[BlueOnyx:16376] Re: Security measures in general

Michael Stauber mstauber at blueonyx.it
Sun Nov 2 16:14:58 -05 2014


Hi George,

> Maybe the recent Drupal website issue?  That seems to have been exploited
> heavily immediately after the vulnerability was announced:

I've seen that one too in the usual "drive by shootings", but I'm not
using Drupal anywhere. No, in my case someone used my holiday to run a
pretty massive brute force login attack against all my boxes using a
certain username that can be guessed from my first and last name. If SSH
wasn't open or accepting password-auth they tried SMTP-Auth, Dovecot or
(if active) FTP instead. As soon as one IP got blocked, the next took
over where the previous one had left off.

> Elsewhere, I'm actually proposing consideration of a trusted, global,
> SpamHaus-like, DNS-based, reputation system whereby *any* connecting IP
> could be queried against a Internet-wide database that returns some info
> on that IP's reputation.  It wouldn't be 'instant' in it's assessments of
> bad guys, but it would weed out chronic repeat offenders, and possibly
> limit the number of hits a 'random' attacker could make before being
> globally announced.

Yeah, I was thinking about something like this as well. Doing it via DNS
has certain benefits.

> Ah!  I was wondering why GeoIP got installed with the latest update. :)

Yeah, the AV-SPAM v6 uses it. So I had built the GeoIP RPMs for all
BlueOnyx versions. Later on when I tossed together my first GeoIP
protection mechanism I used these RPMs as well. When I now rebuilt
ProFTPd I just shoved the GeoIP RPMs into the general BlueOnyx YUM
repositories, as I expect that we make a much wider use of it in the
near future.

> Is it currently hooked into ProFTPd (it was listed as a dependency), or is
> it just there by itself for us to use as desired?

A bit of both. The newest ProFTPd for BlueOnyx has the GeoIP provisions
in /etc/proftpd.conf and /etc/proftpds.conf:

  # GeoIP:
  # Do not activate unless you have all pre-requisites.
  GeoIPEngine          off
  GeoIPLog             /var/log/proftpd/geoip.log
  GeoIPTable           /usr/share/GeoIP/GeoIP.dat MemoryCache UTF8
  GeoIPDenyFilter CountryCode (AE|BG|BY|CN|HK|IN|IR|KP|MN|MM|MK|ME|MD|PH|PK|PS|RO|RS|RU|SG|SI|SK|SY|TH|TJ|TM|TR|TW|UA|UZ|VE|VN)

If you change ...

  GeoIPEngine          off

... to ...

  GeoIPEngine          on

... it'll work right away once you restart xinetd. Configured as is,
it'll block access to anyone from the listed countries.

I'm using it and I've seen a fair share of blocks in the last 24 hours.
I didn't enable it by default, as I think any blocking (such as this)
should cover more than just one service, should be more centralized and
configurable via the GUI.

I'm currently experimenting with this:

https://blog.grimneko.de/?p=228
http://ankh-morp.org/code/pam_geoip/

It's a PAM GeoIP module that plugs into the general authentication
mechanism. It works fine on my test box, but has its limits. Certain
daemons (SMTP-Auth & CCEd) are not reporting the RHOST information from
the connection to PAM, so PAM_geoip then can't do a lookup. For SSH,
Dovecot and FTP I have it working w/o issues, though.

It's just one option that I'm currently exploring, because ideally we
want to fiddle in our own blacklist (or a reputation service) as well.
PAM is one place where this can go, but there are also other ways.

-- 
With best regards

Michael Stauber
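An added example (not code from the mail, from BlueOnyx or from ProFTPd) illustrating the two ideas discussed above: a centralized allow/deny decision driven by the country list parsed from the quoted GeoIPDenyFilter directive, which reports "unknown" when a daemon hands over no RHOST (the SMTP-Auth/CCEd limitation mentioned for the PAM module), and a per-username count of failed logins across all source IPs so an attacker who moves to a new IP after each block still shows up as one campaign. The GeoIP lookup table, the usernames and the IP addresses are constructed stand-ins.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the ProFTPd GeoIP directives quoted in the mail.
PROFTPD_CONF = """
GeoIPEngine          on
GeoIPDenyFilter CountryCode (AE|BG|BY|CN|HK|IN|IR|KP|MN|MM|MK|ME|MD|PH|PK|PS|RO|RS|RU|SG|SI|SK|SY|TH|TJ|TM|TR|TW|UA|UZ|VE|VN)
"""

def parse_deny_countries(conf):
    """Return the set of country codes listed in a GeoIPDenyFilter CountryCode line."""
    m = re.search(r'^\s*GeoIPDenyFilter\s+CountryCode\s+\(?([A-Z|]+)\)?', conf, re.M)
    return set(m.group(1).split('|')) if m else set()

# Constructed stand-in for a GeoIP database (IP -> country code); a real
# deployment would look the address up in GeoIP.dat instead.
FAKE_GEOIP = {"203.0.113.7": "RU", "198.51.100.9": "US", "192.0.2.20": "CN"}

def decide(service, rhost, deny_countries, geoip=FAKE_GEOIP):
    """Central policy shared by every service: 'deny' for a listed country,
    'allow' otherwise, 'unknown' when the daemon supplied no RHOST or the
    address is not in the database (so the caller can fall back to another
    control rather than silently allowing)."""
    if not rhost:
        return "unknown"
    cc = geoip.get(rhost)
    if cc is None:
        return "unknown"
    return "deny" if cc in deny_countries else "allow"

# Constructed failed-login events: (service, username, rhost). One username is
# hit from three different IPs across three services, as in the mail.
EVENTS = [
    ("sshd", "jdoe", "203.0.113.7"),
    ("sshd", "jdoe", "203.0.113.7"),
    ("dovecot", "jdoe", "198.51.100.9"),
    ("proftpd", "jdoe", "192.0.2.20"),
    ("sshd", "alice", "198.51.100.9"),
]

def rotating_bruteforce(events, min_ips=3):
    """Usernames that failed authentication from at least min_ips distinct IPs,
    regardless of service; per-IP blocking alone never sees this pattern."""
    ips = defaultdict(set)
    for _service, user, rhost in events:
        if rhost:
            ips[user].add(rhost)
    return {user: len(seen) for user, seen in ips.items() if len(seen) >= min_ips}
```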


