Dynamic banning of hosts
Robert Sandilands
robert.sandilands@secureworx.com
Fri, 26 Oct 2001 16:58:02 +0200
This is such a bad idea. Think of the following nmap command:
nmap -sT -Dwww.cnn.com,www.microsoft.com,www.netscape.com,www.whitehouse.gov,www.nsa.gov,www.nasa.gov,www.iana.org,ME your.ip.address.range
Wouldn't that have sort of the wrong effect on your system?
Just a simple question.
Robert Sandilands
> -----Original Message-----
> From: Nigel Kukard [mailto:nkukard@lbsd.net]
> Sent: 26 October 2001 02:54
> To: Netfilter Development List
> Subject: Dynamic banning of hosts
>
>
>
> > > actually yes, i'm working on such a thing... basically using the idea from
> > > ULOG, matching packets & sending them to a central database server... every
> > > evening all the clients download these new updates and block possibly
> > > dangerous hosts. say for instance a host makes requests on an unused ip
> > > (we use these to detect things like Nimda), if more than 2 ip's out of our
> > > multiple class C's gets hit an entry is made into the database for 7 day
> > > "ban", if more than 5 hosts get hit, the server tries to get the admin
> > > contact of the ip owner & sends off an email with detailed logs.
> > This is very interesting. At the moment I just use perl scripts to
> > parse the log and dynamically ban, but a centralised database would be
> > excellent.
>
> ok, could all the people interested in this contact me off list so i can
> basically see the demand and move it up on the list of things i must
> release.
>
>
> Kind regards
> Nigel
>
>
>
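
An added example, not part of either message above: a sketch of the ban decision using the thresholds quoted in the thread (more than 2 unused IPs hit gives a 7 day ban, more than 5 also triggers a report), with two guards against the forged-source problem raised in the reply. The event format, the never-ban list, the addresses and the assumption that the sensor answers on the unused addresses and records whether the TCP handshake completed are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

BAN_THRESHOLD = 2     # thread: more than 2 unused IPs hit -> ban
REPORT_THRESHOLD = 5  # thread: more than 5 hit -> mail the owner's admin contact
BAN_DAYS = 7          # thread: ban lasts 7 days

# Assumption: operator-maintained networks that must never be banned
# (own ranges, upstream DNS, business partners). Documentation range used here.
NEVER_BAN = [ip_network("192.0.2.0/28")]


def _ev(src, n, established):
    """Constructed sample events: src touched n unused IPs."""
    return [(src, f"10.9.0.{i}", established) for i in range(1, n + 1)]


# (source, unused destination, TCP handshake completed?) -- constructed data
EVENTS = (
    _ev("198.51.100.7", 3, True)      # verified source, 3 unused IPs
    + _ev("203.0.113.9", 6, False)    # never completes a handshake: may be forged
    + _ev("192.0.2.5", 3, True)       # inside the never-ban range
    + _ev("198.51.100.20", 6, True)   # verified source, 6 unused IPs
    + _ev("198.51.100.30", 2, True)   # at the threshold, not over it
)


def decide(events, never_ban=NEVER_BAN, require_handshake=True):
    """Return {source: action} for sources that exceed the thread's thresholds."""
    hits = defaultdict(set)
    for src, dst, established in events:
        # A source address that never completed a handshake is unverified:
        # anyone can put it in a packet header, so it must not count.
        if require_handshake and not established:
            continue
        hits[src].add(dst)

    actions = {}
    for src, dsts in hits.items():
        if len(dsts) <= BAN_THRESHOLD:
            continue
        if any(ip_address(src) in net for net in never_ban):
            actions[src] = "allowlisted"  # log for a human, never auto-ban
        elif len(dsts) > REPORT_THRESHOLD:
            actions[src] = "ban+report"
        else:
            actions[src] = "ban"
    return actions
```

Calling `decide(EVENTS, require_handshake=False)` shows the failure mode from the reply: the unverified source `203.0.113.9` ends up banned and reported.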