Lately I’ve been focusing on Identity Management and have written a fair amount of articles on the subject. The ideas behind this originate from a conversation I had with somebody regarding VuurMuur, which is a neat open source firewall application to which I’ve contributed some code.
I’m running a MediaWiki server to document some of my sysadmin chores, and a long time ago I decided to open it up to the internet so other sysadmins with possibly the same problems could benefit from it. However, it wasn’t long before the first botnet found my defenseless MediaWiki and started spamming it with useless links. So after I joined the Vuurmuur project, I decided to block the offending IP addresses. That wasn’t all that bright, because botnets are typically fairly large, so new IP addresses kept showing up and I had to block more and more. Worse, a botnet’s IP addresses change all the time. The bots typically sit on the desktop computers of people who ran into some form of malware; when they turn off their computer in the evening and turn it back on in the morning, they get another IP address and are still part of the botnet. Blocking every spamming IP address is definitely not a good idea!
So after adding some 2700 unique IP addresses that kept trying to spam my wiki server, I gave up on the idea of blocking them all. There’s just no end to it. So what else can we do? Identity-based firewalling!