Date: Fri, 19 Aug 2011 11:04:37 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, mark@msen.com
Subject: Re: My server is under attack (I think)
Message-ID: <201108191604.p7JG4bqi070704@mail.r-bonomi.com>
In-Reply-To: <4E4E7AC1.5000904@msen.com>
> From owner-freebsd-questions@freebsd.org Fri Aug 19 10:02:30 2011
> Date: Fri, 19 Aug 2011 11:01:21 -0400
> From: Mark Moellering <mark@msen.com>
> To: FreeBSD <freebsd-questions@freebsd.org>
> Subject: My server is under attack (I think)
>
> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
This hostname has no IP address in the DNS.
> Is there anything I should be doing to make sure the server isn't
> compromised? It is a mail server running postfix / dovecot
> I have pf set up and am also running a program called sshguard.
> I am kind of at a loss. It looks like I am under attack but I don't
> know what to do about it. Any help is greatly appreciated
Given that the look-up fails, the connection is automatically denied.
This is routine 'doorknob rattling' by bad guys. If you're getting
a lot of this from a particular netblock, a 'deny all' rule for that
netblock may be indicated. If it's coming from a locale that you expect
no legit traffic from (the Republic of China in this case), you aren't
likely to lose anything 'valuable' by aggressive router-level blocking.
I get these kinds of messages all the time for various services -- notably
socks5 and SMTP. I used to get a lot for SSH, but they dropped to
virtually _zero_ when I moved SSH to a 'non-standard' port. This does _NOT_
materially increase the _actual_ security of the system, but it does wonders
for reducing the 'noise' in the logs.
I simply "don't worry" about the socks5 and/or SMTP 'rattling'.
Socks5 is configured to accept connections only from 'localhost', which is
used to support http tunneling in an SSH session -- *all* external connection
attempts are denied. Unless an attacker can fake 127.0.0.1 packets -- *over*
the 'lo0' interface -- socks won't talk to them. <grin>
My SMTP daemon is sendmail, which, in conjunction with some custom 'milters',
is fully capable of protecting itself. People that 'doorknob rattle' it
too heavily get manually added to the /etc/hosts.{allow/deny} file.
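The reply above suggests deciding on a netblock-level deny rule only when the 'rattling' clusters from one source. The following script is an added example, not part of the thread or of FreeBSD's tcp_wrappers, that takes sshd warnings in the format Mark posted (as they appear unwrapped in dmesg or the auth log), pulls out the hostname that failed the getaddrinfo() check, and counts the warnings per parent domain so a cluster such as hichina.com stands out. The sample log lines, the function names and the second hostname (ip224.hichina.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise tcp_wrappers
# "can't verify hostname" warnings logged by sshd, grouped by the parent
# domain of the hostname whose forward lookup failed.

# Write a constructed sample of the log lines seen in the original post.
# $1: path of the file to write.
write_sample_log() {
    cat > "$1" <<'EOF'
mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
mail sshd[1835]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip224.hichina.com, AF_INET) failed
mail sshd[1840]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(host.example.net, AF_INET) failed
mail sshd[1842]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
}

# Print "count domain" lines, most frequent first.
# $1: log file, or '-' to read standard input (e.g. dmesg -a | ... -).
# Only lines carrying the getaddrinfo(<host>, AF_INET|AF_INET6) failure are
# considered; the hostname is reduced to its last two labels.
summarize_unverified() {
    cat -- "$1" |
    sed -n 's/.*can.t verify hostname: getaddrinfo(\([^,]*\), AF_INET[6]*) failed.*/\1/p' |
    awk -F. '{ if (NF >= 2) d = $(NF-1) "." $NF; else d = $0; c[d]++ }
             END { for (d in c) printf "%d %s\n", c[d], d }' |
    sort -rn
}

# Usage: sh summarize.sh /var/log/auth.log
#    or: dmesg -a | sh summarize.sh -
# With no argument, run against the constructed sample above.
if [ $# -eq 0 ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    summarize_unverified "$tmp"
    rm -f "$tmp"
else
    summarize_unverified "$1"
fi
```

The warning itself carries only the reverse-lookup name, not the connecting address, so this is a triage view: a domain that dominates the output is a candidate for looking up its netblocks and adding a pf or hosts.deny rule, as the reply describes, rather than something to block from this output alone.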
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201108191604.p7JG4bqi070704>
