DNS queries, XML-RPC, or rsync downloads of the submitted data.)
I have my own reasons for wanting such a list of bad IPs... those are probably obvious, but it does seem like it would be generally useful.
I'd be willing to host a server to process the submitted reports, and make the results available, but I guess that's the easy part. The hard part is persuading people to run my "submit IP" client, which has to understand ssh logs, iptables logs, or something similar... Ugh.
I guess between the machines I work with and the machines I host myself I've got a fair number of IPs which I could collect scans from - I could populate the database myself. But this is a perfect job for distributed submission.
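As an added illustration of what the "submit IP" client would have to do (this is example code, not anything from the post or from denyhosts/dshield), here is a small parser that reads OpenSSH "Failed password" lines and iptables LOG-target kernel lines, counts failures and distinct probed ports per source address, skips local address ranges, and produces the records a client might submit. The log formats, the thresholds, the exclusion list and the sample lines are all my own assumptions; the sample addresses are constructed from the RFC 5737 documentation ranges.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines (not real traffic). Three sshd failures from
# one host, one from another, a successful internal login, a three-port sweep
# from an external host, and a single drop from an internal host.
SAMPLE_LOGS = """\
Jan 12 03:14:07 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:12 host sshd[2235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:15:01 host sshd[2240]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jan 12 03:15:30 host sshd[2244]: Accepted publickey for steve from 192.168.1.20 port 50022 ssh2
Jan 12 03:16:00 host kernel: [1234.5] DROP IN=eth0 OUT= SRC=198.51.100.42 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22 SYN
Jan 12 03:16:00 host kernel: [1234.6] DROP IN=eth0 OUT= SRC=198.51.100.42 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=23 SYN
Jan 12 03:16:01 host kernel: [1234.7] DROP IN=eth0 OUT= SRC=198.51.100.42 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=80 SYN
Jan 12 03:16:02 host kernel: [1234.8] DROP IN=eth0 OUT= SRC=192.168.1.5 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN
"""

# OpenSSH failed-authentication line and iptables LOG line (assumed formats).
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")
IPT_DROP = re.compile(r"kernel: .*SRC=(\S+) DST=\S+ PROTO=\w+ SPT=\d+ DPT=(\d+)")

# Addresses we never want to submit: RFC 1918, loopback, link-local.
# (Checked explicitly rather than via ipaddress.is_global, because the
# documentation ranges used in the sample are not "global" in the stdlib.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_events(text):
    """Yield (source_ip, kind, dest_port) from sshd and iptables log lines."""
    for line in text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            yield m.group(1), "ssh-fail", None
            continue
        m = IPT_DROP.search(line)
        if m:
            yield m.group(1), "scan", int(m.group(2))


def is_reportable(ip):
    """True only for syntactically valid addresses outside the local ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def find_offenders(text, ssh_threshold=3, scan_port_threshold=3):
    """Return {ip: (category, count)} for hosts that cross either threshold.

    A single failed login or a single dropped packet is noise; we only flag
    a host after repeated ssh failures or probes against several ports.
    """
    ssh_fails = Counter()
    scan_ports = {}  # ip -> set of distinct destination ports probed
    for ip, kind, port in parse_events(text):
        if not is_reportable(ip):
            continue
        if kind == "ssh-fail":
            ssh_fails[ip] += 1
        else:
            scan_ports.setdefault(ip, set()).add(port)

    reports = {}
    for ip, n in ssh_fails.items():
        if n >= ssh_threshold:
            reports[ip] = ("ssh-bruteforce", n)
    for ip, ports in scan_ports.items():
        if len(ports) >= scan_port_threshold:
            reports[ip] = ("portscan", len(ports))
    return reports


def format_submission(reports):
    """Render reports as tab-separated lines, the shape a client could upload."""
    return "\n".join(f"{ip}\t{kind}\t{count}"
                     for ip, (kind, count) in sorted(reports.items()))


if __name__ == "__main__":
    print(format_submission(find_offenders(SAMPLE_LOGS)))
```

The thresholds are deliberately conservative: a submitter that reports every single failed login would flood the service with typos from legitimate users and make the list far noisier than it needs to be.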
ObQuote: Batoru rowaiaru
Tags: attackers, distributed, ideas, useful, utilities
I suspect that IPs would rotate on and off the list very quickly - but if the query/lookup is fast then it would still be useful for my purposes.