Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Compromised host list - some clarification...
From: "Robert P. McKenzie" <rmckenzi () rpmdp com>
Date: Tue, 21 Feb 2006 16:03:56 +0000

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBL's
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive then reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

It's clear, however, as others have pointed out it's far easier to block everything and
then selectivily allow what you want to talk to you.  How do you think iptables will react
if you have say 20,000 entries in it?  My guess is it will slow your machines down.

Go the sensible route and block everything and permit the much smaller list of hosts to
connect to you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]