Re: EMERGENCY - need to secure my server against an ongoing SPAMMER

From: Jeff Kinz (jkinz_at_kinz.org)
Date: 03/14/05

    Date: Mon, 14 Mar 2005 11:03:06 -0500
    To: For users of Fedora Core releases <fedora-list@redhat.com>
    
    

    On Mon, Mar 14, 2005 at 11:31:41AM +0000, Paul Howarth wrote:
    > Bob Brennan wrote:
    > > Those are my own tests to see if I have closed the open relay, the
    > > results of which I posted earlier in this thread. I'm closed up now,
    > > unfortunately to my remote legitimate users as well. The next reply
    > > from Jeff Kinz will help me shut down the boxes that have targeted me
    > > and reduce the load on my box.
    >
    > This will help if they keep coming from the same IP addresses but if
    > they're picking zombied hosts at random to attack you from then you're
    > just playing whack-a-mole.

    Hi Bob,
    Paul's comments about playing whack-a-mole are quite correct for any
    computer with a broadband connection. For example, kinz.org is attacked
    by zombie bots several thousand times daily on many different ports
    (other than 25 (SMTP)). They are all dropped; see below.

    Since you ARE being attacked (because they had success in the past) from
    a spammer with bots coming from a specific IP range, denying access for
    that IP range will prevent that spammer from wasting your system's
    resources, but by blocking that entire range you can create "collateral
    damage" so you should remove those blocks as soon as the spammer stops
    trying. By then you will have solved your mail-auth problem and the
    spammer's attempts to use you as a relay will fail.

    As for the standard "whack-a-mole" nature of the attacks coming from
    the Internet, there are many ways to handle that, one is to write a
    "whack-a-mole" script which monitors log files for repeat attacks from
    the same IPs and adds those IPs to your IPTables setup.

    This approach eventually makes your firewall machine so busy it has
    no resources left over for much else. That's OK if your firewall is a
    stand-alone machine dedicated to being just a firewall. However -

    For most home users the firewall machine is also a personal workstation.
    In that situation running an automated "Whack-a-mole" script eventually
    slows your machine down so much it will become useless as a workstation.
    (Like a Windows machine with adware and spyware on it).

    A better approach is to use IPTables to deny ALL inbound attempts to
    create new connections except those you know you want.

    So to keep all outgoing connections you establish:
    # IN the filter table (the default) Append a rule to the INPUT chain
    # that says ACCEPT incoming packets which are part of an already
    # established connection

     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    And to drop any inbound attempt to connect:
    # IN the filter table (the default) Append a rule to the INPUT chain
    # that says DROP incoming packets which are trying to establish
    # a NEW connection.

     iptables -A INPUT -m state --state NEW -i eth0 -j DROP

    (Notice the "-i eth0" which assumes that your workstation has its
    Internet connection on the first ethernet card found by the kernel.
    Unless you know the system in question personally this is a fragile
    assumption. Change this to conform to your own machine. Ask questions
    if you need to. We are here for you.)

    But this will drop your inbound mail users who are trying to get their
    mail so, you can open port 25 (or whatever port they are coming into to
    get their mail):

     # INSERT (-I) rather than APPEND (-A): this ACCEPT has to sit above the
     # "--state NEW ... -j DROP" rule added earlier, or that rule drops the
     # mail connections before this one is ever consulted.
     iptables -I INPUT -i eth0 -p TCP --dport 25 -j ACCEPT
       (replace "25" with the port used for mail, 110 for pop etc..)

    As long as you have the IP block for that relaying spammer still blocked
    they should not be able to connect to port 25 even with this rule in the
    chain.
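    The ruleset described above, written out as a small script in the order the rules must be loaded (this is an added example, not Jeff's or the list's own code). WAN_IF, SPAMMER_NET (a constructed TEST-NET placeholder) and MAIL_PORTS are assumptions to set for your own machine; without the "apply" argument it only prints the commands so you can review the ordering first.

```shell
#!/bin/sh
# Added example: default-deny INPUT policy, accept-what-you-want first,
# catch-all DROP for NEW connections last.
WAN_IF="${WAN_IF:-eth0}"                     # assumption: Internet-facing NIC
SPAMMER_NET="${SPAMMER_NET:-192.0.2.0/24}"  # constructed placeholder range
MAIL_PORTS="${MAIL_PORTS:-25 110}"           # 25 = SMTP, 110 = POP3

# Print the iptables commands in the order they must be appended.
gen_rules() {
    # 1. packets belonging to connections already established (our own
    #    outbound traffic's replies, plus RELATED helpers like FTP data)
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. temporary block for the abusive range; remove once attempts stop
    echo "iptables -A INPUT -i $WAN_IF -s $SPAMMER_NET -j DROP"
    # 3. the services remote users need; these MUST precede the catch-all
    for p in $MAIL_PORTS; do
        echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 4. everything else that tries to open a NEW connection from outside
    echo "iptables -A INPUT -m state --state NEW -i $WAN_IF -j DROP"
}

# Sanity check: the catch-all DROP has to be the last rule, otherwise
# any ACCEPT appended after it is never reached.
drop_is_last() {
    gen_rules | tail -n 1 | grep -q -- "--state NEW -i $WAN_IF -j DROP"
}

# "apply" executes the rules (needs root); otherwise they are only printed.
if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```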

    As a final thought, messing directly with your iptables setup is fun but
    can become a distracting and wasteful time burner. If you are, or can
    get comfortable with any of the GUI based firewall setup tools on Fedora
    I urge you to use them. They are not as flexible as direct manipulation
    but they are less error prone and, unlike the advice I give above, they
    are not based on someone else's iptables assumptions, which when unknown,
    (as in this case), will eventually bite you.

    If you want to use iptables directly please study some of the many good
    tutorials available for using iptables and especially, copy and use
    the good scripts that take a generalized approach to setting up a good
    firewall.

    http://yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
    http://www.linux.ie/articles/tutorials/firewall/

    -- 
    Jargon file, abridged: The September that never ended. On the Internet,
    every September's freshmen influx got their first accounts and, not
    knowing how to post/email, always made a nuisance of themselves. Usually
    they were trained in a few months. But in September 1993, AOL users
    became able to post, overwhelming the capacity to acculturate them; to
    those who recall the period before, this triggered a decline in the
    quality of online communications. Syn. eternal September.
    http://kinz.org
    http://www.fedoranews.org
    Jeff Kinz, Emergent Research, Hudson, MA.
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    
