On 12/23/23 22:16, Timothy M Butterworth wrote:
On Sat, Dec 23, 2023 at 8:58 PM David Christensen wrote:
I believe Debian includes packages for various intrusion detection
systems. Does anyone have any comments or recommendations?
Debian has SNORT and Suricata. I use Suricata. It works well
On Sat, Dec 23, 2023 at 8:58 PM David Christensen
wrote:
> On 12/23/23 01:29, Tim Woodall wrote:
> > The fact that the OP is not sending a SYN+ACK (according to the
> > tcpdumps that I saw) means that this is already blackholed.[2]
> >
> > There are three options at this point:
> > 1. Ignore it
On 12/23/23 16:15, Dan Ritter wrote:
David Christensen wrote:
Does Debian and/or Linux support SYN cookies?
Yes.
Put
net.ipv4.tcp_syncookies=1
in an appropriate sysctl.d/ file.
To check on current settings:
sysctl -n net.ipv4.tcp_syncookies
It looks like SYN cookies are enabled by
David Christensen wrote:
> Does Debian and/or Linux support SYN cookies?
Yes.
Put
net.ipv4.tcp_syncookies=1
in an appropriate sysctl.d/ file.
To check on current settings:
sysctl -n net.ipv4.tcp_syncookies
Sent from my iPhone
> On Dec 23, 2023, at 4:53 PM, Tim Woodall wrote:
>
> On Sat, 23 Dec 2023, David Christensen wrote:
>> Sending a RST to a falsified IP address would make the sending host into an
>> attacker by proxy. Why do you suggest it?
>>
> Because the OP wants it to stop. And
On Sat, 23 Dec 2023, David Christensen wrote:
Sending a RST to a falsified IP address would make the sending host into an
attacker by proxy. Why do you suggest it?
Because the OP wants it to stop. And the OP is running a server on this
port that is clearly not responding properly or we'd at
On 12/23/23 01:29, Tim Woodall wrote:
The fact that the OP is not sending a SYN+ACK (according to the
tcpdumps that I saw) means that this is already blackholed.[2]
There are three options at this point:
1. Ignore it - my "EVILSYN[1]" blacklist is right at the top of my iptables
rules and drops
On Thu, 21 Dec 2023, David Christensen wrote:
Perhaps you could set up a DMZ, move services into the DMZ, and provide a
VPN connection to the DMZ for your Internet users. Then you could close all
of the incoming WAN ports except VPN.
It might be possible to put the VPN endpoint into a
On 12/21/23 04:00, Alain D D Williams wrote:
My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
unsolicited. I do not know what it is trying to achieve but suspect no good. It
is also eating my broadband allowance.
This does not show up in the Apache log files - the
On 12/21/23 07:45, Tim Woodall wrote:
On Thu, 21 Dec 2023, Alain D D Williams wrote:
My home PC is receiving, for hours at a time, 12-30 kB/s input
traffic. This is
unsolicited. I do not know what it is trying to achieve but suspect no
good. It
is also eating my broadband allowance.
This
Alain D D Williams wrote:
> On Thu, Dec 21, 2023 at 10:11:08AM -0500, Pocket wrote:
>
> > Use a firewall and set it up correctly.
>
> That I have done.
>
> The issue is broadband usage - ie before it hits the firewall.
IIUC you have a residential system with an ISP connection with a
On 21/12/2023 15:11, Pocket wrote:
On 12/21/23 09:58, Alain D D Williams wrote:
[cut]
Use a firewall and set it up correctly.
Assuming a residential environment.
Firewall the router and server(s) as well as all the client machines.
I have nginx, dovecot and exim4 and other daemons running
On 12/21/23 13:04, Alain D D Williams wrote:
On Thu, Dec 21, 2023 at 11:39:40AM -0500, Pocket wrote:
On 12/21/23 10:50, Alain D D Williams wrote:
It is NOT a firewall issue.
If I am correct you don't want anything from the outside to hit your web
server?
The words "web server" is
On Thu, Dec 21, 2023 at 11:39:40AM -0500, Pocket wrote:
>
> On 12/21/23 10:50, Alain D D Williams wrote:
> > It is NOT a firewall issue.
>
>
> If I am correct you don't want anything from the outside to hit your web
> server?
The words "web server" is ambiguous. It can mean my machine, ie can
On 12/21/23 10:50, Alain D D Williams wrote:
On Thu, Dec 21, 2023 at 10:31:06AM -0500, Pocket wrote:
All you should be seeing is scans which you can not prevent.
