
Could someone tell me how to switch off identd in 8.1? I tested my firewall at www.grc.com and all of my ports are in stealth mode except identd, which is closed but still visible. As it is a potential source of information and only used for irc, which I don't need, I'd like to get rid of it. I found several articles on the web concerning this problem, but they are all for earlier versions and suggest shutting the service in etc/rc.config or etc/services, none of which exist in 8.1. I can't find anything in the new etc/sysconfig. How can I shut identd down?

Fiona

* fin; <fbissett@blueyonder.co.uk> on 30 Oct, 2002 wrote:
Could someone tell me how to switch off identd in 8.1? I tested my firewall at www.grc.com and all of my ports are in stealth mode except identd, which is closed but still visible. As it is a potential source of information and only used for irc, which I don't need, I'd like to get rid of it.
You need it also for mail sending. Here is the code from SuSEfirewall2-3.1:

    # If port 113 (auth/identd) will not allowed below, outgoing mail would
    # be delayed most of the time. Hence we put a hardcoded reject line
    # in.
    $IPTABLES -I input_ext 1 -j "$REJECT" -p tcp --dport 113 --syn 2> /dev/null

If you are using the older version 2.1, then:

    # If port 113 (auth/identd) was not allowed above, outgoing mail would
    # be delayed most of the time. Hence we put a hardcoded reject line in.
    for CHAIN in input_ext input_dmz input_int; do
        $LDA $IPTABLES -A $CHAIN -j LOG ${LOG}"-REJECT " -p tcp --dport 113 --syn
        $IPTABLES -A $CHAIN -j "$REJECT" -p tcp --dport 113 --syn --reject-with tcp-reset 2> /dev/null
    done

So that means you are rejecting requests to port 113, and you are safe as far as port 113 goes. For more detail about SuSEfirewall2 have a look at http://dinamizm.ath.cx/articles/firewall2.pdf if you haven't yet.

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx

Circa Thu. Oct. 31, 2002 at 00:32:42 +0200, a lone cry was heard from Togan Muftuoglu <toganm@users.sourceforge.net> in the wasteland called the Internet:
You need it also for mail sending.
That is why it is best to install a fake identd that gives out false info. Here is a list to choose from: http://freshmeat.net/search?q=fake+identd

Charles

-- 
"However, complexity is not always the enemy." -- Larry Wall (Open Sources, 1999 O'Reilly and Associates)

On Wednesday 30 October 2002 23.47, Charles Philip Chan wrote:
That is why it is best to install a fake identd that gives out false info. Here is a list to choose from:
Why is that better than not sending any info at all, the way SuSEfirewall2 is configured to do?

Anders

On Wed, Oct 30, 2002 at 09:40:00PM +0000, fin wrote:
Could someone tell me how to switch off identd in 8.1? I tested my firewall at www.grc.com and all of my ports are in stealth mode except identd, which is closed but still visible. As it is a potential source of information and only used for irc, which I don't need, I'd like to get rid of it.
I found several articles on the web concerning this problem, but they are all for earlier versions and suggest shutting the service in etc/rc.config or etc/services, none of which exist in 8.1. I can't find anything in the new etc/sysconfig. How can I shut identd down?
You say that identd by default is "closed but still visible", which probably means it is not enabled, but you get a TCP RST when trying to connect to it. This means the ident port has a netfilter rule that says REJECT all incoming connections; every other port is configured as DROP by default. This is intentional. Otherwise you will get long long delays when trying to connect to a service that will first do an IDENT lookup before processing your connection. Most IRC servers do that, and some FTP servers as well.

Olaf

-- 
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture.  -- Peter Gutmann

Hi List,

I am having a security issue, sort of, and was wondering if you know any solutions to this. Someone is bombarding my server with mail, forcing sendmail to run the max allowed child processes and start to reject requests to send mail. What techniques could I use to filter the traffic to sendmail before it actually hits the daemon, and therefore prevent the high load on it?

Regards
Evert Smit

On Friday 01 November 2002 11:55 pm, Evert Smit wrote:
Hi List,
i am having a security issue sort of, and was wondering if you know any solutions to this. Someone is bombarding my server with mail, forcing sendmail to run the max allowed child processes and start to reject requests to send mail. what techniques could i use to filter the traffic to sendmail before it acctually hits the daemon, and therefor prevent the high load on it?
regards Evert Smit
If you have a firewall installed, simply block that IP. Iptables can do this for you. I use www.shorewall.net to set it up but I suspect susefirewall will do it too. You could also do this with the access.db but it's better to block them with iptables.

