As far as I know, once a system has been compromised (virus, rootkit, etc), it acts as a zombie host for a number of things. Thus, the same compromised system may act as a proxy to send spam, participate in a DDoS attack, perform Brute Force attacks, and all sorts of other "kool" things.
What I believe would be ideal is a complete all-in-one system that protects all services from blacklisted/banned IP addresses.
For example, by extending cPHulk, to cover:
- exim from spam (instead of exim using /etc/spammeripaddresses).
- apache from remote exploits and other attacks (blocking IP addresses is faster than sending the requests to be processed via modsec).
- dovecot from overzealous brute force attempts that flood the authentication processes and don't let normal users get in.
By extension, it would be ideal if cPHulk would block whole countries per domain/account. Some clients are so locally based that they have no communication outside their own country or even organization. It would be ideal for them to block continents/countries. It is something we already do, but with 3rd party tools.
The result would be to block an IP address because it tried to perform a Brute Force attack one day, and the next day when it tries to send spam, it will already be blacklisted!!! The next day it may try a remote exploit on apache/php, or whatever, and it will still fail to have any effect because it has already been blacklisted the very first day it tried something.
What do you guys think?
PS:
I came to this conclusion because I compared cPHulk IP addresses to my exim/dovecot/apache logs and I found the same addresses being repeated over and over again.
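The cross-service correlation the post describes (the same address failing dovecot auth one day, relaying spam through exim the next, probing apache after that), as an added example that is not part of the original post and not cPanel or cPHulk code: it scans constructed sample lines from the three daemons with assumed log-format regexes, records which services each IP offended against, and emits commands for one shared ipset that every service's firewall rule can consult. The regexes and the set name `cross_service_block` are assumptions and will need tuning for a real install.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines (not from any real server). 203.0.113.5 misbehaves
# against all three services; 198.51.100.200 only probes apache once.
SAMPLE_LOGS = {
    "dovecot": [
        "Jan 10 03:12:01 host dovecot: imap-login: Disconnected (auth failed, "
        "3 attempts in 10 secs): user=<bob>, rip=203.0.113.5, lip=198.51.100.1",
    ],
    "exim": [
        "2024-01-11 09:40:22 H=(mail.example) [203.0.113.5] F=<x@y> "
        "rejected RCPT <a@b>: relay not permitted",
    ],
    "apache": [
        '203.0.113.5 - - [12/Jan/2024:11:00:07 +0000] "GET /wp-login.php HTTP/1.1" 403 199',
        '198.51.100.200 - - [12/Jan/2024:11:00:08 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210',
        '198.51.100.77 - - [12/Jan/2024:11:00:09 +0000] "GET /index.html HTTP/1.1" 200 512',
    ],
}

# One "offence" pattern per service (assumed formats); each captures the client IP.
OFFENCE_PATTERNS = {
    "dovecot": re.compile(r"auth failed.*?rip=(?P<ip>[\d.]+)"),
    "exim": re.compile(r"\[(?P<ip>[\d.]+)\].*?(?:rejected|relay not permitted)"),
    "apache": re.compile(r'^(?P<ip>[\d.]+) .*" (?:403|404) '),
}

def collect_offenders(logs):
    """Return {ip: {service, ...}} for every IP that matched an offence pattern."""
    offenders = defaultdict(set)
    for service, lines in logs.items():
        for line in lines:
            m = OFFENCE_PATTERNS[service].search(line)
            if not m:
                continue
            try:
                ip = str(ip_address(m.group("ip")))  # drop malformed captures
            except ValueError:
                continue
            offenders[ip].add(service)
    return offenders

def build_blocklist(offenders, min_services=1):
    """IPs that offended against at least min_services distinct services."""
    hits = [ip for ip, svcs in offenders.items() if len(svcs) >= min_services]
    return sorted(hits, key=ip_address)

def ipset_commands(blocklist, setname="cross_service_block"):
    """ipset lines feeding the one set that exim, dovecot and apache rules share."""
    return [f"ipset add {setname} {ip} -exist" for ip in blocklist]
```

Lowering `min_services` to 1 reproduces the post's "blacklisted the very first day" behaviour; raising it to 2 keeps the list to addresses already seen across services, which is the overlap the PS describes finding by hand.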