SIGforum
Internet Server Operators: Heads Up
April 03, 2022, 11:00 AM
ensigmatic
Internet Server Operators: Heads Up
This will come as no surprise to any who've been paying attention.
I just saw an automatic block on an abusive IP address lifted after over sixty hours. Without putting too fine a point on it: It takes a lot of repeated abuse to get listed for that long.
I've been operating servers exposed to the Internet since about the time the Internet first became accessible to non-Government-related entities. I've operated an Internet-facing server at home for eighteen years, and additional virtual servers for seven and three+ years, respectively.
In all that time I have never seen the aggressiveness and persistence of attacks on smtp and submission I've seen over the last couple weeks, and particularly over the last few days.
Most of these have originated from Baltic state and Hong Kong networks. The sixty-hour one, well...
$ whois 92.255.85.237
...
inetnum: 92.255.85.0 - 92.255.85.255
netname: HK-CHANGWAY-20071224
country: RU
A twofer: An HK company with network space in Russia.
(smtp and submission are about the only "attackable" services I expose to the 'net. Everything else is pretty-tightly locked-down with router ingress and egress rules.)
ETA: He just did it again: Now listed for 120 hours. I guess I'll just dump that entire netblock into a permanent deny listing...
"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
April 03, 2022, 11:36 AM
architect
From curiosity, are these SYN floods or fully-opened TCP connection attacks? What SW are you using to recognize these and adjust the blocklists? Assuming you are running Postfix as your SMTP server, what messages does it log before the block kicks in?
With the originator on a /24 allocation, I would not think they are a particularly large organization. Or maybe space is not as tight in APNIC. (I think actually the opposite is true.)
April 03, 2022, 11:40 AM
SIGnified
Things that make you go “hmmmn”
"Pacifism is a shifty doctrine under which a man accepts the benefits of the social group without being willing to pay - and claims a halo for his dishonesty." ~Robert A. Heinlein
April 03, 2022, 11:44 AM
Gustofer
quote:
Originally posted by SIGnified:
Things that make you go “hmmmn”
I'm sure it's just a coincidence.

________________________________________________________
"Great danger lies in the notion that we can reason with evil." Doug Patton.
April 03, 2022, 12:17 PM
mark123
Anything us normies need to check? The only thing that I’ve got that’s internet facing is a pfsense box. I’m running snort and haven’t seen anything strange yet.
April 03, 2022, 12:18 PM
ensigmatic
quote:
Originally posted by architect:
From curiosity, are these SYN floods or fully-opened TCP connection attacks?
The latter.
quote:
Originally posted by architect:
What SW are you using to recognize these and adjust the blocklists?
I'm using sshguard, along with a regexp extension I'm writing for it.
quote:
Originally posted by architect:
Assuming you are running Postfix as your SMTP server, what messages does it log before the block kicks in?
A variety of them. Rapid and repeated connect/disconnect and auth fail attempts, for example.
Though, on closer examination, the foregoing IP address was blocked for persistent, aggressive attacks against sshd (Secure Shell), not smtp/submission (mail server). (Those have also ramped-up significantly.)
quote:
Originally posted by architect:
With the originator on a /24 allocation, I would not think they are a particularly large organization.
The sshd attacks have been widely-distributed for several years now. Since I use only Public Key Authentication for my SSH servers, these don't particularly concern me. (They're more annoying for the logging noise than anything else.)
As for the attacks from small netblocks: The attackers of all types are beginning to employ the same methods the SSH attackers have been using: Low-frequency attacks from distributed IPs (bot nets) in order to avoid automatic detection-and-blocking.
E.g.: On Mar 31 my home server experienced 3300 attempts from 762 unique IPs, 730 unique /24's.
quote:
Originally posted by mark123:
Anything us normies need to check?
That you're not using default accounts (e.g.: "admin") on any IoT devices, that anything that doesn't need exposure to the 'net is blocked at your Internet router, and that any passwords you use are complex and not re-used anywhere.
That's the easy stuff.
"America is at that awkward stage. It's too late to work within the system, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
April 03, 2022, 12:27 PM
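To make the distributed-attack point in ensigmatic's reply concrete, here is an added Python example. It is my code, not part of the thread, not sshguard, and not his regexp extension. It parses constructed OpenSSH and Postfix smtpd syslog lines for failed authentications, counts failures per source IP and per /24, and reports the /24s that cross a threshold only in aggregate, which is the low-frequency, many-source pattern he describes that a per-IP threshold misses. It also converts whois inetnum ranges (the one quoted in the opening post plus a constructed, non-aligned range) into CIDR prefixes for the kind of netblock deny list mentioned there. The log samples, the second whois range, the regular expressions and the thresholds are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread). Formats mimic OpenSSH
# and Postfix smtpd messages; hostnames, users and addresses are made up.
SAMPLE_LOG = """\
Mar 31 02:14:07 home sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 31 02:14:09 home sshd[4311]: Connection closed by authenticating user admin 203.0.113.7 port 51234 [preauth]
Mar 31 02:31:55 home sshd[4388]: Failed password for root from 203.0.113.91 port 40211 ssh2
Mar 31 03:02:40 home sshd[4402]: Failed password for invalid user test from 198.51.100.23 port 55102 ssh2
Mar 31 03:45:12 home sshd[4455]: Failed password for invalid user oracle from 203.0.113.140 port 60011 ssh2
Mar 31 04:10:03 home postfix/smtpd[5101]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 31 04:10:04 home postfix/smtpd[5101]: disconnect from unknown[192.0.2.77] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 31 04:10:05 home postfix/smtpd[5102]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 31 04:10:06 home postfix/smtpd[5102]: disconnect from unknown[192.0.2.77] ehlo=1 auth=0/1 quit=1 commands=2/3
Mar 31 04:10:07 home postfix/smtpd[5103]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 31 05:22:48 home sshd[4601]: Failed password for invalid user ubuntu from 203.0.113.201 port 42420 ssh2
Mar 31 06:01:19 home sshd[4650]: Accepted publickey for alice from 198.51.100.9 port 50022 ssh2: ED25519 SHA256:constructedFingerprint
"""

# whois inetnum lines in RIPE-style layout. The first range is the one quoted
# in the thread; the second is a constructed range that is not /24-aligned.
SAMPLE_WHOIS = """\
inetnum:        92.255.85.0 - 92.255.85.255
netname:        HK-CHANGWAY-20071224
country:        RU
inetnum:        203.0.113.8 - 203.0.113.23
netname:        CONSTRUCTED-EXAMPLE
"""

# Assumed message shapes; adjust to the exact formats your daemons emit.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")
SMTPD_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(\d+\.\d+\.\d+\.\d+)\]: SASL \w+ authentication failed")
INETNUM = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", re.M)


def parse_failures(log_text):
    """Return (service, source_ip) for every failed-authentication line.
    Connects, disconnects and successful logins are ignored on purpose."""
    failures = []
    for line in log_text.splitlines():
        m = SSHD_FAIL.search(line)
        if m:
            failures.append(("sshd", m.group(1)))
            continue
        m = SMTPD_FAIL.search(line)
        if m:
            failures.append(("smtpd", m.group(1)))
    return failures


def slash24(ip):
    """Containing /24 of an IPv4 address, as 'a.b.c.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def stats(failures):
    """The three numbers the post quotes: attempts, unique IPs, unique /24s."""
    ips = {ip for _, ip in failures}
    return {"attempts": len(failures), "unique_ips": len(ips),
            "unique_nets": len({slash24(ip) for ip in ips})}


def offenders(failures, ip_threshold=3, net_threshold=3):
    """Per-IP offenders, plus /24s that cross the threshold only in aggregate
    (every individual source stayed under ip_threshold: the distributed case)."""
    per_ip = Counter(ip for _, ip in failures)
    per_net = Counter(slash24(ip) for ip in per_ip.elements())
    by_ip = sorted(ip for ip, n in per_ip.items() if n >= ip_threshold)
    distributed = sorted(
        net for net, n in per_net.items()
        if n >= net_threshold
        and max(per_ip[ip] for ip in per_ip if slash24(ip) == net) < ip_threshold)
    return {"by_ip": by_ip, "distributed_nets": distributed}


def inetnum_to_cidrs(whois_text):
    """Convert whois 'inetnum: first - last' ranges into CIDR prefixes suitable
    for a deny list; a range that is not prefix-aligned splits into several."""
    cidrs = []
    for first, last in INETNUM.findall(whois_text):
        rng = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        cidrs.extend(str(net) for net in rng)
    return cidrs


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(stats(fails))
    print(offenders(fails))
    print(inetnum_to_cidrs(SAMPLE_WHOIS))
```

On the sample, no host in 203.0.113.0/24 fails more than once, so a per-IP rule never fires, yet the /24 as a whole shows four failures from four sources; that aggregate view is what catches the spread-out pattern, at the cost of blocking a whole netblock, which is the trade-off the opening post accepts. A real deployment would run this over a sliding time window rather than a whole file.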
mark123
quote:
Originally posted by ensigmatic:
quote:
Originally posted by mark123:
Anything us normies need to check?
That you're not using default accounts (e.g.: "admin") on any IoT devices, that anything that doesn't need exposure to the 'net is blocked at your Internet router, and that any passwords you use are complex and not re-used anywhere.
That's the easy stuff.
I think the only IoT things are their security cameras, garage door opener and TVs. They’re all isolated on a separate VLAN. No default usernames or passwords.
Edit - oh, the automobiles will also connect to IoT VLAN for updates and such.