Security Basics mailing list archives
Re: What addresses to put on my NEW black list?
From: Neil <neil () voidfx net>
Date: Thu, 23 Feb 2006 22:00:51 +0530
The aforementioned port-blocking would be wiser (though some apps willautomatically tunnel through http/https). So maybe a combo. Maybe log IPs visiting your 'Access Disallowed' page. Then if you do decide to hunt 'em down, they're just an nslookup away (unless they share workstations).
But if you still want to blacklist ips, just from a security stantpoint, you'd definitly want to use a bogon list (a list of unassigned ip numbers by the IANA, sometimes in DDoSes and by the occasional very badly misconfigured network device).
If you're willing to accept a few false positives, you could also look into the Dshield lists, a list of cracker ips.
Both easily googled for. To use either, you need to make sure the lists are updated frequently, as IPs are added and removed pretty fairly frequently.
Ryan Cummings wrote:
You might be much better off blocking the ports that filesharing/streaming media come in on. You should be able to do a bit of searching around and find the default ports for most of these applications and shut them down at the firewall level. Also depending on your firewall or even IDS (this is debatable on the use:P) you could filter the content there. I know searching around on shoutcast.com most of the streaming stations use 8000+ for a port number so that is a good start. On 2/22/06, phunked up! <phunkodelic () gmail com> wrote:Trying to create a blacklist for my network. Want to include addresses for mainly streaming audio, and file shareing. I have a couple of network abusers who listen to internet radio that just don't follow company policy which has banned it. Yes I know I should try and bust them but thats a pain in the butt and besides if I do that I don't get the joy or experience of doing this. First off I was going to deny the addresses of various "bad" severs/web sites on the net at my firewall. I was then going to create a DNS entry that points all restriced IPs to a internal web server that would host a page stating that the site is banned (blackholing IPs). As mentioned above the issue I have is finding the IP addresses to ban. Any help would be appreciated. Thanks!
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- What addresses to put on my NEW black list? phunked up! (Feb 22)
- Re: What addresses to put on my NEW black list? Ryan Cummings (Feb 22)
- RE: What addresses to put on my NEW black list? David Gillett (Feb 23)
- Re: What addresses to put on my NEW black list? Brian Loe (Feb 23)
- Re: What addresses to put on my NEW black list? nodialtone (Feb 23)
- Re: What addresses to put on my NEW black list? Neil (Feb 23)
- <Possible follow-ups>
- re: What addresses to put on my NEW black list? Steve Barron (Feb 23)
- re: What addresses to put on my NEW black list? Jim Halfpenny (Feb 24)
- Re: What addresses to put on my NEW black list? Ryan Cummings (Feb 22)