[BlueOnyx:16374] Re: Security measures in general

George F. Nemeyer tigerwolf at tigerden.com
Sun Nov 2 12:36:11 -05 2014


On Sun, 2 Nov 2014, Michael Stauber wrote:

> This is also in the light of some pretty heavy targeted attacks that
> we're seeing on our own servers at the moment. It's not just the usual
> "drive by" brute force login attempts, but something a bit more serious,
> more focused and targeted. /me waves at China.

Maybe the recent Drupal website issue?  That seems to have been exploited
heavily immediately after the vulnerability was announced:
http://arstechnica.com/security/2014/10/drupal-sites-had-hours-to-patch-before-attacks-started/

We've seen a huge increase (2-3x) in the number of denyhosts notifications in the
last day or two, so the activity to look for vulnerable Drupal installs
may also try other things.

> As is, the combination of APF Firewall and Dfix2 provides a pretty
> good level of protection. Yet: Parsing logfiles for "bad"
> activity and then creating firewall rules that deny further activity
> from the same IP is akin to locking the barn after the burglar has
> already started to pick the lock on your front door.

Yes.  But at least if they try to come back later for other doors or
windows, they'll find a brick wall.

> We block early enough to prevent more serious probes, but still: What if
> we could already have a screening at the fence of the property that only
> lets a selected crowd of people actually into our yard and to get as far
> as the front door? That would be a pretty drastic improvement.

Elsewhere, I'm actually proposing consideration of a trusted, global,
SpamHaus-like, DNS-based, reputation system whereby *any* connecting IP
could be queried against an Internet-wide database that returns some info
on that IP's reputation.  It wouldn't be 'instant' in its assessments of
bad guys, but it would weed out chronic repeat offenders, and possibly
limit the number of hits a 'random' attacker could make before being
globally announced.

Ideally, it would become a standard part of what a normal DNS query
returns, but that would require a significant infrastructure change in
order to be transparent to and compatible with older systems out there.

Given what you've described below, I think what I've tossed out could be
useful, *particularly* for your data sharing among boxes/groups/all BX
people.   Since it's based on DNS lookups/responses, it would be fast and
with minimal traffic generated.

I'll post that as a separate message for folks to see and mull over.

> To cope with my new "friends" in China I quickly patched something
> together that ties *all* Auth services into GeoIP and denies access to
> everyone that's not from a list of allowed countries. That puts a pretty
> heavy ban hammer onto the usual suspects from China, Russia, Romania and
> so forth. As a result the number of attacks that actually make it as far
> as seeing a login prompt dropped off by 95%. And the remaining 5% are
> then easily detected by Dfix2 and blocked by APF.

Ah!  I was wondering why GeoIP got installed with the latest update. :)

Is it currently hooked into ProFTPd (it was listed as a dependency), or is
it just there by itself for us to use as desired?

> Greg also did some pretty nifty improvisations on his own boxes to deal
> with the attacks he gets and step by step worked them into a nice solution
> that's ready for general usage.
>
> So the other day we spoke about a complete overhaul of our Security
> Package and have made plans to take the things that worked exceptionally
> well for us to roll them into an updated and improved Security Package.
>
> What we want to do is this:

Fantastic!  I'd be glad to set up a test site if you need some external
input!
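The DNS-based reputation lookup George sketches above works the same way existing DNSBLs do: reverse the connecting IP's octets, append the list's zone, and read the verdict from the A record that comes back. This is an added example, not code from the list or from BlueOnyx; the zone name, the sample answers and the stand-in resolver are constructed, and the fail-open/fail-closed choice on resolver trouble is the caveat a practitioner would want decided explicitly.

```python
import ipaddress
import socket

# Constructed zone and answers; a real list publishes its own zone and codes.
REPUTATION_ZONE = "rep.example.invalid"
SAMPLE_ANSWERS = {
    "4.3.2.198." + REPUTATION_ZONE: "127.0.0.2",    # listed (repeat offender)
    "9.8.7.203." + REPUTATION_ZONE: "10.20.30.40",  # bogus answer, not 127/8
    "6.3.2.198." + REPUTATION_ZONE: None,           # simulated resolver timeout
}

def sample_resolver(name: str) -> str:
    """Stand-in for socket.gethostbyname answering from SAMPLE_ANSWERS."""
    if name not in SAMPLE_ANSWERS:
        raise socket.gaierror(socket.EAI_NONAME, "NXDOMAIN")  # not listed
    if SAMPLE_ANSWERS[name] is None:
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    return SAMPLE_ANSWERS[name]

def dnsbl_query_name(ip: str, zone: str = REPUTATION_ZONE) -> str:
    """Reversed-octet name that a DNSBL-style list expects, e.g. 4.3.2.198.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone

def reputation(ip: str, resolve=socket.gethostbyname, zone: str = REPUTATION_ZONE) -> str:
    """Return 'listed', 'clean' or 'unknown'; never raises on resolver trouble."""
    if not ipaddress.ip_address(ip).is_global:
        return "clean"  # never send RFC1918/loopback addresses to a public list
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as e:
        return "clean" if e.errno == socket.EAI_NONAME else "unknown"
    except OSError:
        return "unknown"
    # Lists answer inside 127.0.0.0/8; anything else means a misconfigured or
    # hijacked zone (e.g. a list that went dark) and is not a usable verdict.
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "unknown"

def screen(ip: str, resolve=socket.gethostbyname, fail_closed: bool = False) -> str:
    """Gate at the fence: 'deny' listed IPs; 'unknown' follows the fail_closed policy."""
    verdict = reputation(ip, resolve)
    if verdict == "listed" or (verdict == "unknown" and fail_closed):
        return "deny"
    return "allow"
```

Wiring `screen()` in front of the auth services is the part the list would still need to design; the function only supplies the verdict.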
