We are looking for the following solution.

Honeypot that collects attacks against SSH/FTP and so on. Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders. Of course we would require a master whitelist as well, so as not to be blocked from our own networks.

Any current solutions or ideas?

--
BRW
Dionaea (Nepenthes successor) and Kippo (SSH honeypot) are a good start for the honeypot side.

http://carnivore.it/
http://dionaea.carnivore.it/
http://code.google.com/p/kippo/

Watching the tty logs in Kippo is great entertainment. Perfect way to collect the skiddies' tools.

As far as the automation of ACLs, if you find a script out in the wild please share. I do know of the following Snort to Cisco PIX Perl script. Hope this helps.

http://www.chaotic.org/guardian/
http://www.chaotic.org/guardian/scripts/pix-block.pl

Regards,
Ruben Guerra

-----Original Message-----
From: Brian R. Watters [mailto:brwatters@absfoc.com]
Sent: Tuesday, January 18, 2011 1:12 PM
To: nanog@nanog.org
Subject: Auto ACL blocker

Any current solutions or ideas ??
On Jan 18, 2011, at 1:12 PM, Brian R. Watters wrote:
Any current solutions or ideas ??
This sort of thing can be gamed by attackers to cause DoS on your network/for your users/for others trying to access resources on your network. It's a Bad Idea.

Set up S/RTBH and do it by hand.

------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.

-- Alan Kay
send/expect?

On Jan 18, 2011, at 2:12 PM, Brian R. Watters wrote:
Any current solutions or ideas ??
On Tue January 18 2011 13:12, Brian R. Watters wrote:
Any current solutions or ideas ??
Private BGP session with Zebra or Quagga on a Linux box adding the selected IP to a null route.

--
Larry Smith
lesmith@ecsis.net
From: Larry Smith [mailto:lesmith@ecsis.net] Sent: Tuesday, January 18, 2011 8:32 PM
On Tue January 18 2011 13:12, Brian R. Watters wrote:
Any current solutions or ideas ??
Private BGP session with Zebra or Quagga on a linux box adding the selected IP to a null route.
As we currently do it by putting new rules automatically in firewalls (iptables), it should be easy to change it a little bit, I think. After the change it should be able to put rules in Zebra/Quagga (or something similar based on Linux/Unix). As long as telnet access is available, it should also be doable to put it automatically in routers without the need of a setup with BGP and Zebra/Quagga.

We are currently looking for ways to increase the list with "abusive" systems to block. If someone wants to work together with us on increasing the mentioned options, feel free to contact me offlist. How we get the data currently (from multiple sources) or how the process currently works isn't something I can currently mention here (at least not the details).

Regards,
Mark
I would consider doing it through BGP via Quagga or such. Null-routing with BGP is much cleaner than ACLs, as your config stays static and only your routing table changes. I also imagine, due to existing BGP blacklisting methods, that much of the work is already done and all you need is to get the honeypot to export the right format.

-----Original Message-----
From: Brian R. Watters [mailto:brwatters@absfoc.com]
Sent: Tuesday, January 18, 2011 11:12 AM
To: nanog@nanog.org
Subject: Auto ACL blocker

Any current solutions or ideas ??
Brian,

Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you?

Ron
-----Original Message-----
From: Brian R. Watters [mailto:brwatters@absfoc.com]
Sent: Tuesday, January 18, 2011 2:12 PM
To: nanog@nanog.org
Subject: Auto ACL blocker
Any current solutions or ideas ??
Ron,

I am sure any solution, given enough time, could be used against you. However, my hope was that a whitelist could help in that regard; however, I know you're correct.

----- Original Message -----
From: "Ronald Bonica" <rbonica@juniper.net>
To: "Brian R. Watters" <brwatters@absfoc.com>, nanog@nanog.org
Sent: Tuesday, January 18, 2011 11:55:28 AM
Subject: RE: Auto ACL blocker

Brian,

Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you?

Ron
-----Original Message-----
From: Brian R. Watters [mailto:brwatters@absfoc.com]
Sent: Tuesday, January 18, 2011 2:12 PM
To: nanog@nanog.org
Subject: Auto ACL blocker
Any current solutions or ideas ??
--
Brian R. Watters
Director
American Broadband Family of Companies
5718 East Shields Ave
Fresno, CA. 93727
brwatters@absfoc.com
http://www.americanbroadbandservice.com
tel: 559-420-0205 fax: 559-272-5266 toll free: 866-827-4638
On Tue, Jan 18, 2011 at 1:12 PM, Brian R. Watters <brwatters@absfoc.com> wrote:
Any current solutions or ideas ??
A good start from the honeypot would be sshguard. I'm sure that it could be adapted to script out an ACL or such; as well, in my usage of it, it has timed values to release the block after X_amount_of_time. I'd be curious as to what other(s) you find for this.

-Joe Blanchard
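The timed-release behaviour Joe describes in sshguard, as an added example written for this thread rather than sshguard's own code: a small tracker that blocks a source only after a threshold of honeypot hits inside a time window, never blocks whitelisted prefixes (the "master whitelist" the original post asked for), and releases the block after a TTL. The class name, the threshold/window/TTL values and the sample hit list are constructed for illustration; the output is the set of addresses a downstream ACL or null-route script would act on.

```python
"""Threshold-and-expiry tracker for honeypot hits (added example, in the
style of sshguard's timed release; not sshguard's code)."""
import ipaddress
from collections import defaultdict


class BlockTracker:
    """Block a source only after `threshold` hits inside `window` seconds,
    skip whitelisted prefixes, and release a block `ttl` seconds after it
    was imposed. Thresholds are constructed defaults, not sshguard's."""

    def __init__(self, whitelist, threshold=3, window=600, ttl=3600):
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.threshold = threshold
        self.window = window
        self.ttl = ttl
        self.hits = defaultdict(list)   # ip -> timestamps of recent hits
        self.blocked = {}               # ip -> time the block was imposed

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record(self, ip, ts):
        """Register one hit at time ts; return True if ip becomes blocked now."""
        if self.is_whitelisted(ip) or ip in self.blocked:
            return False
        # keep only hits inside the sliding window, then add this one
        recent = [t for t in self.hits[ip] if ts - t <= self.window]
        recent.append(ts)
        self.hits[ip] = recent
        if len(recent) >= self.threshold:
            self.blocked[ip] = ts
            del self.hits[ip]
            return True
        return False

    def expire(self, ts):
        """Release blocks older than ttl; return the list of released ips."""
        released = [ip for ip, t0 in self.blocked.items() if ts - t0 >= self.ttl]
        for ip in released:
            del self.blocked[ip]
        return released

    def active(self):
        """Currently blocked addresses, sorted for stable config output."""
        return sorted(self.blocked)


# Constructed honeypot events: (unix timestamp, source ip). Not real data.
SAMPLE_HITS = [
    (1000, "203.0.113.7"), (1010, "203.0.113.7"), (1020, "203.0.113.7"),
    (1030, "198.51.100.9"),                                         # one hit only
    (1040, "192.0.2.5"), (1041, "192.0.2.5"), (1042, "192.0.2.5"),  # whitelisted
]


def replay(hits=SAMPLE_HITS, whitelist=("192.0.2.0/24",)):
    """Feed the events through a tracker; return it and the newly blocked ips."""
    tracker = BlockTracker(whitelist)
    newly = [ip for ts, ip in hits if tracker.record(ip, ts)]
    return tracker, newly


if __name__ == "__main__":
    tracker, newly = replay()
    print("blocked:", newly)
    print("released after ttl:", tracker.expire(1020 + 3600))
```

Requiring several hits inside a window means a single spoofed packet cannot get an address blocked, which is the gaming concern raised earlier in the thread, and the TTL bounds how long a mistaken block lasts.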
We have used this solution for some time and find it works pretty well:

http://www.rfxn.com/projects/

However, we need to find a way to pass this info off to a router. This project used to hold promise, however it's dead now:

www.ipblocker.org

----- Original Message -----
From: "Joe Blanchard" <jbfixurpc@gmail.com>
To: "Brian R. Watters" <brwatters@absfoc.com>
Cc: nanog@nanog.org
Sent: Tuesday, January 18, 2011 12:19:24 PM
Subject: Re: Auto ACL blocker

A good start from the honeypot would be sshguard. I'm sure that it could be adapted to script out an ACL or such; as well, in my usage of it, it has timed values to release the block after X_amount_of_time. I'd be curious as to what other(s) you find for this.

-Joe Blanchard
Also, have you considered just using the Spamhaus DROP list? They even have code to have the list pushed to IOS available. You could simply substitute your file for their list if you only want to use IPs caught by your honeypot.

http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ

-----Original Message-----
From: Brian R. Watters [mailto:brwatters@absfoc.com]
Sent: Tuesday, January 18, 2011 11:12 AM
To: nanog@nanog.org
Subject: Auto ACL blocker

Any current solutions or ideas ??
On 1/18/2011 6:48 PM, Thomas Magill wrote:
Also, have you considered just using the spamhaus DROP list? They even have code to have the list pushed to IOS available. You could simply substitute your file for their list if you only want to use IPs caught by your honeypot.
http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ
I know Spamhaus doesn't offer a BGP feed of the DROP list. Has anyone made a homegrown solution?

There is a PHP script that pulls the DROP list and makes a Cisco ACL or iptables rules:

http://www.potato-people.com/code/misctools/spamhausdrop.phps
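As an added example (not ML's PHP script, and not Spamhaus, Cisco or Quagga code) of the list-to-router step discussed in this thread, covering both the DROP-to-ACL conversion and Larry's Zebra/Quagga null-route approach: a Python script that parses a DROP-style "prefix ; comment" text file, drops any entry overlapping the whitelist of our own networks, refuses to emit a list larger than a cap, and produces Cisco IOS extended-ACL lines and Zebra static null routes. The ACL name, the cap, the sample list and the whitelist prefixes are constructed for illustration.

```python
"""Turn a DROP-style text blocklist into Cisco ACL lines and Zebra null
routes, honouring a whitelist of prefixes that must never be blocked.
Added example; not the PHP script linked above nor vendor code."""
import ipaddress

# Constructed sample in the "prefix ; comment" layout of the DROP text file.
SAMPLE_BLOCKLIST = """\
; constructed sample, not real DROP data
198.51.100.0/24 ; SBL-EXAMPLE
203.0.113.7 ; honeypot hit: ssh brute force
192.0.2.44 ; honeypot hit: ftp brute force (inside our own range)
10.0.0.5 ; internal host, must never be blocked
"""
OWN_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]   # constructed whitelist


def parse_blocklist(text):
    """Return ip_network objects; ';' starts a comment, blank lines are skipped."""
    nets = []
    for line in text.splitlines():
        body = line.split(";", 1)[0].strip()
        if body:
            nets.append(ipaddress.ip_network(body, strict=False))
    return nets


def apply_whitelist(nets, whitelist):
    """Drop any entry that overlaps a whitelisted prefix (either direction)."""
    wl = [ipaddress.ip_network(w) for w in whitelist]
    return [n for n in nets if not any(n.overlaps(w) for w in wl)]


def cisco_acl(nets, name="AUTOBLOCK", max_entries=5000):
    """IOS extended ACL: one deny per prefix, then permit any. The cap stops
    a flood of honeypot hits from growing the ACL without bound (constructed
    limit; size it to the router's TCAM)."""
    if len(nets) > max_entries:
        raise ValueError(f"{len(nets)} entries exceeds cap of {max_entries}")
    lines = [f"ip access-list extended {name}"]
    for n in nets:
        if n.version != 4:
            raise ValueError(f"IPv4 only in this example: {n}")
        if n.prefixlen == 32:
            lines.append(f" deny ip host {n.network_address} any")
        else:
            lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return lines


def zebra_null_routes(nets):
    """Zebra/Quagga static routes to Null0, one per prefix."""
    return [f"ip route {n.with_prefixlen} Null0" for n in nets]


def build(text=SAMPLE_BLOCKLIST, whitelist=OWN_NETWORKS):
    """Parse, whitelist, and render both output formats."""
    nets = apply_whitelist(parse_blocklist(text), whitelist)
    return cisco_acl(nets), zebra_null_routes(nets)


if __name__ == "__main__":
    acl, routes = build()
    print("\n".join(acl))
    print()
    print("\n".join(routes))
```

The null routes go into zebra; distributing them to the edge router over the private BGP session Larry describes is a bgpd redistribution step outside this example. The whitelist check uses overlap rather than exact match, so a /24 entry that happens to cover one of our own hosts is rejected as a whole rather than blocking the rest of it.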
-----Original Message-----
From: ML [mailto:ml@kenweb.org]
Sent: Tuesday, January 18, 2011 4:28 PM
To: nanog@nanog.org
Subject: Re: Auto ACL blocker
I know Spamhaus doesn't offer a BGP feed of the DROP list. Has anyone made a homegrown solution?
"DROP is currently available only as a simple text list but may be available in the future by BGP, announced via an Autonomous System Number (ASN). DROP users could then choose to peer with that ASN to null those prefixes as being ranges for which they do not wish to route traffic." I considered giving it a shot until I read that. It doesn't seem very difficult but don't have the free time to work on things that someone else claims is coming. I also don’t have a spare ASN to share it externally which would be the ultimate goal, like the Cymru bogon peering.
LOL.. oops.. I guess I could just use 65xxx.

-----Original Message-----
From: Thomas Magill [mailto:tmagill@providecommerce.com]
Sent: Tuesday, January 18, 2011 5:23 PM
To: ml@kenweb.org; nanog@nanog.org
Subject: RE: Auto ACL blocker
Participants (10):
- Brian R. Watters
- Greg Whynott
- Guerra, Ruben
- Joe Blanchard
- Larry Smith
- Mark Scholten
- ML
- Roland Dobbins
- Ronald Bonica
- Thomas Magill