Blacklisting (and blocking) remote sites - blt.tar.gz (0/1)

Matthew Dillon dillon at apollo.backplane.com
Thu Dec 27 15:33:19 PST 2007


:Hi all,
:
:you probably also get your logfiles flooded with lines reporting
:failed login attempts via ftp or ssh from remote sites.
:...
:
:So here's my homebrewed blacklisting toolset, consisting of just two
:simple shell scripts and a master configuration file.
:
:Enjoy the show
:
:--Joerg

    Cool stuff... I like the variable names you chose.

    There are two issues that I see.  The first is that the hosts.allow
    file can potentially become huge... thousands or tens of thousands
    of entries (or more) if you are attacked, and that could be used as a
    denial of service attack against regular operations.   Every connect()
    to your box will search the file.

    The second is that I'm not sure it is safe to insert the strings
    you are grepping out of the BLACKLIST file (thrown into your
    PISSNELKE variable) directly into the hosts.allow file like that.
    You need to sanitize the contents of PISSNELKE before you can embed
    it or you will be vulnerable to reverse DNS insertion attacks.  For
    example, what would happen if $PISSNELKE contained a ':' ?  Or a
    wildcard?

    I'd like to see those connections denied too but the next best thing
    is to not use passwords at all.... use ssh only for all machine access,
    like we do on leaf.dragonflybsd.org (and every other machine I manage,
    including my personal boxes).

					-Matt
					Matthew Dillon
					<dillon at backplane.com>
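A validator in the spirit of the sanitization concern raised above, added here as an example (not Joerg's toolset and not code from this thread): it accepts only a plain dotted-quad IPv4 address before building a hosts.allow line, so a ':' field separator, a wildcard, or a resolver-supplied hostname never reaches the file. The rule form `ALL: addr : deny` relies on the extended hosts_options syntax, which is assumed to be available on the target system.

```shell
# Added example, not from the original thread or Joerg's toolset.
# Validate a candidate blacklist entry as a plain dotted-quad IPv4 address
# before it is written into a hosts.allow(5) rule. Hostnames (possibly
# supplied via attacker-controlled reverse DNS), the ':' field separator,
# '*' / '?' wildcards and shell metacharacters are all rejected.

# is_ipv4 ADDR -> returns 0 only if ADDR is exactly a.b.c.d with each octet 0..255
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*) return 1 ;;   # empty, or a character other than digit/dot
        *..*|.*|*.)   return 1 ;;   # empty octet: "1..2.3", ".1.2.3", "1.2.3."
        *.*.*.*.*)    return 1 ;;   # four or more dots
        *.*.*.*)      ;;            # exactly three dots
        *)            return 1 ;;   # fewer than three dots
    esac
    # Split on dots; the checks above guarantee four non-empty fields.
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] || return 1             # keeps the numeric test below safe
        [ "$octet" -le 255 ] || return 1
        case $octet in 0) ;; 0*) return 1 ;; esac   # no leading zeros (octal ambiguity)
    done
    return 0
}

# deny_rule ADDR -> print the hosts.allow line for ADDR (extended "deny" option,
# assumed available), or print nothing and return 1 if ADDR does not validate.
deny_rule() {
    is_ipv4 "$1" || return 1
    printf 'ALL: %s : deny\n' "$1"
}

# Constructed sample input: one good entry and several that must be refused.
for candidate in 203.0.113.7 '203.0.113.7:ALL' '203.0.113.*' 'evil.example.net' '203.0.113.07'; do
    deny_rule "$candidate" || printf 'rejected: %s\n' "$candidate" >&2
done
```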