Full Disclosure mailing list archives

Re: Compromised host list - some clarification...


From: Dean Pierce <piercede () pdx edu>
Date: Tue, 21 Feb 2006 10:06:50 -0800

If you need to protect your ssh from scanners, wouldn't it prolly just
be best to block people that are actually scanning you?  I use the
denyhosts script (watches logs for failed login attempts, and blocks ips
based on that), and there are a couple other good ones.  The two main
problems with your solution are:

1. how can you trust some magical offsite list so much that you are
willing to block traffic based on what it says?

2. how can you believe that such a list would ever be complete, or even
thorough?  New machines get taken over all the time, and my guess is that
the average lifespan of such machines is about a week or so before an
admin sees what's going on.

   - DEAN

James Lay wrote:
So ok.....I'm completely positive I didn't make myself clear at all in
my previous message...go me!  Here's a web site that I did manage to
find that has a current list of open proxies:

http://www.samair.ru/proxy/index.htm

My hope is that I could find a site that has a list of currently
reported open proxies, scanners, and ssh brute force boxes.  The RBLs
pretty much have smtp covered.  I would run a cron job at midnight, wget
and grep the file, then create an iptables table to block those hosts.
This is an attempt to be more proactive than reactive...if I knew those
hosts that were actively doing naughty things, why not block them at
the get go?

Does this make sense?  Am I barking up the wrong tree?  Thanks all =)

James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
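The cron job James describes, written out as an added example (not code from the thread) with the check Dean's first objection calls for: the fetched list is reduced to well-formed public IPv4 addresses before anything reaches iptables, and the rules go into their own chain and are printed for review rather than applied blindly. LIST_URL and the chain name are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: fetch a published block list, keep only well-formed public
# IPv4 addresses, and load them into a dedicated iptables chain that can be
# refreshed or flushed without touching the rest of the firewall.
LIST_URL="${LIST_URL:-http://example.invalid/blocklist.txt}"   # placeholder URL
CHAIN="${CHAIN:-BLOCKLIST}"                                     # assumed chain name

# Keep only lines that are a single dotted quad with every octet 0-255, then
# drop loopback, RFC 1918 and link-local ranges: one malformed or private
# entry in a list you do not control would otherwise lock out your own hosts.
extract_ips() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' |
    awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' |
    grep -Ev '^(0|10|127)\.|^169\.254\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.' |
    sort -u
}

# Emit the iptables commands instead of running them, so the result can be
# inspected (or piped to sh) before a single host is blocked.  The chain is
# created on first use and flushed on later runs, so stale entries age out.
build_rules() {
    chain="$1"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    while IFS= read -r ip; do
        echo "iptables -A $chain -s $ip -j DROP"
    done
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT -j $chain"
}

# The midnight job: wget the list, filter it, build the rules for the chain.
refresh_blocklist() {
    wget -q -O - "$LIST_URL" | extract_ips | build_rules "$CHAIN"
}

case "${1:-}" in
    --print) refresh_blocklist ;;        # review the rules first
    --apply) refresh_blocklist | sh ;;   # then let cron apply them
esac
```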



