firewall setup and whois for blacklisting IP's

Louis LeBlanc FreeBSD at keyslapper.org
Mon Jan 10 11:16:46 PST 2005


On 01/10/05 01:34 PM, dave sat at the `puter and typed:
> Hello,
>     For your setup of blacklisting IP's do you use any cron scripts for
> procedure automation?
>     I'm assuming for your firewall block table that you store that in a
> separate file? Can you send that file my way? I've tried to come up with a
> perl script to get whois information out of a maillog, I'm getting ssh
> attempts that correspond to mail relaying attempts so I thought that would be
> best; however, there seems to be a difference in the way certain servers
> return whois information, do you have any experience with this?
>     When you email an abuse contact approximately what percentage of them
> write you back? I've emailed several providers, Comcast mostly in the US, but
> I have not heard anything back from the person. Is there some sort of
> standard email template you follow?
> Thanks.
> Dave.

Good questions.  I don't use any automation; I just look at the auth
logs on a regular basis.  The reason is that I don't want to block every
network that attempts my system.  I haven't found any of the security
settings to include illegal user attempts in the security mailing -
though I'd think that would be there, and on by default.  If it were
there, I'd use that as a more reliable alert.

Also, I don't typically do anything at all with Amsterdam IPs, mostly
because I haven't decided whether there's anything legitimate to be
expected.  I know there's a lot of porn sites, and this could easily be
a starting point for a lot of these attempts, but it's a fairly open
society, and I don't know whether the ISPs would really care about them.
They may well care in those that I do block, but my experience has shown
that they typically won't make much effort.  Giving the benefit of the
doubt, it's probably more of a language barrier than a lack of interest.

When I used ipfw, I did keep the blocked lists in a separate file,
/etc/rc.firewall.blocked contained a rule for each CIDR block I
rejected.  Now I keep it in a table definition in /etc/pf.conf.  So far,
in the last month, this is the full table definition for my pf firewall:

table <BLOCKED> { \
                  60.0.0.0/8, \
                  61.0.0.0/8, \
                  195.0.0.0/8, \
                  202.0.0.0/7, \
                  221.0.0.0/8, \
                  222.0.0.0/8 \
                  }

And at the appropriate place, I have a rule to block anything from those
blocks:
# Block Network Badlands (table <BLOCKED>)
block in quick on $ext_if inet from <BLOCKED> to any

I haven't figured out how to automagically include a separate file with
this table defined yet, but I haven't really tried either.  Another
option I haven't tried is to simply pull the CIDR specs out of something
like blackholes.us, which I use to block mail from Asia, but I haven't
taken the time to do that.

It probably wouldn't be rocket science to automagically scan for the
table definition and add a CIDR spec at the top of the table if it
wasn't already there, but like I said, I haven't really been trying.

BTW, I'm copying this back to the list in case someone there *is* using
some kind of automation to alert them to illegal user attempts, or if
there is a switch I missed to include them in the security mailings.
That will give them an opportunity to give you some help.

That's usually a better option than getting me at the FreeBSD-at-
address, since it goes to a mailbox specifically for the list, and
unless the subject sets off any bells (like yours did in this case) I
won't always read it.  Besides, I'm more of a novice with network
security/firewall setup, so you want some of the more knowledgeable
folks there to have an opportunity to correct me :)  For *true offlist*
email, I can be reached more reliably at leblanc-at-

Good luck.  I'll continue to follow this thread in case someone posts
something I can elaborate on to some useful end.

Lou
-- 
Louis LeBlanc               FreeBSD at keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org                     Ô¿Ô¬

McGowan's Madison Avenue Axiom:
  If an item is advertised as "under $50", you can bet it's not $19.95.
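Added example (not part of the original post or its author's setup): one way to keep the <BLOCKED> table in a separate file, as the message above discusses, and add CIDR blocks to it without duplicating entries. pf itself can load a table from a file with `table <BLOCKED> persist file "/path"`, and `pfctl -t BLOCKED -T replace -f /path` pushes the file into the running table. The file paths, the script name and the sample CIDRs below are assumptions chosen for illustration; the input check is there so that a stray fragment copied out of a log can never land in the firewall table.

```shell
#!/bin/sh
# Added example, not the original poster's code. Maintains a pf table file.
#
# Assumed layout (hypothetical paths, adjust to taste):
#   /etc/pf.blocked   one CIDR per line, '#' comments and blank lines allowed
#   /etc/pf.conf      contains:
#       table <BLOCKED> persist file "/etc/pf.blocked"
#       block in quick on $ext_if inet from <BLOCKED> to any
#
# Usage: blocklist.sh FILE CIDR   (e.g. blocklist.sh /etc/pf.blocked 203.0.113.0/24)

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
# Returns 0 when valid, 1 otherwise.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    # The regex allows 300.1.1.1; check each octet is really <= 255.
    ip=${1%%/*}
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Append CIDR to FILE unless an identical line is already present.
# Returns 0 when added, 1 when already present, 2 when the CIDR is invalid.
blocklist_add() {
    file=$1; cidr=$2
    valid_cidr "$cidr" || return 2
    [ -f "$file" ] || : > "$file"
    if grep -Fxq "$cidr" "$file"; then
        return 1
    fi
    printf '%s\n' "$cidr" >> "$file"
    return 0
}

# Print the active entries of FILE with comments and blank lines stripped,
# i.e. what pf will actually load from it.
blocklist_entries() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Replace the contents of the running table with the file. pf also re-reads
# the file on "pfctl -f /etc/pf.conf", but replacing the table directly avoids
# reloading the whole ruleset. Returns 1 if pfctl is not available here.
blocklist_reload() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t BLOCKED -T replace -f "$1"
    else
        echo "pfctl not found; would run: pfctl -t BLOCKED -T replace -f $1" >&2
        return 1
    fi
}

# Command-line entry point; only runs when given FILE and CIDR, so the script
# can also be sourced for its functions.
if [ $# -eq 2 ]; then
    blocklist_add "$1" "$2"
    case $? in
        0) echo "added $2 to $1"; blocklist_reload "$1" ;;
        1) echo "$2 already in $1" ;;
        2) echo "invalid CIDR: $2" >&2; exit 2 ;;
    esac
fi
```

Because the script only ever appends an exact, validated line, it is safe to run repeatedly from a cron job or by hand after reviewing the auth logs; the decision about *which* network to block stays with the person reading the logs, which is the approach the message above takes.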
