Wash your face and try again, if you survive.

Wednesday, 3 September 2008

There are many online blacklists which are populated by volunteers. I'm looking for such a blacklist which contains records of hosts conducting portscans, ssh brute-forcing, or other similar "badness".

dshield looks good - but doesn't make the scanning IP availble - just shows the port data.

denyhosts allows you to upload/download a list of IPs trying to run ssh bruteforce attacks - but when I wrote my own RPC code to poll that list of IPs I found I couldnt' get the full list.

I'm aware that I could run denyhosts on a spare IP, then just copy the IPs it downloads but that feels icky...

I'm unaware of any existing service that I could use for my purposes.

So would there be any interest in a service listing only portscanning/ssh brute-force IPs? (Allowing DNS queries, XML-RPC, or rsync downloads of the submitted data.)

Obviously I have my own reason for wanting such a list of bad IPs... Those are probably obvious, but it does seem like it would be generally useful.

I'd be willing to host a server to process the submitted reports, and make the results available, but I guess thats the easy part. The hard part is persuading people to run my "submit IP" client. Which has to understand ssh logs, iptable logs, or something similar.. Ugh.

I guess between the machiens I work with and the machines I host myself I've got a fair number of IPs which I could collect scans from - I could populate the database myself. But this is a perfect job for distributed submission.

ObQuote: Batoru rowaiaru

| 8 comments.

 

Comments On This Entry

[gravitar] Cyril Jaquier

Submitted at 14:58:27 on 3 september 2008

The problem with such distributed database is that everyone can submit almost anything. This is a possible source of denial of services. I had once written a small Python script that add an IP address into the denyhosts database. I don't know if denyhosts checks the source of the submission but if you are able to run such script on several machines I guess you can really do some nasty things.
It would probably be better to have your own, private database but then the concept is less interesting. So I'm not really sure that this is a perfect job for distributed submission ;)
[author] Steve Kemp

Submitted at 15:34:11 on 3 september 2008

You do raise a valid point. If you allow anybody to submit reports then the drawback is that some people will submit malicious reports.

The common approach seems to be to ignore reports of address 1.2.3.4 unless N people have submitted it. But in the presence of botnets that kind of approach doesn't help.

I think you need to have some trust metric involved whereby you pay attention to history and hope for the best.

But quite how that would work in practise is hard to predict. Almost an interesting enough reason to start it up!

For the moment I've changed my personal firewalls to log connects on port 23, 222, and 1022. Any client that hits all those ports will be a good candidate for auto-submitting to any system that I do come up with - private or public.

[gravitar] Faidon Liambotis

Submitted at 15:34:21 on 3 september 2008

I'd be definitely interested in an RBL listing such hosts.
[gravitar] Anonymous

Submitted at 15:40:01 on 3 september 2008

Any such list probably consists mostly of random broken-into boxen across the world, and I suspect that the list changes quite a bit over time. I don't know that the same IP will recur very often.
[author] Steve Kemp

Submitted at 15:54:10 on 3 september 2008

I suspect that IPs would rotate on and off the list very quickly - but if the query/lookup is fast then it would still be useful for my purposes.


[gravitar] Richard Edward Horner

Submitted at 16:35:05 on 3 september 2008

Other issued aside, you could copy the logic from something like fail2ban for the SSH brute forcing aspect.
[gravitar] Clifford W. Hansen

Submitted at 17:50:16 on 3 september 2008

I'd love to help with this, coding and/or submitting logs... I agree security will be an issue, maybe setup a registration type service using openid or physical contact (like keysigning) I know the latter is always difficult, and not always desired.
[author] Steve Kemp

Submitted at 18:54:33 on 3 september 2008

Thanks for the offer Clifford. I've written most of the code now, and I'm just playing with it.

So far I've got:

  • Online submission.
  • Online lookup.
  • Realtime DNS server to allow lookups, and serve the results.
  • Static Rsync download of the submitted data.

Expect another post in a few days when I've got the submission handled properly..

 

Comments are closed on posts which are more than ten days old.

Recent Posts

Recent Tags