RBL for bots?

J. Oquendo sil at infiltrated.net
Fri Feb 16 15:35:04 UTC 2007


I had started to create a list for brute forcers and have been updating 
them when I can. It's sort of like a personal RBL list with solely the 
IP address of the offender based off of some scripts that I wrote. For 
those interested, the script is twofold:

1) Script runs from cron checking /var/log/*secure/messages/etc, 
depending on the system. If it finds an attacker it blocks them via 
/etc/hosts.deny and/or iptables
2) My version posts the attacking host to www.infiltrated.net/bruteforcers

When I started it, I hadn't heard of or used Denyhosts else I would have 
modified that script in itself. When I first wrote sharpener, I had 
intended on finding the abuse contact for the offending attacker and 
sending an automated reply with the date, time, host address and log file 
information. Scenario:

Attack begins
Script sees attack
Script blocks out attack
Script checks the owner of the netblock and finds their abuse contact
Script sends an automated message stating something like: "At 02/17/07 
10:20am EST, our host was attacked from a machine in your netblock. The 
offending IP address is xxx.xxx.xxx.xxx"

I hadn't had the time to finish the whois $attacker|grep -i abuse 
portion of it though, then I got bored, sidetracked. What I instead do 
now is, I use the bruteforcer list from cron on all machines I 
maintain/manage and have those machines auto block out attackers. The 
theory is if one machine is getting attacked from luzerA, all machines 
should block luzerA, and they do now:

http://www.infiltrated.net/sharpener for those interested in 
modifying/finishing/tweaking the script.

As for creating an RBL such as SORBS or something along those lines. 
Last I need is a packet attack or political "Take my netblock off!" 
crap. Hence me not really wanting to bother updating it for the Interweb 
folk. For those who find it useful, kudos... For those who want to 
ramble on I have mail filters for you so don't bother.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams
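The two-part workflow in the post above (scan the auth log from cron, block repeat offenders locally, and have every managed host also consume a shared bruteforcer list) can be sketched as follows. This is an added example for illustration, not the author's sharpener script nor the contents of the infiltrated.net list; the log lines, the shared list, the 5-failure threshold and the allowlist are all constructed sample data. It also adds two checks a defender wants before trusting a shared list pulled from the network: only well-formed IPv4 literals are accepted, and a local allowlist is subtracted so a poisoned or mistaken entry cannot lock out your own admins.

```python
"""Added example (not the author's sharpener script): scan an auth log for
repeated failed SSH logins, merge in a shared bruteforcer list, and emit the
hosts.deny / iptables entries a blocker would apply.  All log lines and the
shared list below are constructed sample data."""
import re
from collections import Counter

# Constructed sample of /var/log/secure-style sshd lines (not real traffic)
SAMPLE_LOG = """\
Feb 16 10:19:55 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Feb 16 10:19:58 host sshd[2203]: Failed password for root from 203.0.113.7 port 4413 ssh2
Feb 16 10:20:01 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 4414 ssh2
Feb 16 10:20:04 host sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 4415 ssh2
Feb 16 10:20:10 host sshd[2209]: Failed password for root from 203.0.113.7 port 4416 ssh2
Feb 16 10:21:30 host sshd[2220]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Feb 16 10:21:45 host sshd[2222]: Accepted password for alice from 198.51.100.9 port 5002 ssh2
"""

# Constructed stand-in for a shared bruteforcer list (one IP per line,
# '#' comments allowed); hypothetical content, not the real published list.
SAMPLE_SHARED_LIST = """\
# bruteforcers - constructed sample
192.0.2.44
192.0.2.45   # seen on another box
not-an-ip-line
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def failed_logins(log_text):
    """Count failed sshd password attempts per source IP (successes are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def local_offenders(log_text, threshold=5):
    """IPs that reached the failure threshold in this host's own log."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


def parse_shared_list(text):
    """Read a shared list, keeping only comment-stripped IPv4 literals.

    Anything that is not a plain dotted quad is dropped, so a malformed or
    hostile line in a list fetched over the network cannot reach hosts.deny."""
    ips = []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if token and IPV4_RE.match(token):
            ips.append(token)
    return ips


def build_blocklist(log_text, shared_text, threshold=5, allowlist=()):
    """Union of local offenders and the shared list, minus allowlisted addresses."""
    ips = set(local_offenders(log_text, threshold)) | set(parse_shared_list(shared_text))
    return sorted(ips - set(allowlist))


def hosts_deny_lines(ips):
    """Lines to append to /etc/hosts.deny (TCP wrappers syntax)."""
    return ["ALL: %s" % ip for ip in ips]


def iptables_commands(ips):
    """Equivalent iptables rules, returned as strings rather than executed."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in ips]


if __name__ == "__main__":
    # 198.51.100.9 is a legitimate user who typo'd once; keep it allowlisted.
    block = build_blocklist(SAMPLE_LOG, SAMPLE_SHARED_LIST, allowlist=["198.51.100.9"])
    print("\n".join(hosts_deny_lines(block)))
    print("\n".join(iptables_commands(block)))
```

Run from cron, the real version would read the live log and the fetched list, then append the hosts.deny lines (deduplicating against what is already there) or apply the iptables rules; the script above only computes them so it can be inspected safely.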
