Need help!

D. Hageman dhageman at dracken.com
Sun May 1 10:39:15 CDT 2005


On Sat, 30 Apr 2005, Jack wrote:

> --- "D. Hageman" wrote:
>> On Sat, 30 Apr 2005, Jack wrote:
>>>
>>> Taking the box offline would take down my mail server.
>>> I use this yahoo account for kclug, but I get all my
>>> regular mail through accounts on my mail server. I
>>> didn't say the box has been compromised, I just want
>>> advice on blocking these attacks as much as possible.
>>> But I don't want to bring my box to a crawl to do it.
>>>
>>
>> You should consider getting a secondary MX server.
>> There will be times where you just can't avoid having
>> the box be inaccessible.  If you had a secondary MX
>> this would be a non-issue.
>>
> I would like to add a secondary MX box. It's on my
> wish list. However, I don't see how that would make it
> a non-issue. If I take one box down, then the second
> one would become the attack target. I'm looking for
> solution to reduce the attacks. The box is a "busy
> box", that is running several services. It runs the
> firewall, webserver, mail server and of course is also
> hosting ssh access. The primary attack is focused on
> the sshd. The system is running stable with one or two
> services apt-pinned to testing and has the latest
> patches. I've analysed the system remotely a little
> and didn't see any indications of the system actually
> getting cracked. I'm primarily looking for techniques
> and suggestions on ways to further lock out these
> crackers, without bogging down the box. Also on the
> remote checking of the system, what are some favorite
> tools for this?


I think your analysis of them changing their attack to a secondary would 
be incorrect.  You stated that the primary attack was against SSHD.  It 
sounds to me they did a basic port scan on the box and started attacking the 
various pieces of software for which they had exploits/attacks.  At this 
point if you dropped the box making it look like the box crashed, then 
they would probably give up and move on.  This is assuming that you didn't 
do something to tick off someone or that you don't have something that 
someone really really wants.  At any rate, the mail would spool up on your 
secondary (preferably on some other network) and become available again 
once your primary was back up.

In truth, there is only so much you can do against a large number of 
attacks - hence the whole slashdot effect. ;-)  The main thing you can do 
is reduce the number of services on each box and add more machines with 
the services to spread out the number of targets.   Firewall as many 
services as you can to specific networks that you know you will use. 
Obviously, some services have to be more open (mail), but those usually 
have rate limiters to help against DoS attacks.  If they are probe 
attacks, well ... what can you do?  If your services are spread out then 
doing things like dropping routes to networks and auto setting up 
firewall rules isn't so hard on the individual machines.

You could also run a script periodically that would look for attacks and 
auto-magically mail the owner of the IP address block with an abuse 
complaint.  Make sure you send the log information to them as well.

Good Luck!

//========================================================\\
||  D. Hageman                    <dhageman at dracken.com>  ||
\\========================================================//
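The periodic log-scanning script suggested above (flag repeated sshd login failures by source address, draft an abuse complaint that carries the matching log lines, and emit a firewall rule for the offending address) sketched in Python. This is an added example, not code from the original post or from the KCLUG list; the auth.log excerpt is constructed sample data, the reporter address is a placeholder, and the abuse-contact lookup (normally a whois query on the address block) is left as a labelled placeholder rather than performed.

```python
"""Scan sshd auth-log lines for repeated failed logins, group them by source
address, draft an abuse complaint with the evidence attached, and produce a
matching firewall rule.  Added example, not from the original post."""

import re
from collections import defaultdict

# Debian syslog format for sshd failed logins, e.g.
# "May  1 03:12:07 host sshd[1234]: Failed password for invalid user test from 10.0.0.5 port 40123 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample auth.log excerpt (not real traffic): one dictionary run
# from 10.0.0.5 and a single typo by a legitimate user from 192.168.1.20.
SAMPLE_LOG = """\
May  1 03:12:07 mailhost sshd[4120]: Failed password for invalid user test from 10.0.0.5 port 40123 ssh2
May  1 03:12:09 mailhost sshd[4122]: Failed password for invalid user admin from 10.0.0.5 port 40124 ssh2
May  1 03:12:11 mailhost sshd[4124]: Failed password for root from 10.0.0.5 port 40125 ssh2
May  1 03:12:14 mailhost sshd[4126]: Failed password for invalid user guest from 10.0.0.5 port 40126 ssh2
May  1 03:12:16 mailhost sshd[4128]: Failed password for invalid user oracle from 10.0.0.5 port 40127 ssh2
May  1 03:30:02 mailhost sshd[4201]: Accepted publickey for jack from 192.168.1.20 port 51000 ssh2
May  1 03:45:41 mailhost sshd[4250]: Failed password for jack from 192.168.1.20 port 51002 ssh2
May  1 03:46:00 mailhost sshd[4252]: Accepted password for jack from 192.168.1.20 port 51003 ssh2
"""


def parse_failures(log_text):
    """Return {ip: [(timestamp, user, raw_line), ...]} for every failed login."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("ip")].append((m.group("ts"), m.group("user"), line))
    return failures


def find_attackers(failures, threshold=5):
    """Addresses with at least `threshold` failures.  A single mistyped
    password stays below the threshold; a dictionary run does not."""
    return sorted(ip for ip, hits in failures.items() if len(hits) >= threshold)


def firewall_rule(ip):
    """iptables command dropping further SSH connections from `ip`.
    Returned as a string for review or logging; nothing is executed here."""
    return f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP"


def draft_abuse_report(ip, hits, reporter="postmaster@example.com"):
    """Plain-text complaint with the evidence lines attached.  The To: address
    is a placeholder; the real contact comes from a whois lookup on the block."""
    users = sorted({user for _, user, _ in hits})
    header = [
        f"From: {reporter}",
        "To: ABUSE_CONTACT_FOR_ADDRESS_BLOCK_PLACEHOLDER",
        f"Subject: SSH brute-force attempts from {ip}",
        "",
        f"Between {hits[0][0]} and {hits[-1][0]} the host {ip} made "
        f"{len(hits)} failed SSH login attempts against usernames "
        f"{', '.join(users)}. Relevant sshd log lines follow.",
        "",
    ]
    return "\n".join(header + [raw for _, _, raw in hits]) + "\n"


def run(log_text=SAMPLE_LOG, threshold=5):
    """Return {ip: (report_text, firewall_rule)} for each address over the threshold."""
    failures = parse_failures(log_text)
    return {ip: (draft_abuse_report(ip, failures[ip]), firewall_rule(ip))
            for ip in find_attackers(failures, threshold)}


if __name__ == "__main__":
    for ip, (report, rule) in run().items():
        print(report)
        print("# suggested rule:", rule)
```

Run from cron with the real auth.log piped in; the threshold keeps a user's occasional typo from triggering a complaint, and since the script only drafts the message and the rule, the operator decides what actually gets sent or applied.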

