Darxus on Thu, 10 Jan 2002 06:02:28 -0500
On 01/10, Joe Coyle wrote:
> This could be useful for firewall design... http://www.dshield.org/
> The general idea is that by sharing information about intrusions,
> members can benefit in configuring their own firewalls. DShield.org
> collects firewall log data submitted by its members. The collected data is
> then compiled and summarized in reports by port number, IP address, etc.

You asked if this could be used in a firewall. I created (and attached) an extremely simple script (4 lines) that grabs the list of the top 10 current port scanners and uses ipchains (kernel v2.2.x) to deny all inbound traffic from them. It requires the "wget" program be installed. It should be equally easy to do with iptables (kernel v2.4.x).

Unfortunately they don't seem to provide a larger dataset. I'm becoming a little concerned that this organization doesn't seem very... open. They are collecting what could be a rather valuable dataset (everybody's firewall logs), and not sharing them.

As we were discussing at dinner, I could see this information being useful in preventing Windows servers from being infected by new worms.

-- 
"Blessed are they who, in the face of death, think only about the front sight."
http://www.ChaosReigns.com

#dshield-ipchains, created by Darxus@ChaosReigns.com on 1/10/2002,
#released under the GPL.
#
#This program retrieves a list of the top 10 portscanners from dshield.org,
#and then tells ipchains to deny all incoming traffic from them.
#
#It requires wget for the retrieval:
#http://www.gnu.org/software/wget/wget.html

wget -N http://feeds.dshield.org/top10.txt
for host in `cat top10.txt`; do ipchains -l -A input -p all -s $host -j DENY; done
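The post says the same thing should be easy with iptables; the script below is an added example (not the script attached to the post) that does it with iptables and two things a practitioner would want: every feed line is validated as an IPv4 address before it is handed to the firewall, and the rules live in a dedicated chain that is rebuilt on each run, so re-running does not pile up duplicate rules in INPUT. The feed layout (one IPv4 address per line, '#' comments ignored) and the chain name are assumptions; the commands are only echoed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the original post's script: iptables (kernel 2.4.x+)
# counterpart of the ipchains loop. Feed format is an assumption: one IPv4
# address per line, blank lines and '#' comments ignored.
set -eu

FEED_URL="http://feeds.dshield.org/top10.txt"   # URL from the original post
CHAIN="dshield-top10"                            # hypothetical chain name
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the iptables commands, 0 = run them

# Keep only dotted-quad IPv4 addresses whose four octets are each 0-255.
# Anything else in the feed is dropped instead of being handed to iptables.
valid_ipv4() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Strip comments and whitespace from a feed file, then validate each line.
parse_feed() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | valid_ipv4
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Rebuild a dedicated chain so each run replaces the previous list instead of
# appending duplicate rules to INPUT; log before dropping, as the original did.
apply_rules() {
    run -N "$CHAIN" 2>/dev/null || true
    run -F "$CHAIN"
    run -D INPUT -j "$CHAIN" 2>/dev/null || true
    run -I INPUT -j "$CHAIN"
    parse_feed "$1" | while read -r ip; do
        run -A "$CHAIN" -s "$ip" -j LOG --log-prefix "dshield-top10: "
        run -A "$CHAIN" -s "$ip" -j DROP
    done
}

fetch_and_apply() {
    wget -q -O top10.txt "$FEED_URL" && apply_rules top10.txt
}

# Fetch the live feed only when explicitly asked, so the functions can be
# exercised on a local file first.
if [ "${DSHIELD_FETCH:-0}" = 1 ]; then fetch_and_apply; fi
```

Run it as `DSHIELD_FETCH=1 DRY_RUN=0 sh dshield-iptables.sh` from cron once the echoed rules look right on a saved copy of the feed.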