Hey Scott,

Love the new features.

I just wanted to see if you could add a "Select All" button to the Geoblocking page, then I can just unselect the USA TLD and not have to select all the other TLD's I want to block. Or if not that, a "Block Everything except the selected TLDs" would be nice.


Thanks!

Andrew T.

You will want to be careful with that, since the intrawebs are fairly border neutral. My last server from 1and1 was reported in a Germany IP space, even thought it was all US centric websites. (shaking my fist at the stupid spam filter at pobox.)

Now blocking some of the dirtier corners I'm all for (Hi Nigeria and China!), but be sure you understand the risks in doing so. I actually had a customer check their email from Slovenia while they were visiting their roots!

Is there a default somewhere, witch one would you like to block for sure?

Is it possible to make Groups as "Know bad countries" "Europe" "USA" etc..?

I was thinking of maybe grouping them by continent next. Another way to do it might be to go with the Unless Allow, Deny model. Where instead of "GeoBlocking" we're "GeoAllowing".

I'm all ears for a known bad list. This is a good place to discuss who that would be and how it would look.

Theres another layer to this as well, mod_security also supports GeoBlocking, which could allow you to narrow this all the way down to specific applications in specific vhosts. For example, one idea might be to have an ASL interface down at the domain level for the users to set a policy like this.

Anyway, I havent thought it all the way through. This is where we could use everyones feedback.

I'm not sure that geoblocking would be all that effective in the end. Consider that currently a good amount of spam is being sent, not from servers, but "zombie" computers at homes and businesses around the world that have been compromised and are now at the beck and call of people in those areas you'd like to geoblock. This is why MAPS lists aren't all that effective at blocking spam. I've had hack attempts on my machines from servers within the US that got hacked. Geoblocking would block the newbies but not stop the dedicated people that we'd all like to stop.

One thing I've been thinking about would be some sort of feedback mechanism for ASL similar to a email sender reputation system. If an IP is attacking an ASL server, it would upload the attacker/sig fired to a central repo to be shared by other ASL subscribers. Get hit by many and your "bad" reputation score goes up, eventually evaporating over time. Thresholding (Evil, questionable, hit someone once) could then be set at the individual ASL subscriber level to determine how paranoid they want to be. There are challenges to overcome, such as being used for a DOS.

Just kicking around an idea.

Very nice idea! this would be a nice addition to ASL

Yes indeed, we actually have had something like that set up since before I started working on ASL 2.0. Before mike had even found out about mod_security, he maintained mod_access+rbl, which does exactly what you're talking about. There are elements of this in some other parts of ASL as well, DenyHosts has its own shared blacklist system.

I agree completely that there needs to be reputation involved in the system to prevent poisoning attacks. Fortunately there are some other systems out there that have established some protocols for this (Vipals Razor for example) that we can look to for guidance. Anyway, I asked mike to check in here on this thread because this has been his baby for years.

Keep the ideas coming!

We're working on just such a feature right now. :-)

I'll post more details for feedback later today, but right now we are doing internal testing on a realtime RBL fed by all ASL nodes, and a local RBL that is fed by just the ASL nodes controlled by a group. So think of it as both your own personal RBL that only effects you, and a global ASL community feedback system that everyone can contribute to and benefit from.

Please let us know what you would like to see. I'm leading this one, so get your ideas in now and I'll code em up. :-)

Some things I'd like to see:

1) Option to turn on, off, and only use local reputation. Some servers have to be careful on the information they share.

2) Submissions to a central repo contain attacking IP, Sig, and md5 of the default plesk IP address. This would allow for confidence levels in the signatures, as well as allow blocking of updates from someone intent on poisoning the DB. The md5 would keep it relatively anonymous in the DB, but I realize there are other ways you could map the identity.

3) Be able to weight the reputation based on preferences:
Evil - block the netblock if ASL says so. or if local rep says so
Diet coke of Evil - block the IP if ASL says so. or if local rep says so
Questionable - block 'em if ASL says so, or local repo says so for non-generic attack sigs --Best option would be to be able to customize sigs as high confidence, but that might never get used for most installs
Have at er - use local sigs with no reputation, but send attack data to ASL anyway

4) Generate reports on said blocking by attacker, hosted domain, sig, etc.

Agreed.



Well, you trust us don't you?

I'd also like to allow people to opt in and provide even more if they choose, such as the attack payload - we can use that not only improve the rules, but we have some automated stuff in the research pipeline thats going to auto-learn new attacks, malware, etc. and the payloads would be really key to that. Again, opt-in, as some folks may not be able to share anything like that.



Right, OK we'll brainstorm on a workflow to support this. BAsically, you need control to decide what data is gonna work in your environment what you want to do. I agree complete.y



Any thoughts on what you might want a report to look like? We're working on feeding all the data into a database in realtime, so in the future there will be plenty of ways to work with the data.[/quote]

Now that I can't wait for! ASL goes honeynet.


Well, I see two major types. One would be advertising to the clients. You know, charts in pretty colors. The other side would be things like sigs hit, sites/applications attacked by percentage, comparison to the ASL "average", trending by box and domain, correlation with spammers. The ability to print/pdf reports for auditors would be nice as well. I'm thinking like compliance with PCI DSS, etc. requirements.

I'd also like to add a widget graph on my biz website like "ASL Protected" with some graph of all the bad stuff blocked might be good advertisement for both you and me. This wishing stuff is easy! Can I have a pony too?

Seriously though, I'm lovin' the direction ASL is going.

Oh, one more thing that just came to me - give the ability to report false positives to domain owners. It could be to you or me, but it would curb some frustration when they post something to Joomla containing *iagra|*enis|gurth in a five paragraph post and get locked out.

I like this, I added the ART logo in my Plesk headers already maybe you can use the system of scanalert.com (HackerSafe) if you are 100% hackerSafe you get this in your logo, if there is a vulnerability is shows to

Ans give this man a pony for his good idea!