Re: pf: blocklists
spamd is great, but I need to filter other traffic. I still wonder how people manage to download and convert blocklists for loading into pf in an automated way as a cron job. Has anyone attempted to do this? Often there are syntax errors in the lists, sometimes transfers fail. IOW it's unreliable, and I have to do it manually. I guess I could do it such that if a list fails download or conversion, then leave the old list alone, but that sucks too. Also, which lists do you use? Thanks.
Re: pf: blocklists
Here is an example of how to read from a file in pf, but I think you know this already: http://www.openbsd.org/faq/pf/tables.html. And here you can get more ideas for other protocols: http://home.nuug.no/~peter/pf/en/bruteforce.html

On Thu, Mar 4, 2010 at 2:34 PM, nixlists nixmli...@gmail.com wrote:

spamd is great, but I need to filter other traffic. I still wonder how people manage to download and convert blocklists for loading into pf in an automated way as a cron job. Has anyone attempted to do this? Often there are syntax errors in the lists, sometimes transfers fail. IOW it's unreliable, and I have to do it manually. I guess I could do it such that if a list fails download or conversion, then leave the old list alone, but that sucks too. Also, which lists do you use? Thanks.

--
http://www.openbsd.org/lyrics.html
Re: pf: blocklists
nixlists wrote:

spamd is great, but I need to filter other traffic. I still wonder how people manage to download and convert blocklists for loading into pf in an automated way as a cron job. Has anyone attempted to do this? Often there are syntax errors in the lists, sometimes transfers fail. IOW it's unreliable, and I have to do it manually. I guess I could do it such that if a list fails download or conversion, then leave the old list alone, but that sucks too. Also, which lists do you use? Thanks.

I scan the apache error log for entries that I know are undesirable. That script immediately adds that IP to the badhosts table in PF. I do not believe that any botlist will be very effective for apache attacks, although I could be wrong. But all of this is based on personal experience in scanning my error log. There are also many bots that scan for software that some people may use. The ones I don't use get added to that list. Pretty simple perl script with a sleep 1; entry. Always runs, to stop those particularly heavy-handed intruders quickly.

I also use spamd, but apart from any lists I use, I have a script that scans spamdb for known evildoers and traps them. I have a continuing problem with one botnet, but their spam never changes usernames, so it's easy to thwart.

--
A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. -- Robert Heinlein
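The reactive approach in the post above (scan the web server's error log, push the offender into a pf table) as an added example; this is not the poster's perl script. It assumes an Apache error_log at the path below, a `badhosts` table declared in pf.conf, a constructed set of probe paths for software the host does not run, and a NEVER_BLOCK list so a mistaken match cannot lock you out of your own box. Everything else is plain pfctl(8) usage.

```sh
#!/bin/sh
# Added example, not the poster's perl script: watch the Apache error log for
# probes aimed at software this host does not run, and drop the source address
# into a pf table the moment it shows up. Log path, table name, the probe
# patterns and the NEVER_BLOCK list are all assumptions.
set -u
set -f                                   # never glob on log contents

ERROR_LOG=${ERROR_LOG:-/var/www/logs/error_log}
TABLE=${TABLE:-badhosts}                 # pf.conf: table <badhosts> persist; block in quick from <badhosts>
# Paths only a scanner asks for here (assumed: none of this software is installed).
PROBES=${PROBES:-'phpmyadmin|phpMyAdmin|/pma/|/w00tw00t|/wp-login.php|/xmlrpc.php|/cgi-bin/php'}
NEVER_BLOCK=${NEVER_BLOCK:-'127.0.0.1 192.0.2.1'}   # assumed: loopback and your own admin host

# offending_ips: read error_log lines on stdin and print, once each, the client
# address of every "File does not exist" error whose path matches PROBES.
# Handles both the 2.2 "[client 1.2.3.4]" and the 2.4 "[client 1.2.3.4:port]" forms.
offending_ips() {
    awk -v probes="$PROBES" '
        /\[client [0-9.]+(:[0-9]+)?\] .*File does not exist: / && $0 ~ probes {
            if (match($0, /\[client [0-9.]+(:[0-9]+)?\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
                sub(/:[0-9]+$/, "", ip)                    # and the 2.4 source port
                if (!(ip in seen)) { seen[ip] = 1; print ip; fflush() }
            }
        }'
}

# should_block IP: refuse to block anything on the NEVER_BLOCK list, so a
# forged or mistaken log line cannot lock you out of your own firewall.
should_block() {
    for safe in $NEVER_BLOCK; do
        if [ "$1" = "$safe" ]; then return 1; fi
    done
    return 0
}

# block_offenders: follow the log and act on each new address at once (the
# poster's script polls with sleep 1 instead). Re-adding an address already in
# the table is harmless. Restart after newsyslog rotates the file.
block_offenders() {
    tail -f "$ERROR_LOG" | offending_ips | while IFS= read -r ip; do
        if should_block "$ip"; then
            pfctl -t "$TABLE" -T add "$ip"
            pfctl -k "$ip"                   # also kill the scanner's existing states
        fi
    done
}

# Only start following the log when asked, e.g. from rc.local: badhosts-watch watch
if [ "${1:-}" = "watch" ]; then
    block_offenders
fi
```

The `pfctl -k` call matters: adding an address to a table only affects new connections, so a scanner with an established session keeps going until its state is killed. Entries added with `-T add` do not survive a reboot unless you dump the table (`pfctl -t badhosts -T show`) to a file and reload it from pf.conf.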
Re: pf: blocklists
On Thu, Mar 4, 2010 at 14:34, nixlists nixmli...@gmail.com wrote:

spamd is great, but I need to filter other traffic. I still wonder how people manage to download and convert blocklists for loading into pf

If I understand your question and read the spamd-setup(8) man page correctly, you may want to try your luck with its '-b' option. Or did I misunderstand your question? Besides that, if spamd and spamd-setup work for you, you can use the spamd table in PF to block access to other targets than SMTP. If you want to use the spamd-setup mechanic but do not want the data to end up in spamd (and the spamd table), look at its sources and rework it a bit.

Often there are syntax errors in the lists, sometimes transfers fail. IOW it's unreliable, and I have to do it manually.

If you want to increase the reliability of a (vanilla or reworked) spamd-setup run succeeding, you can scrape and parse the lists yourself and distribute them locally. You mentioned that sucks too, though I do not directly see why, other than perhaps the work involved or stale list contents (which can be periodically expired as well). I suspect it's easier to treat the latter reliability concerns as a separate issue rather than work it into spamd-setup, but that's just a personal preference, I suppose.

Regards, Rogier
--
If you don't know where you're going, any road will get you there.
Re: pf: blocklists
2010/3/4 Iñigo Ortiz de Urbina tarom...@gmail.com:

What are you trying to accomplish? I would be interested in helping you, but first I would like to understand it better. I really think all those tasks can be easily automated via scripts and pfctl to load the netblocks on tables. Have a nice day, Iñigo

Since the blocklists (take a look at okean.com and some stuff on other sites I won't mention) are distributed through http - downloads fail sometimes, so I am not sure how to make a reliable automated script that gets these lists periodically. Maybe it should just leave the old file in place when it can't get a new blocklist file. Some distribution sites are overloaded and flaky, downloads fail. Further, the lists need to be converted from their formats to other formats. That's easy, except for the case when there are syntax errors in these list files, and I've seen quite a few. So automatic conversion fails as well :(
Re: pf: blocklists
nixlists nixmli...@gmail.com writes:

spamd is great, but I need to filter other traffic. I still wonder how people manage to download and convert blocklists for loading into pf in an automated way as a cron job. Has anyone attempted to do this?

This is still pretty vague. If you want to download lists of IP addresses to load into tables, that's fairly straightforward, but there is always the risk of bumping into the limits on table entries if the lists are large enough, for example.

Often there are syntax errors in the lists, sometimes transfers fail. IOW it's unreliable, and I have to do it manually. I guess I could do it such that if a list fails download or conversion, then leave the old list alone, but that sucks too.

For garbage in downloadable lists, you would need to talk to the people who generate them and ask them to clean up, or devise some simple tests for validity before loading the data into your tables. As for using old data vs no data, there is the possibility that no data is preferable to using out of date data with a higher probability of false positives. Your system, your call of course.

Also, which lists do you use?

For spamd, I use and recommend uatraps and nixspam, both in the default spamd.conf for you to include. My own greytrap list is available to others too (fetchable from bsdly.net), use at your own risk and so forth. At the moment I have no other blacklist machinery in place other than the usual auto-LARTing of rapid-fire bruteforcers.

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
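The cron job the original poster describes (download, keep the old file if the download fails, convert, and give up on syntax errors) combined with the two checks Peter raises above (simple validity tests before loading, and the table-entry limit), as an added example that is not code from anyone in this thread. It assumes a list format of one IPv4 address or CIDR per line with `#` or `;` comments, a pf.conf table named `blocklist`, a placeholder URL, the file path below, and that the box is OpenBSD (ftp(1) fetches over HTTP there). `MAX_BAD` is the knob for the "stale list vs. no list" trade-off: at 0 any malformed line rejects the whole download and the previous file stays in place.

```sh
#!/bin/sh
# Added example, not code from the thread: fetch a blocklist over HTTP, check
# every line before trusting it, and only then swap it into a pf table. If the
# download or the check fails, the file and table already in place are kept.
# Table name, URL, file path, list format (one IPv4 address or CIDR per line,
# "#" or ";" comments) and the limits below are all assumptions.
set -u
set -f                                   # never glob on list contents

TABLE=${TABLE:-blocklist}                # pf.conf: table <blocklist> persist file "/etc/pf.blocklist"
LIST_URL=${LIST_URL:-http://example.invalid/blocklist.txt}   # placeholder, not a real feed
LIST_FILE=${LIST_FILE:-/etc/pf.blocklist}
MAX_BAD=${MAX_BAD:-0}                    # malformed lines tolerated before the whole list is rejected
MAX_ENTRIES=${MAX_ENTRIES:-200000}       # stay under "table-entries" shown by pfctl -sm
CR=$(printf '\r')                        # lists with DOS line endings are common

# is_valid_entry ENTRY: true only for a dotted-quad IPv4, optionally with /0-32.
is_valid_entry() {
    addr=${1%%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then prefix=32; fi           # no "/": a single host
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac    # empty, non-numeric or 3+ digits
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|.*|*.|*..*) return 1 ;; esac          # leading, trailing or doubled dots
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*|????*|0?*) return 1 ;; esac   # "01" rejected: octal ambiguity
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_list RAW OUT: copy the usable entries of RAW to OUT, one per line,
# and reject the list (status 1) if it has more than MAX_BAD malformed lines,
# no entries at all (truncated download, HTML error page), or too many entries.
# Sets VALID_COUNT and BAD_COUNT for the caller.
validate_list() {
    raw=$1 out=$2 good=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$CR"}
        line=${line%%#*}
        line=${line%%;*}
        set -- $line                                       # first field is the entry
        if [ $# -eq 0 ]; then continue; fi                 # blank or comment-only line
        if is_valid_entry "$1"; then
            printf '%s\n' "$1"
            good=$((good + 1))
        else
            printf 'bad entry: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$raw" > "$out"
    VALID_COUNT=$good BAD_COUNT=$bad
    if [ "$bad" -gt "$MAX_BAD" ]; then
        printf 'rejecting list: %s malformed line(s), limit %s\n' "$bad" "$MAX_BAD" >&2; return 1
    fi
    if [ "$good" -eq 0 ]; then
        printf 'rejecting list: no usable entries\n' >&2; return 1
    fi
    if [ "$good" -gt "$MAX_ENTRIES" ]; then
        printf 'rejecting list: %s entries, limit %s\n' "$good" "$MAX_ENTRIES" >&2; return 1
    fi
    return 0
}

# fetch_list URL OUT: OpenBSD's ftp(1) speaks HTTP; use curl or wget elsewhere.
fetch_list() {
    ftp -V -o "$2" "$1"
}

# update_blocklist: fetch, validate, then swap file and table in one step.
# On any failure the old file (and the table loaded from it) stays as it was.
update_blocklist() {
    tmp_raw=$(mktemp "$LIST_FILE.raw.XXXXXX") || return 1
    tmp_ok=$(mktemp "$LIST_FILE.new.XXXXXX") || { rm -f "$tmp_raw"; return 1; }
    if ! fetch_list "$LIST_URL" "$tmp_raw"; then
        printf 'download failed; keeping %s\n' "$LIST_FILE" >&2
        rm -f "$tmp_raw" "$tmp_ok"; return 1
    fi
    if ! validate_list "$tmp_raw" "$tmp_ok"; then
        printf 'validation failed; keeping %s\n' "$LIST_FILE" >&2
        rm -f "$tmp_raw" "$tmp_ok"; return 1
    fi
    rm -f "$tmp_raw"
    mv -f "$tmp_ok" "$LIST_FILE" || return 1               # same directory: an atomic rename
    pfctl -t "$TABLE" -T replace -f "$LIST_FILE"           # whole-table swap, old entries disappear
}

# Only run the network cycle when asked, e.g. from cron: update-blocklist update
if [ "${1:-}" = "update" ]; then
    update_blocklist
fi
```

Matching pf.conf lines (assumed names): `table <blocklist> persist file "/etc/pf.blocklist"` so the table is repopulated from the last good file at boot, and `block in quick from <blocklist> to any`. Check `pfctl -sm` before raising MAX_ENTRIES, and raise the kernel limit with `set limit table-entries N` if a feed is larger. If you want Peter's "no data beats stale data" policy instead, have the cron job compare the file's age and `pfctl -t blocklist -T flush` when it is older than you are willing to trust.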
pf: blocklists
Does anyone use blocklists of addresses for blocking spam and other unwanted traffic, such as those from okean and other places? How do you manage download and conversion/loading of blocklists? Automatically through scripts or manually? Thanks.
Re: pf: blocklists
http://www.openbsd.org/spamd/

On Thu, Mar 4, 2010 at 1:58 AM, nixlists nixmli...@gmail.com wrote:

Does anyone use blocklists of addresses for blocking spam and other unwanted traffic, such as those from okean and other places? How do you manage download and conversion/loading of blocklists? Automatically through scripts or manually? Thanks.

--
http://www.openbsd.org/lyrics.html