Date: Fri, 9 Mar 2018 07:30:21 -0500 From: Rich Kulawiec <rsk@gsp.org> To: freebsd-questions@freebsd.org Subject: Re: Increased abuse activity on my server Message-ID: <20180309123021.GA9355@gsp.org> In-Reply-To: <20180307071944.GA30971@ymer.bara1.se> References: <20180307071944.GA30971@ymer.bara1.se>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Mar 07, 2018 at 08:19:44AM +0100, User Hasse wrote: > I belive I see an increased amount of abuse attempt on my server by several 100% > in the last couple of months. Anybody else noticed ? This is a question that can't be answered because it's not correctly asked. "abuse" has many facets, and what you see on your server is totally different in character, source, volume, etc., from what everyone else sees. Yes, it's possible to collate many different reports from disparate operations and perhaps -- MAYBE -- arrive at some general conclusions about the overall state of abuse Internet-wide, and that's an interesting intellectual exercise...but it's not much help to you. Moreover, given the high degree of sophistication among some abusers, what you see today may have little or no relationship to what you see tomorrow. So reacting to recent events, while not necessarily bad, may not avail you much in the long term. A better approach is to be pro-active. Not only should you turn off all services that you don't need, but you should block access to them from every part of the world that doesn't have an operational need for them. For example: Suppose you run an ssh server. And suppose that you only need to allow access to it from the US, Canada, and the UK. Then (a) put in a firewall rule that denies access globally and (b0 add rules to allow access from only those three countries. (See ipdeny.com for the network blocks.) This does *nothing* to stop ssh abuse from the US/CA/UK, but it does *everything* to stop it from the rest of the world. (Yes, I'm aware of proxies and VPNs.) The next step is to look at the ssh abuse coming from cloud operations: for example, AWS is a notorious, chronic, systemic source of abuse and attacks because the people running it are incompetent and negligent. Block it. All of it. Because unless you have an operational need for personnel to ssh in from there, there's no reason not to. Repeat with other cloud operations that behave in a similarly hostile fashion. And then keep track of where further abuse comes from. Keep the logs and look at the statistics over a day/week/month/year. Other entries for firewalls will suggest themselves. Use them. This is a *vastly* better approach than attempting to react on the fly with things like fail2ban. It shuts down the abuse -- at least from the sources you enumerate -- permanently. After all, if someone out there insists on providing you with evidence of their malicious intent all day every day, how much evidence do you need to see before you believe them? And if you believe them, why in hell would you continue to provide them with services? The same approach works with pops and imaps and other services. Firewall out every place that will never need them, then start firewalling out every place that attacks them. If you're careful and diligent about this, then over time you'll find that it gets easier -- because there's less and less to deal with. Of course it never stops entirely: there are always newly-emerging sources of abuse. But this approach drastically reduces the scale of the problem and makes it tractable. It works in nearly all production environments with a few exceptions -- and you're not one of those. ---rsk
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20180309123021.GA9355>