Nullus Anxietas

This will come as no surprise to any who've been paying attention. I just saw an automatic block on an abusive IP address lifted after over sixty hours. Without putting too fine a point on it: it takes a lot of repeated abuse to get listed for that long.

I've been operating servers exposed to the Internet since about the time the Internet first became accessible to non-Government-related entities. I've operated an Internet-facing server at home for eighteen years, and additional virtual servers for seven and three+ years, respectively. In all that time I have never seen the aggressiveness and persistence of attacks on smtp and submission I've seen over the last couple of weeks, and particularly over the last few days. Most of these have originated from Baltic state and Hong Kong networks.

The sixty-hour one, well...

    $ whois 92.255.85.237
    ...
    inetnum:        92.255.85.0 - 92.255.85.255
    netname:        HK-CHANGWAY-20071224
    country:        RU

A twofer: an HK company with network space in Russia.

(smtp and submission are about the only "attackable" services I expose to the 'net. Everything else is pretty tightly locked down with router ingress and egress rules.)

ETA: He just did it again: now listed for 120 hours. I guess I'll just dump that entire netblock into a permanent deny listing...

"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
|
Optimistic Cynic

From curiosity, are these SYN floods or fully-opened TCP connection attacks? What SW are you using to recognize these and adjust the blocklists? Assuming you are running Postfix as your SMTP server, what messages does it log before the block kicks in?

With the originator on a /24 allocation, I would not think they are a particularly large organization. Or maybe space is not as tight in APNIC. (I think actually the opposite is true.)
|
Fire begets Fire

Things that make you go "hmmmn"

"Pacifism is a shifty doctrine under which a man accepts the benefits of the social group without being willing to pay - and claims a halo for his dishonesty." ~Robert A. Heinlein
|
Staring back from the abyss

I'm sure it's just a coincidence.

"Great danger lies in the notion that we can reason with evil." -- Doug Patton
|
W07VH5

Anything us normies need to check? The only thing that I've got that's internet facing is a pfsense box. I'm running snort and haven't seen anything strange yet.
|
Nullus Anxietas

The latter.

I'm using sshguard, along with a regexp extension I'm writing for it.

A variety of them. Rapid and repeated connect/disconnect and auth-fail attempts, for example. Though, on closer examination, the foregoing IP address was blocked for persistent, aggressive attacks against sshd (Secure Shell), not smtp/submission (mail server). (Those have also ramped up significantly.) The sshd attacks have been widely distributed for several years now. Since I use only Public Key Authentication for my SSH servers, these don't particularly concern me. (They're more annoying for the logging noise than anything else.)

As for the attacks from small netblocks: the attackers of all types are beginning to employ the same methods the SSH attackers have been using: low-frequency attacks from distributed IPs (botnets) in order to avoid automatic detection-and-blocking. E.g.: on Mar 31 my home server experienced 3300 attempts from 762 unique IPs, 730 unique /24's.

That you're not using default accounts (e.g.: "admin") on any IoT devices, that anything that doesn't need exposure to the 'net is blocked at your Internet router, and that any passwords you use are complex and not re-used anywhere. That's the easy stuff.

"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
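The post above describes the detection problem with low-frequency, distributed attacks: each source IP fails only once or twice, so a per-IP blocker such as sshguard never reaches its threshold, while counting by /24 or in total makes the campaign obvious. The script below is an added illustration written for this thread; it is not code from the thread, from sshguard, or from the poster's regexp extension. It parses constructed sshd syslog lines (addresses from the RFC 5737 documentation ranges, one line per attempt) and compares a hypothetical per-IP threshold against the same threshold applied per /24.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of sshd log lines (not real logs). Each IP fails at most
# twice, so a per-IP threshold never trips, but one /24 accounts for most of
# the failures. One line per attempt; on a real server "Invalid user" and
# "Failed password for invalid user" can both appear for the same attempt and
# would need de-duplicating before counting.
SAMPLE_LOG = """\
Mar 31 02:11:03 home sshd[18231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 31 02:11:09 home sshd[18235]: Failed password for invalid user admin from 203.0.113.19 port 40121 ssh2
Mar 31 02:12:41 home sshd[18240]: Failed password for root from 203.0.113.44 port 55011 ssh2
Mar 31 02:13:02 home sshd[18244]: Invalid user oracle from 203.0.113.91 port 43340
Mar 31 02:14:17 home sshd[18249]: Failed password for invalid user test from 198.51.100.5 port 60332 ssh2
Mar 31 02:15:55 home sshd[18252]: Failed password for invalid user admin from 198.51.100.5 port 60401 ssh2
Mar 31 02:16:30 home sshd[18260]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2
Mar 31 02:18:12 home sshd[18266]: Failed password for invalid user pi from 203.0.113.120 port 39944 ssh2
Mar 31 02:19:48 home sshd[18270]: Failed password for root from 198.51.100.77 port 41210 ssh2
"""

# Matches the two common sshd failure shapes and captures the user and source IP.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?(?P<user>\S+)"
    r"|Invalid user (?P<user2>\S+)) from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_failures(log_text):
    """Return a list of (user, source_ip) tuples, one per authentication failure."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m.group("user") or m.group("user2"), m.group("ip")))
    return events


def summarize(events):
    """Aggregate failures per source IP and per containing /24."""
    per_ip = Counter(ip for _, ip in events)
    per_net = Counter(
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for _, ip in events
    )
    return {
        "total": len(events),
        "unique_ips": len(per_ip),
        "unique_nets": len(per_net),
        "per_ip": per_ip,
        "per_net": per_net,
    }


def per_ip_blocks(per_ip, threshold=4):
    """IPs a per-address blocker would list (threshold is a hypothetical value)."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def net_blocks(per_net, threshold=4):
    """/24s that exceed the same threshold when failures are pooled per netblock.
    Blocking a whole /24 carries collateral risk, so treat this as a review list."""
    return sorted(net for net, n in per_net.items() if n >= threshold)


if __name__ == "__main__":
    stats = summarize(parse_failures(SAMPLE_LOG))
    print(f"{stats['total']} failures from {stats['unique_ips']} IPs "
          f"in {stats['unique_nets']} /24s")
    print("per-IP blocks:", per_ip_blocks(stats["per_ip"]))
    print("per-/24 blocks:", net_blocks(stats["per_net"]))
```

Run against the sample, the per-IP list is empty while 203.0.113.0/24 shows up with five failures, which is the pattern the post describes (3300 attempts over 730 /24s on a real server). The threshold of 4 is a constructed value for the illustration; a production rule would also bound the time window and whitelist your own ranges before feeding anything to a firewall.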
|
W07VH5

I think the only IoT things are their security cameras, garage door opener and TVs. They're all isolated on a separate VLAN. No default usernames or passwords.

Edit - oh, the automobiles will also connect to the IoT VLAN for updates and such.
|