I don’t know if this has been discussed but I don’t think it has. If you are running the active response I would recommend whitelisting the DNS root servers. If someone was to find out you were running any kind of automated blocker they could (or should if they were smart) spoof attack packets from the DNS root servers’ IP addresses. This would cause OSSEC (or whatever software you’re running) to temporarily block those IPs and essentially DoS yourself. If you can’t make external DNS resolutions you’re not going to be able to do ANYTHING on the internet.

Here is a list if anyone wants to cut and paste into their ossec.conf (in the <global> section):

  <white_list>198.41.0.4</white_list>
  <white_list>192.228.79.201</white_list>
  <white_list>192.33.4.12</white_list>
  <white_list>128.8.10.90</white_list>
  <white_list>192.203.230.10</white_list>
  <white_list>192.5.5.241</white_list>
  <white_list>192.112.36.4</white_list>
  <white_list>128.63.2.53</white_list>
  <white_list>192.36.148.17</white_list>
  <white_list>192.58.128.30</white_list>
  <white_list>193.0.14.129</white_list>
  <white_list>198.32.64.12</white_list>
  <white_list>202.12.27.33</white_list>

Daniel: I would also recommend this be added to the default ossec.conf (with comments).

--
Jon Scheidell
Security Engineer
Secnap Network Security
(561) 999-5000 x:4110
www.secnap.com
[ossec-list] White listing DNS root servers - Jonathan Scheidell
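The following is an added example, not code from the post above or from the OSSEC project. It parses the <white_list> entries from a <global> fragment built from the addresses posted in the message, simulates the active-response gate (a source address that matches the whitelist is skipped, anything else is blocked), and then compares the whitelist against a root-hints file in the named.root format so that entries which no longer match a root server, or root servers that are not yet whitelisted, are reported. Assumptions: OSSEC accepts both single addresses and CIDR networks in <white_list> (the code handles both); the root-hints excerpt embedded below is constructed for the demonstration and is deliberately not the authoritative list, which should be fetched from IANA before the comparison is used for real.

```python
import ipaddress
import re
from typing import List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed <global> fragment using the addresses posted in the message above.
OSSEC_GLOBAL_FRAGMENT = """
<global>
  <white_list>198.41.0.4</white_list>
  <white_list>192.228.79.201</white_list>
  <white_list>192.33.4.12</white_list>
  <white_list>128.8.10.90</white_list>
  <white_list>192.203.230.10</white_list>
  <white_list>192.5.5.241</white_list>
  <white_list>192.112.36.4</white_list>
  <white_list>128.63.2.53</white_list>
  <white_list>192.36.148.17</white_list>
  <white_list>192.58.128.30</white_list>
  <white_list>193.0.14.129</white_list>
  <white_list>198.32.64.12</white_list>
  <white_list>202.12.27.33</white_list>
</global>
"""

# Constructed root-hints excerpt in named.root layout. NOT authoritative: the
# B entry is a documentation address chosen so the staleness check has something
# to report. Replace with the current file from IANA in real use.
ROOT_HINTS_SAMPLE = """
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::1   ; constructed
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2     ; constructed, differs on purpose
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
"""

WHITE_LIST_RE = re.compile(r"<white_list>\s*([^<]+?)\s*</white_list>")


def parse_white_list(conf_text: str) -> List[Network]:
    """Return every <white_list> entry as a network (a bare IP becomes a /32 or /128).

    Assumption: OSSEC accepts CIDR networks as well as single addresses here,
    so both forms are normalised to ip_network objects."""
    return [ipaddress.ip_network(raw, strict=False) for raw in WHITE_LIST_RE.findall(conf_text)]


def is_whitelisted(src_ip: str, white_list: List[Network]) -> bool:
    """True when the alert's source address falls inside any whitelisted network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in white_list)


def active_response_decision(src_ip: str, white_list: List[Network]) -> str:
    """Simulate the gate in front of the blocking script: 'skip' or 'block'."""
    return "skip" if is_whitelisted(src_ip, white_list) else "block"


def parse_root_hints(hints_text: str) -> Set[Address]:
    """Collect the A and AAAA addresses from a named.root-style hints file."""
    addrs: Set[Address] = set()
    for line in hints_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 4 and parts[2] in ("A", "AAAA"):
            addrs.add(ipaddress.ip_address(parts[3]))
    return addrs


def stale_entries(white_list: List[Network], hints: Set[Address]) -> List[str]:
    """Single-host whitelist entries that no longer appear in the hints file.

    Root-server addresses do change over time, so a pasted list drifts; an entry
    that stays here is harmless but no longer protects anything."""
    return sorted(str(net.network_address)
                  for net in white_list
                  if net.num_addresses == 1 and net.network_address not in hints)


def missing_entries(white_list: List[Network], hints: Set[Address]) -> List[str]:
    """Root-server addresses from the hints file that the whitelist does not cover."""
    return sorted(str(a) for a in hints if not any(a in net for net in white_list))


if __name__ == "__main__":
    wl = parse_white_list(OSSEC_GLOBAL_FRAGMENT)
    hints = parse_root_hints(ROOT_HINTS_SAMPLE)
    for src in ("198.41.0.4", "203.0.113.7"):  # 203.0.113.7 is a documentation address
        print(f"{src:>16}: {active_response_decision(src, wl)}")
    print("stale whitelist entries:", stale_entries(wl, hints))
    print("root addresses not whitelisted:", missing_entries(wl, hints))
```

Run it as a script to see the gate decisions and the drift report; in practice point parse_root_hints at a freshly downloaded hints file and wire the two report functions into whatever config-lint step already runs before ossec.conf is deployed.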
