Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Compromised host list - some clarification...
From: Dean Pierce <piercede () pdx edu>
Date: Tue, 21 Feb 2006 10:06:50 -0800

If you need to protect your ssh from scanners, wouldn't it prolly just
be best to block people that are actually scanning you?  I use the
denyhosts script (watches logs for failed login attempts, and blocks ips
based on that), and there are a couple other good ones.  The two main
problems with your solution is..

1. how can you trust some magical offsite list so much that you are
willing to block traffic based on what it says?

2. how can you believe that such a list would ever be complete, or even
through?  New machines get taken over all the time, and my guess is that
the average lifespan of such machines is about a week or so before an
admin sees what's going on.

   - DEAN

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBL's
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive then reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]