From owner-freebsd-questions@FreeBSD.ORG Fri Aug 19 16:03:40 2011
Date: Fri, 19 Aug 2011 11:04:37 -0500 (CDT)
From: Robert Bonomi
Message-Id: <201108191604.p7JG4bqi070704@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org, mark@msen.com
In-Reply-To: <4E4E7AC1.5000904@msen.com>
Subject: Re: My server is under attack (I think)

> From owner-freebsd-questions@freebsd.org Fri Aug 19 10:02:30 2011
> Date: Fri, 19 Aug 2011 11:01:21 -0400
> From: Mark Moellering
> To: FreeBSD
> Subject: My server is under attack (I think)
>
> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed

This hostname has no IP address in the DNS.

> Is there anything I should be doing to make sure the server isn't
> compromised? It is a mail server running postfix / dovecot
> I have pf set up and am also running a program called sshguard.
> I am kind of at a loss. It looks like I am under attack but I don't
> know what to do about it. Any help is greatly appreciated

Given that the look-up fails, the connection is automatically denied.
This is routine 'doorknob rattling' by bad guys. If you're getting a lot of this from a particular netblock, a 'deny all' rule for that netblock may be indicated. If it's coming from a locale that you expect no legit traffic from (the Republic of China in this case), you aren't likely to lose anything 'valuable' by aggressive router-level blocking.

I get these kinds of messages all the time for various services -- notably socks5 and SMTP. I used to get a lot for SSH, but they dropped to virtually _zero_ when I moved SSH to a 'non-standard' port. This does _NOT_ materially increase the _actual_ security of the system, but it does wonders for reducing the 'noise' in the logs.

I simply "don't worry" about the socks5 and/or SMTP 'rattling'. Socks5 is configured to accept connections only from 'localhost', which is used to support http tunneling in an SSH session -- *all* external connection attempts are denied. Unless an attacker can fake 127.0.0.1 packets -- *over* the 'lo0' interface -- socks won't talk to them.

My SMTP daemon is sendmail, which, in conjunction with some custom 'milters', is fully capable of protecting itself. People that 'doorknob rattle' it too heavily get manually added to the /etc/hosts.{allow/deny} file.
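An added example, not part of the thread: it parses the tcp_wrappers warning quoted above from constructed dmesg lines, tallies the unverifiable hostnames by domain so one can see whether a single netblock owner dominates (the "is a deny rule indicated" question), and models the forward/reverse check whose failure produces the warning. The sample log lines, `FAKE_DNS` and the injectable `resolve` callback are constructed assumptions.

```python
import re
import socket
from collections import Counter

# Constructed sample of the dmesg output described in the thread (not real log data).
SAMPLE_DMESG = """\
mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
mail sshd[1835]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(ip17.hichina.com, AF_INET) failed
mail sshd[1842]: warning: /etc/hosts.allow, line 2: can't verify hostname: getaddrinfo(host1.example.invalid, AF_INET) failed
mail sshd[1850]: Accepted publickey for admin from 192.0.2.10 port 50000 ssh2
"""

# Matches the tcp_wrappers "can't verify hostname" warning exactly as quoted in the thread.
WARN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: warning: (?P<file>\S+), line (?P<line>\d+): "
    r"can't verify hostname: getaddrinfo\((?P<host>\S+), AF_INET\) failed"
)

def parse_warnings(text):
    """Return one dict (pid, file, line, host) per hostname-verification warning."""
    return [m.groupdict() for m in map(WARN_RE.search, text.splitlines()) if m]

def count_by_domain(records, labels=2):
    """Aggregate unverifiable hostnames by their last `labels` DNS labels, so
    ip223.hichina.com and ip17.hichina.com both count toward hichina.com."""
    return Counter(".".join(r["host"].split(".")[-labels:]) for r in records)

def system_resolve(name):
    """Forward-resolve a name to its IPv4 addresses using the real resolver."""
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]

def verify_hostname(client_ip, ptr_name, resolve=system_resolve):
    """Model the check tcp_wrappers does before matching a client by name: the
    name from the reverse lookup must resolve forward to an address set that
    contains the client's address. A failed forward lookup (the page's case)
    or a mismatch both return False, and, as the reply above notes, such a
    connection is denied. `resolve` is injectable so the example runs offline."""
    try:
        addrs = resolve(ptr_name)
    except socket.gaierror:
        return False
    return client_ip in addrs

# Constructed offline resolver standing in for DNS: names absent from the map fail.
FAKE_DNS = {"good.example.invalid": ["192.0.2.10"]}

def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "constructed: name not found")
    return FAKE_DNS[name]
```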