-- 
_________________________________________________
No I Don't Yahoo!
And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska

John,

Since the attack is coming from multiple servers, I cannot block a single IP. And the access.db file would still require sendmail to at least look at the incoming mail, i.e. starting a process for it. I need something that happens before the mail reaches the sendmail process... sort of like a gate keeper, that checks the mail recipient and checks if it's available or not, before it hands it to sendmail for delivery.

Regards

-----Original Message-----
From: John Andersen [mailto:jsa@pen.homeip.net]
Sent: Saturday, November 02, 2002 10:23 AM
To: Evert Smit; suse-security@suse.com
Subject: Re: [suse-security] DOS on sendmail daemon

On Friday 01 November 2002 11:55 pm, Evert Smit wrote:
Hi List,
I am having a security issue, sort of, and was wondering if you know any solutions to this. Someone is bombarding my server with mail, forcing sendmail to run the max allowed child processes and start to reject requests to send mail. What techniques could I use to filter the traffic to sendmail before it actually hits the daemon, and therefore prevent the high load on it?
Regards
Evert Smit
If you have a firewall installed, simply block that IP. Iptables can do this for you. I use www.shorewall.net to set it up but I suspect susefirewall will do it too. You could also do this with the access.db but it's better to block them with iptables.

-- 
_________________________________________________
No I Don't Yahoo!
And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here

Evert Smit wrote:
John,
Since the attack is coming from multiple servers, I cannot block a single IP. And the access.db file would still require sendmail to at least look at the incoming mail, i.e. starting a process for it. I need something that happens before the mail reaches the sendmail process... sort of like a gate keeper, that checks the mail recipient and checks if it's available or not, before it hands it to sendmail for delivery.
But you can block an IP range, i.e. "192 REJECT" will block all of network 192.x.x.x.

-- 
  .-.    e-SecureNet          We Run SuSE
  /v\    Project Manager
 // \\   *The LINUX Experts*  c/o Miguel Albuquerque
/( )\    Av. Miremont 46
 ^^-^^   1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344  Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch  http://www.e-securenet.ch

Unfortunately it is not, Miguel. Here is how the attack happens. Some idiot is sending thousands of mails with the wrong header to other mail servers. Those reject the mail because the user is unknown and send the notification to my domain, and this is how sendmail gets overloaded. Stupid but simple, so I need an agent checking all mails before they come to sendmail, basically the same idea as inetd managing port 25 and handing it to sendmail. This agent should allow me to define some rules like: accept for this and this mail address, but deny all the rest. And since I am running multiple domains on this server, it should only affect one domain.

Regards

-----Original Message-----
From: Miguel Albuquerque [mailto:mfoacs@e-workshop.ch]
Sent: Saturday, November 02, 2002 9:49 AM
To: Evert Smit
Cc: suse-security@suse.com
Subject: Re: [suse-security] DOS on sendmail daemon

Evert Smit wrote:
John,
Since the attack is coming from multiple servers, I cannot block a single IP. And the access.db file would still require sendmail to at least look at the incoming mail, i.e. starting a process for it. I need something that happens before the mail reaches the sendmail process... sort of like a gate keeper, that checks the mail recipient and checks if it's available or not, before it hands it to sendmail for delivery.
But you can block an IP range, i.e. "192 REJECT" will block all of network 192.x.x.x.

-- 
  .-.    e-SecureNet          We Run SuSE
  /v\    Project Manager
 // \\   *The LINUX Experts*  c/o Miguel Albuquerque
/( )\    Av. Miremont 46
 ^^-^^   1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344  Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch  http://www.e-securenet.ch

Here is an example header of how such a post looks. Because the mails are coming from various servers, like ibm.com, compaq, yahoo, companies all over the world, blocking IPs will not make sense.

I think we should call this a bounce attack, because that is eventually what happens... send out mails with wrong addresses to millions of computers and give a wrong address and mail header with... what happens.. it bounces and the attack heads its way to the required target.

Here now the example. He sent the mail to the Stanford mailserver and it bounces.. to me.

