LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-18-2010, 04:51 PM   #1
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Rep: Reputation: 51
Was trying to find a good source to build an IP ban list from..


I am new to all this so don't flame me too much.
I am trying to set up denyhosts and am not really sure of a good resource for a list of known bad IP ranges or "unwanted guests" IPs.

Any help is appreciated.

john
 
Old 03-18-2010, 07:23 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
What you are looking for would typically be called an RBL or "run time black list". There may be ones available that will work in conjunction with denyhosts, but I can't say for certain. Try searching for that term with denyhosts and see if anything comes up.

Personally, I think you would be better off trying to focus on securing your server before the fact rather than after the fact. The problem with an RBL is that it is only effective against known sources and undoubtedly it will be someone who is not on the RBL that will cause you problems.

A few things you can (and should) do:
1 - use public keys instead of passwords for SSH.
2 - if you do use passwords, make sure they are strong.
3 - use denyhosts or fail2ban to shut down attempts at cracking.
4 - install an intrusion detection system such as Ossec + Snort.
5 - don't run any other services you don't need.
Above all else, don't use VNC.
 
Old 03-18-2010, 09:08 PM   #3
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,349

Rep: Reputation: 2750
If you use passwds, don't allow root to login remotely (ie via ssh). Use another acct+strong passwd and 'su -' from there.
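The advice in posts #2 and #3 (keys instead of passwords, no remote root login) comes down to three sshd_config directives. The script below is an added example, not something posted in the thread: it reads an sshd_config and reports which of those directives is still at a weak value, honouring sshd's rule that the first occurrence of a directive wins (a later duplicate is ignored, which is a common source of "I set it but it did not take"). The two sample configs and their file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the settings
# recommended in posts #2 and #3. Defaults assumed when a directive is absent:
# PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin unset.

# sshd_effective DIRECTIVE FILE
# Prints the effective (lower-cased) value of DIRECTIVE. sshd keeps the FIRST
# occurrence, so we stop at the first match; comments and "key=value" are handled.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# sshd_audit FILE
# One line per finding; returns 0 when clean, 1 when any weakness was found.
sshd_audit() {
    f="$1"; rc=0
    v=$(sshd_effective PasswordAuthentication "$f")
    if [ "${v:-yes}" != "no" ]; then
        echo "WEAK: PasswordAuthentication is '${v:-unset (default yes)}'; set 'PasswordAuthentication no' once key login works"
        rc=1
    fi
    v=$(sshd_effective PermitRootLogin "$f")
    if [ "$v" != "no" ]; then
        echo "WEAK: PermitRootLogin is '${v:-unset}'; set 'PermitRootLogin no' and use an unprivileged account + 'su -'"
        rc=1
    fi
    v=$(sshd_effective PubkeyAuthentication "$f")
    if [ "${v:-yes}" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is '$v'; enable it so keys can replace passwords"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

# Constructed sample configs (not real files from the thread) to exercise the audit.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
# typical stock config: passwords on, root login allowed
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication yes   # duplicate: ignored, sshd keeps the first value
EOF
for c in weak hardened; do
    sshd_audit "$demo_dir/$c.conf" || true
done
rm -rf "$demo_dir"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`; after editing, `sshd -t` validates the syntax before a restart, and it is worth keeping an existing session open until a fresh key-based login has been confirmed.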
 
Old 03-18-2010, 11:02 PM   #4
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
At the moment I have set up denyhosts as well as I can. However, I do see that I can point denyhosts to a file with a list of "banned" IPs. Upon thinking of it.. guess it would be better to block with iptables if I AM sure the IP needs to be banned. I took the advice on using keys vs. passwords (thanks).

If you have not been told today... thanks very much to both of you!!
 
Old 03-18-2010, 11:44 PM   #5
jim80net
LQ Newbie
 
Registered: May 2009
Location: San Antonio, TX
Distribution: Debian
Posts: 15

Rep: Reputation: 1
Here's a starting point. Spamhaus publishes one such list. Link includes how-tos on configuration: http://www.spamhaus.org/faq/answers....ion=DROP%20FAQ

DShield also publishes a smaller drop list: http://www.dshield.org/xml.html
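Spamhaus publishes the DROP list as plain text: one `CIDR ; SBLnnn` entry per line, with `;`-prefixed comment lines. The script below is an added example, not code from the post or from Spamhaus/DShield: it turns such a file into iptables commands for a dedicated chain, validates every entry so a truncated or corrupted download cannot silently become a bad rule, and prints the commands instead of running them so they can be reviewed before a script feeds them to the firewall. The chain name DROPLIST and the sample entries are constructed; the DShield list uses a different format and is not parsed here.

```shell
#!/bin/sh
# Added example (not from the thread): convert a Spamhaus-DROP-format file into
# reviewable iptables commands. Nothing here touches the firewall.

# droplist_preamble
# Prints the commands that create (or flush) the DROPLIST chain and hook it
# into INPUT. "iptables -C" checks whether the jump already exists.
droplist_preamble() {
    cat <<'EOF'
iptables -N DROPLIST 2>/dev/null || iptables -F DROPLIST
iptables -C INPUT -j DROPLIST 2>/dev/null || iptables -I INPUT -j DROPLIST
EOF
}

# droplist_to_rules FILE
# Prints one "iptables -A DROPLIST ..." line per valid "CIDR ; SBLnnn" entry,
# carrying the SBL reference as a rule comment. Malformed entries are reported
# as "# skipped ..." lines rather than silently dropped.
droplist_to_rules() {
    awk '
        function valid_cidr(c,   parts, octs, i) {
            if (split(c, parts, "/") != 2) return 0
            if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32) return 0
            if (split(parts[1], octs, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (octs[i] !~ /^[0-9]+$/ || octs[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*;/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            cidr = $1; ref = ""
            if ($2 == ";" && NF >= 3) ref = $3     # "1.2.3.0/24 ; SBL123"
            if (ref == "") ref = "DROP"
            if (!valid_cidr(cidr)) {
                bad++
                printf "# skipped malformed entry: %s\n", $0
                next
            }
            printf "iptables -A DROPLIST -s %s -m comment --comment \"%s\" -j DROP\n", cidr, ref
            good++
        }
        END { printf "# %d rules generated, %d entries skipped\n", good + 0, bad + 0 }
    ' "$1"
}

# droplist_script FILE: the full reviewable script, preamble plus rules.
droplist_script() {
    droplist_preamble
    droplist_to_rules "$1"
}

# Constructed sample in DROP format (documentation ranges, not real SBL data).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 18 Mar 2010 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/22 ; SBL000002
300.1.1.0/24 ; SBL000003
203.0.113.5
EOF
droplist_script "$sample"
rm -f "$sample"
```

Keeping the list in its own chain means a refreshed download is applied with a flush and reload of DROPLIST only, leaving the rest of the ruleset untouched; for lists of thousands of prefixes an `ipset` hash:net set with a single `-m set` rule is the cheaper lookup, but the validation step is the same.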
 
Old 03-19-2010, 05:09 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Just a hint / suggestion. One advantage to using Snort with the BASE add-on (PHP web-based reporting screen) is that you can get reports that show repeat offenders. Typically if someone tries to access something once, I let it go. If they try multiple times, as in on multiple days, or show some intelligence behind the attempt, I add a black list entry to iptables and shut them off.
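Post #6 describes a judgement rule: a single attempt is ignored, attempts spread over several days get blocked. The script below is an added example, not code from the post, that applies that rule to sshd's own log instead of a Snort/BASE report: it counts failed-password attempts per source address together with the number of distinct days each address was seen, and lists only the addresses at or above a day threshold. The log lines are constructed samples in the standard syslog layout.

```shell
#!/bin/sh
# Added example (not from the thread): find repeat SSH offenders in an auth log.
# Matches sshd "Failed password for ..." lines; the source address follows "from".

# repeat_offenders LOGFILE [MIN_DAYS]
# Prints "IP days=N attempts=M", sorted, for every address whose failed
# attempts were spread over at least MIN_DAYS distinct days (default 2).
repeat_offenders() {
    awk -v min_days="${2:-2}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            day = $1 " " $2                       # syslog "Mon DD" prefix
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            attempts[ip]++
            if (!((ip, day) in seen)) { seen[ip, day] = 1; days[ip]++ }
        }
        END {
            for (ip in attempts)
                if (days[ip] >= min_days)
                    printf "%s days=%d attempts=%d\n", ip, days[ip], attempts[ip]
        }
    ' "$1" | sort
}

# Constructed sample log (documentation addresses, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
Mar 18 23:01:02 fw sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 18 23:01:05 fw sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 18 23:10:44 fw sshd[2310]: Failed password for root from 198.51.100.9 port 51000 ssh2
Mar 18 23:12:00 fw sshd[2315]: Accepted publickey for john from 192.0.2.10 port 50022 ssh2
Mar 19 04:15:31 fw sshd[2402]: Failed password for root from 203.0.113.7 port 40980 ssh2
Mar 19 06:00:01 fw sshd[2450]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
Mar 19 06:00:03 fw sshd[2450]: Failed password for invalid user oracle from 192.0.2.44 port 33001 ssh2
EOF
echo "Seen on 2+ days (candidates for a permanent iptables entry):"
repeat_offenders "$log" 2
echo "All sources with failures (1+ days):"
repeat_offenders "$log" 1
rm -f "$log"
```

On Fedora the file is /var/log/secure rather than /var/log/auth.log, and with password logins disabled as in post #2 these lines stop appearing altogether, since sshd no longer offers the password method to the attacker.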
 
Old 03-19-2010, 11:11 AM   #7
mrmnemo
Member
 
Registered: Aug 2009
Distribution: linux
Posts: 527

Original Poster
Rep: Reputation: 51
You got to be kidding me..

OK, I am new to all this but have set up a firewall a few times in a non-production environment. Now I am running Fedora 12 x64, and I tried to load up my old rule sets as a base for the firewall setup. Odd thing is that almost all the connection tracking mods (anything that makes iptables worthwhile) do not exist.

Code:
[fedora@_x64 ~]$ /sbin/lsmod 
Module                  Size  Used by
udf                    69827  0 
vfat                    8487  1 
fat                    44978  1 vfat
cryptd                  6913  0 
aes_x86_64              7734  2 
aes_generic            27076  1 aes_x86_64
fuse                   57189  2 
sunrpc                193803  1 
cpufreq_ondemand        8793  1 
powernow_k8            14706  1 
freq_table              3947  2 cpufreq_ondemand,powernow_k8
ip6t_REJECT             4222  2 
nf_conntrack_ipv6      18504  2 
ip6table_filter         2791  1 
ip6_tables             16760  1 ip6table_filter
ipv6                  279399  22 ip6t_REJECT,nf_conntrack_ipv6
snd_hda_codec_realtek   279457  1 
arc4                    1425  2 
ecb                     2079  2 
snd_ice1724           107314  2 
snd_rawmidi            20374  1 snd_ice1724
snd_hda_intel          23712  4 
snd_ice17xx_ak4xxx      2807  1 snd_ice1724
snd_ac97_codec        115696  1 snd_ice1724
snd_hda_codec          71956  2 snd_hda_codec_realtek,snd_hda_intel
ac97_bus                1322  1 snd_ac97_codec
snd_ak4xxx_adda         7406  2 snd_ice1724,snd_ice17xx_ak4xxx
snd_ak4114              8205  1 snd_ice1724
snd_hwdep               6446  1 snd_hda_codec
snd_seq                52773  0 
rt61pci                19269  0 
nvidia               9617586  38 
rt2x00pci               6047  1 rt61pci
rt2x00lib              36537  2 rt61pci,rt2x00pci
mac80211              203545  2 rt2x00pci,rt2x00lib
ppdev                   7925  0 
snd_seq_device          6151  2 snd_rawmidi,snd_seq
parport_pc             21189  0 
snd_pcm                78375  6 snd_ice1724,snd_hda_intel,snd_ac97_codec,snd_hda_codec,snd_ak4114
parport                31685  2 ppdev,parport_pc
i2c_nforce2             6819  0 
snd_pt2258              3108  1 snd_ice1724
cfg80211              117514  2 rt2x00lib,mac80211
eeprom_93cx6            1671  1 rt61pci
snd_timer              19840  2 snd_seq,snd_pcm
rfkill                 16966  1 cfg80211
wmi                     6872  0 
i2c_core               26876  2 nvidia,i2c_nforce2
snd_i2c                 4732  2 snd_ice1724,snd_pt2258
joydev                  9512  0 
edac_core              39581  0 
snd                    62376  26 snd_hda_codec_realtek,snd_ice1724,snd_rawmidi,snd_hda_intel,snd_ac97_codec,snd_hda_codec,snd_ak4xxx_adda,snd_ak4114,snd_hwdep,snd_seq,snd_seq_device,snd_pcm,snd_pt2258,snd_timer,snd_i2c
k8temp                  3735  0 
edac_mce_amd            7714  0 
sky2                   42194  0 
soundcore               6271  1 snd
snd_page_alloc          7389  2 snd_hda_intel,snd_pcm
dm_multipath           14558  0 
pata_acpi               3395  0 
ata_generic             3467  0 
usb_storage            43762  1 
firewire_ohci          20739  0 
firewire_core          43768  1 firewire_ohci
crc_itu_t               1539  3 udf,rt61pci,firewire_core
pata_amd               11269  1 
sata_nv                20834  5 
[fedora@_x64 ~]$
So, I was wondering: could SELinux cause mods not to load? I know that the rule sets I am trying to use worked on F11 x32. And I am wondering if, by not using conntrack_ etc., any other security measures I take are kinda gonna be half-way done. If iptables isn't logging bad connection attempts then how can denyhosts, Snort or OSSEC work correctly? OSSEC (based on research at the link posted earlier) needs to have a good log base to build its rules from.

Anyway, I am just wondering if I am doing something wrong (most likely) or if I get to recompile a kernel with the mods I will need.

john
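Netfilter modules such as nf_conntrack_ipv4 or iptable_filter are loaded on demand the first time a rule that needs them is inserted (iptables calls modprobe for the table, and the kernel requests match and target modules itself), so their absence from an idle lsmod listing does not by itself show that the kernel lacks them. The script below is an added example, not from the post: it compares a saved lsmod listing (here the netfilter lines from the output above) against a list of IPv4 netfilter modules to show which are not currently loaded, and then asks modinfo whether each module exists for the running kernel without loading anything. The module names are an assumption for a 2.6-era kernel; on newer kernels some have been merged (nf_conntrack_ipv4 into nf_conntrack, ipt_LOG into xt_LOG) and will report as missing there.

```shell
#!/bin/sh
# Added example (not from the thread): tell "not loaded yet" apart from
# "not available" for the netfilter modules an iptables ruleset needs.

# missing_modules LSMOD_OUTPUT_FILE MODULE...
# Prints each MODULE that does not appear in column 1 of the saved lsmod output
# (the header line is skipped). "Not listed" only means "not loaded right now".
missing_modules() {
    f="$1"; shift
    for m in "$@"; do
        awk -v m="$m" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }' "$f" \
            || echo "$m"
    done
}

# available_modules MODULE...
# For the running kernel: asks modinfo whether the module file exists on disk.
# Nothing is loaded; this is the check that actually answers "do I need to
# rebuild the kernel?". Prints "name: available" or "name: missing".
available_modules() {
    command -v modinfo >/dev/null 2>&1 || { echo "modinfo not found; skipping"; return 0; }
    for m in "$@"; do
        if modinfo -n "$m" >/dev/null 2>&1; then
            echo "$m: available"
        else
            echo "$m: missing"
        fi
    done
}

# Assumed module set for a 2.6-era kernel (see lead-in; names differ on newer kernels).
NETFILTER_V4="ip_tables iptable_filter nf_conntrack nf_conntrack_ipv4 xt_state ipt_LOG"

# Sample: the netfilter-related lines copied from the lsmod listing in post #7.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Module                  Size  Used by
ip6t_REJECT             4222  2 
nf_conntrack_ipv6      18504  2 
ip6table_filter         2791  1 
ip6_tables             16760  1 ip6table_filter
ipv6                  279399  22 ip6t_REJECT,nf_conntrack_ipv6
EOF
echo "IPv4 netfilter modules absent from the posted lsmod output (not loaded yet):"
missing_modules "$sample" $NETFILTER_V4
rm -f "$sample"
echo "Same modules as shipped with the running kernel (modinfo, nothing loaded):"
available_modules $NETFILTER_V4
```

If modinfo reports a module as available, loading one rule that uses it (for example a `-m state --state ESTABLISHED,RELATED` accept) makes it appear in lsmod; only a module that modinfo cannot find points at a kernel build problem rather than at an idle firewall.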
 
  

