Dave Strydom wrote:
> You know what would be seriously awesome, is if they have a type of
> RBL listing for this kind of thing, and you could just link your
> iptables up to the rbl listings.
>
> (for those of you who don't know how RBLs work)
>
> Example, I see this in my auth.log:
> -------------------------------------------
> Sep 28 03:20:42 cerberus sshd[20136]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 209.50.253.203
> Sep 28 03:20:43 cerberus sshd[20141]: Address 209.50.253.203 maps to srv.warofthering.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
> Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 209.50.253.203
> Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 209.50.253.203
> -------------------------------------------
>
> I could then submit the IP address to an RBL listing site, and then all
> people who plug in to the RBL listing could update their firewalls with
> the latest listing.
>
> Just an idea, I don't know how hard it would be to do?
>
> Dave

That will never happen. The reasons have been stated plenty of times over,
but I'll state them again:

* Many of those addresses are from dynamic IPs
* Some may be using fake IPs that you log in from; it would suck to have
  you banned from your own server
* If anybody can submit to an RBL you would have the whole world added
  to that RBL in no time because somebody will get the bright idea to do so.

In short, bad idea.

Kyle
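
A local counterpart to the shared list discussed in this thread, as an added example that is not part of either message: it reads "Invalid user" lines in the auth.log format quoted above and builds a per-host ban set that skips allowlisted networks (so the admin's own addresses are never banned) and expires entries (so a reassigned dynamic IP is released). The sample log, the addresses, the thresholds and the assumed year are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the auth.log format quoted in the thread; the
# addresses come from the reserved documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep 28 03:20:43 cerberus sshd[20171]: Invalid user cchen from 203.0.113.7
Sep 28 03:20:43 cerberus sshd[20176]: Invalid user admin from 203.0.113.7
Sep 28 03:20:44 cerberus sshd[20181]: Invalid user admin from 203.0.113.7
Sep 28 03:20:44 cerberus sshd[20186]: Invalid user admin from 203.0.113.7
Sep 28 03:21:10 cerberus sshd[20190]: Invalid user test from 192.0.2.10
Sep 28 03:21:11 cerberus sshd[20191]: Invalid user test from 192.0.2.10
Sep 28 03:21:12 cerberus sshd[20192]: Invalid user test from 192.0.2.10
Sep 28 09:00:00 cerberus sshd[20300]: Invalid user oracle from 198.51.100.5
"""

ASSUMED_YEAR = 2000  # assumption: syslog timestamps carry no year
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user \S+ from (\S+)")

def parse(log):
    """Yield (timestamp, ip) for every 'Invalid user' line in the log text."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group(2))

def active_bans(log, now, allow=(), threshold=3,
                window=timedelta(minutes=1), ttl=timedelta(hours=1)):
    """Return {ip: expiry} for sources with >= threshold failures inside window.
    Allowlisted networks are never banned; every ban lapses ttl after the last hit."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    recent, bans = defaultdict(list), {}
    for ts, ip in parse(log):
        if any(ip in net for net in allow_nets):
            continue  # never lock out addresses the admin logs in from
        hits = recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(hits) >= threshold:
            bans[str(ip)] = ts + ttl
    return {ip: exp for ip, exp in bans.items() if exp > now}
```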