Re: Mail relay attempts
On Tue, Aug 27, 2002 at 04:11:21PM +0300, Mika Bostr?m wrote:
> > Karl Breitner wrote:
> > >Welcome to the world of SPAMfighting
> > Our new server has an official IP since last saturday, and no domain
> > name pointing to it yet besides a dyndns-account I abused for testing
> > purpose. Within these three days of operation I had several persons
> > trying to get access to our (non-public) FTP service as well as some
> > probes for the usual IIS-holes that Nimda & Co. like to abuse. How will
> > that be if we will be publically online and "known" through our regular
> > domains? brrr.... :)
>
> Simple. Random IP-address block scans. Having the box live on the 'net
> alone guarantees that it will get some random hits. Prepare to see lot more
> of them from here-on.
>
> Script-kiddies, trying to find suitable hosts for their mass exploitation
> tools. Worms, eagerly propagating on their own means; And spammers
> (spammerbots?) trying to find open relays they could abuse.
>
> The only thing you can do is to make damn certain your box does not become
> part of the problem.
I'll add to that: make sure you actually check your logs. I use syslog-ng to
bring all essential realtime logging to a hardened server; I also run
logcheck for hourly reports; snort for attack detection; tiger for security
auditing; fascist iptables firewalling on all externally reachable machines;
and of course tripwire for after the fact intrusion detection.
It's a jungle out there lad.
Reply to: