Dynamic banning of hosts
Nigel Kukard
nkukard@lbsd.net
Fri, 26 Oct 2001 16:14:39 +0000 (UTC)
On Fri, 26 Oct 2001, Robert Sandilands wrote:
> This is such a bad idea. Think of the following nmap command:
>
> nmap -sT -Dwww.cnn.com,www.microsoft.com,www.netscape.com,www.whitehouse.gov,www.nsa.gov,www.nasa.gov,www.iana.org,ME your.ip.address.range
>
> Wouldn't that have sort of the wrong effect on your system?
why would u think that? i'm not talking about outgoing traffic, i'm talking
about incoming... so portscanning from the inside out i have no problem with
as many of our technical support personnel do this to see if our servers are
up & running the services they're supposed to be. furthermore, u could easily tune
the below project to only block those protocols being used to attack or
whateva.
>
> Just a simple question.
>
> Robert Sandilands
>
> > -----Original Message-----
> > From: Nigel Kukard [mailto:nkukard@lbsd.net]
> > Sent: 26 October 2001 02:54
> > To: Netfilter Development List
> > Subject: Dynamic banning of hosts
> >
> >
> >
> > > > actually yes, i'm working on such a thing... basically using the idea from
> > > > ULOG, matching packets & sending them to a central database server... every
> > > > evening all the clients download these new updates and block possibly
> > > > dangerous hosts. say for instance a host makes requests on an unused ip
> > > > (we use these to detect things like nimda), if more than 2 ip's out of our
> > > > multiple class C's gets hit an entry is made into the database for 7 day
> > > > "ban", if more than 5 hosts get hit, the server tries to get the admin
> > > > contact of the ip owner & sends off an email with detailed logs.
> > > This is very interesting. At the moment I just use perl scripts to
> > > parse the log and dynamically ban, but a centralised database would be
> > > excellent.
> >
> > ok, could all the people interested in this contact me off list so i can
> > basically see the demand and move it up on the list of things i must
> > release.
> >
> >
> > Kind regards
> > Nigel
> >
> >
> >
>
--
================================================================================
Contact Details
---------------
Name: Nigel Kukard
GSM Mobile: (+27) 082 564 2120
GSM Fax: (+27) 082 131 564 2120
Email: nkukard@linuxrulz.za.net
Organizations
-------------
- LinuxRulz
Url: http://www.linuxrulz.za.net
Position: Owner
- Linux Based Systems Design
Url: http://www.lbsd.net
Position: Systems Designer, Programmer
- Lando Technologies
Url: http://www.lando.co.za
Position: Linux Systems/Network Administrator
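
The thresholds from the quoted proposal (more than 2 unused IPs hit gives a 7-day ban, more than 5 also triggers an admin notification), as an added example that is not part of the original thread or of the project it describes. The log line format, the documentation address ranges and the `never_ban` allowlist (a guard for sources that must never be banned, given the spoofing concern raised in the thread) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

BAN_THRESHOLD = 2      # "more than 2 ip's ... gets hit" -> ban entry
NOTIFY_THRESHOLD = 5   # "more than 5 hosts get hit" -> mail the admin contact
BAN_DURATION = timedelta(days=7)
# Constructed sample data (documentation ranges, assumed log format), not real logs.
UNUSED = [ip_network("192.0.2.128/25"), ip_network("198.51.100.0/28")]
SAMPLE_LOG = """\
2001-10-26T02:00:01 SRC=203.0.113.7 DST=192.0.2.130 DPT=80
2001-10-26T02:00:02 SRC=203.0.113.7 DST=192.0.2.131 DPT=80
2001-10-26T02:00:03 SRC=203.0.113.7 DST=192.0.2.132 DPT=80
2001-10-26T02:00:04 SRC=203.0.113.7 DST=192.0.2.133 DPT=80
2001-10-26T02:00:05 SRC=203.0.113.7 DST=198.51.100.3 DPT=80
2001-10-26T02:00:06 SRC=203.0.113.7 DST=198.51.100.4 DPT=80
2001-10-26T02:00:07 SRC=203.0.113.9 DST=192.0.2.140 DPT=80
2001-10-26T02:00:08 SRC=203.0.113.9 DST=192.0.2.141 DPT=80
2001-10-26T02:00:09 SRC=203.0.113.9 DST=192.0.2.142 DPT=80
2001-10-26T02:00:10 SRC=203.0.113.20 DST=192.0.2.150 DPT=80
2001-10-26T02:00:11 SRC=203.0.113.20 DST=192.0.2.151 DPT=80
2001-10-26T02:00:12 SRC=203.0.113.30 DST=192.0.2.10 DPT=80
"""

def parse(line):
    """Split one 'timestamp KEY=value ...' line into (time, source, destination)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), ip_address(kv["SRC"]), ip_address(kv["DST"])

def evaluate(log_text, unused=UNUSED, never_ban=()):
    """Return ban/notify decisions keyed by source IP (never_ban: list of CIDRs)."""
    hits = defaultdict(set)   # source -> distinct unused addresses it touched
    last_seen = {}
    for line in log_text.splitlines():
        ts, src, dst = parse(line)
        if any(dst in net for net in unused):   # traffic to in-use IPs is ignored
            hits[src].add(dst)
            last_seen[src] = max(ts, last_seen.get(src, ts))
    decisions = {}
    for src, dsts in hits.items():
        if len(dsts) <= BAN_THRESHOLD or any(src in ip_network(n) for n in never_ban):
            continue
        decisions[str(src)] = {"hits": len(dsts),
                               "ban_until": last_seen[src] + BAN_DURATION,
                               "notify_admin": len(dsts) > NOTIFY_THRESHOLD}
    return decisions

if __name__ == "__main__":
    for src, decision in evaluate(SAMPLE_LOG).items():
        print(src, decision)
```
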