
Are there any tools similar to fail2ban that would allow sharing of IP black lists? What I'm looking for is something similar to a DNS based blackhole list or real-time blackhole list as is used to stop the spread of spam. However I'm not so much interested in SPAM but in attackers doing things like port scans, password guessing, etc. My servers get attacked hundreds of times a day and attackers could be shut down so much quicker if there was a list of known (suspected?) attackers.

Toddinpal

3 Answers


Such lists exist. Or pretty close. Example: https://www.spamhaus.org/sbl/

But my advice would be not to rely on those lists.

First of all install a tool like fail2ban or CSF+LFD on your servers - if you haven't already. Then offending IP addresses will be quickly blocked at firewall level.

When you have a machine exposed on the Internet being scanned is a fact of life. The problem is that some of the scanning activity is legitimate, some of it is malicious. Not everyone has the same criteria about what constitutes malicious activity.

For example, search engines will routinely scan the Internet for ports 80/443 in order to discover new hosts and websites to index etc. That is perfectly legitimate. Some hosts probe for FTP/SSH/telnet/MySQL/SQL Server etc. or scan all the TCP/IP ports. Many sysadmins won't like this kind of probing. But it can still be legitimate for statistical purposes.

It's always interesting to know the prevalence of FTP servers, or Gopher or whatever. Or the respective market share of web server software vendors. In order to aggregate this data, you have to scan.

That is also how some poorly-protected servers hosting databases or sensitive files are found and reported through responsible disclosure.

So my criteria would be to show some leniency when it comes to scanning, but throttle the requests. On the other hand, brute-force attacks must be thwarted without mercy. By default CSF+LFD will ban an IP address for one hour after 5 failed SSH attempts, I believe. It can also automatically block port scanning attempts.

You can tune the limits and also create your own rules.

In short, I would rather block the IP addresses actually attacking my servers, than base the decision process on a second-hand list that may not be accurate or relevant. There is no list that will cover all possible attackers.

Kate

Yes, there are such tools, but in fact you can use fail2ban. See https://www.blocklist.de/en/. They have a config for fail2ban that also includes use of badips.com.

https://docs.danami.com/juggernaut/user-guide/ip-block-lists has links to other lists that may allow user contribution.

I wouldn't use them because they can be easily abused.

Mark Wagner
  • Do these lists include some sort of mechanism to rank the reported abuse? I'm not really concerned with robots, port scans, etc. What I'm really interested in blocking as soon as possible are attempted break-ins. I run fail2ban on the systems I can, but it seems far more efficient to cut off known offenders before they even get to one of my ports. I'm not running large public servers and I'm also running a bunch of home automation stuff that I'd like to protect. Ideally I'd want my router to just blackhole packets from known or even suspected abusers. A few false positives are OK. – Toddinpal Feb 20 '20 at 17:38

AbuseIPDB offers an API to check an IP address under several categories of abuse. It can integrate with CSF in both directions (query and report) and with fail2ban for reporting abuse only.

I certainly wouldn't use the IP addresses in this database to deny access from an IP, but it could be a hint to set lower fail2ban limits.

However, as with all the other answers, this database can easily be flooded with fake reports from spammers whenever it becomes a problem.

Piotr P. Karwasz
  • Seems like all of these reporting systems need a reputation mechanism to prevent spamming of the lists. – Toddinpal Feb 21 '20 at 16:41
  • Such a system is difficult to implement. You cannot verify that the listed IP really attacked the reporter, and the fact that you were not attacked by the listed IP doesn't mean it is clean. Spammers can report the same IPs that legitimate users do and add some of their own. – Piotr P. Karwasz Feb 21 '20 at 22:36
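An added example (not code from any answer, nor from fail2ban, CSF or AbuseIPDB) showing both ideas from the answers above in one place: the fail2ban/CSF-style "5 failures within a window, then ban for one hour" rule Kate describes, and Piotr's suggestion of using a shared list only as a hint to lower that threshold rather than as a block list. The log lines and the `reported_ips` set are constructed; the regex, thresholds and function name are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style sshd filter: match "Failed password ... from <ip>" lines (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample auth.log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Feb 20 17:30:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb 20 17:30:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Feb 20 17:30:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb 20 17:30:06 host sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Feb 20 17:30:08 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 60000 ssh2
Feb 20 17:30:09 host sshd[1206]: Failed password for invalid user test from 198.51.100.7 port 60001 ssh2
Feb 20 17:30:10 host sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 60002 ssh2
Feb 20 17:31:00 host sshd[1208]: Failed password for root from 203.0.113.5 port 51260 ssh2
Feb 20 17:31:01 host sshd[1209]: Failed password for root from 203.0.113.5 port 51270 ssh2
"""


def ban_decisions(log_text, reported_ips=frozenset(), maxretry=5, hinted_maxretry=3,
                  findtime=timedelta(minutes=10), bantime=timedelta(hours=1), year=2020):
    """Return {ip: ban_expiry} for IPs whose failures inside `findtime` reach their limit.

    `reported_ips` is a hypothetical set taken from a shared list: it never bans by itself,
    it only lowers the failure threshold (maxretry -> hinted_maxretry) for those addresses.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}                     # ip -> datetime when the ban expires
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ip in bans and ts < bans[ip]:
            continue              # already banned; the firewall would have dropped this
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()           # slide the window: forget failures older than findtime
        limit = hinted_maxretry if ip in reported_ips else maxretry
        if len(q) >= limit:
            bans[ip] = ts + bantime
            q.clear()
    return bans
```

With no hint, only 203.0.113.5 (five failures in under two minutes) is banned; listing 198.51.100.7 as reported lowers its limit to three, so it is banned too, which is exactly the "lower fail2ban limits" effect rather than a blanket deny.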