[VoiceOps] Web Attacker Blacklist
J. Oquendo
sil at infiltrated.net
Wed Oct 23 08:04:39 EDT 2013
On Tue, 22 Oct 2013, Jay Hennigan wrote:
> On 10/22/13 6:57 AM, J. Oquendo wrote:
> >
> > Going to cross post this to the list (I know some of us
> > criss-cross lists). Reasoning, a lot of IP PBXs have
> > web based interfaces, and some need to be on the public
> > Internet.
> >
> > Cobbled together a script to scrape my logs, parse out web
> > based attackers (SQLi, XSS, CSRF, etc) and compile said list
> > for blacklisting. Script is pulling from 6 different web
> > servers for now. I may add more later depending on whether
> > or not I see a lot of usage.
> >
> > http://www.infiltrated.net/webattackers.txt
>
> Thanks. I personally would like to see it as solely raw IP addresses
> rather than a mix of IPs and PTRs. The PTRs may not match forward DNS,
> particularly if a bad guy has control of rDNS.
>
I changed it up, but will leave existing domains on there.
I thought about this (domains vs. IPs) in the sense that,
filtering (WAF) often tends to rely on domains. Then I
thought about matching domains to IPs on that instance but
it wouldn't have been cumbersome considering anyone can
edit /etc/hosts or c:\windows\system32\etc\drivers\hosts
so I left it alone. As of about 20 minutes of the original
post, I re-configured Apache to stop hostname lookups.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
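An added sketch of the log-scraping step described in the original post and of Jay's raw-IP point; this is example code written for this archive page, not the script behind webattackers.txt. It parses Apache combined-format lines, tags requests that look like SQLi, XSS or traversal probes, and keeps only clients logged as literal IP addresses, setting aside PTR names (which Apache writes with HostnameLookups On and which the client's rDNS owner controls). The detection patterns and log lines are constructed and deliberately minimal.

```python
import ipaddress
import re
from urllib.parse import unquote

# Apache combined log: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
# Minimal probe indicators for the URL-decoded request line (constructed; a real WAF ruleset is far broader).
ATTACK_PATTERNS = {
    "sqli": re.compile(r"(union\s+select|'\s*or\s+1=1|sleep\(\d+\)|information_schema)", re.I),
    "xss": re.compile(r"(<script|javascript:|onerror\s*=)", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed sample lines; the third has a PTR name as client, as Apache writes with HostnameLookups On.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Oct/2013:06:57:01 -0400] "GET /admin.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla"',
    '198.51.100.9 - - [22/Oct/2013:06:58:10 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla"',
    'pbx-scan.example.net - - [22/Oct/2013:06:59:33 -0400] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 404 0 "-" "curl"',
    '203.0.113.5 - - [22/Oct/2013:07:01:02 -0400] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 403 0 "-" "-"',
]
def classify(request):
    """Return the attack tags whose pattern matches the decoded request line."""
    decoded = unquote(request)
    return [name for name, pat in ATTACK_PATTERNS.items() if pat.search(decoded)]

def extract_attackers(lines):
    """Return ({ip: set(tags)}, {skipped hostnames}) for clients sending attack-like requests.
    Only literal IPs are kept: a PTR name in the log is whatever the client's rDNS
    owner chose to publish, so it is reported separately rather than blacklisted."""
    attackers, skipped_names = {}, set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("req"))
        if not tags:
            continue
        client = m.group(1)
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:  # not an IP literal, so a hostname from HostnameLookups
            skipped_names.add(client)
            continue
        attackers.setdefault(str(ip), set()).update(tags)
    return attackers, skipped_names

def blacklist(lines):
    """Raw-IP blacklist, one address per entry, with no PTR names mixed in."""
    return sorted(extract_attackers(lines)[0])
```

Run over SAMPLE_LOG, blacklist() yields only 203.0.113.5, and the hostname-logged client is returned in the skipped set so it can be resolved forward and checked by hand rather than blocked on its PTR alone.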