Re: Mail relay attempts

On Tue, Aug 27, 2002 at 04:11:21PM +0300, Mika Boström wrote:
> > Karl Breitner wrote:
> > >Welcome to the world of SPAMfighting
> > Our new server has an official IP since last Saturday, and no domain 
> > name pointing to it yet besides a dyndns account I abused for testing 
> > purposes. Within these three days of operation I had several persons 
> > trying to get access to our (non-public) FTP service as well as some 
> > probes for the usual IIS holes that Nimda & Co. like to abuse. How will 
> > that be if we will be publicly online and "known" through our regular 
> > domains? brrr.... :)
>   Simple. Random IP-address block scans. Having the box live on the 'net
> alone guarantees that it will get some random hits. Prepare to see a lot more
> of them from here on.
>   Script-kiddies, trying to find suitable hosts for their mass exploitation
> tools. Worms, eagerly propagating by their own means; and spammers
> (spammerbots?) trying to find open relays they could abuse.
>   The only thing you can do is to make damn certain your box does not become
> part of the problem.

I'll add to that: make sure you actually check your logs. I use syslog-ng to
bring all essential real-time logging to a hardened server; I also run
logcheck for hourly reports; snort for attack detection; tiger for security
auditing; fascist iptables firewalling on all externally reachable machines;
and of course tripwire for after-the-fact intrusion detection.

It's a jungle out there, lad.
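As an added illustration of the "check your logs" advice above (example code, not from the thread or any of the tools it names): a small logcheck-style report that counts denied relay attempts per client IP. The log lines are constructed samples that follow Postfix's smtpd "Relay access denied" reject format; the host name, IPs and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample mail-log lines (not taken from the original thread).
# The wording follows Postfix's smtpd reject line for a refused relay.
SAMPLE_LOG = """\
Aug 27 16:02:11 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<spam@example.net> to=<victim@example.org> proto=ESMTP helo=<x>
Aug 27 16:02:12 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim2@example.org>: Relay access denied; from=<spam@example.net> to=<victim2@example.org> proto=ESMTP helo=<x>
Aug 27 16:05:40 mx postfix/smtpd[2240]: connect from mail.example.com[203.0.113.9]
Aug 27 16:05:41 mx postfix/smtpd[2240]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.9]: 554 5.7.1 <a@example.org>: Relay access denied; from=<b@example.com> to=<a@example.org> proto=ESMTP helo=<mail.example.com>
Aug 27 16:07:03 mx postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim3@example.org>: Relay access denied; from=<spam@example.net> to=<victim3@example.org> proto=ESMTP helo=<x>
Aug 27 16:09:15 mx postfix/smtpd[2250]: 1A2B3C: client=mail.example.com[203.0.113.9]
"""

# Matches only the relay-refused reject, capturing the client IP.
RELAY_RE = re.compile(
    r"RCPT from (?P<host>\S+?)\[(?P<ip>[\d.]+)\]: 554 5\.7\.1 <[^>]*>: Relay access denied"
)


def relay_attempts(log_text):
    """Count denied relay attempts per client IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RELAY_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def report(log_text, threshold=2):
    """Return (ip, count) pairs at or above `threshold`, most active first.

    The threshold is an assumed value; a single refusal is often a
    misconfigured legitimate sender, repeated ones are worth a look.
    """
    counts = relay_attempts(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in report(SAMPLE_LOG):
        print(f"{ip}: {n} relay attempts denied")
```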

