[lug] keeping up with attacks

Michael J. Hammel mjhammel at graphics-muse.org
Sun May 5 12:10:06 MDT 2019


Interesting discussion.  To summarize:  there don't appear to be any
sites that track the email attacks I'm seeing - no one mentioned any
and I can't google any.  The attacks seem to fall under the DoS or DDoS
category.  My email server is really the only place to prevent these
types of attacks from getting very far since the userid that identifies
the attack isn't really seen by any of the network stack before the
email server.

There are concerns over iptables affecting performance of the server,
but I really only use ipsets (despite what I said originally).  And I
ban the heck out of IPs.  Three strikes and you're out, permanently, and that
usually happens all at once which is how I make you a candidate for
banning.  Doesn't bother me cuz I'm not running a commercial venture on
my servers and anyone getting banned was probably bot'd anyway.  I find
it funny that anyone tries to get into my servers because the really
good info is already public.  So all that's left is trying to use my
machines as another attack bot.

There is a difference of opinion about ssh and vpn, but that's not one
of my questions so I'll let others discuss that further.  

I still don't have a good way to determine if "probing" my web servers
is bad or not.  Logwatch, at least, thinks it's worth noting.  I don't
know what to do with that information yet.  I need to find what
logwatch uses to identify a probe and then determine if I need a
fail2ban rule for it.

On Sat, 2019-05-04 at 08:56 -0600, Michael J. Hammel wrote:
> I have a colo that I keep watch with logwatch (tummy.com also watches
> it for me, doing security updates).  I have ipsets and iptables in play
> to keep out most of the baddies.  And I run fail2ban.  So for the most
> part it's protected.  At least as much as I know.
> 
> One thing that's been happening lately is a lot of attempts to access
> the mail server.  It's a botnet, coming with single attempts from many
> addresses using the same set of usernames:  hopa, oiqkgntuw, pqqgvdx,
> etc.  These are not all from a single country.  I already ban Russia,
> China and a couple of others.  So the only way I know to stop these -
> what appear to be DoS - attacks is by username in the mail server.
> 
> The good news is these don't really seem to be affecting anything.
> Service is not degraded as far as I can tell.
> 
> What I want to know is if there is a site that tracks these kinds of
> events and offers mitigation ideas.  Surely others have seen this stuff
> and someone may have ideas on how to make their use less desirable to
> the other end.
> 
> Also:  Is there a way to prevent probing of my web sites?  Logwatch
> reports sites that probe my servers but I can't tell what I can do to
> reject such probes.  Logwatch also reports lots of 404's, 403's and
> 400's.  I'm wondering if there is anything I can do about those if I
> notice a pattern (same URL, same sub-URL, etc.).  Maybe add them to the
> fail2ban configs?
> 
-- 
Michael J. Hammel
mjhammel at graphics-muse.org
michaelhammel at acm.org
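An added example, not part of the thread: the post's two ban rules side by side, the per-IP "three strikes" rule and the username rule that catches a botnet making one attempt per address. The log format is an assumed Dovecot-style layout, the addresses are constructed documentation-range values, and the ipset name "mailban" is hypothetical.

```python
# Added example (not from the post): ban candidates from mail auth failures,
# combining the per-IP three-strikes rule with a bogus-username rule.
import re
from collections import Counter

# Constructed sample lines in an assumed Dovecot-style format; RFC 5737 addresses.
SAMPLE_LOG = """\
May  5 11:58:01 colo dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<hopa>, rip=192.0.2.10
May  5 11:58:02 colo dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<oiqkgntuw>, rip=192.0.2.11
May  5 11:58:03 colo dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<pqqgvdx>, rip=192.0.2.12
May  5 11:58:04 colo dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<admin>, rip=203.0.113.5
May  5 11:58:04 colo dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<test>, rip=203.0.113.5
May  5 11:58:05 colo dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<info>, rip=203.0.113.5
May  5 11:59:00 colo dovecot: imap-login: Login: user=<mjhammel>, rip=198.51.100.7
"""

# Usernames the post reports the botnet cycling through; none exists locally.
BOGUS_USERS = {"hopa", "oiqkgntuw", "pqqgvdx"}

AUTH_FAIL = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9.]+)")

def parse_failures(log):
    """Return (ip, user) pairs, one per failed-login line; successful logins are skipped."""
    return [(m["ip"], m["user"]) for m in map(AUTH_FAIL.search, log.splitlines()) if m]

def three_strikes(failures, strikes=3):
    """Per-IP rule from the post: an address with `strikes` failures is banned."""
    counts = Counter(ip for ip, _ in failures)
    return sorted(ip for ip, n in counts.items() if n >= strikes)

def bogus_user_hits(failures, bogus=BOGUS_USERS):
    """Username rule: a single try at an account that never existed is enough.
    This is what catches the one-attempt-per-address botnet the IP rule misses."""
    return sorted({ip for ip, user in failures if user in bogus})

def ipset_commands(ips, setname="mailban"):
    """Emit (do not run) ipset commands for a permanent ban set (hypothetical set name)."""
    return [f"ipset -exist add {setname} {ip}" for ip in ips]

def ban_plan(log=SAMPLE_LOG):
    """Union of both rules, rendered as ipset commands."""
    fails = parse_failures(log)
    ips = sorted(set(three_strikes(fails)) | set(bogus_user_hits(fails)))
    return ipset_commands(ips)

if __name__ == "__main__":
    print("\n".join(ban_plan()))
```

On the sample, the IP rule alone bans only 203.0.113.5; the username rule adds the three single-attempt addresses.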
