A fantastic resource called DShield was passed along to me; it bills itself as a distributed intrusion detection system.
In practice it is a live reporting resource on the most attacked ports, the types of attacks seen and who the attackers are, built from firewall logs contributed by its users. As the folks at DShield put it: “DShield.org is an attempt to collect data about cracker activity from all over the internet. This data will be cataloged and summarized. It can be used to discover trends in activity and prepare better firewall rules.”
I recently wrote about building a firewall using iptables, and with a data source like this you can tailor your packet filtering rules to block newly targeted ports and tighten the net around your servers. The data is aggregated from many networks, so cross-check it against your own logs before adding rules, and do not drop traffic to ports you actually serve.
The site’s home page provides a global map showing patterns of attack types as well as a “stock ticker” of ports that breaks down the attacks seen on each port and notes which applications commonly use that port.
DShield also offers an “are you cracked” search function: look up an IP address in the group’s database to see whether a machine you use or manage has been reported as an attack source, which is a sign it may have been cracked.
Finally, firewall administrators can upload their logs and contribute to the coverage DShield offers. Admins can contact the site to discuss whether logs should be edited before submission and how the submitted data will be used.
DShield’s creators say they are exploring how to expand beyond packet filter logs to also cover more sophisticated application-level firewalls in the future.
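To show the two sides of this in working code, both tailoring iptables rules from what your logs show and preparing those logs before sharing them, here is an added example that is not from the original post and not DShield’s own code. It parses lines written by an iptables LOG target, summarizes the most targeted ports and the busiest sources, emits DROP rules for ports that are hit repeatedly but that you do not serve, and blanks the protected host’s address before the records leave your network. The log lines are constructed, the addresses come from documentation ranges, and the tab-separated record layout is an assumption of this example, not DShield’s submission format.

```python
"""Summarize iptables LOG lines, derive DROP rules, and blank the target address.

Constructed example: the log lines below are made up for illustration, the
rule syntax is iptables' own, and the record layout produced by
sanitize_for_submission() is assumed here rather than DShield's format.
"""
import re
from collections import Counter

# Constructed kernel log lines as written by `-j LOG --log-prefix "FW-DROP: "`.
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40102 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:13 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40103 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=256 PROTO=TCP SPT=3012 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:02:41 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=257 PROTO=TCP SPT=3013 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  3 10:05:09 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.10 LEN=78 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar  3 10:07:55 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40104 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_iptables_log(text):
    """Turn iptables LOG lines into dicts; lines without a destination port (e.g. ICMP) are skipped."""
    events = []
    for line in text.splitlines():
        ts = _TS.match(line)
        fields = dict(_FIELD.findall(line))
        if not ts or "SRC" not in fields or "DPT" not in fields:
            continue
        events.append({
            "ts": ts.group(1),
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"].lower(),
            "spt": int(fields.get("SPT", 0)),
            "dpt": int(fields["DPT"]),
        })
    return events


def top_targets(events, n=10):
    """Most attacked (protocol, port) pairs, like the site's port ticker but for your own logs."""
    return Counter((e["proto"], e["dpt"]) for e in events).most_common(n)


def top_sources(events, n=10):
    """Source addresses that hit the firewall most often."""
    return Counter(e["src"] for e in events).most_common(n)


def suggest_rules(events, serving=frozenset(), min_hits=2):
    """DROP rules for ports hit at least min_hits times that you do not serve.

    `serving` holds (proto, port) pairs you intentionally expose; those are never
    blocked no matter how often they are probed.
    """
    rules = []
    for (proto, port), hits in top_targets(events, n=None):
        if hits < min_hits or (proto, port) in serving:
            continue
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return rules


def sanitize_for_submission(events, dst_mask="0.0.0.0"):
    """Tab-separated records with the protected host's address blanked before sharing.

    Assumed layout (timestamp, source, source port, target, target port, protocol);
    confirm the real format and editing policy with the collecting site first.
    """
    return [
        "\t".join([e["ts"], e["src"], str(e["spt"]), dst_mask, str(e["dpt"]), e["proto"]])
        for e in events
    ]


if __name__ == "__main__":
    evs = parse_iptables_log(SAMPLE_LOG)
    print("top targets:", top_targets(evs))
    print("top sources:", top_sources(evs))
    for rule in suggest_rules(evs, serving={("tcp", 22)}):
        print(rule)
    print("\n".join(sanitize_for_submission(evs)))
```

Run against the constructed log, tcp/22 is the most probed port but is in the served set, so the only rule produced is a DROP for tcp/1433; udp/137 is seen once and falls below the threshold. That threshold and the served-port exclusion are the two knobs that keep an automatically derived rule set from locking you out of your own box.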