Over the weekend one of our servers at a remote location was hammered by an IP originating in mainland China. This attack was only noteworthy in that it attempted to connect to our pop3 service.

We have long had an IP throttle on ssh connections to discourage this sort of thing. But I had not considered the possibility that other services were equally at risk. Researching this on the web does not reveal any comprehensive list of vulnerable ports or services. Most discussion centres on ssh, then some on ftp, and relatively few regarding pop3.

So, my questions are these:

1. Should I throttle all new connections regardless of destination ports? In other words: are there any legitimate reasons that a single IP would require more than one new connection every 30 seconds or so?

2. Moving past the obvious and unhelpful "everything", what services are particularly vulnerable to these types of attacks? Does a list exist anywhere?

Regards,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On May 14, 2009, at 9:46 AM, James B. Byrne wrote:

> 2. Moving past the obvious and unhelpful "everything", what services
> are particularly vulnerable to these types of attacks? Does a list
> exist anywhere?

If it's reachable over the 'net, it will eventually get pounded. POP, IMAP, SMTP Auth, FTP, SSH are obvious targets. Movable Type / Wordpress blogs are popular targets for link spammers. Cpanel, webmin, phpMyAdmin and similar applications get pounded on less often, but you'll still get hit.

--Chris
On Thu, May 14, 2009, James B. Byrne wrote:

> Over the weekend one of our servers at a remote location was
> hammered by an IP originating in mainland China. This attack was
> only noteworthy in that it attempted to connect to our pop3 service.

You might look at fail2ban which can automatically create iptables blocks when things like this happen.

Bill
-- 
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676 Mercer Island, WA 98040-0820
Fax: (206) 232-9186 Skype: jwccsllc (206) 855-5792

Manual, n.: A unit of documentation. There are always three or more on a given item. One is on the shelf; someone has the others. The information you need is in the others.
-- Ray Simard
James B. Byrne <byrnejb at ...> writes:

> Over the weekend one of our servers at a remote location was
> hammered by an IP originating in mainland China. This attack was
> only noteworthy in that it attempted to connect to our pop3 service.
>
> We have long had an IP throttle on ssh connections to discourage
> this sort of thing. But I had not considered the possibility that
> other services were equally at risk. Researching this on the web
> does not reveal any comprehensive list of vulnerable ports or
> services. Most discussion centres on ssh, then some on ftp, and
> relatively few regarding pop3.
>
> So, my questions are these:
>
> 1. Should I throttle all new connections regardless of destination
> ports? In other words: are there any legitimate reasons that a
> single IP would require more than one new connection every 30
> seconds or so?
>
> 2. Moving past the obvious and unhelpful "everything", what services
> are particularly vulnerable to these types of attacks? Does a list
> exist anywhere?
>
> Regards,

Hi -

I went through a similar process back when the DNS cache poisoning attacks were coming fast and furious. The question to answer is, "Are there legitimate reasons why the same IP address will apparently make multiple connection requests for a particular service?"

For DNS the answer was a resounding "no" since the source nameserver should cache the results of the query. For POP3 the answer is more dependent on your particular organization. As an example, is there a remote office that will generate a number of connection requests when everyone gets to work in the morning; all apparently from the same IP address?

If there are no such legit reasons why a number of requests could occur in a short period of time, a simple firewall throttling rule may be sufficient.

I have an article on my blog describing the firewall rules I used to throttle and then block DNS cache poisoning attacks at: http://davenjudy.org/davesBlog/node/41

One of the other replies also suggested "fail2ban" which may be more appropriate anyway since you really want to look at failed logins; not just connection attempts.

Cheers,
Dave
On Thu, May 14, 2009 at 9:46 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:

> Over the weekend one of our servers at a remote location was
> hammered by an IP originating in mainland China. This attack was
> only noteworthy in that it attempted to connect to our pop3 service.

About 6 years ago, the POP3 port on one of our web sites (on a shared server at OLM) was attacked. OLM discovered this when I couldn't download my email and filed a trouble ticket. Someone was accessing it 60 times a minute. Whatever OLM did to prevent it worked. :-)
On: Thu, 14 May 2009 08:48:36 -0700, Bill Campbell <centos at celestial.com> wrote:

> You might look at fail2ban which can automatically create
> iptables blocks when things like this happen.

I went to the SourceForge website, but the rh rpm is inaccessible. I really do not wish to join yet another mailing list simply to report this so if anyone here is a member there as well please let them know.

Regards,

-- 
James B. Byrne
On: Thu, 14 May 2009 13:00:09 -0700, Scott Silva <ssilva at sgvwater.com> wrote:

> http://packages.sw.be/fail2ban/

Thank you, got it.

In the meantime I revised my existing iptables rules to throttle connections to ssh, pop3, imap and ftp (which service is not running in any case).

Thanks for all the help from everybody.

-- 
James B. Byrne
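The throttling James describes revising for ssh, pop3, imap and ftp, together with the caveat Dave raises about a remote office whose users all arrive from one NAT address, can be expressed as a small rule set built on the iptables "recent" match. The script below is an added example for this thread, not James's rules, Dave's blog rules or anything from the fail2ban project. The trusted networks, the per-service windows and hit counts, and the chain name THROTTLE are constructed placeholders; it prints the rules by default (DRY_RUN=1) and only applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Per-source-IP throttle on NEW TCP
# connections to the services the thread names, using the iptables
# "recent" match. Addresses, thresholds and the chain name are constructed
# placeholders; adjust them to the site before applying.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the rules, 0 = apply them

# Networks exempt from throttling: the "remote office behind one NAT
# address" case. Constructed example values (RFC 5737 documentation ranges).
TRUSTED_NETS="192.0.2.0/24 198.51.100.10"

# service:port:window_seconds:hitcount. A source that opens more than
# hitcount NEW connections inside the window is logged and then dropped.
# ssh is held to the thread's "one new connection every 30 seconds or so";
# mail protocols get a wider allowance because clients poll repeatedly.
POLICY="ssh:22:30:3 pop3:110:60:6 imap:143:60:6 ftp:21:60:3"

# Print or execute one iptables command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Rules for one service. --set records the source address; --rcheck logs
# (rate-limited so the log itself cannot be flooded) once the threshold is
# reached; --update both checks and refreshes the timestamp, so a source
# that keeps hammering stays blocked until it goes quiet for the window.
throttle_service() {
    name=$1; port=$2; secs=$3; hits=$4
    run -A THROTTLE -p tcp --dport "$port" -m state --state NEW \
        -m recent --set --name "$name"
    run -A THROTTLE -p tcp --dport "$port" -m state --state NEW \
        -m recent --rcheck --seconds "$secs" --hitcount "$hits" --name "$name" \
        -m limit --limit 5/min -j LOG --log-prefix "THROTTLE-$name:"
    run -A THROTTLE -p tcp --dport "$port" -m state --state NEW \
        -m recent --update --seconds "$secs" --hitcount "$hits" --name "$name" \
        -j DROP
}

# Build the THROTTLE chain: exempt trusted networks first (they RETURN to
# INPUT before any counting happens), then one block of rules per service,
# then hook the chain in front of the existing INPUT rules for NEW TCP only.
build_throttle_chain() {
    run -N THROTTLE
    for net in $TRUSTED_NETS; do
        run -A THROTTLE -s "$net" -j RETURN
    done
    for entry in $POLICY; do
        oldIFS=$IFS; IFS=:; set -- $entry; IFS=$oldIFS
        throttle_service "$1" "$2" "$3" "$4"
    done
    run -I INPUT -p tcp -m state --state NEW -j THROTTLE
}

case "${1:-}" in
    --build) build_throttle_chain ;;
esac
```

Run `sh throttle.sh --build` to review the generated commands, then `DRY_RUN=0 sh throttle.sh --build` as root to apply them. The ordering matters: the RETURN rules for trusted networks sit before the counting rules so a busy office never accumulates hits, and throttling only touches NEW connections, so established sessions are never affected. As Dave notes, this counts connection attempts rather than failed logins; fail2ban, reading the service logs, is the tool for the latter.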