On Sun, Nov 30, 2014 at 9:15 PM, Mike Hammett <[email protected]>
wrote:
> I was thinking OpenBGPD, but admittedly, I haven't used either yet.
>
>
sure, quagga, openbgpd, whatever... 'bgp speaking daemon'... :)
The quagga part I've done previously... so it's familiar to me.
> Of course controls would be in place to not blackhole myself.
>
>
>
great! remember, with great power comes ... and all that.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
>
> ------------------------------
> From: "Christopher Morrow" <[email protected]>
> To: "Gavin Henry" <[email protected]>
> Cc: "fail2ban list" <[email protected]>,
> [email protected]
> Sent: Sunday, November 30, 2014 7:26:09 PM
> Subject: Re: [Fail2ban-users] Syslog -> BGP Blackhole
>
> Jumping in near/at the end of this conversation...
>
> On Sun, Nov 30, 2014 at 2:23 PM, Gavin Henry <[email protected]>
> wrote:
> >
> > On 30 Nov 2014 19:09, "Mike Hammett" <[email protected]> wrote:
> >>
> >> You can still withdraw the route advertisement.
> >>
> >> If you're attempting to gain access to my systems, you don't belong on
> my
> >> network. No one other than my management should ever attempt to gain
> access
> >> to my systems. The vast majority of the time it'll be script kiddies or
> >> malware.
>
> There are a myriad of reasons NOT to do this, but since you seem like
> you've thought through a few, I think you want to do something like:
>
> 0) setup quagga on your machine that does the logging, have it ibgp
> peer with your network gear (quagga - http://www.nongnu.org/quagga/)
>
> 1) setup an 'action script' to simply add the offending ip
> address(range/etc) and a timestamp for the event to a simple text
> file.
> (http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Actions)
>
> 2) have a cronjob cycle through the list, adding/removing offending
> ips to a list of static routes in quagga, you can do this with expect
> or you could simply update the on-disk configuration file for quagga
> and hup the daemon (which I think won't bounce the bgp sessions.. but
> you'd be best testing)
>
> 3) redistribute the static routes into BGP with some community the
> ibgp speakers can match and reset next-hop with.
>
> I suggest the expect method so your config starts clean at each
> reboot, I think you'll also want to quality control some of the inputs
> to quagga's list, you might not want to blackhole yourself or other
> interesting things around the network.
>
> -chris
>
>
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
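Steps 1 through 3 of Chris's recipe, plus the "quality control some of the inputs" point, as one added example; this is not code from the thread, from fail2ban or from quagga. It assumes the fail2ban action appends lines of the form `<ip> <unix-timestamp>` to a text file, that zebra accepts `ip route <ip>/32 Null0` as the blackhole static, and that bgpd redistributes statics through a route-map that tags them with a community (the ASN and community in the comment are placeholders). Routes are pushed through `vtysh -c` rather than by editing the on-disk config, so the box starts clean at each reboot, and addresses inside the protected prefixes are never installed.

```shell
#!/bin/sh
# Added example: reconcile a fail2ban-written ban list with quagga static
# blackhole routes. Assumed, not from the thread:
#  - fail2ban action appends "<ip> <unix-timestamp>" lines to $BANFILE
#  - zebra takes "ip route <ip>/32 Null0" as the blackhole static
#  - bgpd side (placeholders, not applied here):
#      router bgp 65001 / redistribute static route-map BLACKHOLE
#      route-map BLACKHOLE permit 10 / set community 65001:666

BANFILE="${BANFILE:-/var/lib/fail2ban/bgp-blackhole.txt}"
TTL="${TTL:-86400}"   # seconds a ban stays routed before it is withdrawn
# Prefixes that must never be blackholed: your own space, RFC1918, loopback
PROTECTED="${PROTECTED:-192.0.2.0/24 10.0.0.0/8 127.0.0.0/8}"

# valid_ipv4 A.B.C.D -> exit 0 if exactly four octets, each 0..255
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr A.B.C.D X.Y.Z.W/N -> exit 0 if the address lies inside the prefix
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# protected A.B.C.D -> exit 0 if the address falls in any PROTECTED prefix
protected() {
    for p in $PROTECTED; do in_cidr "$1" "$p" && return 0; done
    return 1
}

# wanted_routes BANFILE NOW -> sorted unique IPs that should be blackholed:
# well-formed, not protected, and banned less than TTL seconds before NOW
wanted_routes() {
    now=$2
    while read -r ip ts _; do
        case $ts in ''|*[!0-9]*) continue;; esac   # malformed line
        [ $(( now - ts )) -lt "$TTL" ] || continue  # expired ban
        valid_ipv4 "$ip" || continue                # garbage in the file
        protected "$ip" && continue                 # never blackhole ourselves
        echo "$ip"
    done < "$1" | sort -u
}

# installed_routes -> sorted /32 Null0 statics currently in zebra's config
installed_routes() {
    vtysh -c 'show running-config' 2>/dev/null \
        | sed -n 's#^ip route \([0-9.]*\)/32 Null0.*#\1#p' | sort -u
}

# route_commands WANTFILE HAVEFILE -> config lines that bring the installed
# set in line with the wanted set (additions first, then withdrawals)
route_commands() {
    comm -23 "$1" "$2" | sed 's#.*#ip route &/32 Null0#'
    comm -13 "$1" "$2" | sed 's#.*#no ip route &/32 Null0#'
}

# One reconciliation pass, meant for cron. APPLY=1 pushes the commands into
# vtysh; otherwise they are printed for inspection.
reconcile() {
    want=$(mktemp); have=$(mktemp)
    wanted_routes "$BANFILE" "$(date +%s)" > "$want"
    installed_routes > "$have"
    cmds=$(route_commands "$want" "$have")
    rm -f "$want" "$have"
    [ -n "$cmds" ] || return 0
    if [ "${APPLY:-0}" = 1 ]; then
        set -- -c 'configure terminal'           # one -c per config line
        while read -r line; do set -- "$@" -c "$line"; done <<EOF
$cmds
EOF
        vtysh "$@"
    else
        echo "$cmds"
    fi
}

case ${0##*/} in bgp-blackhole.sh) reconcile ;; esac
```

A cron entry such as `*/5 * * * * APPLY=1 /usr/local/sbin/bgp-blackhole.sh` does the "cycle through the list" part; running it without `APPLY` first shows which adds and withdrawals it would send. Because nothing is written to quagga's config file, a restart of zebra drops every blackhole and the next cron run re-installs only the bans that are still within TTL.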