Date:      Mon, 24 Jun 2002 19:55:55 -0400
From:      Scott Ullrich <sullrich@CRE8.COM>
To:        'Klaus Steden' <klaus@compt.com>, freebsd-security@FreeBSD.ORG
Subject:   RE: automated blackholing
Message-ID:  <2F6DCE1EFAB3BC418B5C324F13934C96016C9E96@exchange.corp.cre8.com>

FWIW, this could be done very easily with snort and the guardian perl
script.  You could simply craft a snort rule for the particular port and
then change guardian to look up host IPs on detection of the rule. If they
are listed in the file, deny them with ipfw.

Is this more up your alley?

-Scott



> -----Original Message-----
> From: Klaus Steden [mailto:klaus@compt.com]
> Sent: Monday, June 24, 2002 7:49 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: automated blackholing
> 
> 
> Okay, my apologies. I should have clarified what I'm looking to implement ...
> 
> Essentially, it's this - I've got a list of clients I deny FTP access to by
> default (from my /etc/hosts.deny file). I'd sooner just blackhole them, but
> some are from large netblocks, and I'd rather blackhole individual IPs as they
> show up. Maybe I'm using the velvet gloves when it's not necessary, but anyway
> ...
> 
> I was discussing this with an acquaintance who uses portsentry, configured to
> blackhole immediately anyone connecting to a port with no service running on
> it (i.e. the echo port). My situation is a little different, in that I've got
> a service actually running (FTP) that people need to connect to legitimately,
> but I'd like to blackhole illegitimate requests as they appear, rather than
> using TCP wrappers to disconnect them.
> 
> I'm looking for something that can combine a blacklist created by me to
> blackhole someone connecting if he's found in the blacklist, without having to
> manually add blackhole routes or ipfw rules as these requests turn up - I'm
> only on duty 18 hours a day after all ;>
> 
> Anyone done something like this before? It's sort of a back-asswards
> combination of existing scenarios, but it seems possible ...
> 
> thanks,
> Klaus
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2F6DCE1EFAB3BC418B5C324F13934C96016C9E96>