[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

OSF for an ISP (was Re: ..idea; ddos spam hosts off Internet?)

To kind of get back to the ISP world a little bit, has anyone used this in the
way that's being recommended?  (Using the OS Fingerprint Netfilter patch to
block Windows machines sending to port 25).

We're currently getting slammed by Windows viruses and have thought about doing
exactly that, but it seemed to us that there are enough people using Exchange or
Sendmail.com's windows sendmail (let alone ftgate, etc, etc.) that doing this
would block legitimate mail almost instantly.

We've just been blocking hosts manually after the first virus.  I'm thinking
about writing a little script to:

1.  Get the offending IP address from amavis's logfile
2.  Check against a whitelist (like our own backup mx's)
3.  Do something like tcpping to the IP to see if it is a valid mx host
4.  If it doesn't pass checks 2 or 3, block the IP in netfilter for 72 hours

Other than the 72 hour checks it's pretty straightforward and seems (at least to
me) very unlikely to stop legitimate mail, while cutting those guys who send
40-50 viruses a day down to 1 every three.  

Does anyone see any problems with the above?  The major issue is bandwidth, some
of our customers host their mail servers on 32K links with 200+ users.

Sorry, it's not really about the spam issue discussed before, but it's strange
the synchronicity (os fingerprinting anyway) between my work and this list


Afe.to ANTS
POB 1478
Nuku'alofa, Tonga
Ph: Country code 676 - 27946 or 878-1332

Quoting Russell Coker <russell@coker.com.au>:

> On Fri, 9 Apr 2004 21:32, Arnt Karlsen <arnt@c2i.net> wrote:
> > On Fri, 9 Apr 2004 15:27:03 +1000, Russell wrote in message
> > > http://www.netfilter.org/patch-o-matic/pom-base.html
> > >
> > > See the section on "osf" in the above URL for a better solution.
> > > Simply block Windows machines from accessing your port 25.
> >
> > ..if only all isp's did it...
> Not all ISPs need to do it.  Only your ISP and the ISPs that host mailing 
> lists that you subscribe to.
> If you are interested in this then the best thing you can do is to build 
> yourself a kernel with osf and try it out.  If it works well create a Debian
> kernel-patch package for it so that other Debian users can conveniently use
> it.  The more accessible you make this to Debian people the closer it comes
> to being installed on Debian list servers...
> -- 
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
> -- 
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org

This mail sent from Tonga's Premiere Internet Cafe
Visit us online at http://www.cafe.afe.to 
discussions @ http://www.nomoa.com/index.php
generic info @  http://www.tongatapu.net.to

Reply to: