Full Disclosure mailing list archives

Re: Compromised host list - some clarification...


From: "Robert P. McKenzie" <rmckenzi () rpmdp com>
Date: Tue, 21 Feb 2006 16:03:56 +0000

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBL's
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive than reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

It's clear, however, as others have pointed out it's far easier to block everything and
then selectively allow what you want to talk to you.  How do you think iptables will react
if you have say 20,000 entries in it?  My guess is it will slow your machines down.

Go the sensible route and block everything and permit the much smaller list of hosts to
connect to you.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
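An added example, not from either poster, showing the two approaches in this exchange as POSIX shell functions: pulling addresses out of a fetched list the way James describes, and the default-deny INPUT chain with a short allowlist that Robert recommends, emitted in iptables-restore format so it can be reviewed before loading. The sample list contents and the 203.0.113.x / 198.51.100.x addresses are constructed, not taken from samair.ru.

```shell
#!/bin/sh
# Constructed stand-in for the file wget would fetch (hypothetical data).
SAMPLE_LIST='203.0.113.10:3128 anonymous
198.51.100.7:8080 transparent
203.0.113.10:80 anonymous
not-an-address:9999
192.0.2.300:1080 bad-octet'

# Read a list on stdin, keep one valid IPv4 address per line, reject
# impossible octets, and dedupe so the rule count stays as small as possible.
extract_hosts() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
    | sort -u
}

# Robert's alternative: default DROP on INPUT, then permit loopback, replies
# to our own outbound connections, and the allowlisted hosts read from stdin.
# Output is iptables-restore syntax (load with: iptables-restore < rules.v4).
allowlist_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    while read -r host; do
        if [ -n "$host" ]; then
            printf '%s\n' "-A INPUT -s $host -j ACCEPT"
        fi
    done
    printf '%s\n' 'COMMIT'
}

# How many per-host rules a list on stdin would add to the chain; for a
# blocklist this is the 20,000-entry problem Robert raises.
rule_count() {
    extract_hosts | wc -l | tr -d ' '
}
```

The same `extract_hosts` output can be piped into `allowlist_rules` when the permitted hosts come from a file rather than being typed by hand.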
