[lug] keeping up with attacks

Rob Nagler nagler at bivio.biz
Sun May 5 14:20:07 MDT 2019


On Sun, May 5, 2019 at 12:10 PM Michael J. Hammel  wrote:

> Interesting discussion.  To summarize:  there don't appear to be any
> sites that track the email attacks I'm seeing - no one mentioned any
> and I can't google any.
>

There are blacklist sites: https://en.wikipedia.org/wiki/DNSBL  Some are
free, some you have to pay for.

There are sites that offer "milter" services:
https://en.wikipedia.org/wiki/Milter  Again, some free, some not.

There are many simple ways to stop some bots. For example, adding a sleep
of a few seconds <https://wiki.apache.org/spamassassin/OtherTricks#line-1-3>
before transmitting EHLO reduced our spam count by about 80%. Greylisting
is useful, but it annoys users so we don't run it on all domains. In your
case, it might be a useful tool. If you really don't care about being too
restrictive, you can enforce TLS, and a few other things. We can't, because
many (most?) sites don't support SMTPS. The big ones do. Again, depends on
how much mail you are receiving, and your relationship to your users.

> There are concerns over iptables affecting performance of the server,
> but I really only use ipsets (despite what I said originally).


I have never noticed a load on my servers due to iptables. If you have long
lists of IPs, I could imagine that would be a problem. That's why we block
IPs (greylist, for example) at the application level, since iptables runs
on every packet.

> I find
> it funny that anyone tries to get into my servers because the really
> good info is already public.
>

It's a fact of life when you have a public IP address. All our services are
under constant attack.


> I still don't have a good way to determine if "probing" my web servers
> is bad or not.


Depends on what services you are running. If you are running PHP and/or
WordPress, you should be concerned. I run our WordPress in a Docker
container, because I don't trust WP. If you are running static content from
Apache or Nginx, you are probably fine with stock installs on modern
distros. If you are running Tomcat, I would containerize it. As far as
logwatch is concerned, it's "barndoorish" to expect anything that gets into
a distro's logwatch to be of any use in stopping an attack. It might be
useful for forensics, but again, it depends on what you are running.

Rob
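The "sleep before the banner" trick Rob mentions works because bots blast EHLO as soon as the TCP connection opens, while a real MTA waits for the 220 greeting. Below is an added example (not code from the original message or from the SpamAssassin wiki) of a minimal SMTP greeter that implements that check: it waits `pause` seconds before sending the banner and rejects any peer that talks first. The hostnames, the socketpair harness and the two simulated clients are constructed for this illustration.

```python
import socket
import threading

# Constructed values for the example; mx.example.invalid is not a real host.
BANNER = b"220 mx.example.invalid ESMTP\r\n"
EHLO_REPLY = b"250 mx.example.invalid\r\n"
PREGREET_REJECT = b"554 5.5.1 protocol error: you spoke before the banner\r\n"


def greet_pause_session(conn, pause):
    """Run the opening of an SMTP session with a 'greet pause'.

    The server stays silent for `pause` seconds before sending its 220 banner.
    A conforming client (RFC 5321) must wait for that banner, so any bytes
    that arrive during the pause are a "pregreet" and a strong bot signal.
    Returns a dict with a verdict of "pregreet", "hangup" or "ok".
    """
    conn.settimeout(pause)
    try:
        early = conn.recv(1024)            # anything here arrived before our banner
    except socket.timeout:
        early = None                       # silence during the pause: good sign
    conn.settimeout(5)                     # assumed limit for the rest of the exchange
    if early == b"":                       # peer closed during the pause
        return {"verdict": "hangup", "early": b"", "helo": None}
    if early:                              # bot talked first: reject and stop
        conn.sendall(PREGREET_REJECT)
        return {"verdict": "pregreet", "early": early, "helo": None}
    conn.sendall(BANNER)                   # polite peer: greet it normally
    helo = conn.recv(1024)                 # a well-behaved client sends EHLO now
    conn.sendall(EHLO_REPLY)
    return {"verdict": "ok", "early": b"", "helo": helo}


def run_client(behaviour, pause=0.3):
    """Drive greet_pause_session over a socketpair with a simulated client."""
    srv, cli = socket.socketpair()
    outcome = {}
    server = threading.Thread(
        target=lambda: outcome.update(greet_pause_session(srv, pause)))
    server.start()
    try:
        behaviour(cli, pause)
    finally:
        server.join()
        cli.close()
        srv.close()
    return outcome


def spambot(cli, pause):
    """Typical bulk mailer: sends EHLO without waiting for the banner."""
    cli.sendall(b"EHLO spambot\r\n")
    cli.settimeout(pause * 10)
    cli.recv(1024)                         # read the 554 so the server side finishes cleanly


def polite_mta(cli, pause):
    """RFC 5321 behaviour: read the banner first, then send EHLO."""
    cli.settimeout(pause * 10)
    banner = cli.recv(1024)
    if not banner.startswith(b"220"):
        raise RuntimeError("expected a 220 banner, got %r" % banner)
    cli.sendall(b"EHLO mail.example.invalid\r\n")
    cli.recv(1024)                         # the 250 reply


if __name__ == "__main__":
    print("spambot   ->", run_client(spambot)["verdict"])
    print("polite MTA->", run_client(polite_mta)["verdict"])
```

The pause costs a legitimate sender only a few seconds once per connection, which is why it is far less intrusive than greylisting (which forces a retry). A production MTA does the same thing natively; Postfix's postscreen, for instance, implements this check with `postscreen_greet_wait` and `postscreen_greet_action`, so in practice you would enable that rather than run a hand-rolled greeter.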