1. zeromechanic Member

    Using a blacklist

    Topic posted on: 11-10-2014 at 13:59

    Maybe something interesting.

    I see a lot of SASL login failures in my logs.
    fail2ban works perfectly as far as that is concerned.

    But it does indeed seem better to me to block them right at the start, before they try to log in.

    https://github.com/trick77/ipset-blacklist

    It is for Debian, but there will be plenty to find for other OSes too.

  2. zeromechanic Member
    Reply posted on: 11-10-2014 at 22:15

    Well, 8 hours after applying the blacklists, not a single failed login has been logged in the logs.
    No complaints received yet either.

    192 packets dropped according to IPTABLES


  3. zeromechanic Member
    Reply posted on: 17-10-2014 at 16:16

    Works perfectly,
    no complaints from customers.

    Only a handful still get through, and those are blocked by fail2ban as they should be.


  4. eenklant Member
    Reply posted on: 26-10-2014 at 04:49

    With configserver (CFS) it is simple; lda blocklist "Edit the Blocklists configuration file (csf.blocklists)"


    ###############################################################################
    # Copyright 2006-2013, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # This file contains definitions to IP BLOCK lists.
    #
    # Uncomment the line starting with the rule name to use it, then restart csf
    # and then lfd
    #
    # Each block list must be listed one per line: as NAME|INTERVAL|MAX|URL
    # NAME : List name with all uppercase alphabetic characters with no
    # spaces and a maximum of 9 characters - this will be used as the
    # iptables chain name
    # INTERVAL: Refresh interval to download the list, must be a minimum of 3600
    # seconds (an hour), but 86400 (a day) should be more than enough
    # MAX : This is the maximum number of IP addresses to use from the list,
    # a value of 0 means all IPs
    # URL : The URL to download the list from
    #
    # Note: Some of these lists are very long (thousands of IP addresses) and
    # could cause serious network and/or performance issues, so setting a value for
    # the MAX field should be considered
    #
    # After making any changes to this file you must restart csf and then lfd
    #
    # If you want to redownload a blocklist you must first delete
    # /etc/csf/csf.block.NAME and then restart csf and then lfd
    #
    # Each URL is scanned for an IPv4/CIDR address per line and if found is blocked

    # Spamhaus Don't Route Or Peer List (DROP)
    # Details: http://www.spamhaus.org/drop/
    SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

    # Spamhaus Extended DROP List (EDROP)
    # Details: http://www.spamhaus.org/drop/
    SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

    # DShield.org Recommended Block List
    # Details: http://dshield.org
    DSHIELD|86400|0|http://www.dshield.org/block.txt

    # TOR Exit Nodes
    # Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
    TOR|86400|0|http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1

    # BOGON list
    # Details: http://www.team-cymru.org/Services/Bogons/
    #BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

    # Project Honey Pot Directory of Dictionary Attacker IPs
    # Details: http://www.projecthoneypot.org
    HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

    # C.I. Army Malicious IP List
    # Details: http://www.ciarmy.com
    CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

    # BruteForceBlocker IP List
    # Details: http://danger.rulez.sk/index.php/bruteforceblocker/
    BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

    # Emerging Threats - Russian Business Networks List
    # Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
    RBN|86400|0|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

    # OpenBL.org 30 day List
    # Details: http://www.openbl.org
    OPENBL|86400|0|http://www.us.openbl.org/lists/base_30days.txt

    # Autoshun Shun List
    # Details: http://www.autoshun.org/
    AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

    # MaxMind GeoIP Anonymous Proxies
    # Details: https://www.maxmind.com/en/anonymous_proxies
    MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

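Added example, not part of eenklant's post or of csf itself: a small Python check that validates csf.blocklists entries against the rules in the file header (NAME of 1 to 9 uppercase letters, INTERVAL of at least 3600 seconds, numeric MAX) before csf and lfd are restarted. The function name, the sample lines and the `blocklist.example` URLs are constructed; the warning for lists fetched over plain HTTP is an extra check added here, not a rule from the file.

```python
import re
from urllib.parse import urlsplit

# Constructed sample; the blocklist.example URLs are placeholders.
SAMPLE = """\
# comments and blank lines are skipped
SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso
MAXMIND|86400|500|https://www.maxmind.com/en/anonymous_proxies
SPAMHAUSDROP|86400|0|http://blocklist.example/drop.txt
dshield|600|5000|https://blocklist.example/block.txt
BROKEN|86400|https://blocklist.example/missing-field.txt
"""

MIN_INTERVAL = 3600  # seconds, the minimum stated in the file header


def check_blocklists(text):
    """Return (entries, findings); a finding is (line number, level, message)."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lists such as #BOGON are inactive
        fields = line.split("|", 3)
        if len(fields) != 4:
            findings.append((lineno, "error", "expected NAME|INTERVAL|MAX|URL"))
            continue
        name, interval, maximum, url = fields
        errors = []
        if not re.fullmatch(r"[A-Z]{1,9}", name):  # used as the iptables chain name
            errors.append("NAME must be 1-9 uppercase letters")
        if not interval.isdecimal() or int(interval) < MIN_INTERVAL:
            errors.append("INTERVAL must be at least 3600 seconds")
        if not maximum.isdecimal():
            errors.append("MAX must be a non-negative integer")
        parsed = urlsplit(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            errors.append("URL must be an http(s) URL")
        if errors:
            findings.extend((lineno, "error", e) for e in errors)
            continue
        if int(maximum) == 0:  # the header advises setting MAX for long lists
            findings.append((lineno, "warn", "MAX=0 loads every IP on the list"))
        if parsed.scheme == "http":  # added check, not a rule from the file
            findings.append((lineno, "warn", "list is fetched over plain HTTP"))
        entries.append((name, int(interval), int(maximum), url))
    return entries, findings


if __name__ == "__main__":
    for finding in check_blocklists(SAMPLE)[1]:
        print("line %d: %s: %s" % finding)
```

Lines reported as errors are left out of the returned entries; warnings are advisory and the entry is still returned.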