    From MAILER-DAEMON@lagu.sidhe.net Sat Nov 2 09:33:47 2002
    Return-Path: <MAILER-DAEMON@lagu.sidhe.net>
    Received: from bouncemail.stanford.edu (bouncemail.Stanford.EDU [171.64.14.35])
            by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319
            for <lobo@0-8-15.ch>; Sat, 2 Nov 2002 09:33:46 +0100
    Received: (qmail 13328 invoked by uid 80); 2 Nov 2002 03:46:34 -0000
    Date: 2 Nov 2002 03:46:34 -0000
    Message-ID: <20021102034634.13324.qmail@bouncemail.stanford.edu>
    To: lobo@0-8-15.ch
    From: Stanford Bounce Mail Daemon <nobody@stanford.edu>
    Subject: Undelivered mail for boe@stanford.edu
    Precedence: junk
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
            boundary="13292.1036208794/bouncemail.stanford.edu"
    X-Bounce-Agent: Stanford Email Bounce

    --13292.1036208794/bouncemail.stanford.edu

    Your message to: boe@stanford.edu
    regarding: Be Bold And Courageous
    could not be delivered because it is not a valid Stanford email address.

    Perhaps you're trying to reach:
    Robert Boeninger, Prin Systems Software <mailto:boe@SLAC.Stanford.EDU>

    You might be able to find the email address you need by looking through
    Stanford's online Directory:
    WWW:    http://stanfordwho.stanford.edu/
    finger: finger user@whois.stanford.edu
    whois:  whois -h whois.stanford.edu user

    If this doesn't work, note that at Stanford people are in charge of
    maintaining their own email information. Those you seek may have chosen
    not to make their Directory information public, or may have committed a
    typo when entering their email address(es) into the system. We recommend
    that you attempt to contact them via other means.

    This note was generated automatically by a computer program. Please do
    not reply to it. Responses will be discarded. If you wish to communicate
    with someone about your bounced message, please send mail to
    postmaster@stanford.edu.

    Your original message has been appended below.

    --13292.1036208794/bouncemail.stanford.edu
    Content-Type: message/delivery-status

    Reporting-MTA: dns; bouncemail.stanford.edu
    Received-From-MTA: dns; stanford.edu

    Final-Recipient: rfc822; boe@stanford.edu
    Action: failed
    Status: 5.1.1

    --13292.1036208794/bouncemail.stanford.edu
    Content-Type: message/rfc822

    Received: (qmail 13286 invoked from network); 2 Nov 2002 03:46:30 -0000
    Received: from leland3.stanford.edu (171.64.14.90)
            by bouncemail.stanford.edu with SMTP; 2 Nov 2002 03:46:30 -0000
    Received: from leland3.Stanford.EDU (localhost [127.0.0.1])
            by leland3.Stanford.EDU (8.11.6/8.11.6) with ESMTP id gA23kSs24136;
            Fri, 1 Nov 2002 19:46:29 -0800 (PST)
    Received: from 1012privat.at (ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br [200.170.149.113])
            by leland3.Stanford.EDU (8.11.6/8.11.6) with SMTP id gA23i3U23625;
            Fri, 1 Nov 2002 19:44:39 -0800 (PST)
    From: lobo@0-8-15.ch
    X-Priority: 3
    Received: from 1012privat.at by 0AEO3V.1012privat.at with SMTP
            for nephron@leland.stanford.edu; Fri, 01 Nov 2002 22:39:54 -0500
    Message-Id: <1VCK7GOQ28UQJ5I56.0PY9VQ1UBY7OI.lobo@0-8-15.ch>
    Reply-To: nephron@24hours.gr
    To: nephron@Stanford.EDU
    Date: Fri, 01 Nov 2002 22:39:54 -0500
    Content-Type: text/plain; charset="iso-8859-1"
    Subject: Be Bold And Courageous
    Content-Transfer-Encoding: quoted-printable
    MIME-Version: 1.0

    PARENTS OF 15 - YEAR OLD - FIND $71,000 CASH HIDDEN IN HIS CLOSET!=

Any ideas?

-----Original Message-----
From: Miguel Albuquerque [mailto:mfoacs@e-workshop.ch]
Sent: Saturday, November 02, 2002 9:49 AM
To: Evert Smit
Cc: suse-security@suse.com
Subject: Re: [suse-security] DOS on sendmail daemon

Evert Smit wrote:
John,
Since the attack is coming from multiple servers, I cannot block a single IP. And the access.db file would still require sendmail to at least look at the incoming mail, i.e. starting a process for it. I need something that happens before the mail reaches the sendmail process... sort of like a gate keeper, that checks the mail recipient and checks if it's available or not, before it hands it to sendmail for delivery.
But you can block an IP range, i.e. "192 REJECT" will block all of network 192.x.x.x.

