From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org)
	by nuthatch.gentoo.org with esmtp (Exim 4.50)
	id 1EMihp-0003eH-Rr
	for garchives@archives.gentoo.org; Tue, 04 Oct 2005 09:03:26 +0000
Received: from robin.gentoo.org (localhost [127.0.0.1])
	by robin.gentoo.org (8.13.5/8.13.5) with SMTP id j948rcoK014095;
	Tue, 4 Oct 2005 08:53:38 GMT
Received: from qproxy.gmail.com (qproxy.gmail.com [72.14.204.194])
	by robin.gentoo.org (8.13.5/8.13.5) with ESMTP id j948kxH3002200
	for <gentoo-security@lists.gentoo.org>; Tue, 4 Oct 2005 08:47:00 GMT
Received: by qproxy.gmail.com with SMTP id v38so760360qbe
        for <gentoo-security@lists.gentoo.org>; Tue, 04 Oct 2005 01:55:13 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:references;
        b=kuVWtAiBMc8u4G7TFNKKRdJGx7XFhR2iVCsWsdJR7BIJZ0TqersLaXh7bz22ETRdrmYoRZMJHc1mccCazhmf/sdv72aAMMlE+HGkYdURSz29vDQVcX45IWPDKt+72RZo7HnDTCcgJVEeVzzpV27vPjcg8jR2TPVM+vzUZUYTiLI=
Received: by 10.64.210.15 with SMTP id i15mr2960416qbg;
        Tue, 04 Oct 2005 01:55:13 -0700 (PDT)
Received: by 10.64.196.5 with HTTP; Tue, 4 Oct 2005 01:55:13 -0700 (PDT)
Message-ID: <fc38b710510040155rcf44495g935f64dbd99c3557@mail.gmail.com>
Date: Tue, 4 Oct 2005 10:55:13 +0200
From: Dave Strydom <strydom.dave@gmail.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
In-Reply-To: <200510040815.41603.smurphy@solsys.org>
Precedence: bulk
List-Post: <mailto:gentoo-security@lists.gentoo.org>
List-Help: <mailto:gentoo-security+help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-security+unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-security+subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-security.gentoo.org>
X-BeenThere: gentoo-security@gentoo.org
Reply-to: gentoo-security@lists.gentoo.org
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_6269_1208254.1128416113054"
References: <43404CB8.3@lunatic.net.nz> <4341BE2A.5080600@lunatic.net.nz>
	 <200510040815.41603.smurphy@solsys.org>
X-Archives-Salt: 6808acc1-5ce6-4c39-aa19-8e4887cc750f
X-Archives-Hash: e902da935c42e36d09aea6d8fb3516bb

------=_Part_6269_1208254.1128416113054
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

You know what would be seriously awesome is if they had a type of RBL
listing for this kind of thing, and you could just link your iptables up to
the RBL listings.

(for those of you who don't know how RBLs work)

Example, I see this in my auth.log:
-------------------------------------------
Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
-------------------------------------------

I could then submit the IP address to an RBL listing site, and then all
people who plug in to the RBL listing could update their firewalls with the
latest listing.

Just an idea, I don't know how hard it would be to do.

Dave

================
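Added example, not Dave's code and not a Gentoo or list-run tool: a small Python script covering both halves of the idea above. The reporting side mines auth.log for sources with repeated "Invalid user" attempts (a reverse-DNS mismatch on its own is not treated as evidence, since plenty of legitimate hosts simply have a broken PTR record). The subscribing side turns a listing pulled from such a service into iptables commands for a dedicated chain, validating every entry first, because a shared listing is untrusted input and one bad entry could drop your own gateway or loopback traffic. The sample log is constructed from the excerpt in the message plus two invented documentation-range hosts (192.0.2.10 and 198.51.100.7); the chain name SSH-RBL, the threshold of 3 and all function names are assumptions.

```python
"""Mine auth.log for SSH brute-force sources and render a shared listing as
iptables rules. Added illustration; not code from the original message."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the lines from the message plus two invented hosts
# (documentation ranges) to show the threshold and the PTR-only case.
SAMPLE_AUTH_LOG = """\
Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
Sep 28 03:21:02 cerberus sshd[20190]: Invalid user test from 192.0.2.10
Sep 28 03:21:30 cerberus sshd[20195]: Address 198.51.100.7 maps to mail.example.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from " + IPV4 + r"\b")
REVERSE_MISMATCH_RE = re.compile(
    r"sshd\[\d+\]: Address " + IPV4 + r" maps to ([^\s,]+), but this does not map back")


def parse_auth_log(text):
    """Group sshd evidence per source IP.

    Returns {ip: {"invalid_users": [user, ...], "reverse_mismatch": bool}}.
    """
    evidence = defaultdict(lambda: {"invalid_users": [], "reverse_mismatch": False})
    for line in text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            user, ip = m.groups()
            evidence[ip]["invalid_users"].append(user)
            continue
        m = REVERSE_MISMATCH_RE.search(line)
        if m:
            evidence[m.group(1)]["reverse_mismatch"] = True
    return dict(evidence)


def select_candidates(evidence, threshold=3):
    """IPs worth reporting: at least `threshold` invalid-user attempts.

    The reverse-DNS mismatch is recorded but never sufficient by itself.
    """
    return sorted(ip for ip, ev in evidence.items()
                  if len(ev["invalid_users"]) >= threshold)


def iptables_rules_from_listing(listing, chain="SSH-RBL", port=22):
    """Render a pulled listing as iptables commands that rebuild one chain.

    Every entry is validated; malformed entries and non-global addresses
    (private, loopback, link-local, documentation ranges) are rejected so a
    poisoned listing cannot cut off the host's own management paths.
    Returns (rules, rejected).
    """
    rules = [
        f"# hook once by hand: iptables -I INPUT -p tcp --dport {port} -j {chain}",
        f"iptables -N {chain} 2>/dev/null || true",
        f"iptables -F {chain}",
    ]
    seen, rejected = set(), []
    for entry in listing:
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            rejected.append(entry)
            continue
        if addr.version != 4 or not addr.is_global:
            rejected.append(entry)
            continue
        if addr in seen:          # drop duplicates so the chain stays small
            continue
        seen.add(addr)
        rules.append(f"iptables -A {chain} -s {addr} -j DROP")
    rules.append(f"iptables -A {chain} -j RETURN")
    return rules, rejected


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    report = select_candidates(ev)
    print("would report:", report)
    # Subscriber side: the listing we just produced, plus two bad entries a
    # hostile or sloppy listing might carry (constructed).
    rules, rejected = iptables_rules_from_listing(report + ["10.0.0.1", "not-an-ip"])
    print("\n".join(rules))
    print("rejected:", rejected)
```

Running the script reports only 209.50.253.203: the 192.0.2.10 host has a single failed attempt and 198.51.100.7 only a PTR mismatch, so neither crosses the threshold. On the subscribing side the chain is flushed and refilled on every pull, which keeps the firewall in step with "the latest listing" without accumulating stale rules; the INPUT hook is added once, outside the script.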

------=_Part_6269_1208254.1128416113054--
-- 
gentoo-security@gentoo.org mailing list