If the helo is in invalidhelo.txt the IP will be scored. After some
attempts the IP will get extreme black (PenaltyBox). The exported file can
be read by insta-ban.
I use the exported black file in the pfSense daemon pfBlockerNG. But it
can also be used in Snort by creating a custom rule.
2015-09-23
fixed in assp 2.4.6 build 15266:
....
added:
- The file defined in 'exportExtremeBlack' can now be retrieved via the
Web-STATS-Interface. This makes it
possible for firewalls or IP-filters to download and implement the file
frequently.
The URL to download the file looks like:
http://assp.domain:55553/extremeblack
notice the appended '/extremeblack'
Thomas
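As an added illustration of the workflow Thomas describes (not code from ASSP, pfBlockerNG or the list), this POSIX shell script fetches the exported list from the Web-STATS URL, keeps only well-formed IPv4 entries so a garbled download cannot smuggle arbitrary text into a rule set, and renders the result as Snort rules. It assumes the file holds one address (or CIDR) per line, and the URL, output file names and sid range are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread or of ASSP.
# Assumption: exportExtremeBlack yields one IPv4 address or CIDR per line.
ASSP_URL="${ASSP_URL:-http://assp.domain:55553/extremeblack}"   # placeholder host

# Keep only syntactically valid IPv4 addresses (optional /prefix), drop
# comments, CRs, blank lines and duplicates.
sanitize_blocklist() {
    # $1 = path of the downloaded file
    sed 's/[[:space:]]*#.*//' "$1" \
    | tr -d '\r' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '{
          ok = 1
          for (i = 1; i <= 4; i++) if ($i > 255) ok = 0   # each octet 0..255
          if (NF == 5 && $5 > 32) ok = 0                  # prefix length 0..32
          if (ok) print
      }' \
    | sort -u
}

# Render the sanitized list as Snort rules: one rule per entry, dropping
# inbound SMTP connection attempts from that source. The sid is a placeholder
# base; pick one inside your local (>= 1000000) range.
to_snort_rules() {
    # $1 = sanitized list file, $2 = first sid to use
    awk -v sid="$2" '{
        printf "drop tcp %s any -> $HOME_NET 25 (msg:\"ASSP extremeblack %s\"; sid:%d; rev:1;)\n",
               $1, $1, sid + NR - 1
    }' "$1"
}

# Full cycle, meant to be run from cron: download, sanitize, emit rules.
fetch_and_build() {
    tmp=$(mktemp) || return 1
    curl -fsS "$ASSP_URL" -o "$tmp" || { rm -f "$tmp"; return 1; }
    sanitize_blocklist "$tmp" > extremeblack.clean
    to_snort_rules extremeblack.clean 9000001 > assp-extremeblack.rules
    rm -f "$tmp"
}
```

Point pfBlockerNG (or any other IP filter) at extremeblack.clean instead if you do not use Snort; the sanitizer is the part that matters either way.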
From: cw <colin.war...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 19.01.2016 17:34
Subject: [Assp-test] Banning obvious botnet traffic
Hi,
I’ve noticed for a long time that we get a massive number of failed login
attempts from numerous different IP addresses.
There is one thing in common, the EHLO is ylmf-pc so I finally got around
to looking it up with Google and it turns out that it is the default
setting of a botnet called PushDo that has been around for years. It may be
worth adding that to the default invalidhelo.txt file.
To take it a step further, I’d like to insta-ban any IP that uses that helo
so we don’t waste any more bandwidth on them. Is there an obvious way to do
that with ASSP? I’d rather not have to make fail2ban watch the ASSP log and
take action because I don’t know whether the two will play nicely.
All the best,
Colin
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test