From: Scott Ullrich
To: 'Klaus Steden', freebsd-security@FreeBSD.ORG
Subject: RE: automated blackholing
Date: Mon, 24 Jun 2002 18:41:58 -0400

This may be a good job for D. J. Bernstein's ucspi-tcp. Using a DNS server, tcpserver (http://cr.yp.to/ucspi-tcp/tcpserver.html) and rblsmtpd (http://cr.yp.to/ucspi-tcp/rblsmtpd.html).

I currently do this for spam but it would not be hard to hack this for your situation.

Hope this helps,

Scott

> -----Original Message-----
> From: Klaus Steden [mailto:klaus@compt.com]
> Sent: Monday, June 24, 2002 6:36 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: automated blackholing
>
> Hi,
>
> I've got a situation with one of my servers at work that gets script kiddies
> attempting to use it as a warez repository. It worked once, for about three
> days, but I guess the hostname/address is still in someone's list of good
> targets. I've been using tcpd to block access, but I'm getting a little more
> annoyed by now and would like to start blackholing these people as soon as
> they attempt to connect.
>
> I've got my list of hosts to refuse - what's the best way to automatically
> disappear when one of them tries to connect?
>
> thanks,
> Klaus
