My server is under attack (I think)

Robert Bonomi bonomi at mail.r-bonomi.com
Fri Aug 19 16:03:40 UTC 2011


> From owner-freebsd-questions at freebsd.org  Fri Aug 19 10:02:30 2011
> Date: Fri, 19 Aug 2011 11:01:21 -0400
> From: Mark Moellering <mark at msen.com>
> To: FreeBSD <freebsd-questions at freebsd.org>
> Subject: My server is under attack (I think)
>
> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify 
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed

This hostname has no IP address in the DNS.

> Is there anything I should be doing to make sure the server isn't 
> compromised?  It is a mail server running postfix / dovecot
> I have pf set up and am also running a program called sshguard.
> I am kind of at a loss.  It looks like I am under attack but I don't 
> know what to do about it.  Any help is greatly appreciated


Given that the look-up fails, the connection is automatically denied.

This is routine 'doorknob rattling' by bad guys.  If you're getting
a lot of this from a particular netblock, a 'deny all' rule for that
netblock may be indicated.  If it's coming from a locale that you expect
no legit traffic from (the Republic of China in this case), you aren't
likely to lose anything 'valuable' by aggressive router-level blocking.

I get these kinds of messages all the time for various services -- notably
socks5 and SMTP.   I used to get a lot for SSH, but they dropped to
virtually _zero_ when I moved SSH to a 'non-standard' port.  This does _NOT_
materially increase the _actual_ security of the system, but it does wonders
for reducing the 'noise' in the logs.

I simply "don't worry" about the socks5 and/or SMTP 'rattling'.

Socks5 is configured to accept connections only from 'localhost', which is
used to support http tunneling in an SSH session -- *all* external connection
attempts are denied.  Unless an attacker can fake 127.0.0.1 packets -- *over*
the 'lo0' interface -- socks won't talk to them. <grin>

My SMTP daemon is sendmail, which, in conjunction with some custom 'milters'
is fully capable of protecting itself.  People that 'doorknob rattle' it
too heavily get manually added to the /etc/hosts.{allow/deny} file.
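The "look-up fails, so the connection is denied" behaviour above is the tcp_wrappers PARANOID check that a deny rule in hosts.allow matches on. Below is an added example (not code from this thread or from FreeBSD) that works that check through offline: the PTR/A records, the addresses and the hosts.allow-style rules are constructed, and the rule syntax is a simplified form of what hosts_access(5) accepts.

```python
import ipaddress

# Constructed DNS data standing in for reverse (PTR) and forward (A) lookups so
# the example runs offline; 192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges (RFC 5737). The first entry reproduces the case in the quoted warning.
PTR = {"192.0.2.10": "ip223.hichina.com",     # name has no A record
       "192.0.2.20": "good.example.net",
       "192.0.2.30": "spoofed.example.net"}   # name resolves to another address
A = {"good.example.net": ["192.0.2.20"],
     "spoofed.example.net": ["198.51.100.7"]}

def verify_hostname(ip):
    """Mimic tcp_wrappers: reverse-resolve the client, forward-resolve the
    returned name and require the original address among the answers.
    Returns (effective_name, reason); like tcp_wrappers, a client with no PTR
    becomes "unknown", a client whose name cannot be confirmed "paranoid"."""
    name = PTR.get(ip)
    if name is None:
        return "unknown", "no PTR record"
    addrs = A.get(name)
    if addrs is None:
        return "paranoid", f"can't verify hostname: getaddrinfo({name}, AF_INET) failed"
    if ip not in addrs:
        return "paranoid", f"host name/address mismatch: {ip} != {name}"
    return name, "verified"

# Constructed rules: (daemon, client pattern, action), first match wins.
RULES = [("ALL",  "PARANOID",     "deny"),
         ("sshd", "192.0.2.0/24", "deny"),    # a 'deny all' for one noisy netblock
         ("ALL",  "ALL",          "allow")]

def client_matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern in ("PARANOID", "UNKNOWN"):
        return name == pattern.lower()
    if "/" in pattern:                        # CIDR netblock
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):               # domain suffix such as .example.net
        return name.endswith(pattern)         # never matches "unknown"/"paranoid"
    return pattern in (ip, name)

def access_decision(daemon, ip):
    """Return (action, reason) for a connection from ip to daemon."""
    name, reason = verify_hostname(ip)
    for rule_daemon, pattern, action in RULES:
        if rule_daemon in ("ALL", daemon) and client_matches(pattern, ip, name):
            return action, reason
    return "allow", reason                    # tcp_wrappers default when nothing matches
```

Note that a client with no PTR record at all is "unknown" rather than "paranoid", so a PARANOID rule alone does not cover it; add an UNKNOWN rule if that is the intent.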

