Spamdyke sits on the interface of the host machine and watches those TCP connections for mail.
There are several lists you can turn on and off on the fly without disrupting service.
I use a combo of RBLs and RHSBLs with IP blacklisting and greylisting alongside whitelists. I started using it and never looked back.
I believe they now have it ported for Microsoft apps as well. At least they talked about it a while back.
On 12/04/2014 08:15 AM, Mike Hammett via Af wrote:
*nods* I know that port knocking, VPNs, etc. are more secure for entry (most things I have aren't on public IPs, so VPNs are the way in). But I'm looking to block them from everything. You try something you're not supposed to, get off my lawn.
I haven't heard of SPAMdyke before. I'll check it out. The more integrated I can have spam systems with my existing Zimbra installation, the better. I'm not a fan of additional front-ends and outside services.
A machine that's trying to get my web server for a Linksys ShellShock vulnerability likely is churning out spam or going to try to participate in DNS amplification or whatever. Stop everything.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
------------------------------------------------------------------------
From: "David via Af" <[email protected]>
To: [email protected]
Sent: Thursday, December 4, 2014 8:04:30 AM
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
Mike,
Do you use spamdyke on your mail servers?
We have used it for years in combo with our spamd on qmail toaster plus machines.
Very effective and easy to manage lists.
I do something similar with a honeypot but only for analysis. I take the IPs that are in the Denied log of our DNS servers and add them to a 30-day timed list on our edges to blackhole. This alone has stopped most of the BS spam and malware issues we see.
We started this about a year ago and the network has been very clean and quiet; in fact I hardly ever see any DNS query-related problems.
The brute force attacks on ports 20-25 are shut down with a simple rule that adds the offending IP to a dropall list for 24 hrs.
In order to access the internals of our net via those ports from outside you have to be on our secure VPN and use a port-knock sequence.
On 12/02/2014 10:34 AM, Mike Hammett via Af wrote:
I haven't decided to integrate my idea with SPAM prevention, but I've been thinking about it. ;-) I'll get the other stuff working first.
------------------------------------------------------------------------
From: "Ken Hohhof via Af" <[email protected]>
To: [email protected]
Sent: Tuesday, December 2, 2014 10:24:59 AM
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
I've had a similar discussion with customers who manually block the email address of everyone who sends them spam. So they have a blacklist of thousands of random fictitious email addresses that sound like the real names of Batman villains. They feel good blocking the spammers, so I've given up trying to talk them out of it.
-----Original Message-----
From: Mike Hammett via Af
Sent: Tuesday, December 02, 2014 9:36 AM
To: [email protected]
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
I can't force the abuse contact to do anything.
If you don't try something, you're just as complicit.
Fail2Ban with custom rules and actions is what I'm working on.
Just because it is a dynamic pool doesn't mean people don't perpetually have the same IP.
----- Original Message -----
From: Ken Hohhof via Af <[email protected]>
To: [email protected]
Sent: Tue, 02 Dec 2014 09:27:58 -0600 (CST)
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
Just when you put all that effort into it, and talk about throwing violators into a BGP blackhole, and forcing abuse contacts to take action, it seemed inconsistent with the reality. Plus the fact that a lot of those will be dynamic pool addresses. If you're talking about something like Fail2ban and blocking SSH for 60 minutes, that makes sense. SSH and RDP dictionary attacks are a big problem, as are DNS amplification attacks. But rarely does the source IP actually identify who is behind the attack, just one of millions of bots. It seems a futile exercise to block them one IP address at a time.
From: Mike Hammett via Af
Sent: Tuesday, December 02, 2014 9:10 AM
To: [email protected]
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
Yes and I stated so in that e-mail.
--------------------------------------------------------------------------------
From: "Ken Hohhof via Af" <[email protected]>
To: [email protected]
Sent: Tuesday, December 2, 2014 8:46:23 AM
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
You do understand most of those IPs will be infected computers with a bot doing the scanning, not a bad guy sitting at his own computer, right?
As far as customers, we tell them they need to at a minimum have Microsoft Security Essentials or the free version of a commercial AV. If they ask for a recommendation of a commercial AV product, we tell them we use ESET.
Nothing will protect someone who engages in risky online activity or clicks before thinking. Those people need a good local computer shop (not Geek Squad) to rescue their computer and data and to install security software.
And amazingly, I still need to tell people that securing their WiFi is not optional, and 1234 is not an acceptable email password.
From: Mike Hammett via Af
Sent: Tuesday, December 02, 2014 8:39 AM
To: [email protected]
Subject: Re: [AFMUG] 1. Netflix 2. Hacking
No bursting anywhere for anything.
Currently I firewall all IPs that touch my honeypot IPs or attempt SSH at my edge. No need to have any of them on my network. I'm implementing a method to bring all servers, routers, switches, etc. back to a central syslog where I run my analysis there. That will then capture the more distributed scans/attacks. Other than a whitelist, violators will be thrown into a BGP blackhole. It'll also fire off an e-mail to the RIR-registered abuse contact. If you're doing any sort of trickery or trickeration (intentional via script kiddie or worse, or unintentional via malware), I don't want simple scans escalating into something more complex and possibly more damaging. You do the simple stuff, into the blackhole you go. I do understand that the abuse contact on the other side isn't likely to do much, but for the networks that will take action, I'd like to give them the information to do so. Plus if enough people do it, the abuse contacts are going to have to do something.
--------------------------------------------------------------------------------
From: "Tyson Burris @ Internet Communications Inc via Af"
<[email protected]>
To: [email protected]
Cc: [email protected]
Sent: Tuesday, December 2, 2014 8:28:16 AM
Subject: [AFMUG] 1. Netflix 2. Hacking
Two questions for the group this am.
1. Are you setting burst limits for Netflix or other streaming video services on your network routers? If so, what rate are you limiting it at?
2. With 97% of the US networks now hackable, what are you doing on your side and advising customers to do? Meaning… what front line defenses are you taking and what software and/or hardware protection are you recommending to your customers?
(It would appear that the majority of hacks these days are actually malware infections inside the network - employee-related errors)
Put your 2 cents in.
Tyson Burris, President
Internet Communications Inc.
739 Commerce Dr.
Franklin, IN 46131
317-738-0320 Daytime #
317-412-1540 Cell/Direct #
Online: www.surfici.net
What can ICI do for you?
Broadband Wireless - PtP/PtMP Solutions - WiMax - Mesh Wifi/Hotzones - IP Security - Fiber - Tower - Infrastructure.
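Mike's plan (everything back to a central syslog, a whitelist, violators blackholed) and David's timed lists (IPs from the DNS servers' Denied log onto a 30-day list; port 20-25 brute forcers onto a 24-hour dropall list) have the same shape: parse the feed, count hits per source inside a window, skip the whitelist, emit an entry that expires on its own. The block below is an added example written for this page, not code from anyone on the thread. It assumes constructed log lines modelled on OpenSSH, BIND and iptables LOG output, RFC 5737 documentation addresses for the whitelist and honeypot, a log year of 2014, and `ipset` with per-entry timeouts as the enforcement point on the edge; the BGP blackhole and the abuse-contact e-mail are not modelled.

```python
"""Central-syslog offender tracker: an added example, not code from anyone in this thread.
Assumed: RFC 5737 addresses for whitelist/honeypot, log year 2014, constructed line formats."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]  # assumed management range: never blocked
HONEYPOT_IPS = {"198.51.100.10"}                        # assumed honeypot address: any touch is a hit
LOG_YEAR = 2014                                         # classic syslog timestamps carry no year
SYSLOG_HDR = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (.*)$")
PATTERNS = {  # modelled on OpenSSH, BIND and iptables LOG lines; group 1 is the source IP
    "ssh_bruteforce": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"),
    "dns_denied": re.compile(r"named\[\d+\]: client (\S+)#\d+[^:]*: query \(cache\) '[^']+' denied"),
    "honeypot": re.compile(r"kernel: .*SRC=(\S+) DST=(\S+)"),
}
POLICY = {  # category -> (hits needed inside the window, window, how long the block lasts)
    "ssh_bruteforce": (3, timedelta(minutes=10), timedelta(hours=24)),
    "dns_denied": (1, timedelta(hours=1), timedelta(days=30)),
    "honeypot": (1, timedelta(hours=1), timedelta(days=30)),
}

@dataclass(frozen=True)
class Block:
    ip: str
    reason: str
    since: datetime
    until: datetime

def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)

def parse_line(line):
    """Return (timestamp, category, source_ip) for a line the policy acts on, else None."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    mon, day, clock, msg = m.groups()
    ts = datetime.strptime(f"{LOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    for cat, pat in PATTERNS.items():
        hit = pat.search(msg)
        if hit and not (cat == "honeypot" and hit.group(2) not in HONEYPOT_IPS):
            return ts, cat, hit.group(1)
    return None  # unmatched line, or a firewall LOG line for a production address

def find_offenders(lines):
    """Sliding-window count per (ip, category); keep the longest-lived Block per ip."""
    events = defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ts, cat, ip = parsed
        events[(ip, cat)].append(ts)
    blocks = {}
    for (ip, cat), stamps in events.items():
        if is_whitelisted(ip):
            continue  # whitelist wins even when a management host trips a rule
        threshold, window, duration = POLICY[cat]
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            if stamps[i] - stamps[i - threshold + 1] <= window:
                blk = Block(ip, cat, stamps[i], stamps[i] + duration)
                if ip not in blocks or blk.until > blocks[ip].until:
                    blocks[ip] = blk
    return sorted(blocks.values(), key=lambda b: ipaddress.ip_address(b.ip))

def is_blocked(blocks, ip, now):
    """True while an entry for ip is inside its timed window; False once it has expired."""
    return any(b.ip == ip and b.since <= now < b.until for b in blocks)

def render_ipset(blocks, now, setname="dropall"):
    """Lines for `ipset restore` with per-entry timeouts, so the kernel expires them itself."""
    out = [f"create {setname} hash:ip timeout 0 -exist"]
    for b in blocks:
        remaining = int((b.until - now).total_seconds())
        if remaining > 0:
            out.append(f"add {setname} {b.ip} timeout {remaining} -exist")
    return out

# Constructed sample feed: a 3-try SSH attack, a whitelisted host doing the same, a refused ANY
# query, a honeypot touch, a LOG line for a non-honeypot address, and SSH failures too slow to count.
SAMPLE_LOG = """\
Dec  2 09:10:01 edge1 sshd[2201]: Failed password for root from 192.0.2.7 port 4422 ssh2
Dec  2 09:10:05 edge1 sshd[2203]: Failed password for invalid user admin from 192.0.2.7 port 4424 ssh2
Dec  2 09:10:09 edge1 sshd[2205]: Failed password for root from 192.0.2.7 port 4426 ssh2
Dec  2 09:12:00 edge1 sshd[2210]: Failed password for root from 203.0.113.5 port 5100 ssh2
Dec  2 09:12:01 edge1 sshd[2211]: Failed password for root from 203.0.113.5 port 5101 ssh2
Dec  2 09:12:02 edge1 sshd[2212]: Failed password for root from 203.0.113.5 port 5102 ssh2
Dec  2 09:15:30 ns1 named[900]: client 192.0.2.44#53123 (isc.org): query (cache) 'isc.org/ANY/IN' denied
Dec  2 09:20:00 edge1 kernel: HONEYPOT IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP DPT=23
Dec  2 09:21:00 edge1 kernel: HONEYPOT IN=eth0 OUT= SRC=192.0.2.100 DST=198.51.100.20 PROTO=TCP DPT=80
Dec  2 09:30:00 edge1 sshd[2300]: Failed password for root from 192.0.2.8 port 6000 ssh2
Dec  2 09:45:00 edge1 sshd[2301]: Failed password for root from 192.0.2.8 port 6001 ssh2
Dec  2 10:00:00 edge1 sshd[2302]: Failed password for root from 192.0.2.8 port 6002 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(render_ipset(find_offenders(SAMPLE_LOG), datetime(2014, 12, 2, 10, 0, 0))))
```

Two design points are the ones Ken's objection turns on. The block is keyed on the triggering event's timestamp and expires on its own, so a dynamic-pool address that is reassigned to a customer falls off the list without anyone tending it; and the whitelist is checked before any policy, so a management host tripping the SSH rule (the 203.0.113.5 lines above) never lands in the set. Feeding the emitted lines to `ipset restore` and matching the set from an iptables DROP rule gives David's "dropall list for 24 hrs" without a cron job to clean it up.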