
Re: yet another IP blocklist (mine!)

From Supratim Sanyal <supratim@riseupnet.invalid.com>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-11-22 18:49 -0500
Organization albasani.net
Message-ID <MPG.329ea37bff320fd4989681@news.albasani.net> (permalink)
References (1 earlier) <slrnnv84fd.9g.ibuprofin@planck.phx.az.us> <MPG.327c65692bdf48dc989683@news.eternal-september.org> <slrno17fn7.raa.ibuprofin@planck.phx.az.us> <MPG.327d9502ab733f6f989682@reader80.eternal-september.org> <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us>



In article <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us>, 
ibuprofin@painkiller.example.tld.invalid says...
> 
> On Fri, 28 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article
> <MPG.327d9502ab733f6f989682@reader80.eternal-september.org>, Supratim Sanyal wrote:
> 
> >ibuprofin@painkiller.example.tld.invalid says...
> 
> >> Hits on 22/tcp have been relatively low for over a year (average
> >> about 1.5 attempts per hour).
> 
> >iptables + ipset with public blocklists has kept port 22 spam in
> >control for my internet-facing servers for over a decade now
> 
> A man page to look at (from 'tar -tvzf tcp_wrappers_7.6.tar.gz')
> 
>   -r--r--r-- 309/326  15225 1995-01-30 11:51
>                      tcp_wrappers_7.6/hosts_access.5
> 
> Notice the date.  Then try 'man 5 hosts_access'   It's part of the
> tcp_wrappers or lib_wrap package from the last (April 1997) release
> of that now unmaintained (but still useful) program.  Look down at the
> EXAMPLES section (about 9/10 of the way down the man-page).  Either you
> are "MOSTLY CLOSED" or "MOSTLY OPEN".   Do you check the identity of
> everyone trying to enter your house and only block them if they are on
> a list?   Or do you block everyone, and only allow those on a different
> list in?      Slight difference in practicality.   Mentioned, I only
> allow blocks where I know authorized users might be located.  When I
> (or other authorized users) were traveling to unknown places, the
> firewall here would have port-knocking enabled (user tries to connect
> to closed port $FOO and then $BAR - and the firewall would open from
> that IP for 30 seconds to allow establishing a connection to 22/tcp). 
> That trick has been in use for over 30 years.  Biggest problem with it
> is that some firewalls on the Internet block outbound connections to
> "unusual" ports, and that may prevent knocking port $BAZ or $QUX.
> 
> >(your experience is far longer than mine)
> 
> I actually was on DARPA net back in 1976 at NASA Ames, though it was
> not a primary part of my job then.
> 
> >but these blocklists are missing a vast number of port 23 bots. 
> 
> I'm not sure it's even possible to come up with a reasonably accurate
> list - it changes so frequently.   It's getting worse even now due to
> the "Internet of Things" (commonly written as "IoT") which includes
> all of the poorly designed devices in the modern home.   Most of the
> current crop of 'bots are unprotected DVD players, Internet-enabled
> cameras, and similar.  Search the Risks digest of the ACM (Association
> for Computing Machinery) which you can find as the Usenet newsgroup
> "news://comp.risks" on most news servers:
> 

Interesting - looks like Mirai would have eventually got into your DVD 
players - looked up the password list it uses, it covers the ones your 
DVD players came with.

-- 
Supratim Sanyal
DECnet VMSMAIL: QCOCAL::SANYAL (via HECnet)
Internet email: http://mcaf.ee/sdlg9f
QCOCAL - VAXserver 3900/OpenVMS 7.3 - telnet://sanyalnet-openvms-vax.freeddns.org
CLOUDY - VAX-11/780/OpenVMS 7.3 - SET HOST from QCOCAL
JUICHI - PDP-11/24/RSX-11M-PLUS - SET HOST from QCOCAL
SunOS 5.11/Solaris 11 OpenIndiana: ssh sanyal.duckdns.org
SanyalCraft Minecraft Server: sanyal.duckdns.org:25565
NTP servers: sanyalnet-ntp.freeddns.org, sanyalnet-cloud-vps.freeddns.org, sanyalnet-cloudvps2.freeddns.org
Ad-Blocking Recursive DNS Servers: sanyalnet-cloud-vps.freeddns.org, sanyalnet-cloudvps2.freeddns.org
WBRi Radio Stream: banglaradio.homeip.net:8000
Anonymous FTP: sanyal.duckdns.org / HTTP wrapper for FTP: http://sanyal.duckdns.org:81
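The "iptables + ipset with public blocklists" setup mentioned earlier in the thread is the kind of thing that usually lives in a small cron script. The following is an added example, not code from either poster: it converts a plain-text blocklist feed (with the comments, blank lines, duplicates and malformed entries such feeds carry) into `ipset restore` input, so the set can be loaded atomically and matched by a single iptables rule. The set name `blocklist`, the helper names and the sample feed contents are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: feed a text IPv4 blocklist into ipset.
# Set name "blocklist" and the sample file below are constructed.

# Emit `ipset restore` input for every valid IPv4 address or CIDR in file $1
# into set $2, dropping comments, blank lines, duplicates and malformed rows.
# hash:net accepts both single hosts and networks in one set.
blocklist_to_ipset() {
    file="$1"
    setname="${2:-blocklist}"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$setname"
    # keep only a.b.c.d or a.b.c.d/nn with octets 0-255 and prefix 0-32
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" \
    | grep -E '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$' \
    | sort -u \
    | while IFS= read -r entry; do
        printf 'add %s %s -exist\n' "$setname" "$entry"
    done
}

# Number of entries that survived validation: a cheap sanity check to run
# before replacing a working set with a feed that may have come back empty.
count_entries() {
    blocklist_to_ipset "$1" "$2" | grep -c '^add '
}

# Constructed sample feed with the usual noise found in public blocklists
SAMPLE="${TMPDIR:-/tmp}/blocklist_sample.$$"
cat > "$SAMPLE" <<'EOF'
# sample feed (constructed, uses documentation ranges only)
203.0.113.5
198.51.100.0/24   # a whole network
203.0.113.5       # duplicate, collapsed by sort -u
999.1.1.1         # malformed octet, dropped
192.0.2.77/33     # bad prefix length, dropped

EOF

if [ "${1:-}" = "--demo" ]; then
    blocklist_to_ipset "$SAMPLE" blocklist
    # Loading and matching the set (root required, not run here):
    #   blocklist_to_ipset feed.txt blocklist | ipset restore
    #   iptables -I INPUT -p tcp --dport 22 -m set --match-set blocklist src -j DROP
fi
```

Run with `--demo` to see the generated `create`/`add` lines; in use, the output is piped straight into `ipset restore`. Because `-exist` makes both the create and the adds idempotent, the same script can refresh the set from cron without tearing down the iptables rule that references it. This is the "mostly open" model from the hosts_access discussion above (everyone gets in unless listed); the same set mechanics with `-j ACCEPT` on a set of known user networks and a final `DROP` give the "mostly closed" variant.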



Thread

yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-03 11:42 -0400
  Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-04 20:32 +0000
    Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-27 20:27 -0400
      Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-28 21:10 +0000
        Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-28 18:02 -0400
          Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-29 22:24 +0000
            Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-22 18:49 -0500
              Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-24 01:13 +0000
                Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-26 17:59 -0500
                Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-28 02:10 +0000
