In the previous article, I explained botnets and the free sites that offer lists of infected sites. The relevant passage is repeated here for readability:
"There are a number of publicly available lists of known IP addresses that are currently compromised. Various sites offer these lists for free. These hosts are running crimeware with botnets. The attacker can use these machines to launch any attack on your applications hosted at your site. The file format is very simple, so you can also handcraft this list.
You can update the list to Access Manager Configuration through Administration Console. Access Manager blocks the addresses configured in the list. This capability is already available in the 4.1 release."
This solution provides a custom risk-based authentication rule that blocks all IP addresses listed at a URL hosted on another site or machine.
The previous solution depends on a text file downloaded to the same host as Identity Server. You can edit that file on the host directly to add or delete IP addresses.
This new solution lets you configure an HTTP URL whose contents use the same format. It periodically refreshes the set of IP addresses downloaded from that URL.
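A sketch of the refresh logic described above, as an added example that is not the code shipped in the jar. It assumes a list format of one IP address or CIDR range per line with '#' comments; parse_blocklist, http_fetch and RefreshingBlocklist are hypothetical names. A failed or empty download keeps the last good list instead of clearing the blocks.

```python
import ipaddress
import urllib.request

# Constructed sample; one entry per line with '#' comments is an assumed format.
SAMPLE_LIST = "# constructed\n203.0.113.7\n198.51.100.0/24\nnot-an-ip\n2001:db8::1\n"


def parse_blocklist(text):
    """Return (networks, rejected_lines); malformed lines are never matched on."""
    networks, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def http_fetch(url, timeout=10):
    """Download the list text from the configured URL (hypothetical helper)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


class RefreshingBlocklist:
    def __init__(self, fetch, min_entries=1):
        self._fetch = fetch              # callable returning the list text
        self._min_entries = min_entries  # refuse suspiciously short lists
        self._networks = frozenset()

    def refresh(self):
        """Swap in a freshly fetched list; keep the last good one on failure."""
        try:
            networks, _ = parse_blocklist(self._fetch())
        except Exception:                # any fetch failure leaves the old list active
            return False
        if len(networks) < self._min_entries:
            return False
        self._networks = frozenset(networks)  # single reference swap
        return True

    def is_blocked(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self._networks)
```

Call refresh() from a scheduler at the chosen interval, and log the rejected lines from parse_blocklist so a corrupted or replaced list is noticed.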
$ cp net-sk-nam-rules-4.1-0.1.jar /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib
$ /etc/init.d/novell-idp restart
Now, all users who try to log in to the NetIQ Access Manager system go through this new risk-based authentication class after regular authentication. If the client's IP address is in the blocked list, authentication is denied.
You can test and debug the result of risk-based authentication by enabling logging in Identity Server and watching the catalina.out output, as described in the section at https://www.netiq.com/documentation/access-manager-41/admin/data/b1dg0omz.html#b1f4rruj.
You can use the Risk Based Authentication Test Servlet to check the result of the rule evaluation by following the steps at https://www.netiq.com/documentation/access-manager-41/admin/data/b1dg0omz.html#b1f4fiip.