hours, totalhours changed

jim — Fri, 06 Sep 2013 11:20:25 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.0 to 0.1

The place to enable this is /etc/csf/csf.conf in the section labelled:

# SECTION:Global Lists/DYNDNS/Blocklists

It's a case of settings some false/0 to 1/true... Also you should set _CUSTOM_CONFIG_CSF=YES in #~/.barracuda.cnf so these settings aren't overwritten by BOA updates.

However, I'd recommend doing this one AFTER the #586 New Relic install so we get the latest BOA version of csf.conf before locking updates to it. Then we get the recent improvements, plus anti-spam protection at a firewall level.

hours, totalhours changed

chris — Sun, 15 Sep 2013 17:08:17 GMT

hours changed from 0.0 to 0.7
totalhours changed from 0.1 to 0.8

The /etc/csf/csf.blocklists contains configs for the following lists, I have noted which ones have been enabled.

The firewall was restarted:

csf -r

And the documentation updated, wiki:PuffinServer#CSFLDF

Spamhaus Don't Route Or Peer List (DROP)

Details: http://www.spamhaus.org/drop/

DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by criminals and professional spammers. DROP and EDROP are a tiny subset of the SBL designed for use by firewalls and routing equipment.

This looks safe to enable.

DShield.org Recommended Block List

Details: http://dshield.org

This list summarized the top 20 attacking class C (/24) subnets over the last three days.

This looks safe to enable.

TOR Exit Nodes

Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList

I'm strongly opposed to this being enabled.

BOGON list

Details: http://www.team-cymru.org/Services/Bogons/

A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

This looks safe to enable.

Project Honey Pot Directory of Dictionary Attacker IPs

Details: http://www.projecthoneypot.org

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website.

This looks safe to enable.

C.I. Army Malicious IP List

Details: http://www.ciarmy.com

Based on information from our network of Sentinel devices deployed around the world, we compile a list of known bad IP addresses. How do we know their bad? We utilize DPAM (read more about DPAM here), and part of that is proprietary, but here's a hint: Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, we feel confident the IP is malicious and should be blocked.

Not sure about this one, not enabling it for now, the list isn't that long.

BruteForceBlocker IP List

Details: http://danger.rulez.sk/index.php/bruteforceblocker/

block SSH bruteforce attacks via firewall

Makes sense, I have enabled this one.

Emerging Threats - Russian Business Networks List

Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

IP address ranges from which the former customers of the RBN ISP, their malware marketing affiliate networks, emulators, and other organized crime groups exploit consumers. Block at will. Test for your production environment prior to utilization.

Not sure about this one, not enabling it for now.

OpenBL.org 30 day List

Details: http://www.openbl.org

The OpenBL.org project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.

Enabled.

Autoshun Shun List

Details: http://www.autoshun.org/

AutoShun? is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other snort sensors, honeypots, and mail filters from around the world.

With the Autoshun plugin installed you can contribute alerts from your IDS/IPS Sensors to the assist the fight against bots, worms, spam engines, and zombies!

Enabled.

MaxMind GeoIP Anonymous Proxies

Details: https://www.maxmind.com/en/anonymous_proxies

This is another one which we should not use.

hours, status, totalhours changed; resolution set

chris — Fri, 15 Nov 2013 12:16:06 GMT

hours changed from 0.0 to 0.1
status changed from new to closed
resolution set to fixed
totalhours changed from 0.8 to 0.9

This ticked has been linked to from the server documentation, wiki:PuffinServer#Blocklists and I can't see any reason not to now close it.

Transition Technology: Ticket #589: Blocking spammers at a firewall level

hours, totalhours changed

hours, totalhours changed

Spamhaus Don't Route Or Peer List (DROP)

DShield.org Recommended Block List

TOR Exit Nodes

BOGON list

Project Honey Pot Directory of Dictionary Attacker IPs

C.I. Army Malicious IP List

BruteForceBlocker IP List

Emerging Threats - Russian Business Networks List

OpenBL.org 30 day List

Autoshun Shun List

MaxMind GeoIP Anonymous Proxies

hours, status, totalhours changed; resolution set