Date: Fri, 19 Aug 2011 11:04:37 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, mark@msen.com
Subject: Re: My server is under attack (I think)
Message-ID: <201108191604.p7JG4bqi070704@mail.r-bonomi.com>
In-Reply-To: <4E4E7AC1.5000904@msen.com>
> From owner-freebsd-questions@freebsd.org Fri Aug 19 10:02:30 2011
> Date: Fri, 19 Aug 2011 11:01:21 -0400
> From: Mark Moellering <mark@msen.com>
> To: FreeBSD <freebsd-questions@freebsd.org>
> Subject: My server is under attack (I think)
>
> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed

This hostname has no IP address in the DNS.

> Is there anything I should be doing to make sure the server isn't
> compromised? It is a mail server running postfix / dovecot
> I have pf set up and am also running a program called sshguard.
> I am kind of at a loss. It looks like I am under attack but I don't
> know what to do about it. Any help is greatly appreciated

Given that the look-up fails, the connection is automatically denied.

This is routine 'doorknob rattling' by bad guys. If you're getting a lot of this from a particular netblock, a 'deny all' rule for that netblock may be indicated. If it's coming from a locale that you expect no legit traffic from (the Republic of China in this case), you aren't likely to lose anything 'valuable' by aggressive router-level blocking.

I get these kinds of messages all the time for various services -- notably socks5 and SMTP. I used to get a lot for SSH, but they dropped to virtually _zero_ when I moved SSH to a 'non-standard' port. This does _NOT_ materially increase the _actual_ security of the system, but it does wonders for reducing the 'noise' in the logs.

I simply "don't worry" about the socks5 and/or SMTP 'rattling'. Socks5 is configured to accept connections only from 'localhost', which is used to support http tunneling in an SSH session -- *all* external connection attempts are denied. Unless an attacker can fake 127.0.0.1 packets -- *over* the 'lo0' interface -- socks won't talk to them. <grin>

My SMTP daemon is sendmail, which, in conjunction with some custom 'milters', is fully capable of protecting itself. People that 'doorknob rattle' it too heavily get manually added to the /etc/hosts.{allow/deny} file.
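Added example, not part of either message in the thread: a small POSIX shell helper that turns a stream of the tcp_wrappers "can't verify hostname" warnings Mark quoted into a per-hostname count, so a noisy source can be judged before a deny rule is written by hand as Bonomi describes. The log lines are constructed sample data in the same format; the threshold, the second-level-domain grouping, and the hosts.allow line format are this example's assumptions.

```shell
#!/bin/sh
# Constructed sample lines in the format of the sshd/tcp_wrappers warning
# quoted in the thread. The last line is an ordinary sshd event and must be
# ignored by the filter.
sample_log() {
cat <<'EOF'
mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
mail sshd[1840]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
mail sshd[1855]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
mail sshd[1861]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(host7.example.net, AF_INET) failed
mail sshd[1870]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
EOF
}

# count_unverified [threshold]
# Reads log lines on stdin (e.g. from `dmesg -a` or /var/log/auth.log),
# extracts the hostname from "getaddrinfo(<name>, AF_INET) failed", and
# prints "<count> <hostname>" for every name seen at least <threshold>
# times, busiest first. Threshold defaults to 1.
count_unverified() {
    threshold="${1:-1}"
    sed -n 's/.*getaddrinfo(\([^,]*\), AF_INET) failed.*/\1/p' |
        sort | uniq -c | sort -rn |
        awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# suggest_deny
# Reads "<count> <hostname>" lines from count_unverified and emits one
# candidate /etc/hosts.allow deny rule per second-level domain, for a
# human to review before adding. Grouping on the last two labels is an
# assumption that fits the sample; real log data may need a smarter rule.
suggest_deny() {
    awk '{
        n = split($2, a, ".")
        if (n >= 2) {
            dom = "." a[n-1] "." a[n]
            if (!(dom in seen)) { seen[dom] = 1; print "sshd : " dom " : deny" }
        }
    }'
}

# Stand-alone run: report names seen twice or more from the sample.
sample_log | count_unverified 2
```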