-- 
  .-.    e-SecureNet          We Run SuSE
  /v\    Project Manager
 // \\   *The LINUX Experts*  c/o Miguel Albuquerque
/( )\    Av. Miremont 46
 ^^-^^   1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344  Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch  http://www.e-securenet.ch

Evert Smit wrote:
Here is an example header of how such a post looks. Because the mails are coming from various servers, like ibm.com, compaq, yahoo, companies all over the world, blocking IPs will not make sense.
I think we should call this a bounce attack, because that is eventually what happens... send out mails with wrong addresses to millions of computers and give a wrong address and mail header with... what happens.. it bounces and the attack heads its way to the required target.
Here now the example. He sent the mail to the Stanford mailserver and it bounces.. to me.
From MAILER-DAEMON@lagu.sidhe.net Sat Nov 2 09:33:47 2002
Return-Path: <MAILER-DAEMON@lagu.sidhe.net>
Received: from bouncemail.stanford.edu (bouncemail.Stanford.EDU [171.64.14.35])
See this:
by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319
   ^^^^^^^^^^^^^^^
Your server is an open relay, close it. Try adding a REJECT access rule for this domain:
ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br
or his IP/Network:
[200.170.149.113])

-- 
  .-.    e-SecureNet          We Run SuSE
  /v\    Project Manager
 // \\   *The LINUX Experts*  c/o Miguel Albuquerque
/( )\    Av. Miremont 46
 ^^-^^   1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344  Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch  http://www.e-securenet.ch

Hi,

On Saturday 02 November 2002 10:17 am, Miguel Albuquerque wrote:
Your server is an open relay, close it.
Of course this is the most important action.
Try adding a REJECT access rule for this domain:
ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br
or his IP/Network:
[200.170.149.113])
Please be very careful with adding reject rules. Basically this leads to blocking many innocent people and is potentially a partial DOS. (The above address looks to me like a dynamic dial-up / DSL number.)

Regards,
--martin

-- 
Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Germanenstrasse 15, 70563 Stuttgart, Germany
email: martin.konold@erfrakon.de

On Saturday 02 November 2002 10:17, Miguel Albuquerque wrote:
Evert Smit wrote:
See this:
by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319
^^^^^^^^^^^^^^^ Your server is an open relay, close it.
I don't understand how you conclude that his server is an open relay from that line; to me that line and the previous one (see below) only say that the bounce message was received from Stanford by his domain, not that the original (spam) message was sent by his domain.
Received: from bouncemail.stanford.edu (bouncemail.Stanford.EDU [171.64.14.35]) by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319 for <lobo@0-8-15.ch>; Sat, 2 Nov 2002 09:33:46 +0100
Furthermore if he was an open relay his domain should have been in the lines below, but I only see that the original mail was received by stanford from that 200.170.149.113 ip-address.
Received: from 1012privat.at (ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br [200.170.149.113]) by leland3.Stanford.EDU (8.11.6/8.11.6) with SMTP id gA23i3U23625; Fri, 1 Nov 2002 19:44:39 -0800 (PST)
From: lobo@0-8-15.ch

-- 
GertJan

GertJan Spoelman wrote:
On Saturday 02 November 2002 10:17, Miguel Albuquerque wrote:
Evert Smit wrote:
See this:
by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319
^^^^^^^^^^^^^^^ Your server is an open relay, close it.
I don't understand how you conclude that his server is an open relay from that line; to me that line and the previous one (see below) only say that the bounce message was received from Stanford by his domain, not that the original (spam) message was sent by his domain.
Received: from bouncemail.stanford.edu (bouncemail.Stanford.EDU [171.64.14.35]) by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319 for <lobo@0-8-15.ch>; Sat, 2 Nov 2002 09:33:46 +0100
Furthermore if he was an open relay his domain should have been in the lines below, but I only see that the original mail was received by stanford from that 200.170.149.113 ip-address.
Received: from 1012privat.at (ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br [200.170.149.113]) by leland3.Stanford.EDU (8.11.6/8.11.6) with SMTP id gA23i3U23625; Fri, 1 Nov 2002 19:44:39 -0800 (PST) From: lobo@0-8-15.ch
Yes, you're right. I remember now, a few months ago I had the same problem (it was an open relay), and it took about 5 days until all the bounces finished. I had more than 1600 per hour in 2 days. What I did was closing the relay and flushing the mailq to prevent more traffic. In my case it was easy, the server had just been installed and pulling the plug was harmless.

