[VoiceOps] Web Attacker Blacklist

J. Oquendo sil at infiltrated.net
Wed Oct 23 08:04:39 EDT 2013

On Tue, 22 Oct 2013, Jay Hennigan wrote:

> On 10/22/13 6:57 AM, J. Oquendo wrote:
> > 
> > Going to cross post this to the list (I know some of us
> > criss-cross lists). Reasoning, a lot of IP PBXs have
> > web based interfaces, and some need to be on the public
> > Internet.
> > 
> > Cobbled together a script to scrape my logs, parse out web
> > based attackers (SQLi, XSS, CSRF, etc) and compile said list
> > for blacklisting. Script is pulling from 6 different web
> > servers for now. I may add more later depending on whether
> > or not I see a lot of usage.
> > 
> > http://www.infiltrated.net/webattackers.txt
> Thanks.  I personally would like to see it as solely raw IP addresses
> rather than a mix of IPs and PTRs.  The PTRs may not match forward DNS,
> particularly if a bad guy has control of rDNS.

I changed it up, but will leave existing domains on there.
I thought about this (domains vs. IPs) in the sense that,
filtering (WAF) often tends to rely on domains. Then I
thought about matching domains to IPs on that instance but
it wouldn't have been cumbersome considering anyone can
edit /etc/hosts or c:\windows\system32\etc\drivers\hosts
so I left it alone. As of about 20 minutes of the original
post, I re-configured Apache to stop hostname lookups.

J. Oquendo

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF

More information about the VoiceOps mailing list