Hi Michael,

On Wed, Apr 08, 2009 at 01:57:26PM -0500, Michael Weber wrote:
>> >>> Jeff Dairiki <[email protected]> 4/8/2009 11:27 AM >>>
>>
>> Have you ever thought about making the shared "Denied Hosts database"
>> available via a DNS-based system? (http://en.wikipedia.org/wiki/DNSBL)
>
> Could we use the DNS return address as a code for what the host's
> history has been? For example, if the host has been blacklisted by 17
> hosts, return an address is 127.0.0.17. If the host has been flagged
> for the last 3 months by 200 hosts, return 127.0.3.200. If the
> attacks were against root users, add a 1 to the second octet. If the
> attacks were against known users, add a 2. If the attacks were
> against unknown users, add a 4.
>
> I'm just throwing out a concept here, not a well thought out plan
> for a return variable.
>
> If we could get that to work, we could all have our own rule sets as
> to what to allow or deny.
Yes, I was thinking along those lines, though I don't have a well
thought-out plan either.

AFAIK, DenyHosts currently has two parameters which control the
blacklisting of hosts listed in the central db: SYNC_DOWNLOAD_THRESHOLD
(minimum number of reporting hosts) and SYNC_DOWNLOAD_RESILIENCY (time
in database). So one would want to support at least those.

I would think the use of one octet in the listed A record for each of
those parameters would be plenty -- though one might want to use some
sort of quasi-logarithmic scale. E.g.

  127.x.x.1  =>        resiliency < 1h
  127.x.x.2  =>  1h <= resiliency < 2h
  127.x.x.3  =>  2h <= resiliency < 4h
  127.x.x.4  =>  4h <= resiliency < 6h
  127.x.x.5  =>  6h <= resiliency < 8h
  127.x.x.6  =>  8h <= resiliency < 12h
  127.x.x.7  => 12h <= resiliency < 18h
  127.x.x.8  => 18h <= resiliency < 24h
  127.x.x.9  => 24h <= resiliency < 2d
  127.x.x.10 =>  2d <= resiliency < 4d
  etc, etc...

Similarly for number of reporting hosts:

  127.x.1.x  => 1 reporting host
  127.x.2.x  => 2 reporting hosts
  ...
  127.x.10.x => 20 <= reporting hosts < 30
  127.x.11.x => 30 <= reporting hosts < 50
  etc, etc...

Your idea about the bit-field for which account types had been attacked
is interesting, too. Does this data currently get reported to the
central DB by DenyHosts?

Jeff

PS:
> However, some of us have more stringent policies than others.
> Either by law or by policy.

By law? Out of curiosity, can you elaborate?

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
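The encoding sketched in the two messages above, worked through as an added example (this is not DenyHosts code, nor a format the project ever adopted). It assumes the layout 127.<flags>.<reporters>.<resiliency>: the second octet is Michael's bit-field (1 = root, 2 = known, 4 = unknown), the third is Jeff's bucketed reporting-host count and the fourth his quasi-logarithmic resiliency bucket. The buckets Jeff spelled out are used as given; the buckets he left as "etc" (resiliency past 4d, reporter counts between 9 and 20 and above 50) are assumptions. The policy check at the end plays the role of SYNC_DOWNLOAD_THRESHOLD / SYNC_DOWNLOAD_RESILIENCY on the client side and deliberately uses only each bucket's guaranteed lower bound, so a host is denied only when the record proves it meets the local threshold; it also rejects any answer outside 127.0.0.0/8, which a DNSBL never returns but a catch-all or captive resolver would.

```python
"""Encode and decode the DNSBL-style reputation record sketched in the thread.

Assumed layout (the thread's sketch, not DenyHosts' own format):
    127.<flags>.<reporters>.<resiliency>
flags      : bit-field of account types attacked, 1 = root, 2 = known, 4 = unknown
reporters  : bucket code for the number of reporting hosts
resiliency : bucket code for how long the host has been in the central db
An octet value of 0 means "no data", so a listed host always carries non-zero codes.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Optional
import ipaddress

HOUR = 3600
DAY = 24 * HOUR

FLAG_ROOT, FLAG_KNOWN, FLAG_UNKNOWN = 1, 2, 4
ALL_FLAGS = FLAG_ROOT | FLAG_KNOWN | FLAG_UNKNOWN

# Lower bound of each bucket; code k covers BOUNDS[k-1] <= value < BOUNDS[k].
# Resiliency: the first ten buckets are exactly the ones listed in the reply;
# beyond 4d the scale keeps doubling (assumption, the reply only says "etc").
RESILIENCY_BOUNDS = [0, 1 * HOUR, 2 * HOUR, 4 * HOUR, 6 * HOUR, 8 * HOUR,
                     12 * HOUR, 18 * HOUR, 24 * HOUR, 2 * DAY, 4 * DAY]
while len(RESILIENCY_BOUNDS) < 24:
    RESILIENCY_BOUNDS.append(RESILIENCY_BOUNDS[-1] * 2)
# Reporting hosts: 1 and 2 exact, 20-29 and 30-49 as in the reply; the buckets
# 3..8 exact, 9..19, and everything from 50 up are assumptions.
REPORTERS_BOUNDS = [1, 2, 3, 4, 5, 6, 7, 8, 9, 20, 30, 50, 100, 200, 500, 1000]
# Every code has to fit in one octet.
assert len(RESILIENCY_BOUNDS) <= 255 and len(REPORTERS_BOUNDS) <= 255


def bucket(value, bounds):
    """1-based bucket code for value. Values below the first bound give 0
    (no data); values past the last bound saturate in the last bucket."""
    return bisect_right(bounds, value)


def bucket_range(code, bounds):
    """Inclusive lower bound and exclusive upper bound (None = open) of a code."""
    if not 1 <= code <= len(bounds):
        raise ValueError("bucket code %d out of range" % code)
    hi = bounds[code] if code < len(bounds) else None
    return bounds[code - 1], hi


def encode(reporters, resiliency_seconds, flags):
    """Build the A record the central db would publish for a listed host."""
    if flags & ~ALL_FLAGS:
        raise ValueError("unknown flag bits in %d" % flags)
    r = bucket(reporters, REPORTERS_BOUNDS)
    t = bucket(resiliency_seconds, RESILIENCY_BOUNDS)
    if r == 0 or t == 0:
        raise ValueError("a listed host needs >= 1 reporter and a resiliency >= 0")
    return "127.%d.%d.%d" % (flags, r, t)


@dataclass
class Listing:
    flags: int
    min_reporters: int
    max_reporters: Optional[int]   # exclusive; None = open-ended bucket
    min_resiliency: int
    max_resiliency: Optional[int]  # exclusive, seconds; None = open-ended bucket


def decode(answer):
    """Parse a DNSBL answer. None (NXDOMAIN) means the host is not listed.
    Anything outside 127.0.0.0/8 is rejected: a blocklist never answers with a
    routable address, but a catch-all or captive resolver does, and trusting it
    would list every host on the Internet."""
    if answer is None:
        return None
    addr = ipaddress.IPv4Address(answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError("not a DNSBL answer: %s" % answer)
    _, flags, r, t = addr.packed
    if flags & ~ALL_FLAGS or r == 0 or t == 0:
        raise ValueError("malformed listing %s" % answer)
    lo_r, hi_r = bucket_range(r, REPORTERS_BOUNDS)
    lo_t, hi_t = bucket_range(t, RESILIENCY_BOUNDS)
    return Listing(flags, lo_r, hi_r, lo_t, hi_t)


def should_deny(answer, threshold, resiliency, deny_flags=None):
    """Local policy in the spirit of SYNC_DOWNLOAD_THRESHOLD and
    SYNC_DOWNLOAD_RESILIENCY. Only the bucket's guaranteed lower bound is
    compared, so a host in the 20-29 bucket does not satisfy a threshold of 25
    even if its true count is 25: the record cannot prove it. deny_flags=None
    ignores the account-type bits, which the thread says may not be reported."""
    listing = decode(answer)
    if listing is None:
        return False
    if listing.min_reporters < threshold or listing.min_resiliency < resiliency:
        return False
    return deny_flags is None or bool(listing.flags & deny_flags)


if __name__ == "__main__":
    # Constructed sample: 25 reporters, 36h in the db, root and unknown accounts hit.
    rec = encode(25, 36 * HOUR, FLAG_ROOT | FLAG_UNKNOWN)
    print(rec, decode(rec))
    print(should_deny(rec, threshold=20, resiliency=DAY))
    print(should_deny(rec, threshold=25, resiliency=DAY))
```

A resolver would look up the reversed attacker address under the list's zone and hand the A record (or NXDOMAIN as None) to `should_deny`; the policy knobs stay on the client, which is the point Michael raised about everyone keeping their own rule sets.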