I am looking at incoming packets with tcpdump. This sees packets *before* they
are filtered by iptables.
What are you using for
On Thu, Dec 21, 2023 at 10:51 AM Alain D D Williams wrote:
>
> On Thu, Dec 21, 2023 at 10:31:06AM -0500, Pocket wrote:
> [...]
> > Amazon AWS system. should not be able to hit your http server, unless you
> > want it to.
>
> How do I distinguish between wanted & unwanted connections. The only
On Thu, Dec 21, 2023 at 10:31:06AM -0500, Pocket wrote:
> All you should be seeing is scans which you can not prevent.
I am looking at incoming packets with tcpdump. This sees packets *before* they
are filtered by iptables.
> What are you using for a firewall?
Something hand rolled. Reasonably
On 12/21/23 10:24, Alain D D Williams wrote:
On Thu, Dec 21, 2023 at 10:11:08AM -0500, Pocket wrote:
Use a firewall and set it up correctly.
That I have done.
The issue is broadband usage - ie before it hits the firewall.
All you should be seeing is scans which you can not prevent.
What
On Thu, Dec 21, 2023 at 10:11:08AM -0500, Pocket wrote:
> Use a firewall and set it up correctly.
That I have done.
The issue is broadband usage - ie before it hits the firewall.
> Assuming a residential environment.
>
> Firewall the router and server(s) as well as all the client machines.
>
On 12/21/23 09:58, Alain D D Williams wrote:
On Thu, Dec 21, 2023 at 01:39:53PM +, Andy Smith wrote:
Okay well 30KiB/s is only about 78GiB/month which isn't really a
lot. I think we're both in UK and it's been hard to find a domestic
Internet connection that you'd run a web server on that
On Thu, Dec 21, 2023 at 01:39:53PM +, Andy Smith wrote:
> Okay well 30KiB/s is only about 78GiB/month which isn't really a
> lot. I think we're both in UK and it's been hard to find a domestic
> Internet connection that you'd run a web server on that can't cope
> with 78G/mo. So ignoring it
On Thu, Dec 21, 2023 at 12:44:33PM +, Tim Woodall wrote:
> On Thu, 21 Dec 2023, Alain D D Williams wrote:
[...]
> You can try sending RST. That might make them give up.
And then, there's tarpit [1] . But then I'd make double-sure you aren't
hurting legitimate traffic.
Cheers
[1]
On 2023-12-21, Alain D D Williams wrote:
> Yes: I do run a web server at home, but there is only a little/personal stuff,
> it does not receive much real traffic, I do not want it to. Most of my web
> presence is hosted elsewhere.
If you open a port (80 or something else), not on your server but
Hello,
On Thu, Dec 21, 2023 at 01:10:59PM +, Alain D D Williams wrote:
> Yes: I do run a web server at home, but there is only a little/personal stuff,
> it does not receive much real traffic, I do not want it to. Most of my web
> presence is hosted elsewhere.
Okay well 30KiB/s is only about
On Thu, Dec 21, 2023 at 07:50:42AM -0500, Greg Wooledge wrote:
> If your home Internet service has an "allowance", you probably shouldn't
> run a web server on it.
Yes: I do run a web server at home, but there is only a little/personal stuff,
it does not receive much real traffic, I do not want
On Thu, Dec 21, 2023 at 12:00:55PM +, Alain D D Williams wrote:
> My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This
> is
> unsolicited. I do not know what it is trying to achieve but suspect no good.
> It
> is also eating my broadband allowance.
> 11:08:56.354303
On Dec 21, 2023, Alain D D Williams wrote:
> My home PC is receiving, for hours at a time, 12-30 kB/s input
> traffic. This is unsolicited. I do not know what it is trying to
> achieve but suspect no good. It is also eating my broadband
> allowance.
>
> Questions:
>
> • What is going on ?
Looks
On Thu, 21 Dec 2023, Alain D D Williams wrote:
My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
unsolicited. I do not know what it is trying to achieve but suspect no good. It
is also eating my broadband allowance.
This does not show up in the Apache log files -
My home PC is receiving, for hours at a time, 12-30 kB/s input traffic. This is
unsolicited. I do not know what it is trying to achieve but suspect no good. It
is also eating my broadband allowance.
This does not show up in the Apache log files - the TCP connection does not
succeed.
Sometimes
29 matches