Gentoo Archives: gentoo-security

From: Kyle Lutze <kyle@×××××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Tue, 04 Oct 2005 14:51:02
Message-Id: 4342958A.5040203@randomvoids.com
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Dave Strydom
Dave Strydom wrote:

> You know what would be seriously awesome, is if they have a type of
> RBL listing for this kind of thing, and you could just link your
> iptables up to the rbl listings.
>
> (for those of you who don't know how rbl's work)
>
> Example, I see this in my auth.log:
> -------------------------------------------
> Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
> Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
> -------------------------------------------
>
> I could then submit the IP address to a RBL listing site, and then all
> people who plug in to the rbl listing could update their firewalls with
> the latest listing.
>
> Just an idea, I don't know how hard it would be to do?
>
> Dave

That will never happen. The reason being stated plenty of times over,
but I'll state them again:

* Many of those addresses are from dynamic IPs

* Some may be using fake IPs that you login from, it would suck to have
you banned from your own server

* If anybody can submit to an RBL you would have the whole world added
to that RBL in no time because somebody will get the bright idea to do so.

In short, bad idea.

Kyle
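Added example, not part of the original thread: a local-only ban planner that works from your own auth.log and accounts for the three objections above with an allowlist (so you cannot be locked out of your own server), an expiry on every ban (for dynamic IPs), and no third-party submissions. The function name, thresholds and sample lines are assumptions; the sample uses documentation addresses and only returns a plan rather than touching iptables.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in the sshd format quoted above (documentation addresses).
SAMPLE_LOG = """\
Sep 28 03:20:43 host sshd[20171]: Invalid user cchen from 203.0.113.7
Sep 28 03:20:43 host sshd[20176]: Invalid user admin from 203.0.113.7
Sep 28 03:20:44 host sshd[20181]: Invalid user admin from 203.0.113.7
Sep 28 03:20:50 host sshd[20190]: Invalid user test from 198.51.100.9
Sep 28 03:21:01 host sshd[20201]: Invalid user root1 from 192.0.2.10
Sep 28 03:21:02 host sshd[20202]: Invalid user root2 from 192.0.2.10
Sep 28 03:21:03 host sshd[20203]: Invalid user root3 from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)")

def plan_bans(log_text, allowlist, threshold=3,
              window=timedelta(minutes=10), ttl=timedelta(hours=1), year=2005):
    """Return {ip: ban_expiry} for sources with >= threshold failures in window.

    syslog timestamps carry no year, so the caller supplies one.
    """
    nets = [ip_network(n) for n in allowlist]
    seen = defaultdict(list)   # address -> recent failure timestamps
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(2))
        except ValueError:
            continue           # not an IP literal, ignore the line
        if any(addr in n for n in nets):
            continue           # never ban addresses you log in from
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        seen[addr] = [t for t in seen[addr] if ts - t <= window] + [ts]
        if len(seen[addr]) >= threshold:
            bans[str(addr)] = ts + ttl   # ban expires, so reassigned IPs recover
    return bans

if __name__ == "__main__":
    for ip, expiry in plan_bans(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(f"block {ip} until {expiry:%Y-%m-%d %H:%M:%S}")
```
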

Replies

Subject Author
Re: [gentoo-security] [OT?] automatically firewalling off IPs Dave Strydom <strydom.dave@×××××.com>