July 2006 Archives

It makes me SICK!


AIEEEEEEE!!!!!!!

It makes me sick how many sysadmins DO NOT configure their mail servers properly for Internet usage.

One BASIC rule of mail server configuration: When you greet the other mail server (the HELO command), USE A VALID HOSTNAME!

SOOOOOOO many people don't do that. And to be honest, I don't necessarily blame the people (tho I have to blame them 30-40%), but I blame the PRODUCTS they use for not 1) being configured properly by default or 2) educating the customer on differentiating internal vs. external mail server configuration.

But still, it's the SysAdmin whose JOB it is to do things RIGHT. The fact that they just "slack off" and go "well, no one else bothers, why should I?" - it kills me.

Why is this important? It helps reduce spam.

I'm so tempted to contact a network magazine journalist and see if he'd ever be interested in a story on it. Click MORE for more info on logs I recorded today. This is what OTHER SERVERS told MY SERVER (at work).

On August 21st


A while ago I started writing a paper to debate the issue of homosexuality within Christianity. It was brought on by my mother.

I now post that document for public consideration. It's a work in progress, and I still review & add to it periodically.

Enjoy what I've titled On August 21st

Die Spammers, Die!


I hate spam. I do not like spam, I do not like it at all. I will not eat it, I will not read it.

I've had a bot net (only 1?) after my mail server doing dictionary attacks for the last few months (at least). I tightened down my postfix rules HARD. A little too hard, probably (I've had a couple "false positives" get blocked).

I had an idea last night. I figured if I could get syslog to echo its logs over to a PHP script, then it would be easy for PHP to parse those logs in REAL-TIME and dynamically and automagically add an IPFW rule to block those botnets.

So between last night, and some final tweaking this morning, it's working!!

Here's how it works...
I'm using netcat to echo syslog data to the socket I have the script listening on. The script looks for a "Recipient address rejected" error from syslog/postfix (I can alter, or add additional errors as needed). Now it does a couple things:
- Parses the IP address the mail originated from.
- Inserts IP & syslog entry into a database (tracking is good!)
- Generates an IPFW DENY command & executes it.
---- All this is logged to a log file, for verification/auditing.

It's still rough, tho. I want to add a web interface for it to view/manipulate the database information. I'm going to add a whitelist - because this program is not very forgiving to humans who accidentally send email to the wrong address (eg. typo). I'll also add an option to fully re-generate the IPFW table.
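Added example (Python, not the author's PHP script): the same pipeline as the list above, plus the whitelist the post says is still missing. It assumes constructed postfix/smtpd reject lines in the standard syslog format, an in-memory SQLite table standing in for the unspecified database, a made-up trusted range for the whitelist, and a dry-run default so the ipfw command is generated but only executed when asked.

```python
import ipaddress
import re
import sqlite3
import subprocess

# Constructed sample syslog lines in the usual postfix/smtpd reject format
# (documentation-range addresses; hostnames and pids are made up).
SAMPLE_LOG = """\
Jul 14 09:01:12 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <zzz@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<zzz@example.org> proto=SMTP helo=<example.net>
Jul 14 09:01:13 mail postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 <yyy@example.org>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<yyy@example.org> proto=SMTP helo=<example.net>
Jul 14 09:01:20 mail postfix/smtpd[4023]: NOQUEUE: reject: RCPT from host.example.com[192.0.2.44]: 550 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.com> to=<bob@example.org> proto=ESMTP helo=<host.example.com>
Jul 14 09:01:25 mail postfix/smtpd[4024]: connect from unknown[198.51.100.9]
Jul 14 09:01:31 mail postfix/smtpd[4024]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 <qqq@example.org>: Recipient address rejected: User unknown in local recipient table; from=<b@example.net> to=<qqq@example.org> proto=SMTP helo=<localhost>
"""
# The client address sits in "RCPT from <host>[<ip>]:" on the reject line.
REJECT_RE = re.compile(r"RCPT from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:.*Recipient address rejected")
# Assumption: the whitelist the post says is still missing; a trusted range whose
# humans may fat-finger an address and must not get their site firewalled for it.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]

def is_whitelisted(ip):
    return any(ipaddress.ip_address(ip) in net for net in WHITELIST)

def ipfw_deny_command(ip):
    # Plain ipfw syntax; no rule number given, so ipfw assigns the next free one.
    return ["ipfw", "add", "deny", "ip", "from", ip, "to", "any"]

def process_log(text, conn=None, execute=False):
    """Parse reject lines, record each new offender once, return the deny commands.
    execute=True actually runs ipfw (needs root on FreeBSD); default is a dry run."""
    # Assumption: the post's database is unspecified; an in-memory SQLite table
    # with ip as PRIMARY KEY stands in, and that key also dedupes repeat offenders.
    conn = sqlite3.connect(":memory:") if conn is None else conn
    conn.execute("CREATE TABLE IF NOT EXISTS blocked (ip TEXT PRIMARY KEY, line TEXT)")
    commands = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m or is_whitelisted(m.group("ip")):
            continue
        try:
            conn.execute("INSERT INTO blocked VALUES (?, ?)", (m.group("ip"), line))
        except sqlite3.IntegrityError:
            continue  # already blocked: one attempt per zombie is enough
        cmd = ipfw_deny_command(m.group("ip"))
        if execute:
            subprocess.run(cmd, check=True)
        commands.append(" ".join(cmd))
    return commands
```

Feeding the script live data is the same netcat-to-socket setup the post describes; this block just consumes the text it is handed.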

I've had it running for 30 mins, and already have 63 IPs blocked.

WHY GO THRU THIS, you ask?
Easy. Money. I pay for bandwidth on my server. So I'm paying to have to deal with all this spam. The quicker I can cut off communications with these botnets & spammers, the less data there is that comes across, and thus the less I have to pay for.

The "attack" hits me with 4-10 spam attempts every minute, so it's not "fast" by DDoS standards, so it's not that it's generating a heavy load on the system either. It's really about turning my machine into a "void" that these botnets cannot communicate with. Basically each zombie gets 1 attempt. Once postfix blocks it, then they get blocked by ipfw as a result. "You are the weakest link, goodbye!"

It all makes me kinda smile inside :)

I figure as I build this up, I'll post it and open-source it. It's not the most elegant thing in the world, but it does do what it's designed to do.

Why PHP and not PERL? I'm not a perl-monkey. I can read perl (mostly), but don't know it enough to sit down & program in it. PHP I know, PHP is CLI'd, and works well for regex'ing and parsing and databasing and all that. If someone wanted to perl-ize this, great. I don't know what the pros/cons would be to bother with it. It might be better for systems with a much higher syslog load? But running this as a single instance isn't having any sort of impact on my server load thus far (tho as I said, it's not a "fast" attack by any means, either - I don't know how it would perform under heavy load).

Enough for now!
Cheers!

About this Archive

This page is an archive of entries from July 2006 listed from newest to oldest.

Powered by Movable Type 4.1