Re: [Full-disclosure] Compromised host list - some clarification...

[James Lay <jlay@xxxxxxxxxxxxxxxxxxx>]

On Tue, 21 Feb 2006 16:03:56 +0000
"Robert P. McKenzie" <rmckenzi@xxxxxxxxx> wrote:

> James Lay wrote:
> > So ok.....I'm completely positive I didn't make myself clear at all
> > in my previous message...go me!  Here's a web site that I did
> > manage to find that has a current list of open proxies:
> > 
> > http://www.samair.ru/proxy/index.htm
> > 
> > My hope is that I could find a site that has a list of currently
> > reported open proxies, scanners, and ssh brute force boxes.  The
> > RBL's pretty much have smtp covered.  I would run a cron job at
> > midnight, wget and grep the file, then create an iptables table to
> > block those hosts. This is an attempt to be more proactive then
> > reactive...if I knew those hosts that were actively doing naughty
> > things, why not block them at the get go?
> > 
> > Does this make sense?  Am I barking up the wrong tree?  Thanks all
> > =)
> 
> It's clear, however, as others have pointed out it's far easier to
> block everything and then selectivily allow what you want to talk to
> you.  How do you think iptables will react if you have say 20,000
> entries in it?  My guess is it will slow your machines down.
> 
> Go the sensible route and block everything and permit the much
> smaller list of hosts to connect to you.
> 

Robert,

I do understand this, however this would not fit well for services that
are for public use..IE web or email I could not simply just deny
everyone.  But for ports that I do NOT want the public to see you
bet...block all is the way to go.  Thank you!

James
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/