Skip to content

I don't have no other pants!

5th September 2008

OK so I've knocked up a simple blacklist:

The source code behind it all is open.

Currently it is setup to import IPs which denyhosts has downloaded every hour, and it will also receive updates from several systems under my direct control.

If you wish to begin submitting your own reports you may get in touch, or read the documentation in the source repository. I'll document that on the site itself publically in a couple of days.

So far I see several people have rsync'd my zonefile a few times. I guess the domain name was a bit predictable.

ObFilm: The Great Muppet Caper

Tags: blacklist, mercurial. | 6 comments.

Comments On This Entry

  1. [gravitar] Tiago Faria Submitted at 21:53:20 on 4 September 2008
    You never cease to amaze me. Great work!
  2. [gravitar] Chris Burkhardt Submitted at 22:20:10 on 4 September 2008
    That was fast. I plan to start using this at some point in the future. Thanks!
    (By the way, 127.0.0.1 is currently blacklisted.)
  3. [author] Steve Kemp Submitted at 22:32:52 on 4 September 2008

    Tiago: Thanks!

    Chris: Thanks for that too. I've added the ability to whitelist IPs and added removed the 127.0.0.1 entry by using it.

    I hope that other people do manage to submit, but I think it wouldn't be such a waste if they didn't. I'm already finding the list useful with only a couple of thousand IPs in it, and the overhead is pretty minimal.

  4. [gravitar] Chris Burkhardt Submitted at 00:24:39 on 5 September 2008
    It would be nice if you could get a least a few submitters spread about the IP address space so that no matter which address an attacker starts at it will get submitted to the blacklist in time for it to be useful.
  5. [author] Steve Kemp Submitted at 08:49:47 on 5 September 2008

    I think that my own machines are spread out around IP-space as it is, but I'm happy for more submissions too :)

  6. [gravitar] Adam Trickett Submitted at 11:32:42 on 10 September 2008
    Very cool and useful. I've done something like that before, but I wasn't happy with my solution. I wrote a script that looked for failed log in attempts and other known dodgy behaviour then appended the date and IP to a file. When I open up my firewall to let in SSH traffic I load a blacklist in based on the date/ip file. Periodically I sort the list to remove the older IPs. The problem is that it doesn't dynamically update the firewall rules on the fly, so it only keep pests out if they come back the following day, which is why I gave up on the idea. I'd consider using your database of bad IPs if nothing else.