Virginia Tech DShield
Distributed Intrusion Detection System

Block List


DShield maintains a "block" list of networks that have exhibited suspicious activity and that you might consider blocking.

http://dshield.cirt.vt.edu/feeds/block.txt    Block list (Regular http)
http://dshield.cirt.vt.edu/feeds/block.txt    Block list (Secure http)
http://dshield.cirt.vt.edu/feeds/block.txt.asc    PGP signature.

Script to retrieve the block list and update iptables

The script generates a separate chain called "BLOCKLIST". Using a new chain instead of adding the rules to an existing chain eases maintenance and lessens the probability of interfering with existing rules. The BLOCKLIST chain should be called from the INPUT or FORWARD chain. A possible setup would look like this:

# allow trusted sources, which we never want to lock out
iptables -A INPUT -s (...trusted ip...) (..further restrictions, e.g. port..) -j ACCEPT
# call BLOCKLIST
iptables -A INPUT -j BLOCKLIST
# execute remainder of firewall rules
iptables -A INPUT ....

The same sequence can be used for other chains, such as FORWARD. The following Perl script will retrieve the block list and add the rules to the BLOCKLIST chain.

The relevant PGP public keys can be found at http://dshield.cirt.vt.edu/dshield_public_key.txt. You may want to define a small chain to log blocked accesses distinctively. For example, use a chain like:

$IPTABLES -N LOGBLOCK
$IPTABLES -A LOGBLOCK -j LOG --log-level warning --log-prefix "filter: BLOCKLIST "
$IPTABLES -A LOGBLOCK -j DROP

To use this new custom chain, change

my $blocktarget='DROP';

to read

my $blocktarget='LOGBLOCK';

in the script below.

With that out of the way, you are now ready for get_block.pl.
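The following POSIX shell script is an added example of the procedure described above (fetch the list and its PGP signature, verify, rebuild the BLOCKLIST chain with DROP or LOGBLOCK as the target); it is not DShield's get_block.pl. It assumes curl and gpg are installed, that the DShield public key has already been imported into the root keyring, and a list format (one network per line, as CIDR or as "start end masklen ...", '#' comments) that should be checked against the real feed.

```shell
#!/bin/sh
# Added example (not the page's get_block.pl): verify the signed DShield block
# list and rebuild the iptables BLOCKLIST chain from it.
# Assumed list format (check against the real feed): '#' comment lines, then
# one network per line as either "a.b.c.0/24" or "start end masklen ...".
set -eu

IPTABLES="${IPTABLES:-iptables}"
BLOCKTARGET="${BLOCKTARGET:-DROP}"   # set to LOGBLOCK to use the logging chain
FEED="http://dshield.cirt.vt.edu/feeds/block.txt"

# Emit the networks of a block list file in CIDR form, one per line.
parse_blocklist() {
    awk '
        /^[[:space:]]*(#|$)/       { next }           # skip comments and blanks
        $1 ~ /\//                  { print $1; next } # already CIDR
        NF >= 3 && $3 ~ /^[0-9]+$/ { print $1 "/" $3 } # "start end masklen"
    ' "$1"
}

# Rebuild BLOCKLIST from a block list file. The chain is flushed rather than
# deleted so the jump from INPUT/FORWARD stays valid while the list is reloaded.
# $IPTABLES can be pointed at "echo" to review the generated rules first.
build_blocklist_rules() {
    "$IPTABLES" -N BLOCKLIST 2>/dev/null || true   # create chain on first run
    "$IPTABLES" -F BLOCKLIST
    parse_blocklist "$1" | while read -r net; do
        "$IPTABLES" -A BLOCKLIST -s "$net" -j "$BLOCKTARGET"
    done
    "$IPTABLES" -A BLOCKLIST -j RETURN             # fall through to later rules
}

# Fetch the list and its detached signature; load only if the signature verifies.
fetch_and_load() {
    tmp=$(mktemp -d)
    curl -fsS -o "$tmp/block.txt" "$FEED"
    curl -fsS -o "$tmp/block.txt.asc" "$FEED.asc"
    gpg --verify "$tmp/block.txt.asc" "$tmp/block.txt"   # non-zero exit aborts (set -e)
    build_blocklist_rules "$tmp/block.txt"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--run" ]; then
    fetch_and_load
fi
```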


  last update: 07/Sep/2008 08:21
DShield is a Servicemark of Euclidian Consulting