Re: automated blackholing

From: Klaus Steden (klaus@compt.com)
Date: 06/25/02


Date: Mon, 24 Jun 2002 19:49:18 -0400
From: Klaus Steden <klaus@compt.com>
To: freebsd-security@FreeBSD.ORG

Okay, my apologies. I should have clarified what I'm looking to implement ...

Essentially, it's this - I've got a list of clients I deny FTP access to by
default (from my /etc/hosts.deny file). I'd sooner just blackhole them, but
some are from large netblocks, and I'd rather blackhole individual IPs as they
show up. Maybe I'm using the velvet gloves when it's not necessary, but anyway
...

I was discussing this with an acquaintance who uses portsentry, configured to
blackhole immediately anyone connecting to a port with no service running on
it (i.e. the echo port). My situation is a little different, in that I've got
a service actually running (FTP) that people need to connect to legitimately,
but I'd like to blackhole illegitimate requests as they appear, rather than
using TCP wrappers to disconnect them.

I'm looking for something that can combine a blacklist created by me to
blackhole someone connecting if he's found in the blacklist, without having to
manually add blackhole routes or ipfw rules as these requests turn up - I'm
only on duty 18 hours a day after all ;>

Anyone done something like this before? It's sort of a back-asswards
combination of existing scenarios, but it seems possible ...

thanks,
Klaus

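One way to glue the pieces Klaus describes together, as an added example that is not part of the original post and not anything the poster or his acquaintance ran: a small sh script that watches the syslog line libwrap writes when it refuses a connection ("refused connect from A.B.C.D"), checks the client against an operator-maintained blacklist of single addresses and CIDR blocks, and adds a blackhole for that one host, either a route(8) -blackhole entry or an ipfw deny rule. The log path, the blacklist path and file format, the ipfw rule number and the assumption that ftpd's wrapper denials land in /var/log/auth.log are all my own choices for the example; adjust them to the real setup. DRYRUN=1 (the default) only prints the command it would run, which is the safest way to try it first.

```shell
#!/bin/sh
# Added example, not from the original post. Turns libwrap refusals for ftpd
# into per-host blackholes, but only for clients that match the operator's own
# blacklist, so large netblocks in the list never get blackholed wholesale.
# Assumptions (mine, not the poster's setup):
#   - libwrap logs refusals to $LOG as "... refused connect from A.B.C.D"
#   - $BLACKLIST holds one IP or CIDR block per line, '#' comments allowed
#   - blackholing uses route(8) -blackhole (default) or an ipfw deny rule
#   - shell arithmetic is 64-bit wide (true for FreeBSD sh, dash and bash)
# DRYRUN=1 (default) only prints the command that would be run.
BLACKLIST="${BLACKLIST:-/usr/local/etc/ftp-blackhole.list}"
LOG="${LOG:-/var/log/auth.log}"
METHOD="${METHOD:-route}"
DRYRUN="${DRYRUN:-1}"
SEEN=" "          # addresses already blackholed this run, space-delimited

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when address $1 lies inside $2, given as "A.B.C.D" or "A.B.C.D/bits".
in_block() {
    case $2 in
        */*) netstr=${2%/*}; bits=${2#*/} ;;
        *)   netstr=$2;      bits=32 ;;
    esac
    addr=$(ip2int "$1")
    net=$(ip2int "$netstr")
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Succeeds when $1 matches any entry of blacklist file $2.
blacklisted() {
    while read -r entry; do
        case $entry in ''|\#*) continue ;; esac
        in_block "$1" "$entry" && return 0
    done < "$2"
    return 1
}

# Client address from a libwrap refusal line; prints nothing for other lines.
client_ip() {
    printf '%s\n' "$1" | sed -n 's/.*refused connect from \([0-9.][0-9.]*\).*/\1/p'
}

# Print (DRYRUN=1) or run the blackhole command for host $1.
blackhole() {
    if [ "$METHOD" = ipfw ]; then
        cmd="ipfw add 1000 deny ip from $1 to any"
    else
        cmd="route add -host $1 127.0.0.1 -blackhole"
    fi
    if [ "$DRYRUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}

# Handle one log line. Succeeds (and blackholes) only for a new, blacklisted
# client; returns 1 for unrelated lines, unlisted clients and repeats.
handle_line() {
    cli=$(client_ip "$1")
    [ -n "$cli" ] || return 1
    case $SEEN in *" $cli "*) return 1 ;; esac
    blacklisted "$cli" "$BLACKLIST" || return 1
    SEEN="$SEEN$cli "
    blackhole "$cli"
}

# Stand-alone demo on constructed data: a temporary blacklist and four
# constructed syslog lines (one unlisted client, one repeat).
demo() {
    BLACKLIST=$(mktemp) || return 1
    printf '%s\n' '# ftp abusers' '192.0.2.0/24' '198.51.100.7' > "$BLACKLIST"
    SEEN=" "
    for line in \
        'Jun 24 19:49:18 gw ftpd[812]: refused connect from 192.0.2.10' \
        'Jun 24 19:49:20 gw ftpd[813]: refused connect from 203.0.113.5' \
        'Jun 24 19:49:25 gw ftpd[814]: refused connect from 192.0.2.10' \
        'Jun 24 19:49:30 gw ftpd[815]: refused connect from 198.51.100.7'
    do
        handle_line "$line" || :
    done
    rm -f "$BLACKLIST"
}

# Live mode: follow the log and act on each new refusal as it appears.
follow() {
    tail -F "$LOG" | while read -r line; do
        handle_line "$line" || :
    done
}

case ${1:-demo} in
    follow) follow ;;
    *)      demo ;;
esac
```

Run it with no arguments to see the dry-run output for the constructed lines (two route commands: 192.0.2.10 once, 198.51.100.7 once), then `DRYRUN=0 ./script follow` as root to make it live. Blackholes added this way do not survive a reboot, so a persistent list still has to be replayed from rc, and the script should itself be started from rc so it is not dependent on anyone being on duty.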