[BlueOnyx:01728] Re: Sendmail attack, again (ideas for a more permanent solution)

Greg Kuhnert greg.kuhnert at theanchoragesylvania.com
Wed Jul 15 20:52:03 -05 2009


Rodrigo Ordonez Licona wrote:
> Maybe we should get a quick startup guide for users, 
> Just a set of notes that should be checked after a clean install, to avoid
> the most frequent attacks,
>   
Here are a few thoughts to add to the discussion about spam relay attack 
prevention... and cure.

PREVENTION...

From the recent sendmail "attack" messages I have seen - so far, they 
have all involved compromised accounts. If we're going to survive, we 
need to be protected against this type of attack. Most accounts are 
compromised by poor password selection. Sometimes, there may be an 
account that is compromised by brute force attack, but even then - brute 
force attacks are often based on dictionary attacks to make them work 
faster.

BlueOnyx has helped greatly with the strong password enforcement. Old 
migrated accounts however may still have weak passwords. In other 
systems I look after, the solution is often to enforce password changes. 
That's OK in a corporate environment, but not operationally practical in 
an ISP /webhosting environment. So what's the answer? If you have done a 
BQ -> BX migration, you will want to at least ensure your users all have 
strong passwords. New users are OK, but old former BQ users will still 
often have weak passwords.

The command below will show you when a user last changed their password. 
Run this, and look for users whose password is old, and ask them to 
change it. The new BlueOnyx strong password enforcement will make sure 
their password will be secure. (And yes, I do enjoy doing things in one 
line commands - it's a habit of mine)...

# For every account's .md5_password file, print the file's modification
# date (i.e. the last password change) followed by the account's user name.
locate .md5_password | xargs --replace=DIR ksh -c \
  'echo -n "`ls -l DIR | cut -b28-39` "; cat `dirname DIR`/.name; echo'

CURE...

The only cure once you've been hit, is to identify the problem quickly, 
and to lock the vulnerable account. Automated detection and response is 
a cool idea, but at the moment - the best advice is to review reports on 
your system regularly. I regularly talk to people who don't monitor their 
admin email account. I cannot emphasise how important this is for a good 
system administrator. Your admin email account will have warnings about 
cron tasks failing, information from dfix, active monitor alerts, 
denyhosts alerts, quota warnings, yum.... and many more. I know there 
can also be a lot of noise in your admin account. My best advice there 
is to set up email rules in your mail client to sort these alerts to make 
it easier to manage the information.

There is a really good howto page that describes a good way to do mail 
filtering in procmail that I've used for years. Have a look here for 
details.

http://john.fremlin.org/linux/howto/procmail.html

I hope these suggestions are helpful...

Regards,
Greg Kuhnert

--
+---------------------------------------------------------------------+
|   / \   Greg Kuhnert, gkuhnert at compassnetworks.com.au               |
| <  o  > Compass Networks - Pointing you in the right direction      |
|   \ /   Come see us for BlueQuartz / BlueOnyx modules & Support.    |
+---------------------------------------------------------------------+
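Added example, not from Greg's message or from BlueOnyx itself: a POSIX sh script that turns the "look for users whose password is old" check above into a threshold-based listing over the .md5_password / .name layout the one-liner relies on. The search root and the age threshold in days are assumed parameters, and the demo data at the bottom is constructed.

```sh
# Added example (not from the original post): list accounts whose
# .md5_password file is older than DAYS days, using the .md5_password
# and .name files the post's one-liner reads. ROOT and DAYS are assumed
# parameters rather than fixed BlueOnyx paths.

# stale_password_accounts ROOT DAYS
# Prints "<user> <path-to-.md5_password>" for each account whose password
# file was last modified more than DAYS days ago.
stale_password_accounts() {
  root=$1
  days=$2
  # -mtime +N matches files modified more than N days ago (POSIX find).
  find "$root" -type f -name .md5_password -mtime "+$days" |
  while IFS= read -r pwfile; do
    dir=$(dirname "$pwfile")
    if [ -r "$dir/.name" ]; then
      user=$(cat "$dir/.name")
    else
      user="(no .name file)"
    fi
    printf '%s %s\n' "$user" "$pwfile"
  done
}

# make_demo_tree: constructed sample data, one stale and one fresh account.
# Echoes the temporary root directory it created.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/old" "$root/new"
  printf 'alice\n' > "$root/old/.name"
  printf 'bob\n'   > "$root/new/.name"
  : > "$root/old/.md5_password"
  : > "$root/new/.md5_password"
  # Backdate alice's password file to 1 Jan 2009 (touch -t is POSIX).
  touch -t 200901010000 "$root/old/.md5_password"
  echo "$root"
}

demo=$(make_demo_tree)
stale_password_accounts "$demo" 90   # prints alice's line only
rm -rf "$demo"
```

On a live system you would point stale_password_accounts at the directory holding the account files (the post's `locate .md5_password` shows where they live) instead of the constructed demo tree.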
