deflecting attacks


deflecting attacks

AMP Admin

Does anyone use iptables or something to defend against attacks?  Like if x amount of requests per x amount of time send away.  If so I would love some examples.  Thanks!

RE: deflecting attacks

Dudi Goldenberg

> Does anyone use iptables or something to defend against attacks?  Like if x
> amount of requests per x amount of time send away.  If so I would love some
> examples.  Thanks!

Have a look at fail2ban, http://www.fail2ban.org/wiki/index.php/Main_Page

Regards,

D.


Re: deflecting attacks

Martijn de Munnik-2
In reply to this post by AMP Admin

On Aug 22, 2009, at 7:53 PM, AMP Admin wrote:

Does anyone use iptables or something to defend against attacks?  Like if x amount of requests per x amount of time send away.  If so I would love some examples.  Thanks!

Hi,

I use fail2ban with ipf on Solaris 10. When a host produces too many 5xx errors or sends too much spam it is banned in the firewall.

failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
ban time 1h

failregex = Passed SPAM, \[<HOST>\]
ban time 10m

When a host is banned multiple short times it gets banned for 1 day. It should be easy to get this working with iptables.

--
Martijn

RE: deflecting attacks

AMP Admin
In reply to this post by AMP Admin

> Does anyone use iptables or something to defend against attacks?  Like if x amount of requests per x amount of time send away.  If so I would love some examples.  Thanks!

Thanks for the tips guys.  How does that do with search engine bots?  It doesn’t block them, right?


Re: deflecting attacks

Glenn English
In reply to this post by AMP Admin

On Aug 22, 2009, at 11:53 AM, AMP Admin wrote:

> Does anyone use iptables or something to defend against attacks?  
> Like if x amount of requests per x amount of time send away.  If so  
> I would love some examples.  Thanks!


There's also a cool feature in iptables called "recent". It allows you  
to specify the number of hits on a rule, in a specified length of  
time, from a single IP. If that's exceeded, it drops everything from  
that IP until they stop.

http://www.snowman.net/projects/ipt_recent/

--
Glenn English
[hidden email]




Re: deflecting attacks

Martijn de Munnik-2
In reply to this post by AMP Admin

On Aug 22, 2009, at 8:16 PM, AMP Admin wrote:

> > Does anyone use iptables or something to defend against attacks?  Like if x amount of requests per x amount of time send away.  If so I would love some examples.  Thanks!
>
> Thanks for the tips guys.  How does that do with search engine bots?  It doesn’t block them, right?

Not sure what you mean? I only block port 25 (smtp).


Re: deflecting attacks

Roderick A. Anderson-4
In reply to this post by AMP Admin
AMP Admin wrote:
> Does anyone use iptables or something to defend against attacks?  Like
> if x amount of requests per x amount of time send away.  If so I would
> love some examples.  Thanks!

Probably based on Glenn English's work (in another email) I found this
during a brute force search with Google.  It blocks the ssh
script-kiddies really well.

You may be able to modify for your purposes.

I have used denyhosts and fail2ban but found this did the most good with
the least effort.  I'm thinking of modifying it to use TARPIT instead of
DROP to make the script-kiddies pay more for even trying.


-N SSH_WHITELIST

# Pretend this is my workstation's IP.  You can add similar lines for
# more IPs
-A SSH_WHITELIST -s 10.10.3.21 -m recent --remove --name SSH -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP


Re: deflecting attacks

Jorey Bump
In reply to this post by Martijn de Munnik-2
Martijn de Munnik wrote, at 08/22/2009 02:06 PM:

> I use fail2ban with ipf on Solaris 10. When a host produces to many 5xx
> errors or sends to much spam it is banned in the firewall.
>
> failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
> ban time 1h
>
> failregex = Passed SPAM, \[<HOST>\]
> ban time 10m
>
> When a host is banned multiple short times it gets banned for 1 day. It
> should be easy to get this working with iptables.

While fail2ban is an excellent tool (as is the recent module in
iptables), don't go overboard. For example, keep in mind that SMTP is a
very different animal than SSH or HTTP when determining sane amounts of
time to block a host. It's relatively safe to block repeat offenders
from SSH/HTTP because they usually represent connections from individual
clients (although you might catch a proxy or network behind a NAT). But
legitimate SMTP connections tend to come from a shared resource, such as
an MTA representing thousands of clients. Don't set yourself up for a
DoS by allowing someone to easily block Gmail, AOL, etc. at your site
simply by sending a few spam messages.


Re: deflecting attacks

Terry Carmen
In reply to this post by Roderick A. Anderson-4

> AMP Admin wrote:
>> Does anyone use iptables or something to defend against attacks?  Like
>> if x amount of requests per x amount of time send away.  If so I would
>> love some examples.  Thanks!
>
> Probably based on Glenn English's work (in another email) I found this
> during a brute force search with Google.  It blocks the ssh
> script-kiddies really well.
>
> You may be able to modify for your purposes.
>
> I have used denyhosts and fail2ban but found this did the most good with
> the least effort.  I'm thinking of modifying it to use TARPIT instead of
> DROP to make the script-kiddies pay more for even trying.
>

I've had excellent results with fail2ban, although I only use it for clearly
unwanted actions like relay attempts, extended dictionary attacks, or
bounce-back spam attempts.

OTOH, I'd never use it for generally "spammy" looking mail, since some
legitimate emails get huge spam scores until the system "learns" them.

Terry



Re: deflecting attacks

Roderick A. Anderson-4
In reply to this post by Jorey Bump
Jorey Bump wrote:

> Martijn de Munnik wrote, at 08/22/2009 02:06 PM:
>
>> I use fail2ban with ipf on Solaris 10. When a host produces to many 5xx
>> errors or sends to much spam it is banned in the firewall.
>>
>> failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
>> ban time 1h
>>
>> failregex = Passed SPAM, \[<HOST>\]
>> ban time 10m
>>
>> When a host is banned multiple short times it gets banned for 1 day. It
>> should be easy to get this working with iptables.
>
> While fail2ban is an excellent tool (as is the recent module in
> iptables), don't go overboard. For example, keep in mind that SMTP is a
> very different animal than SSH or HTTP when determining sane amounts of
> time to block a host. It's relatively safe to block repeat offenders
> from SSH/HTTP because they usually represent connections from individual
> clients (although you might catch a proxy or network behind a NAT). But
> legitimate SMTP connections tend to come from a shared resource, such as
> an MTA representing thousands of clients. Don't set yourself up for a
> DoS by allowing someone to easily block Gmail, AOL, etc. at your site
> simply by sending a few spam messages.

Good point.  I didn't think of it in this context.


Rod
--

Re: deflecting attacks

Luigi Rosa-2
Roderick A. Anderson said the following on 23/08/2009 1.04:

>>> I use fail2ban with ipf on Solaris 10. When a host produces to many 5xx
>>> errors or sends to much spam it is banned in the firewall.
>>>
>>> failregex = reject: RCPT from (.*)\[<HOST>\]: 5\d\d
>>> ban time 1h
>>>
>>> failregex = Passed SPAM, \[<HOST>\]
>>> ban time 10m
>>
>> While fail2ban is an excellent tool (as is the recent module in
>> iptables), don't go overboard. For example, keep in mind that SMTP is a
>> very different animal than SSH or HTTP when determining sane amounts of
>> time to block a host. It's relatively safe to block repeat offenders
>> from SSH/HTTP because they usually represent connections from individual
>> clients (although you might catch a proxy or network behind a NAT). But
>> legitimate SMTP connections tend to come from a shared resource, such as
>> an MTA representing thousands of clients. Don't set yourself up for a
>> DoS by allowing someone to easily block Gmail, AOL, etc. at your site
>> simply by sending a few spam messages.
>
> Good point.  I didn't think of it in this context.

In my personal experience it is not like that. DoS and spam floods never come from
gmail, AOL, Yahoo! and sites like that.

The point is to write a good filter, not to filter connections.

I have recently been under SPAM and SMTP DoS attack on one of my servers.
Fail2Ban and some Postfix settings were successful in deflecting such attacks.

Here are the rules I implemented to block attacks and spammers:

failregex = reject: RCPT from (.*)\[<HOST>\]: 450

This rule (checked for 10 or more occurrences) blocks programs hammering the
server, which has greylisting protection (policyd in my case).


failregex = NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 5\d\d

This rule (checked for 3 occurrences) blocks IPs blocked by RBL lookups that
keep connecting even if they receive a "permanent failure" kind of error.



In my (quite long) experience, there is no silver bullet, nor a rule that can be
applied to every SMTP server. I have customers that exchange legitimate mail
with Russia and other spam-intensive areas; in that case I have to relax the rules
on their server.


My two cents.



Ciao,
luigi

--
/
+--[Luigi Rosa]--
\

Interface: The opposite of 'Get out of my face.'
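The fail2ban side of the thread (Martijn's and Luigi's failregex lines, Luigi's occurrence counts of 10 for the 450 rule and 3 for the 5xx rule, and Jorey's warning about banning shared MTAs), as an added Python example that is not part of the thread and not fail2ban's own code: it runs Luigi's two failregex patterns over constructed Postfix smtpd log lines with a simplified <HOST> expansion, applies per-jail maxretry/findtime/bantime (the findtime and bantime values are assumptions), and honours an ignoreip range (192.0.2.0/24, constructed) standing in for a big provider's outbound relays so that their users' rejected messages never get the relay banned.

```python
"""Toy fail2ban-style filter run over constructed Postfix smtpd log lines.
Added example, not fail2ban's own code: <HOST> expansion, date parsing and
ban handling are simplified versions of what fail2ban does."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag: capture an address or name.
HOST = r"(?P<host>[\w.:-]+)"

# Luigi's two failregex lines with the occurrence counts he gives; the
# findtime/bantime values are assumptions for this example.
JAILS = {
    "postfix-greylist": {"failregex": r"reject: RCPT from (.*)\[<HOST>\]: 450",
                         "maxretry": 10, "findtime": 600, "bantime": 3600},
    "postfix-rbl": {"failregex": r"NOQUEUE: reject: RCPT from (.*)\[<HOST>\]: 5\d\d",
                    "maxretry": 3, "findtime": 600, "bantime": 3600},
}
# Jorey's caveat: a shared relay (constructed range) must never be banned,
# however many of its users' messages get rejected.
IGNOREIP = [ipaddress.ip_network("192.0.2.0/24")]

LINE = ("Aug 22 {t} mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from {name}[{ip}]: "
        "{code} {text}; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<{name}>")


def is_ignored(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname was captured; ignoreip is address based here
    return any(addr in net for net in IGNOREIP)


def run_jails(lines, jails=JAILS, year=2009):
    """Feed syslog lines (chronological) through every jail; return
    {jail: {host: ban_expiry}} for hosts that reached maxretry within findtime."""
    patterns = {j: re.compile(c["failregex"].replace("<HOST>", HOST)) for j, c in jails.items()}
    fails = defaultdict(lambda: defaultdict(list))   # jail -> host -> failure times
    bans = {j: {} for j in jails}
    for line in lines:
        # syslog lines carry no year; the thread's year is assumed
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        for jail, pat in patterns.items():
            m = pat.search(line)
            if not m:
                continue
            host, cfg = m.group("host"), jails[jail]
            if is_ignored(host) or host in bans[jail]:
                continue
            window = [s for s in fails[jail][host] if stamp - s <= timedelta(seconds=cfg["findtime"])]
            window.append(stamp)
            fails[jail][host] = window
            if len(window) >= cfg["maxretry"]:
                bans[jail][host] = stamp + timedelta(seconds=cfg["bantime"])
    return bans


def demo():
    """Constructed traffic: a greylist hammerer, an RBL-listed host that keeps
    retrying, rejections relayed through the ignored range, and a host that
    gives up after two tries. Returns ban expiries as ISO strings."""
    ev = []
    for i in range(12):                      # 12 greylist retries, 10 s apart
        ev.append((f"19:{53 + i // 6:02d}:{(i * 10) % 60:02d}", "unknown", "198.51.100.23",
                   "450", "4.7.1 <b@example.org>: Recipient address rejected: Greylisted"))
    rbl = "5.7.1 Service unavailable; Client host blocked using rbl.example"
    ev += [(f"19:55:{i:02d}", "spam.example", "203.0.113.9", "554", rbl) for i in range(3)]
    ev += [(f"19:56:{i:02d}", "mta.example", "192.0.2.17", "554", rbl) for i in range(5)]
    ev += [(f"19:57:{i:02d}", "host.example", "198.51.100.50", "554", rbl) for i in range(2)]
    lines = [LINE.format(t=t, name=n, ip=ip, code=c, text=x) for t, n, ip, c, x in ev]
    bans = run_jails(lines)
    return {j: {h: exp.isoformat() for h, exp in hosts.items()} for j, hosts in bans.items()}
```

Running demo() bans 198.51.100.23 on its tenth 450 within the window and 203.0.113.9 on its third 5xx, while 192.0.2.17 collects five rejections without a ban because it sits in the ignored range; that ignore list, plus a short bantime for the SMTP jails, is what keeps a handful of spam messages from turning into the self-inflicted DoS Jorey describes.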

Re: deflecting attacks

lst_hoe02
In reply to this post by AMP Admin
Quote from AMP Admin <[hidden email]>:

> Does anyone use iptables or something to defend against attacks?  Like if x
> amount of requests per x amount of time send away.  If so I would love some
> examples.  Thanks!
>

We use the following :

$IPTABLES -N SMTP-BLOCK
$IPTABLES -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG --log-level notice --log-prefix "iptables SMTP-BLOCK "
$IPTABLES -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP

$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --set
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent --name SMTP --rcheck --seconds 60 --hitcount 15 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

It creates a trap for hosts which open too many connections in a short timeframe. Be aware of the limitations:
- The recent module can only handle a limited number of entries to compare, so if you have high traffic this list may overflow/cycle before the offender gets caught.
- You must adjust the connections/time to match your needs.
- For larger sites you may have to adjust the size of the blocklist.

Regards

Andreas
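How the "recent" match Glenn describes actually decides, replayed against Rod's SSH chain and Andreas' SMTP chain, as an added Python model that is not code from the thread or from netfilter: it mimics --set, --rcheck, --update and --remove with --seconds/--hitcount and the ip_list_tot / ip_pkt_list_tot table caps (kernel defaults 100 addresses and 20 stamps per address); --rttl is not modelled, and all addresses and timings are constructed. It shows Glenn's "drops everything until they stop" (each --update match adds a fresh stamp, so a host that keeps hammering stays dropped and is only released after it has been quiet for the window), Rod's whitelist (the workstation is removed from the table on every packet), Andreas' 360-second trap, and Andreas' overflow caveat: with the default 100-entry table, an offender whose connections are interleaved with enough other hosts is evicted before it ever reaches the hit count.

```python
"""Model of the iptables 'recent' match used to replay the SSH and SMTP rule
sets from this thread. Constructed example, not netfilter code: it mimics
--set/--rcheck/--update/--remove with --seconds/--hitcount and the table caps
ip_list_tot / ip_pkt_list_tot (kernel defaults 100 and 20); --rttl is not modelled."""
import ipaddress
from collections import OrderedDict


class RecentTable:
    """One --name table: address -> stamps, ordered least recently seen first."""

    def __init__(self, ip_list_tot=100, ip_pkt_list_tot=20):
        self.ip_list_tot, self.ip_pkt_list_tot = ip_list_tot, ip_pkt_list_tot
        self.entries = OrderedDict()

    def _touch(self, ip, now):
        stamps = self.entries[ip]
        if len(stamps) >= self.ip_pkt_list_tot:
            stamps.pop(0)                          # ring buffer: oldest stamp overwritten
        stamps.append(now)
        self.entries.move_to_end(ip)               # most recently seen goes last

    def set(self, ip, now):
        """--set: add a stamp; a full table evicts the least recently seen
        address first (the overflow Andreas warns about)."""
        if ip not in self.entries:
            if len(self.entries) >= self.ip_list_tot:
                self.entries.popitem(last=False)
            self.entries[ip] = []
        self._touch(ip, now)
        return True

    def remove(self, ip):
        """--remove: matches, and deletes the entry, only if the address is listed."""
        return self.entries.pop(ip, None) is not None

    def check(self, ip, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True): match when at least
        hitcount stamps lie within the last `seconds`; --update adds a fresh
        stamp only on a match, which is what keeps a hammering host dropped."""
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if not seconds or now - s <= seconds)
        matched = hits >= max(hitcount, 1)
        if matched and update:
            self._touch(ip, now)
        return matched


def ssh_rules(ssh, ip, now, whitelist=("10.10.3.21",)):
    """Rod's chain for a NEW packet to tcp/22, in rule order."""
    ssh.set(ip, now)                                        # -m recent --set --name SSH
    if ip in whitelist and ssh.remove(ip):                  # SSH_WHITELIST: --remove, ACCEPT
        return "ACCEPT"
    if ssh.check(ip, now, seconds=60, hitcount=4, update=True):
        return "DROP"                                       # --update 60 s / 4 hits -j DROP
    return "ACCEPT"                                         # falls through to the rest of the firewall


def smtp_rules(smtp, block, ip, now):
    """Andreas' chain for a NEW packet to tcp/25, in rule order."""
    if block.check(ip, now, seconds=360):                   # SMTPBLOCK --rcheck --seconds 360
        block.set(ip, now)                                  # SMTP-BLOCK chain: log, --set, DROP
        return "DROP"
    smtp.set(ip, now)                                       # SMTP --set
    if smtp.check(ip, now, seconds=60, hitcount=15):        # SMTP --rcheck 60 s / 15 hits
        block.set(ip, now)
        return "DROP"
    return "ACCEPT"


def ssh_scenario(ip="198.51.100.7", times=(0, 5, 10, 15, 45, 75, 105, 200)):
    """A host (constructed address) retrying SSH at the given seconds."""
    ssh = RecentTable()
    return [ssh_rules(ssh, ip, t) for t in times]


def whitelist_scenario(ip="10.10.3.21"):
    """The whitelisted workstation: never dropped and never left in the table."""
    ssh = RecentTable()
    return [ssh_rules(ssh, ip, t) for t in range(0, 30, 5)], ip in ssh.entries


def smtp_scenario(ip="198.51.100.9"):
    """20 connections 2 s apart, then a probe 360 s after the last refresh
    (still trapped, and re-trapped) and one 361 s after that (released)."""
    smtp, block = RecentTable(), RecentTable()
    verdicts = [smtp_rules(smtp, block, ip, 2 * i) for i in range(20)]
    return verdicts, smtp_rules(smtp, block, ip, 398), smtp_rules(smtp, block, ip, 759)


def smtp_under_load(ip_list_tot, strangers_per_second=100, attempts=20):
    """Offender connects once a second while `strangers_per_second` other hosts
    also connect; returns how many offender connections were dropped."""
    smtp, block = RecentTable(ip_list_tot), RecentTable(ip_list_tot)
    offender, base = "198.51.100.9", int(ipaddress.ip_address("100.64.0.0"))
    drops = 0
    for second in range(attempts):
        drops += smtp_rules(smtp, block, offender, second) == "DROP"
        for n in range(strangers_per_second):
            stranger = str(ipaddress.ip_address(base + second * strangers_per_second + n))
            smtp_rules(smtp, block, stranger, second + 0.5)
    return drops
```

ssh_scenario() gives ACCEPT for the first three attempts, DROP from the fourth onward for as long as the host keeps coming back inside 60 s, and ACCEPT again after a 95-second pause; smtp_under_load(100) drops nothing because the offender is evicted every second, while smtp_under_load(10_000) drops the fifteenth connection and everything after it. Raising ip_list_tot is a module parameter (it cannot be changed per rule), which is what Andreas means by adjusting the size of the blocklist for larger sites.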