Matthew:

I think something like this is good, although be very very careful as doing so 
could get you sued.

If you don't believe me, ask my friends Paul Vixie and Dave Rand.  They are the 
inventors of one of the first (IF NOT THE FIRST) e-mail RBLs (MAPS) and doing 
so got them sued.  

http://en.wikipedia.org/wiki/Mail_Abuse_Prevention_System

Vixie also happens to be the guy that wrote BIND - the DNS server that runs 
over 75% of the Internet.

Once again, I think it's a great idea...just be sure to protect yourself.

Bill

> -----Original Message-----
> From: Matthew Gamble [mailto:mgam...@mgamble.ca]
> Sent: Wednesday, September 01, 2010 8:21 PM
> To: Bruce N; asterisk Mailing
> Subject: Re: [on-asterisk] Crowd sourcing rules for blocking hacking attempts?
> 
> Bruce,
> 
> What I'm proposing (and actually just started writing the code for) is
> a system where we allow anyone to sign up (the power of the crowds)
> but require a few things:
> 
> 1) Authenticated email address.  Not hard to get, but it does stop
> random signups
> 2) Reports from new accounts are not added to the global list for X
> days to monitor the quality of the data they are submitting.
> 
> Further to the above, I'm adding a "score" feature to the output, so
> when you request a list of "bad" hosts you would get a file with IP,
> last reported date, and "score".  The score would be a function of a
> few things:
> 
> 1) How well do you trust the reporter(s)?  Age of accounts, never
> flagged for reporting bad data, etc
> 2) How many people reported this IP?  1?  It wouldn't be in the
> database until a few different sites reported it, etc
> 3) Other criteria I'm still writing.
> 
> The third piece of security would be a system for people to "flag"
> data as being bad, creating a feedback loop to ensure that if a person
> submitted false data that it was quickly removed from the DB.
> 
> Remember that crowd sourced rule systems already work for email
> (Cloudmark for example) and with a trust system and good scoring rules
> the issue of false positives becomes much less of a risk.
> 
> 
> On Wed, Sep 1, 2010 at 8:13 PM, Bruce N <het...@hotmail.com> wrote:
> >  Hello Matthew,
> >
> > Are you suggesting an open system for everyone and anyone to input an IP
> > address? Two scenarios:
> >
> > 1- Allow only people who you trust -
> >        CONS:
> >          a- Still can't negate the fact that some authorized user may
> >             mistakenly put a client's IP in the "BAD" IP table.
> >          b- Limiting the number of reported "BAD" IPs to the number of
> >             trusted people which I would like to believe would be very
> >             small or else it won't be a trusted circle.
> >        PROS:
> >          a- Can be MORE or LESS a trusted database - As long as no bulk
> >             IPs are allowed to be entered and there are restrictions to
> >             add more than 1 IP per hour let's say.
> >
> > 2- Allow anyone to sign-up and add "BAD" IPs.
> >        CONS:
> >          a- Anyone can sign-up. Even the cracker!!! He can put our legit
> >             IPs in the database and "BOOM", shutdown service for clients
> >             for no good reason. I mean an IP that is "BAD" today can be a
> >             potential customer tomorrow. What would be the rules to remove
> >             them when you have a whole bunch of people submitting these -
> >             especially if this grows really big.
> >          b- The list will grow so big that it won't be possible to handle
> >             or it might again block legit users as the attacks are usually
> >             co-ordinated not from the cracker IP address but rather
> >             compromised servers and it might literally block a good
> >             portion of the USA continental as lots of attacks do originate
> >             from compromised servers in USA while the cracker is enjoying
> >             his tea break in Russia.
> >
> >        PROS:
> >          a- Would be a more complete list of "BAD" IP addresses.
> >
> > These workarounds will be somehow useful but isn't it about time that SIP
> > becomes more transparent to the common folks (simpler, less ambiguous
> > output, and more manageable SIP debug) - as it's becoming more commonplace
> > now-a-days? Or maybe pay more attention to its security feature innately
> > like other popular protocols rather than keeping them as an option for the
> > user to turn on? As an example, just a few years ago, all wireless routers
> > were possible to setup without a wireless security (one could literally
> > jump from neighbour to neighbour in the whole block) and now any router
> > you take out of the box either has a randomly generated wireless password
> > or asks for one before setting up the wireless leaving you with no access
> > to neighbours hot spot.
> >
> > -Bruce
> >
> >
> >> Date: Wed, 1 Sep 2010 19:48:54 -0400
> >> From: mgam...@mgamble.ca
> >> To: asterisk@uc.org
> >> Subject: [on-asterisk] Crowd sourcing rules for blocking hacking attempts?
> >>
> >> I've been following the threads over the past weeks about Asterisk
> >> hacks being on the rise, and I have to say I've been seeing the same
> >> thing in my logs.
> >>
> >> I'm wondering if there is any community interest in creating a
> >> database of known "attack" IP's that we could all update our IPTables
> >> or other firewall rules with? I'm thinking we create some interface
> >> for people to submit hosts they have blocked and a second interface
> >> for people to download a list of "bad hosts" with number of reports.
> >>
> >> If anyone is interested in working on something like this please let
> >> me know. I don't mind hosting / writing / running it, but I would
> >> like to know that the community would use it before I invest the time
> >> to set it up.
> >>
> >> Thanks!
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: asterisk-unsubscr...@uc.org
> >> For additional commands, e-mail: asterisk-h...@uc.org
> >>
> >
> 


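A sketch of the scoring scheme Matthew proposes in the quoted message above, added here as an example and not code from the thread or from his project. The 14-day quarantine, the three-reporter minimum, the trust formula, and all accounts and addresses are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

QUARANTINE_DAYS = 14   # assumed value for the "X days" holding period
MIN_REPORTERS = 3      # assumed value for "a few different sites"

@dataclass
class Reporter:
    email_verified: bool
    joined: date
    bad_reports: int = 0   # earlier submissions that were flagged as bad data

def trust(r, today):
    """0 while unverified or quarantined; else grows with age, cut by bad data."""
    age = (today - r.joined).days
    if not r.email_verified or age < QUARANTINE_DAYS:
        return 0.0
    return min(age / 365, 1.0) / (1 + r.bad_reports)

def build_list(reports, reporters, flagged, today):
    """Return (ip, last_reported, score) rows, highest score first."""
    votes = defaultdict(dict)          # ip -> {reporter: (weight, last date)}
    for who, ip, when in reports:
        weight = trust(reporters[who], today)
        if weight == 0 or (who, ip) in flagged:
            continue                   # quarantined, unverified or disputed
        last = votes[ip].get(who, (weight, when))[1]
        votes[ip][who] = (weight, max(last, when))
    rows = []
    for ip, v in votes.items():
        if len(v) >= MIN_REPORTERS:    # listed only with enough distinct reporters
            score = round(sum(w for w, _ in v.values()), 2)
            rows.append((ip, max(d for _, d in v.values()), score))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample data: invented accounts, documentation address ranges.
TODAY = date(2010, 9, 1)
REPORTERS = {
    "alice": Reporter(True, date(2009, 1, 1)),
    "bob": Reporter(True, date(2010, 3, 1)),
    "carol": Reporter(True, date(2009, 6, 1), bad_reports=1),
    "newbie": Reporter(True, date(2010, 8, 28)),   # inside the quarantine window
}
REPORTS = [(who, ip, date(2010, 8, day)) for who, ip, day in [
    ("alice", "203.0.113.7", 30), ("bob", "203.0.113.7", 31), ("carol", "203.0.113.7", 29),
    ("alice", "198.51.100.20", 30), ("bob", "198.51.100.20", 30), ("newbie", "198.51.100.20", 31),
    ("alice", "192.0.2.50", 28), ("bob", "192.0.2.50", 28), ("carol", "192.0.2.50", 28)]]
FLAGGED = {("carol", "192.0.2.50")}    # another member disputed this report
print(build_list(REPORTS, REPORTERS, FLAGGED, TODAY))
```

Only 203.0.113.7 is listed: the quarantined account's report on 198.51.100.20 and the flagged report on 192.0.2.50 each leave those addresses one reporter short of the threshold.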
