Post #5 by jggimi, 20th April 2009

Welcome to the Internet.

I use block lists for e-mail servers. They are part of a layered "defense in depth" for them. I'm very judicious in my use of them. You may realize, of course, that there are two main problems with "block lists":

1. They are an opinion.

There's an infinite number of block lists, because each is the expression of what the particular list creator/maintainer wants it to be. You'll need to find a list where the opinions of the list maintainers match your requirements. Some may fit, most won't. And each will have limited coverage, so you may need several to fill gaps.

2. They need to be maintained.

Are there ways for addresses to be dropped from the list, or, are they there forever? How do new addresses get added?

And, of course, you need a way to integrate a block list with your web server. I'm sure there's a way to integrate DNS-based ones with a web server, but I've never investigated it.

----

There are four self-described webserver scanners in the security section of the ports tree: security/arirang, security/cgichk, security/nikto, and security/whisker.

Under the www section, there are more security-related tools, such as: www/mod_security, www/ratproxy, www/calamaris, and www/transproxy.

I've never used any of these, so can make no recommendations.

----

I used to use net/snort. Snort is a very popular network analysis tool, and is often used as the main ingredient in an Intrusion Detection System (IDS). It can be integrated with PF, by having it add IPs to blocking tables and then killing state table entries, see the "flexresp" flavor.
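The post mentions DNS-based block lists without going into how a web server would consult one. The following is an added example, not jggimi's code or anything from the ports mentioned: it builds the reversed-address query name a DNSBL expects, interprets the conventional 127.0.0.x answer as "listed", and fails open on anything unexpected so a dead or wildcarded list cannot block every visitor. The zone `dnsbl.example` and the `resolve` callback are assumptions for illustration; the default resolver does a real lookup, while a test can pass a stub.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed address labels under the list zone.

    IPv4 reverses the dotted octets; IPv6 uses one hex nibble per label,
    reversed, the same convention DNSBLs borrow from reverse DNS.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def default_resolver(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip, zone, resolve=default_resolver):
    """Return (listed, reason) for a client address against one DNSBL zone.

    Only a 127.0.0.x answer counts as a listing. Any other answer is treated
    as a broken list (for example a zone that has been wildcarded after being
    shut down) and the client is NOT blocked: the list is one opinion in a
    layered defence, so it must fail open rather than take the site down.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, "not listed"
    if answer.startswith("127.0.0."):
        return True, f"listed with return code {answer}"
    return False, f"unexpected answer {answer}; fail open"


if __name__ == "__main__":
    # Constructed stub resolver standing in for DNS, so this runs offline.
    stub = {"10.2.0.192.dnsbl.example.": "127.0.0.2"}.get
    print(dnsbl_lookup("192.0.2.10", "dnsbl.example", stub))
```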