DPsystems / Login-Shield

Your first line of defense against Internet bots, hacks and probes. Login-Shield is a small set of bash scripts that implements an iptables/ipset blocklist of known sources of hack activity. Works well as a complement to fail2ban, with or without it. Statistics have shown it blocks 90+% of system probes and attacks on login ports.

blacklist-main-nonUS.sh has US IPs #1

Closed SomePersonSomeWhereInTheWorld closed 4 years ago

SomePersonSomeWhereInTheWorld commented 4 years ago

Great idea! Would definitely like some more flexibility, e.g., we have staff that travels to different parts of the world, including China. But I ran blacklist-main-nonUS.sh and subnet 150.0.0.0/8 is listed, and our IPs are in the 150.108.*.* address space and we're definitely in the US (New York).

How are you pulling in these class A IPs? What source(s) are you using? We use the lists from badips.com and blocklist.de, but those are individual IPs.

DPsystems commented 4 years ago

Thanks for the feedback! I was unaware of US IP space in that block, but it doesn't surprise me - I haven't had this tested as much as I'd like. So thanks for looking into it.

I am debating the proper approach to situations like this. Is it better to whitelist the areas where clients may be in the blacklisted areas? Or further fragment the blacklist into smaller pieces? I'd like to gather more info to figure out the best course of action.

I'd say, in the meantime, my recommendation is to comment out the IP space that interferes with your legit traffic, and then see how much that increases unwanted traffic.

Obviously the intent here is to create a useful, dynamic system that people in different areas can use, so I figure this will eventually evolve into a combo black/whitelist where each user can specify areas that are their clients and the system will tailor the blacklisting around them. But first I want to get more feedback to see how effective this is for others and how much it may impact any legit traffic. Thanks! - DP

DPsystems commented 4 years ago

I'm going to comment out 150/8 for now in the dist version.

SomePersonSomeWhereInTheWorld commented 4 years ago

I saw your post on the Fail2ban mailing list which led me here. You can take a look at 2 other scripts, this one uses badips.com, and this one uses blocklist.de.

I also like some of the suggestions this user made and note he mentions his IP being close to one in the blacklist.

DPsystems commented 4 years ago

Interesting. Thanks for the info. Here are some comments on those systems and how login-shield is different. First, the badips list: it looks like no new info has been posted on the web site since 2014, so I'm not sure how well maintained it is. It appears to be an individual IP-based blacklist. Login-shield uses hashes and groups of IPs. I also don't think putting banned hosts in hosts.deny is very efficient, and I'm not sure all necessary systems are using tcpwrappers these days - my previous versions of the blacklist did this as well and I couldn't block all the services I wanted, so I switched to using iptables instead.

Same situation with blocklist.de - these are all individual IPs, so just the ssh list is incredibly huge and takes 1000x more memory and resources than my entire system. I also think there's potential problems with crowdsourced IP blacklists. I was involved in the spamcop project early on and they had lots of problems in that respect and had to change their approach to reporting bad IP space.

Admittedly, login-shield uses a more "blunt" approach to blacklisting IP space, opting to go with subnets and not individual IPs. As such, it's not really intended to replace individual IP-based blocking such as Fail2Ban, blocklist or badips. Regardless, all systems are going to require ongoing maintenance and massaging to ensure the quality of their data and the elimination of false positives.

At this point I want to gather more data from people such as yourself and others as to what the best approach may be to address some of these concerns? Right now I consider this project to be in a kind of "research phase." I want to see how well the system works for others and how many false positives, and if there is a way to augment this method with some sort of whitelisting to make it more versatile and functional.

Right now I'm aware that, if I push out updates, people have to abandon any customization they've done - I hope to fix this very soon. But ultimately it all depends on whether other people find this system useful. Thanks for the feedback! Keep it coming!

-DP
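The two options DP weighs above (whitelist the areas where clients sit, or fragment the blacklist into smaller pieces) and the later point that login-shield blocks subnets rather than individual IPs can both be shown with one small script. This is an added example written for this thread, not Login-Shield's own code or the scripts linked in the issue. It uses only Python's standard-library ipaddress module: it punches whitelisted ranges out of a CIDR blocklist (so 150.0.0.0/8 becomes the handful of larger CIDRs that still cover everything except the whitelisted block), checks whether an address would still be matched, and renders the result as input for `ipset restore`. The set name `login_shield` and the sample ranges are constructed for illustration; 150.108.0.0/16 simply stands in for the reporter's address space.

```python
"""Carve whitelisted space out of a CIDR blocklist and emit ipset input.

Added example for this issue thread, not Login-Shield code. The set name
and the sample ranges are constructed for illustration only.
"""
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data (not the project's real lists).
# 150/8 is the block the reporter hit; 150.108/16 stands in for their space.
SAMPLE_BLOCKLIST = ["150.0.0.0/8", "203.0.113.0/24"]
SAMPLE_WHITELIST = ["150.108.0.0/16", "203.0.113.7"]
SET_NAME = "login_shield"  # hypothetical ipset name


def parse_nets(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDRs and bare addresses; strict=False tolerates set host bits."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs]


def carve(blocklist: Iterable[str], whitelist: Iterable[str]) -> List[Net]:
    """Return the blocklist with every whitelisted range removed.

    A block entry that overlaps a whitelist entry is fragmented into the
    fewest CIDRs covering the block minus the whitelisted part, so the
    result is still a plain list of subnets suitable for a hash:net set.
    """
    allow = parse_nets(whitelist)
    result: List[Net] = []
    for net in parse_nets(blocklist):
        pieces: List[Net] = [net]
        for w in allow:
            kept: List[Net] = []
            for p in pieces:
                if p.version != w.version:
                    kept.append(p)                      # v4/v6 never overlap
                elif p.subnet_of(w):
                    continue                            # wholly whitelisted: drop
                elif w.subnet_of(p):
                    kept.extend(p.address_exclude(w))   # punch a hole in it
                else:
                    kept.append(p)                      # disjoint: keep as is
            pieces = kept
        result.extend(pieces)
    return sorted(result, key=lambda n: (n.version, n))


def blocked(ip: str, nets: Iterable[Net]) -> bool:
    """True if ip falls inside any network (what a hash:net match would do)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def ipset_restore(nets: Iterable[Net], name: str = SET_NAME) -> str:
    """Render 'ipset restore' input: a create line, then one add per network.

    hash:net is an IPv4 set here (family inet); IPv6 entries would need a
    second set, so they are skipped.
    """
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {n.with_prefixlen}" for n in nets if n.version == 4]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    carved = carve(SAMPLE_BLOCKLIST, SAMPLE_WHITELIST)
    print(ipset_restore(carved), end="")
    for probe in ("150.1.1.1", "150.108.1.1", "203.0.113.7", "203.0.113.8"):
        print(f"{probe:16} blocked={blocked(probe, carved)}")
```

Piping the output through `ipset -exist restore` and adding a single rule such as `iptables -I INPUT -m set --match-set login_shield src -j DROP` gives the "fragment the blacklist" variant: 150.0.0.0/8 turns into eight larger CIDRs that together cover everything in 150/8 except 150.108.0.0/16, and the set stays a list of subnets rather than individual hosts. The other variant DP mentions, a separate whitelist, is simply a second hash:net set matched with an ACCEPT or RETURN rule placed before the DROP rule; that keeps the distributed blocklist untouched and leaves local customisation in the whitelist set, which is relevant to the update problem raised later in the thread.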

DPsystems commented 4 years ago

I'm going to close this thread since I've fixed this particular issue.

However, I do enjoy discussing the functionality of this outside of bug reporting... So perhaps I'll create an issue just for open discussion.