[BlueOnyx:01723] Re: Sendmail attack, again (ideas for a more permanent solution)

Rodrigo Ordonez Licona rodrigo at xnet.com.mx
Wed Jul 15 19:10:34 -05 2009


In this regard, 

Maybe we should get a quick startup guide for users, 

Just a set of notes that should be checked after a clean install, to avoid
the most frequent attacks,

Relaying, Tips about securing sendmail, dfix maybe...

-- Thank you for the new log entries on the User interface, 

We really appreciate your efforts.

Regards

Rodrigo O
Xnet

 

-----Original Message-----
From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of Michael Stauber
Sent: Wednesday, 15 July 2009 04:52
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:01718] Re: Sendmail attack, again (ideas for a more permanent solution)

Hi Gerald and Paul,

Gerald wrote:
> > I suggest not having a user info, maybe OK as an alias.
> > Else give user info a strong password

Paul wrote:
> This was EXACTLY the same problem as I had a week or so ago - and it 
> was indeed the user "info". Removed the user, and problem gone 
> (blocked the spammer's IP for good measure)!!

I'm currently re-thinking certain security aspects of BlueOnyx while I'm
working on an improved (commercial) firewall package for BlueOnyx.

As is, the add-ons (free or paid) that are around to counter these problems
all have their shortcomings.

They may be able to cope with some brute force or dictionary attacks, but
there is always the odd one that slips through and hits you squarely over
the head. 

Even then there is more that can be done - like monitoring logging behaviour
and typical usage which usually is not done by anything.

For example: You have that user "info". He's been on the server for several
months. During that time he logged in by POP3 from dynamic IP addresses in
the UK like three times a week and sends maybe 20 emails on the average per
week. 
Sometime in February he logged in from a dynamic IP in the US and over the
easter weekend from somewhere in France.

Now all of the sudden he logs in to SMTP-Auth from Romania, the Ukraine or
China every minute and sends like 2000 emails per hour.

That doesn't really fit the typical behaviour of that user and should be a
dead giveaway that there is something wrong. With some creative logfile
parsing and Perl scripting it's fairly easy to catch, too.

It could even be possible to set site or user specific limits through the
BlueOnyx GUI. Like: User can only use network services (SMTP-Auth, POP3,
IMAP, FTP) if the connections come from certain countries, a certain continent or
region. Or one could set limits for sites and users about how many emails
they are allowed to send in a given time period. Either one of those should
be able to catch these kinds of abuse and either stop it early, or notify you
that something out of the ordinary is going on that may require your
attention. 
Without causing undue trouble for the average users - with the exception of
restricting allowed traffic to certain countries - of course. Even then you
could throw in something like this:

If he connects from a country in the "non-suspicious" list, he can send 500
emails a day, but if he connects from one in the "suspicious list", he can
only send 50 a day, plus an alarm is raised anyway.

Reactions to suspicious login activity or suspicious usage activity
(especially related to sending emails!) could also be defined on a per site
or per user basis. 

Like: 

- Ignore and do nothing
- Log and report only
- Log, report and impose stricter limits on allowed activity
- Suspend the account temporarily (by locking it)
- Block the offending IP with a firewall rule and lock the account

I got a very rough draft of that code in the cooker at the moment, but it's
still a few weeks away from being ready.

Certain features of the new firewall package will probably be included for
free in BlueOnyx, like the ability to monitor accounts for unusual login
activity and usage behaviours, but the rest will be a paid add-on. That also
makes sure that there won't be problems with other third party security
tools like Dfix, APF, BFD or whatever else may already be present.

-- 
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx
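The baseline-versus-anomaly check Michael describes (countries each user has previously authenticated from, a stricter cap when the connection comes from the "suspicious" list, and the graded reactions), as an added example written in Python rather than the Perl he mentions; it is not BlueOnyx or list code. The sendmail lines, the IP-prefix country table and the limits are constructed assumptions.

```python
import re
from collections import defaultdict

# Sendmail logs a successful SMTP-Auth session as
# "... AUTH=server, relay=host [ip], authid=user, mech=LOGIN, bits=0".
AUTH_RE = re.compile(
    r"AUTH=server, relay=(?:\S+ )?\[(?P<ip>[\d.]+)\], authid=(?P<user>[^,]+)")

# Constructed stand-in for a GeoIP lookup (prefix -> country code).
GEO = {"203.0.113.": "GB", "198.51.100.": "US", "192.0.2.": "RO"}
TRUSTED = {"GB", "US", "FR"}               # the "non-suspicious" list (assumed)
LIMIT_TRUSTED, LIMIT_SUSPICIOUS = 500, 50  # sessions allowed per period (assumed)

def country_of(ip):
    return next((cc for pfx, cc in GEO.items() if ip.startswith(pfx)), "??")

def parse_auths(lines):
    """Yield (user, country) for every successful SMTP-Auth log line."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("user"), country_of(m.group("ip"))

def build_baseline(history):
    """Countries each user has been seen authenticating from in the past."""
    seen = defaultdict(set)
    for user, cc in parse_auths(history):
        seen[user].add(cc)
    return seen

def assess(user, recent, baseline):
    """Map one period of a user's activity to a reaction from the post's list."""
    countries = [cc for u, cc in parse_auths(recent) if u == user]
    if not countries:
        return "ignore"                    # nothing to act on
    unseen = {cc for cc in countries if cc not in baseline.get(user, set())}
    suspicious = any(cc not in TRUSTED for cc in countries)
    limit = LIMIT_SUSPICIOUS if suspicious else LIMIT_TRUSTED
    if len(countries) > limit:             # volume alone is over the cap
        return "block_ip_and_lock" if suspicious else "lock"
    if unseen:                             # new country, but within the cap
        return "limit" if suspicious else "report"
    return "ignore"

def sample(day, ip, n, user="info"):
    """Constructed sendmail lines: n SMTP-Auth sessions by user from ip on day."""
    return [f"{day} 04:{i % 60:02d}:00 srv sendmail[{100 + i}]: AUTH=server, "
            f"relay=[{ip}], authid={user}, mech=LOGIN, bits=0" for i in range(n)]

HISTORY = sample("Jul  1", "203.0.113.4", 3) + sample("Jul  2", "198.51.100.7", 1)
BURST = sample("Jul 15", "192.0.2.9", 60)  # 60 sessions in one period, new country
```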