From: Scott Ullrich
To: 'Klaus Steden', freebsd-security@FreeBSD.ORG
Subject: RE: automated blackholing
Date: Mon, 24 Jun 2002 19:55:55 -0400
Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C96016C9E96@exchange.corp.cre8.com>

FWIW, this could be done very easily with snort and the guardian perl script. You could simply craft a snort rule for the particular port and then change guardian to look up host IPs on detection of the rule. If they are listed in the file, deny them with ipfw.

Is this more up your alley?

-Scott

> -----Original Message-----
> From: Klaus Steden [mailto:klaus@compt.com]
> Sent: Monday, June 24, 2002 7:49 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: automated blackholing
>
> Okay, my apologies. I should have clarified what I'm looking to implement ...
>
> Essentially, it's this - I've got a list of clients I deny FTP access to by default (from my /etc/hosts.deny file). I'd sooner just blackhole them, but some are from large netblocks, and I'd rather blackhole individual IPs as they show up. Maybe I'm using the velvet gloves when it's not necessary, but anyway ...
>
> I was discussing this with an acquaintance who uses portsentry, configured to blackhole immediately anyone connecting to a port with no service running on it (i.e. the echo port). My situation is a little different, in that I've got a service actually running (FTP) that people need to connect to legitimately, but I'd like to blackhole illegitimate requests as they appear, rather than using TCP wrappers to disconnect them.
>
> I'm looking for something that can combine a blacklist created by me to blackhole someone connecting if he's found in the blacklist, without having to manually add blackhole routes or ipfw rules as these requests turn up - I'm only on duty 18 hours a day after all ;>
>
> Anyone done something like this before? It's sort of a back-asswards combination of existing scenarios, but it seems possible ...
>
> thanks,
> Klaus
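The lookup step Scott describes (guardian fires on a snort alert, checks the source address against the hosts.deny-style blacklist, and adds an ipfw deny for that one host) as an added example, not code from either poster or from guardian itself. It assumes the blacklist uses hosts_access-style entries (exact host, CIDR block, or trailing-dot prefix) and a hypothetical rule number 1000; the sample list is constructed.

```python
import ipaddress

# Constructed sample blacklist in hosts.deny-style forms: an exact host,
# a CIDR block, and a dotted prefix ("203.0.113." means 203.0.113.0/24).
SAMPLE_BLACKLIST = """
# comments and blank lines are ignored
198.51.100.7
10.0.0.0/8
203.0.113.
"""
IPFW_RULE = 1000  # hypothetical rule number for auto-added deny rules

def parse_entry(entry):
    """One blacklist entry -> IPv4 network, or None if it is malformed."""
    entry = entry.strip()
    if entry.endswith("."):  # dotted prefix: pad octets, 8 bits per octet given
        octets = entry.rstrip(".").split(".")
        if not 1 <= len(octets) <= 3:
            return None
        entry = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def load_blacklist(text):
    """Parse blacklist text ('#' starts a comment) into a list of networks."""
    nets = (parse_entry(line.split("#", 1)[0]) for line in text.splitlines())
    return [n for n in nets if n is not None]

def is_blacklisted(ip, nets):
    """True if the detected source address falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage from the alert line is never acted on
    return any(addr in net for net in nets)

def handle_alert(ip, nets, already_denied):
    """Per-alert hook: return the ipfw command to run, or None.

    Only the single offending host is denied, not its whole netblock, and
    already_denied (a set kept by the caller) prevents duplicate rules.
    """
    if ip in already_denied or not is_blacklisted(ip, nets):
        return None
    already_denied.add(ip)
    return "ipfw add %d deny ip from %s to any" % (IPFW_RULE, ip)
```

The caller (the modified guardian loop) would feed each alert's source address to handle_alert and run the returned command; keeping already_denied across alerts is what stops the rule list from filling with duplicates.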