On Sat, 30 Apr 2005, Jack wrote:
--- "D. Hageman" wrote:
On Sat, 30 Apr 2005, Jack wrote:
Taking the box offline would take down my mail server.

I use this yahoo account for kclug, but I get all my regular mail through accounts on my mail server.

I didn't say the box has been compromised, I just want advice on blocking these attacks as much as possible. But I don't want to bring my box to a crawl to do it.
You should consider getting a secondary MX server. There will be times where you just can't avoid having the box be inaccessible. If you had a secondary MX this would be a non-issue.
I would like to add a secondary MX box. It's on my wish list. However, I don't see how that would make it a non-issue. If I take one box down, then the second one would become the attack target. I'm looking for a solution to reduce the attacks. The box is a "busy box", that is, running several services. It runs the firewall, webserver, mail server and of course is also hosting ssh access. The primary attack is focused on the sshd. The system is running stable with one or two services apt-pinned to testing and has the latest patches. I've analysed the system remotely a little and didn't see any indications of the system actually getting cracked. I'm primarily looking for techniques and suggestions on ways to further lock out these crackers, without bogging down the box. Also on the remote checking of the system, what are some favorite tools for this?
I think your analysis of them changing their attack to a secondary would be incorrect. You stated that the primary attack was against SSHD. It sounds to me like they did a basic port scan on the box and started attacking the various pieces of software for which they had exploits/attacks. At this point if you dropped the box, making it look like the box crashed, then they would probably give up and move on. This is assuming that you didn't do something to tick off someone or that you don't have something that someone really really wants. At any rate, the mail would spool up on your secondary (preferably on some other network) and become available again once your primary was back up.
In truth, there is only so much you can do against a large number of attacks - hence the whole slashdot effect. ;-) The main thing you can do is reduce the number of services on each box and add more machines with the services to spread out the number of targets. Firewall as many services as you can to specific networks that you know you will use. Obviously, some services have to be more open (mail), but those usually have rate limiters to help against DoS attacks. If they are probe attacks, well ... what can you do? If your services are spread out then doing things like dropping routes to networks and auto-setting up firewall rules isn't so hard on the individual machines.
You could also run a script periodically that would look for attacks and auto-magically mail the owner of the IP address block with an abuse complaint. Make sure you send the log information to them as well.
Good Luck!
//========================================================\ || D. Hageman [email protected] || \========================================================//
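The periodic log-scanning script suggested above, written out as an added example that is not part of the original thread or either poster's setup: it parses sshd "Failed password" lines from a Debian-style auth.log (the sample lines below are constructed), skips a trusted network so a mistyped password from your own desk can never lock you out, emits one iptables DROP rule per offending source restricted to the ssh port so mail keeps flowing, and drafts the abuse complaint with the log excerpt attached in the body. The host names, IP addresses and abuse contacts are assumptions; in practice the contact would come from a whois lookup of the source address block, and the drafted message would be handed to sendmail rather than printed.

```python
"""Summarise sshd brute-force attempts, emit firewall rules, draft abuse reports.

Added example for this thread (not the original poster's script).  All hosts,
addresses and contacts below are made up; abuse contacts normally come from a
whois lookup of the offending address block.
"""
import ipaddress
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample of /var/log/auth.log lines (sarge-era OpenSSH wording).
SAMPLE_AUTH_LOG = """\
Apr 30 02:11:07 mailhost sshd[4122]: Failed password for illegal user admin from 192.0.2.10 port 4431 ssh2
Apr 30 02:11:09 mailhost sshd[4124]: Failed password for illegal user test from 192.0.2.10 port 4432 ssh2
Apr 30 02:11:12 mailhost sshd[4126]: Failed password for root from 192.0.2.10 port 4433 ssh2
Apr 30 02:11:15 mailhost sshd[4128]: Failed password for illegal user guest from 192.0.2.10 port 4434 ssh2
Apr 30 02:11:20 mailhost sshd[4130]: Failed password for illegal user oracle from 192.0.2.10 port 4435 ssh2
Apr 30 02:15:41 mailhost sshd[4201]: Failed password for jack from 198.51.100.7 port 51022 ssh2
Apr 30 02:15:50 mailhost sshd[4203]: Accepted password for jack from 198.51.100.7 port 51022 ssh2
Apr 30 02:20:03 mailhost sshd[4260]: Failed password for illegal user admin from 203.0.113.44 port 3321 ssh2
Apr 30 02:20:05 mailhost sshd[4262]: Failed password for illegal user admin from 203.0.113.44 port 3322 ssh2
Apr 30 02:20:08 mailhost sshd[4264]: Failed password for root from 203.0.113.44 port 3323 ssh2
"""

# Matches both the older "illegal user" and the newer "invalid user" wording.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return {source_ip: [matching log line, ...]} for every failed sshd login."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(line)
    return dict(failures)


def select_offenders(failures, threshold, trusted_nets):
    """Keep sources with at least `threshold` failures, excluding trusted networks.

    The exclusion is what stops a fat-fingered password from the admin's own
    network turning into a self-inflicted lockout.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    offenders = {}
    for ip, lines in failures.items():
        if len(lines) < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in trusted):
            continue
        offenders[ip] = lines
    return offenders


def iptables_rules(offenders, ssh_port=22):
    """One DROP rule per offender, limited to the sshd port so SMTP is unaffected."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport {ssh_port} -j DROP"
        for ip in sorted(offenders)
    ]


def abuse_report(ip, lines, abuse_contact, sender, host):
    """Draft the abuse complaint, log excerpt included, as an email.message object."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = abuse_contact
    msg["Subject"] = f"ssh brute-force attempts from {ip} against {host}"
    msg.set_content(
        f"The host {ip} in your address space made {len(lines)} failed ssh "
        f"login attempts against {host}.\n"
        "Log excerpt (times are local server time):\n\n" + "\n".join(lines) + "\n"
    )
    return msg


if __name__ == "__main__":
    # Assumed values: the admin's own network and a hand-made contact table.
    TRUSTED = ["198.51.100.0/24"]
    CONTACTS = {"192.0.2.10": "abuse@example.net", "203.0.113.44": "abuse@example.com"}
    offenders = select_offenders(parse_failures(SAMPLE_AUTH_LOG), 3, TRUSTED)
    for rule in iptables_rules(offenders):
        print(rule)
    for ip, lines in offenders.items():
        print(abuse_report(ip, lines, CONTACTS[ip], "postmaster@example.org",
                           "mailhost.example.org"))
```

Run it from cron against the real auth.log and feed the printed rules to the shell only after you have checked them once by hand; rules inserted with -I go in front of any existing accept rule, so the trusted-network exclusion is the only thing between you and locking out your own ssh session.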