[asterisk-users] Is there a public blacklist of hackers' IP addresses?

asterisk at lists.bod.org
Thu Mar 26 13:41:10 CDT 2009


I highly recommend http://www.dshield.org. A large community submits 
their logs to dshield on a regular basis (most do it hourly). dshield 
then makes aggregate information available, including worst offenders, 
etc. You can also query for the number of reported attacks originating 
from a given IP address.

http://www.threatstop.com/ is a commercial service that aggregates 
threat info from dshield and other services to produce a list of IP 
subnets to block. I used them during their beta period, but when they 
launched, the pricing was a bit high for a 'home' user.

Also useful: the geoip netfilter module in xtables-addons 
(http://xtables-addons.sourceforge.net/) for linux distributions. This 
allows you to write firewall rules that depend on the country of the 
originating IP address. Great way to cut out a lot of SSH attempts from 
countries you don't reside in (like a lot of cruft I get from China, 
Russia and the Netherlands).

fail2ban is a good tool for monitoring logged security violations and 
banning IPs based on repeat offenders. If I remember correctly it's a 
little more broad in the logs it reacts to than sshdfilter is (mentioned 
in another post). Either one is much better than nothing :)  Using geoip 
in your netfilter rules will drastically reduce the number of attacks, 
so they make a good combo.

A more advanced technique is to set up a 'firewall' virtual machine on 
your machine that handles your public IP address(es). Use a stripped 
down 'firewall' distribution with only the binaries it needs to be a 
firewall (no dev tools, perl, python, etc.). Run a few proxies for the 
few services that must be exposed (e.g. SMTP), and filter those heavily 
too (e.g. by using geoip mentioned above). Even if that virtual machine 
is compromised, there's no interesting info available and little to 
damage (plus it's easy to restore from a backup image kept on the host). 
I've just started setting up something like this using KVM (kernel 
virtual machine), running an instance of OpenWRT.

Paul

Zeeshan Zakaria wrote:
> Hi,
>
> In the last week I have seen two servers of our organization 
> successfully hacked and some others under attack from other IP 
> addresses. We would block one IP address on our firewall and after a 
> few hours, they would start getting hits from another IP address. 
> When I checked them on whois.net <http://whois.net>, they were all 
> from Amsterdam. Surprisingly, I once had a similar attack in the past 
> and it was also from an Amsterdam IP address. And they all belong to 
> the same organization.
>
> Seems like somebody in Amsterdam is really active in trying to hack 
> asterisk servers around the world.
>
> I was wondering if somebody maintains a list of these IP addresses 
> which everybody can block in their firewalls. And is there a place I 
> can publish these IP addresses?
>
> Thanks
>
> -- 
> Zeeshan A Zakaria
> ------------------------------------------------------------------------
>
> _______________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
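The "monitor the log, ban repeat offenders" logic that fail2ban applies to Asterisk, written out as an added example. This is not Paul's code and not fail2ban's own implementation; it is a stand-alone re-implementation of fail2ban's maxretry/findtime/bantime/ignoreip semantics over a handful of constructed chan_sip NOTICE lines (the timestamps, extensions and addresses are made up, and the exact message wording differs between Asterisk versions, so the regex is deliberately tolerant). The iptables command strings it emits are only built, not executed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Asterisk chan_sip NOTICE lines (not real traffic):
#  - 203.0.113.5  fails 6 times in 10 seconds      -> should be banned
#  - 198.51.100.7 fails 3 times                     -> under maxretry, not banned
#  - 192.0.2.10   fails 5 times but is in ignoreip  -> never banned
#  - 203.0.113.9  fails 5 times spaced 5 min apart  -> never 5 inside findtime
SAMPLE_LOG = """\
[Mar 26 13:40:01] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 26 13:40:02] NOTICE[2100] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Mar 26 13:40:03] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 26 13:40:04] NOTICE[2100] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
[Mar 26 13:40:05] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 26 13:40:06] NOTICE[2100] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Mar 26 13:40:07] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 26 13:40:08] NOTICE[2100] chan_sip.c: Registration from '"103" <sip:103@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Mar 26 13:40:09] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 26 13:40:11] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Mar 26 13:41:00] NOTICE[2100] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar 26 13:41:10] NOTICE[2100] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar 26 13:41:20] NOTICE[2100] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar 26 13:41:30] NOTICE[2100] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar 26 13:41:40] NOTICE[2100] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[Mar 26 13:50:00] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Mar 26 13:55:00] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Mar 26 14:00:00] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Mar 26 14:05:00] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
[Mar 26 14:10:00] NOTICE[2100] chan_sip.c: Registration from '"100" <sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password
"""

# Tolerant match for the "Registration from ... failed for '<ip>'" NOTICE.
# Optional "<line> <function>:" after chan_sip.c covers the newer log layout,
# and an optional ":<port>" after the address covers versions that log it.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c:"
    r"(?:\d+ \w+:)? Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600,
              ignoreip=("127.0.0.0/8", "192.0.2.0/24")):
    """Return {ip: (banned_at, unban_at)} using fail2ban-style counting:
    an IP is banned when it has >= maxretry failures inside a sliding
    findtime window; ignoreip networks (your own PBX/trunk ranges, which
    are placeholders here) are never banned. Log lines must be in time order."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                # not a registration failure; ignore
        ip = m.group("ip")
        if ip in banned:
            continue                # firewall already drops this source
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue
        # Asterisk omits the year; 1900 is fine for relative arithmetic.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = (ts, ts + timedelta(seconds=bantime))
    return banned


def ban_commands(banned):
    """Build (not run) one DROP rule per banned source, sorted for stable output."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(banned)]


if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    for ip, (start, end) in bans.items():
        print("%s banned at %s until %s" % (ip, start.time(), end.time()))
    print("\n".join(ban_commands(bans)))
```

Two things worth noting from the sample: 203.0.113.9 is never banned even though it fails five times, because no five failures ever fall inside one findtime window, which is exactly why a low-and-slow scanner needs a longer findtime (or the geoip cut-off Paul describes) rather than a lower maxretry; and whatever the ban list says, an attacker who rotates source addresses the way Zeeshan describes is only slowed down by per-IP bans, so the ignoreip list should hold your own trunks and monitoring hosts, and a real deployment should also unban after bantime rather than letting DROP rules accumulate.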
