On Mon, Mar 14, 2005 at 11:31:41AM +0000, Paul Howarth wrote:
> Bob Brennan wrote:
> > Those are my own tests to see if I have closed the open relay, the
> > results of which I posted earlier in this thread. I'm closed up now,
> > unfortunately to my remote legitimate users as well. The next reply
> > from Jeff Kinz will help me shut down the boxes that have targeted me
> > and reduce the load on my box.
>
> This will help if they keep coming from the same IP addresses but if
> they're picking zombied hosts at random to attack you from then you're
> just playing whack-a-mole.

Hi Bob,

Paul's comments about playing whack-a-mole are quite correct for any
computer with a broadband connection. For example kinz.org is attacked by
zombie bots several thousand times daily on many different ports (other
than 25 (SMTP)). They are all dropped. See below.

Since you ARE being attacked (because they had success in the past) from a
spammer with bots coming from a specific IP range, denying access for that
IP range will prevent that spammer from wasting your system's resources,
but by blocking that entire range you can create "collateral damage" so you
should remove those blocks as soon as the spammer stops trying. By then you
will have solved your mail-auth problem and the spammer's attempts to use
you as a relay will fail.

As for the standard "whack-a-mole" nature of the attacks coming from the
Internet, there are many ways to handle that. One is to write a
"whack-a-mole" script which monitors log files for repeat attacks from the
same IPs and adds those IPs to your IPTables setup. This approach
eventually makes your firewall machine so busy it has no resources left
over for much else. That's OK if your firewall is a stand-alone machine
dedicated to being just a firewall.

However - for most home users the firewall machine is also a personal
workstation. In that situation running an automated "Whack-a-mole" script
eventually slows your machine down so much it will become useless as a
workstation. (Like a Windows machine with adware and spyware on it.)

A better approach is to use IPTables to deny ALL inbound attempts to create
new connections except those you know you want.

So to keep all outgoing connections you establish:

    # IN the filter table (the default) Append a rule to the INPUT chain
    # that says ACCEPT incoming packets which are part of an already
    # established connection
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And to drop any inbound attempt to connect:

    # IN the filter table (the default) Append a rule to the INPUT chain
    # that says DROP incoming packets which are trying to establish
    # a NEW connection.
    iptables -A INPUT -m state --state NEW -i eth0 -j DROP

(Notice the "-i eth0" which assumes that your workstation has its Internet
connection on the first ethernet card found by the kernel. Unless you know
the system in question personally this is a fragile assumption. Change this
to conform to your own machine. Ask questions if you need to. We are here
for you.)

But this will drop your inbound mail users who are trying to get their mail,
so you can open port 25 (or whatever port they are coming into to get their
mail):

    iptables -A INPUT -i eth0 -p TCP --dport 25 -j ACCEPT

(replace "25" with the port used for mail, 110 for pop etc.)

As long as you have the IP block for that relaying spammer still blocked
they should not be able to connect to port 25 even with this rule in the
chain.

As a final thought, messing directly with your iptables setup is fun but
can become a distracting and wasteful time burner. If you are, or can get,
comfortable with any of the GUI based firewall setup tools on Fedora I urge
you to use them. They are not as flexible as direct manipulation but they
are less error prone and, unlike the advice I give above, they are not
based on someone else's iptables assumptions, which when unknown (as in
this case) will eventually bite you.

If you want to use iptables directly please study some of the many good
tutorials available for using iptables and especially, copy and use the
good scripts that take a generalized approach to setting up a good
firewall.

http://yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
http://www.linux.ie/articles/tutorials/firewall/

-- 
Jargon file, abridged.: The September that never ended. On the Internet,
every September's freshmen influx got their first accounts and, not knowing
how to post/email, always made a nuisance of themselves. Usually they were
trained in a few months. But in September 1993, AOL users became able to
post, overwhelming the capacity to acculturate them; to those who recall
the period before, this triggered a decline in the quality of online
communications. Syn. eternal September.

http://kinz.org http://www.fedoranews.org
Jeff Kinz, Emergent Research, Hudson, MA.
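The rules in the message above only work as intended if they are appended in the right order: the spammer's range must be dropped before the port 25/110 ACCEPT, and the catch-all "drop NEW" rule must come last, because iptables walks the INPUT chain top to bottom and `-A` appends. The script below is an added example (not from the original message or any Fedora tool) that generates the whole ordered rule set from a few variables and checks that ordering before anything is applied. The interface name, the mail ports and the 192.0.2.0/24 range are constructed placeholders; the loopback ACCEPT is an addition the message does not mention but which almost every workstation needs.

```shell
#!/bin/sh
# Added example: generate the INPUT-chain rules described in the thread,
# in dependency order, and verify the order before applying.
# All values below are placeholders, override them from the environment.
IFACE="${IFACE:-eth0}"                    # assumption: Internet-facing NIC
MAIL_PORTS="${MAIL_PORTS:-25 110}"        # SMTP and POP3, as in the mail
BLOCKED_RANGES="${BLOCKED_RANGES:-192.0.2.0/24}"  # constructed TEST-NET range

# build_rules prints one iptables command per line, in the order the
# commands must be appended so that the chain behaves as intended.
build_rules() {
    # 1. loopback traffic (not in the mail, but needed on a workstation)
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # 2. keep replies to connections this host opened
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. temporary blocks for the relaying spammer's ranges; these MUST sit
    #    above the port ACCEPTs or the ACCEPT would match first
    for r in $BLOCKED_RANGES; do
        echo "iptables -A INPUT -i $IFACE -s $r -j DROP"
    done
    # 4. let remote mail users reach the mail ports
    for p in $MAIL_PORTS; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 5. everything else that tries to open a NEW connection is dropped
    echo "iptables -A INPUT -m state --state NEW -i $IFACE -j DROP"
}

# remove_block prints the command that lifts a temporary range block once
# the spammer has given up (the "collateral damage" point in the mail).
remove_block() {
    echo "iptables -D INPUT -i $IFACE -s $1 -j DROP"
}

# check_order returns 0 when every range block precedes the first port
# ACCEPT and the catch-all NEW drop is the final rule; 1 otherwise.
check_order() {
    last_block=$(build_rules | grep -n -e '-s ' | tail -n 1 | cut -d: -f1)
    first_accept=$(build_rules | grep -n -e '--dport' | head -n 1 | cut -d: -f1)
    final_drop=$(build_rules | grep -n -e '--state NEW -i' | tail -n 1 | cut -d: -f1)
    total=$(build_rules | grep -c .)
    [ -n "$last_block" ] && [ -n "$first_accept" ] &&
        [ "$last_block" -lt "$first_accept" ] &&
        [ "$first_accept" -lt "$final_drop" ] &&
        [ "$final_drop" -eq "$total" ]
}

# Default is a dry run that just prints the rules; APPLY=1 (as root)
# feeds them to the shell.
if check_order; then
    if [ "${APPLY:-0}" = "1" ]; then
        build_rules | sh
    else
        build_rules
    fi
else
    echo "rule order check failed, nothing applied" >&2
fi
```

Run it as `sh rules.sh` to review the generated chain, `IFACE=eth1 MAIL_PORTS="25 110 143" sh rules.sh` to adapt it, and `APPLY=1 sh rules.sh` as root only once the printed order looks right. When the spammer stops, `remove_block 192.0.2.0/24` prints the matching `-D` command so the range block can be lifted without touching the rest of the chain.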