From: Carl Chave
Date: Sat, 10 Mar 2018 18:35:25 -0500
Subject: Re: Increased abuse activity on my server
To: FreeBSD Questions

I always thought "port knocking" was a neat method to minimize port exposure. Never actually used it myself but maybe worth a mention here.

On Sat, Mar 10, 2018 at 5:43 AM, User Hasse wrote:
> Hello and thank you very much for your reply.
>
> Regarding the first part of your answer, I thought my question was
> perfectly clear and easy to answer. "Anybody else noticed increased
> abuse activity on your servers?" and that was my sole and only question.
>
> But your answer was interesting to read. Especially the AWS part, that I
> was not aware of.
>
> So, thank you very much for your time and effort to help.
>
> All the best
> Geir Svalland.
>
> ------------------------------------------
> On Fri, Mar 09, 2018 at 07:30:21AM -0500, Rich Kulawiec wrote:
> > On Wed, Mar 07, 2018 at 08:19:44AM +0100, User Hasse wrote:
> > > I believe I see an increased amount of abuse attempts on my server by
> > > several 100% in the last couple of months. Anybody else noticed?
> >
> > This is a question that can't be answered because it's not correctly
> > asked.
> >
> > "abuse" has many facets, and what you see on your server is totally
> > different in character, source, volume, etc., from what everyone else
> > sees. Yes, it's possible to collate many different reports from
> > disparate operations and perhaps -- MAYBE -- arrive at some general
> > conclusions about the overall state of abuse Internet-wide, and that's
> > an interesting intellectual exercise...but it's not much help to you.
> >
> > Moreover, given the high degree of sophistication among some abusers,
> > what you see today may have little or no relationship to what you see
> > tomorrow. So reacting to recent events, while not necessarily bad, may
> > not avail you much in the long term.
> >
> > A better approach is to be pro-active. Not only should you turn off
> > all services that you don't need, but you should block access to them
> > from every part of the world that doesn't have an operational need for
> > them.
> >
> > For example:
> >
> > Suppose you run an ssh server. And suppose that you only need to allow
> > access to it from the US, Canada, and the UK. Then (a) put in a firewall
> > rule that denies access globally and (b) add rules to allow access from
> > only those three countries. (See ipdeny.com for the network blocks.)
> >
> > This does *nothing* to stop ssh abuse from the US/CA/UK, but it does
> > *everything* to stop it from the rest of the world. (Yes, I'm aware
> > of proxies and VPNs.)
> >
> > The next step is to look at the ssh abuse coming from cloud operations:
> > for example, AWS is a notorious, chronic, systemic source of abuse and
> > attacks because the people running it are incompetent and negligent.
> > Block it. All of it. Because unless you have an operational need for
> > personnel to ssh in from there, there's no reason not to. Repeat with
> > other cloud operations that behave in a similarly hostile fashion.
> >
> > And then keep track of where further abuse comes from. Keep the logs
> > and look at the statistics over a day/week/month/year. Other entries
> > for firewalls will suggest themselves. Use them.
> >
> > This is a *vastly* better approach than attempting to react on the fly
> > with things like fail2ban. It shuts down the abuse -- at least from
> > the sources you enumerate -- permanently. After all, if someone out
> > there insists on providing you with evidence of their malicious intent
> > all day every day, how much evidence do you need to see before you
> > believe them? And if you believe them, why in hell would you continue
> > to provide them with services?
> >
> > The same approach works with pops and imaps and other services. Firewall
> > out every place that will never need them, then start firewalling out
> > every place that attacks them. If you're careful and diligent about
> > this, then over time you'll find that it gets easier -- because there's
> > less and less to deal with. Of course it never stops entirely: there are
> > always newly-emerging sources of abuse. But this approach drastically
> > reduces the scale of the problem and makes it tractable. It works
> > in nearly all production environments with a few exceptions -- and
> > you're not one of those.
> >
> > ---rsk
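As an added example (not code from this thread, and not Rich's or Carl's own tooling), the following shell script shows the two halves of the approach quoted above: the pf rule layout that denies ssh globally and then allows it only from a country table, and the log-statistics step that turns "Failed password" lines into a pf table of addresses to firewall out. The log lines are constructed (RFC 5737 documentation addresses), and the table names, file paths and function names are placeholders chosen for the example; the pf rules appear only as comments, because they describe configuration rather than something the script executes.

```shell
#!/bin/sh
# Added example: tally sshd password failures per source address and list the
# addresses that cross a threshold, one per line, the format a pf table file
# expects. Nothing here touches the live firewall; it only produces the list.
#
# The pf.conf side this feeds, sketched with placeholder table names:
#   table <ssh_countries> persist file "/etc/pf/ssh_countries.txt"  # ipdeny.com blocks
#   table <abusers>       persist file "/etc/pf/abusers.txt"        # output of this script
#   block in quick on $ext_if from <abusers>
#   block in on $ext_if proto tcp to port ssh
#   pass  in on $ext_if proto tcp from <ssh_countries> to port ssh

# Constructed sample of sshd log lines (not from any real host).
SAMPLE_LOG='Mar 10 10:01:02 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 10 10:01:05 host sshd[1235]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 10 10:01:09 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 51251 ssh2
Mar 10 10:02:30 host sshd[1240]: Failed password for invalid user oracle from 203.0.113.9 port 40022 ssh2
Mar 10 10:03:00 host sshd[1241]: Accepted publickey for carl from 192.0.2.44 port 50011 ssh2
Mar 10 10:03:15 host sshd[1242]: Invalid user guest from 203.0.113.9 port 40030'

# failed_logins_by_ip: read sshd lines on stdin, print "<count> <ip>" per source,
# highest count first. Only "Failed password" lines count; accepted logins and
# bare "Invalid user" notices are ignored.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
    | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# block_candidates THRESHOLD: addresses with at least THRESHOLD failures, one
# per line, ready to append to the <abusers> table file.
block_candidates() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Wrappers over the embedded sample so the functions can be exercised without
# a real log file.
sample_counts() {
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
}

sample_block_candidates() {
    printf '%s\n' "$SAMPLE_LOG" | block_candidates "$1"
}

# Usage on a real system (paths assumed; review the list before loading it):
#   block_candidates 3 < /var/log/auth.log >> /etc/pf/abusers.txt
#   pfctl -t abusers -T replace -f /etc/pf/abusers.txt
```

The threshold is the operator's call: Rich's point is that the list is reviewed over a day/week/month and entries are added deliberately, so the script emits candidates for a human to confirm rather than reloading the table on its own.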