On Tue, Aug 15, 2006 at 11:28:52AM -0400, Simetrical wrote:
On 8/15/06, Tim Starling t.starling@physics.unimelb.edu.au wrote:
We can use a dedicated IP for scanning, to make automatic blocking of that IP by firewalls irrelevant, and we can set up an informative reverse DNS entry and a webserver on that IP, to ward off some of the abuse complaints.
It was the abuse complaints that I was wondering about. If those wouldn't be a problem, this would seem to be the sensible course. Assuming portscans aren't that expensive (I know that there's some latency involved, but that's okay for this), anything listed as an open proxy could be invisibly scanned and deblacklisted if appropriate anytime it tried to edit, which solves the problem of outdated entries. Any IP that's not blacklisted as an open proxy could be portscanned and whitelisted if appropriate when it tries to edit, with some expiry period. A block could force reevaluation of the appropriate address(es), just in case something is whitelisted and becomes compromised within the expiry period.
I would only like to note scanning for proxies is not the same thing as portscanning.
A good proxy scan consists of:
- a rather wide portscan
- tests on interesting ports
  - that usually means attempts to establish a connection to ANOTHER dedicated server on another IP, with a running webserver
  - for every service there are specific ways how to test for weaknesses
- you evaluate the requests on the "receiving server"
Proxy scans are usually not welcome by admins; the above described procedure is exactly what a lot of spammers do, you are going to receive some complaints, and are likely to end up on some blacklists.
Certainly an informative reverse record is necessary, but part of the "feedback" is automated.
Now who wants to write this and set it up? :)
On 8/15/06, Jan Kulveit jk-wikitech@ks.cz wrote:
-how to develop the rbl ... I think it could be done the wiki way
That would require a ton of effort keeping the list up-to-date that's really not needed. You'd also have to constantly field complaints of misblocked IPs, which would be solved in days rather than seconds. An automated solution is the way to go for this.
Automatic re-scanning of any blacklisted IP anytime it tries to edit is IMO too expensive; you'll have to add some backoff/expiry period anyway, likely on the scale of hours and days.
A better solution is to add automated removal upon human request: if you're unhappy being blocked, you fill in some form, you're re-tested and if it's OK, removed. The effort is the same whether the initial data are a wiki or completely in-house.
Jan Kulveit
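The bookkeeping both messages argue about (a whitelist with an expiry period, a blacklist that is not re-scanned on every edit but only after a backoff on the scale of hours to days, a block that forces re-evaluation, and removal on human request) is small enough to show as code. The following is an added illustration, not code from this thread or from MediaWiki; the proxy test itself is deliberately left as an injected `probe` callable (an assumption of this example), the IP addresses are constructed from documentation ranges, and the backoff and expiry constants are chosen here rather than taken from the thread.

```python
"""Edit-time gate around an open-proxy test: expiring whitelist, blacklist
with exponential backoff, block-forced re-evaluation and human-requested
re-test.  The probe is injected so the block runs offline."""

from dataclasses import dataclass
from typing import Callable, Dict

# Backoff schedule for automatic re-tests of a blacklisted address:
# first retry after an hour, doubling up to a week.  Values in seconds,
# chosen for this example (assumption, not from the thread).
INITIAL_BACKOFF = 3600
MAX_BACKOFF = 7 * 24 * 3600
WHITELIST_TTL = 24 * 3600  # how long a clean result stays valid


@dataclass
class BlacklistEntry:
    next_retest: int  # earliest time an automatic re-test is allowed
    backoff: int      # current wait between automatic re-tests


class EditGate:
    def __init__(self, probe: Callable[[str], bool]):
        # probe(ip) returns True when ip behaves like an open proxy.
        # Hypothetical dependency: the real test lives elsewhere.
        self.probe = probe
        self.blacklist: Dict[str, BlacklistEntry] = {}
        self.whitelist: Dict[str, int] = {}  # ip -> expiry time
        self.probe_count = 0  # lets a caller see how often we actually scan

    def _test(self, ip: str, now: int) -> bool:
        """Run the probe once and record the outcome. Returns True if blocked."""
        self.probe_count += 1
        if self.probe(ip):
            entry = self.blacklist.get(ip)
            # A repeat positive doubles the wait; a first positive starts it.
            backoff = min(entry.backoff * 2, MAX_BACKOFF) if entry else INITIAL_BACKOFF
            self.blacklist[ip] = BlacklistEntry(now + backoff, backoff)
            self.whitelist.pop(ip, None)
            return True
        self.blacklist.pop(ip, None)
        self.whitelist[ip] = now + WHITELIST_TTL
        return False

    def on_edit(self, ip: str, now: int) -> str:
        """Decide whether an edit from ip is allowed: 'allow' or 'deny'."""
        if self.whitelist.get(ip, -1) > now:
            return "allow"  # clean result still within its expiry period
        entry = self.blacklist.get(ip)
        if entry is not None and now < entry.next_retest:
            return "deny"   # still in backoff: no re-scan on every edit
        return "deny" if self._test(ip, now) else "allow"

    def on_block(self, ip: str) -> None:
        """An admin block forces re-evaluation: drop any cached clean result."""
        self.whitelist.pop(ip, None)

    def request_removal(self, ip: str, now: int) -> bool:
        """Human request: re-test immediately, ignoring backoff.
        Returns True if the address is (now) off the blacklist."""
        if ip not in self.blacklist:
            return True
        return not self._test(ip, now)


if __name__ == "__main__":
    # Constructed state: one address currently acting as an open proxy.
    proxies = {"203.0.113.5": True}
    gate = EditGate(lambda ip: proxies.get(ip, False))
    print(gate.on_edit("203.0.113.5", 0))      # deny, one probe
    print(gate.on_edit("203.0.113.5", 10))     # deny, no new probe
    proxies["203.0.113.5"] = False             # operator fixed the host
    print(gate.request_removal("203.0.113.5", 200))  # True, re-tested now
    print(gate.on_edit("203.0.113.5", 300))    # allow, from whitelist
```

The two knobs that matter are `INITIAL_BACKOFF`/`MAX_BACKOFF` (how much scanning load a stuck-open proxy can generate by retrying edits) and `WHITELIST_TTL` (how long a host that becomes compromised after a clean test keeps editing); `on_block` closes the second window early, and `request_removal` is the only path that bypasses the backoff.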