03.20
Bei blocklist.de kann man sich ja kostenlos registrieren und dann über uns SSH-, FTP-, imap- usw. Attacken automatisiert melden und verarbeiten, ähnliche wie bei spamcop.net.
Dazu ist allerdings eine Registrierung per Double-Opt-In nötig, wo der Inhaber der E-Mailadresse die Registrierung innerhalb von 7 Tage bestätigen muss.
Nun tauchen in den Logs immer wieder folgende Aufrufe auf:
http://www.blocklist.de/en/register.html?agreed=true
Es erfolgt dann eine Weiterleitung mit Generierung einer neuen Session. Dies wird von den Bots wohl als Erfolg gewertet, da diese dann in der nächsten Sekunde sich versuchen einzuloggen.
Hier einmal so ein Vorgang von der IP 31.184.238.23 am 26.02.2012:
31.184.238.23 - - [26/Feb/2012:12:46:40 +0100] "GET /en/register.htmlagreed=true?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5BPLM=0%5D%5BR%5D+GET+http://www.blocklist.de/en/register.htmlagreed=true?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5B0,13411,13246%5D+-%3E+%5BR%5D+POST+http://www.blocklist.de/en/register.htmlagreed=true?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5B0,0,13598%5D+-%3E+%5BL%5D+GET+http://www.blocklist.de/en/login.html+%5BR=302%5D%5B0,0,223%5D+-%3E+%5BL%5D+GET+http://www.blocklist.de/en/login.html+%5BR=302%5D%5B7123,0,12270%5D+-%3E+%5BL%5D+GET+http://www.blocklist.de/en/login.html?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5B0,12608,12316%5D+-%3E+%5BL%5D+POST+http://www.blocklist.de/en/login.html?sid=29f0115bd34fa1cbc680a8e2a8f54da4&action=login+%5B7122,0,12426%5D HTTP/1.0" 302 16088 "http://www.blocklist.de/en/register.htmlagreed=true?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5BPLM=0%5D%5BR%5D+GET+http://www.blocklist.de/en/register.htmlagreed=true?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5B0,13411,13246%5D+-%3E+%5BR%5D+POST+http://www.blocklist.de/en/register.htmlagreed=true?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5B0,0,13598%5D+-%3E+%5BL%5D+GET+http://www.blocklist.de/en/login.html+%5BR=302%5D%5B0,0,223%5D+-%3E+%5BL%5D+GET+http://www.blocklist.de/en/login.html+%5BR=302%5D%5B7123,0,12270%5D+-%3E+%5BL%5D+GET+http://www.blocklist.de/en/login.html?sid=29f0115bd34fa1cbc680a8e2a8f54da4+%5B0,12608,12316%5D+-%3E+%5BL%5D+POST+http://www.blocklist.de/en/login.html?sid=29f0115bd34fa1cbc680a8e2a8f54da4&action=login+%5B7122,0,12426%5D" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:40 +0100] "GET /en/register.htmlagreed=truesid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255BPLM=0%255D%255BR%255D%2BGET%2Bhttp://www.blocklist.de/en/register.htmlagreed=truesid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255B0,13411,13246%255D%2B-%253E%2B%255BR%255D%2BPOST%2Bhttp://www.blocklist.de/en/register.htmlagreed=truesid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255B0,0,13598%255D%2B-%253E%2B%255BL%255D%2BGET%2Bhttp://www.blocklist.de/en/login.html%2B%255BR=302%255D%255B0,0,223%255D%2B-%253E%2B%255BL%255D%2BGET%2Bhttp://www.blocklist.de/en/login.html%2B%255BR=302%255D%255B7123,0,12270%255D%2B-%253E%2B%255BL%255D%2BGET%2Bhttp://www.blocklist.de/en/login.htmlsid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255B0,12608,12316%255D%2B-%253E%2B%255BL%255D%2BPOST%2Bhttp://www.blocklist.de/en/login.htmlsid=29f0115bd34fa1cbc680a8e2a8f54da4&action=login%2B%255B7122,0,12426%255D?sid=ac7bdd463e38b425be22042f2d41bd39 HTTP/1.0" 200 18703 "http://www.blocklist.de/en/register.htmlagreed=truesid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255BPLM=0%255D%255BR%255D%2BGET%2Bhttp://www.blocklist.de/en/register.htmlagreed=truesid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255B0,13411,13246%255D%2B-%253E%2B%255BR%255D%2BPOST%2Bhttp://www.blocklist.de/en/register.htmlagreed=truesid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255B0,0,13598%255D%2B-%253E%2B%255BL%255D%2BGET%2Bhttp://www.blocklist.de/en/login.html%2B%255BR=302%255D%255B0,0,223%255D%2B-%253E%2B%255BL%255D%2BGET%2Bhttp://www.blocklist.de/en/login.html%2B%255BR=302%255D%255B7123,0,12270%255D%2B-%253E%2B%255BL%255D%2BGET%2Bhttp://www.blocklist.de/en/login.htmlsid=29f0115bd34fa1cbc680a8e2a8f54da4%2B%255B0,12608,12316%255D%2B-%253E%2B%255BL%255D%2BPOST%2Bhttp://www.blocklist.de/en/login.htmlsid=29f0115bd34fa1cbc680a8e2a8f54da4&action=login%2B%255B7122,0,12426%255D?sid=ac7bdd463e38b425be22042f2d41bd39" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:41 +0100] "GET /en/register.html?agreed=true HTTP/1.0" 302 13252 "http://www.blocklist.de/en/register.html?agreed=true" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:41 +0100] "GET /en/register.htmlagreed=true?sid=ac7bdd463e38b425be22042f2d41bd39 HTTP/1.0" 200 13245 "http://www.blocklist.de/en/register.htmlagreed=true?sid=ac7bdd463e38b425be22042f2d41bd39" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:41 +0100] "POST /en/register.htmlagreed=true?sid=ac7bdd463e38b425be22042f2d41bd39 HTTP/1.0" 200 13597 "http://www.blocklist.de/en/register.htmlagreed=true?sid=ac7bdd463e38b425be22042f2d41bd39" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:41 +0100] "GET /en/login.html HTTP/1.0" 302 223 "http://www.blocklist.de/login.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:42 +0100] "GET /en/login.html HTTP/1.0" 302 16848 "http://www.blocklist.de/en/login.html" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:42 +0100] "GET /en/login.html?sid=ac7bdd463e38b425be22042f2d41bd39 HTTP/1.0" 200 16896 "http://www.blocklist.de/en/login.html?sid=ac7bdd463e38b425be22042f2d41bd39" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
31.184.238.23 - - [26/Feb/2012:12:46:42 +0100] "POST /en/login.html?sid=ac7bdd463e38b425be22042f2d41bd39&action=login HTTP/1.0" 200 17008 "http://www.blocklist.de/en/login.html?sid=ac7bdd463e38b425be22042f2d41bd39" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]"
Naja. Nach 4 Fehl-Logins beim Login ist die IP für weitere Aufrufe für 10 Stunden gesperrt, daher ist ein Brute-Force-Angriffe nicht erfolgreich, bzw. dauert so sehr lange oder man braucht sehr viele IP-Adressen.