Is there a place to submit IPs to a blacklist? Or a community project anyone knows about?
I do a search and only see services to check if my own IP is on a blacklist. I’d like to submit the German site that attempted to dictionary attack me.
They don’t have generic attack black lists for brute force attacks against ssh and http auth…
The majority of black lists are for spam…
Blacklisting whatever IP won’t help anyone, it’s probably a compromised machine or a proxy…
Secure your shit…Get an IDS/IPS…Check your logs…
Obviously if someone is trying to brute force some kind of login mechanism you can block them at your firewall…
Block any IP from Korea or Asia. I have two /8 subnets blocked in my clusters and has stopped 90% of the brute force attacks. I have a list going that a few friends contribute to that you can dump into your APF/iptables deny list if you want.
IDP/IPS is shitty and a waste of money. LZ seems to have drank some of the InfoSec koolade.
If you run a server that is public, you are going to get brute forced. Make sure your password and protection systems lock down if they have a lot of failed logins and ignore IPs.
:lol: InfoSec koolade
If you’re being brute forced there are a number of scripts to automatically block IPs after X number of attempts.
I have seen IDS/IPS block incoming shell code for remote exploits before…but to each their own…
Edit: Whole bunch of spelling fixes
IDP/IPS is expensive and when set up correctly generates thousands of errors. It’s a waste of man power to really configure it and get it tuned right for each network and to look for possible attacks beyond the basic stuff.
I’ve set one up and hate IDP/IPS for a ton of reasons but don’t have time to go on and on in a rant here.
If it’s a Linux box just set up APF with BFD. APF will suck down IP blacklists automatically and BFD will add failed attempts to specific services to its deny list.
http://www.fail2ban.org/wiki/index.php/Main_Page
http://www.morph3ous.net/2006/07/19/stop-ssh-brute-force-attacks/
However from previous talks I assume you need something for Windows?
Yes, I’m on win 08 servers… DoS wasn’t an issue. I don’t think I was targeted specifically. Most likely an opportunistic bot…pinged a port for 5 hrs straight…every 3 milliseconds with failed admin attempts. Blocked that port at the firewall with an updated setting and he was shut down. Then made sure all my db and webservice access occurs on the private network.
I may not be battle hardened now, but I’ll get there.
I was just wondering if there was a community effort to host black list ips. Sure he can change it or it might have run from a compromised system, but between his IP and his hosts IP…could help others, no?
Oh, the firewall on the router apparently does not lock down an IP for failed login attempts…that’s what my host says anyway. It’s for DoS attacks. But is there some other appliance, s/w or win policy I can apply to block an IP for say X failed login attempts within Y minutes?
Edit:
Just found this http://www.iis.net/extensions/DynamicIPRestrictions … That will be good for port 80 traffic? Assuming something got past the router firewall?
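As an added example (not from this thread, and not code from fail2ban, APF/BFD or Dynamic IP Restrictions), here is the “X failed logins within Y minutes” rule those tools implement, run over constructed sshd log lines with a sliding window; the firewall rules are rendered as strings and nothing is executed. The slow second source shows the caveat that a long gap between attempts stays under the window unless you widen it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in auth.log style (year added so timestamps parse).
SAMPLE_LOG = """\
2024-03-01 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01 10:00:03 web1 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01 10:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-03-01 10:00:09 web1 sshd[1204]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
2024-03-01 10:00:12 web1 sshd[1205]: Failed password for admin from 203.0.113.7 port 51240 ssh2
2024-03-01 10:00:14 web1 sshd[1206]: Failed password for admin from 203.0.113.7 port 51242 ssh2
2024-03-01 10:30:00 web1 sshd[1207]: Failed password for root from 198.51.100.4 port 40002 ssh2
2024-03-01 10:40:00 web1 sshd[1208]: Failed password for root from 198.51.100.4 port 40004 ssh2
2024-03-01 10:50:00 web1 sshd[1209]: Failed password for root from 198.51.100.4 port 40006 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def find_offenders(log_text, max_failures=5, window_minutes=10):
    """Return {ip: time_of_triggering_failure} for every source IP that reaches
    max_failures failed logins inside a sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m["ip"] in banned:
            continue                # successful logins and already-banned IPs are skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned[m["ip"]] = ts
    return banned


def block_commands(banned, platform="iptables"):
    """Render deny rules for the offenders as command strings (not executed)."""
    if platform == "iptables":
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]
    # Windows equivalent using the built-in netsh advfirewall syntax.
    return [f'netsh advfirewall firewall add rule name="block {ip}" '
            f"dir=in action=block remoteip={ip}" for ip in sorted(banned)]
```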
Routers are not firewalls… you really should look at putting something in front of it to scan incoming connections and apply some sort of rules if you have internal resources accessing the internet and vice versa
My options are somewhat limited for hardware appliances now in the DC I use.
Is there anything s/w based that I can throw on another VM in the domain…and let that monitor traffic on all the web servers? Is that what ISA server or Forefront does? Reaching here…this is not my area of expertise.
Hmm. why don’t I just pay you to do this for me?
If you run a VM you can set up a quasi filter but you will either A have to mirror traffic to the VM and the main server or set up some type of proxy. If it’s just an internet facing server and it’s not on a corporate network, then you can get away with a software firewall on the Windows box.
Remember though, a “secure” OS and server is just a state at that time. You will still need to actively protect it and know what is running on it.
Honestly I would worry more about whatever web application you’re publishing than an OS level attack…
Something like 60% of all attacks are against web applications right now…
I’m not 100% sure what your current configuration is but a transparent firewall is probably a good direction to look in…However this won’t stop brute force attacks against an open service you would still need something server side.