After some thought, I decided it would be useful to document some of the projects i’m actively working on for this site. One of such projects is a real time black list (RBL) for the Rizon IRC Network. The network consists of 20~ servers holding around 15 – 17 thousand users.
Why is this important? Because IRC is such a old and simple text based chat protocol. It is often abused by hackers, script kiddies and other malicious reasons to abuse people’s personal computers which have been compromised and turned into drones. They are then often used to disrupt the chat of others, or even denial of service attacks.
First the setup, after talking with some other RBL projects, dronebl.org and proxybl.org, I decided on a mix of MySQL and rbldnsd.
Rizon has several methods of detecting compromised hosts, drones, open proxies or other types malicious users. Each time a user is detected which matches one of our rulesets, his or her IP address is added to our ban list, normally for a 3 day period. While 3 days is useful, we wanted to pool the knowledge we had gained of the IP’s which were bad.
No small task, but I decided to spin up one of Rackspace’s new Cloud Servers to Debian (5.0). Tasks before me include:
- installation of mysql, rbldnsd, and lighttpd, my web server choice.
- setup of DNS records to create my blacklist & domain acquisition
- creation of php scripts to allow our services to add hosts & comments
- creation of scripts to dump the mysql database into a zone format for rbldnsd
- creation of informational website as well as a check & removal system for users who have cleaned up their problem.
- meet with the different Rizon developers depending on service and agree on a protocol for blacklist adds.
more to come…. as I get things implemented.