Try body_checks with procmail; that might work for you, something like:

    /^From: MAILER-DAEMON.*/ REJECT

You will need FEATURE(local_procmail) enabled in your sendmail.cf, which means rebuilding with M4... (I love Postfix).

...

-- 
  .-.    e-SecureNet          We Run SuSE
  /v\    Project Manager
 // \\   *The LINUX Experts*  c/o Miguel Albuquerque
/( )\    Av. Miremont 46
 ^^-^^   1202 - GE, SWITZERLAND
Tel: +41 (22) 782 5344  Fax: +41 (22) 782 5348
mailto:mfoacs@e-securenet.ch  http://www.e-securenet.ch
"Was Sind und was Sollen die Zahlen?" Dedekind.
____________________________________________________________

Hi!

To the relay: Only allow your own subnet to send mail through the server. Disallow mails sent through it by users or faked users not in your domain.

To the access.db: Fill in the users to reject and you will have your peace.

Using the firewall is useless: if they change IP and someone is sending you a mail from there, it will be blocked.

Find the spammer's IP if the header is not broken. If you don't inform the provider he will still send you spam and your server will be overloaded. Mail to abuse@provider.net of that provider. If they are not acting, force them by saying you will inform higher privileged institutions. We got a spammer that mailed every 5 minutes a virus infected mail to our server. I got rid of him by doing so.

We use postfix because there are some settings to get rid of such spammers.

Philippe

On Saturday 02 November 2002 12:40 am, Evert Smit wrote:
here an example heder of how such a post looks like. because the mails are comming from various server, like ibm.com, compaq, yahoo, companies all over the world, blocking IP's will not make sence.
i think we should call this a bounce attack, because that is eventually what happends... send out mails with wrong adresses to millions of computers and give a wrong adress and mail heder with... what happends.. it bounces and the attack heads it's way to the requiret target.
But it will take as much resource to examine the headers as to allow sendmail to handle it. The job is the same, whether sendmail does it or the thing you want to put in front of sendmail. If you don't relay, sendmail gets rid of these very quickly. Still there are other MTAs that may be a bit more efficient than sendmail, but the process of changing may be not something you want to do on the fly.

-- 
_________________________________________________
No I Don't Yahoo!
And I'm getting pretty sick of being asked if I do.
_________________________________________________
John Andersen / Juneau Alaska

On Sat, 02 Nov 2002, Evert Smit wrote:
Since the attack is coming from multiple servers, I cannot block a single IP. And the access.db file would still require sendmail to at least look at the incoming mail, i.e. starting a process for it. I need something that happens before the mail reaches the sendmail process... sort of like a gate keeper, that checks the mail recipient and checks if it's available or not, before it hands it to sendmail for delivery.
This could be easily configured in POSTFIX ;)

Greetings,

-- 
Jörg Henner                              Fon: +49 (7 11) 48 90 83 - 0
ETES - EDV-Systemhaus GbR                Fax: +49 (7 11) 48 90 83 - 50
Libanonstrasse 58 A * D-70184 Stuttgart  Web: http://www.etes.de
______________________________________
Inflex - eMail Scanning and Protection   Queries to: postmaster@etes.de

Quoting Evert Smit <admin@sidhe.net>:
Hi List,
I am having a security issue, sort of, and was wondering if you know any solutions to this. Someone is bombarding my server with mail, forcing sendmail to run the max allowed child processes and start to reject requests to send mail. What techniques could I use to filter the traffic to sendmail before it actually hits the daemon, and therefore prevent the high load on it?
Hi,

I have read 19 messages in this thread, from which I understand:

lobo@0-8-15.ch was forged by the attacker.

At Fri, 1 Nov 2002 19:46:29 -0800, the attacker's host was: 200.170.149.113 ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br (assuming the clock at leland3.Stanford.EDU is accurate).

There is no evidence of your host being an open relay, just a victim of a mail bomb attack.

Blocking 200.170.149.113 will have no effect as the attacker is not coming in directly. Blocking any other IP is futile as the attacker could use any mail server as a source and all you will achieve is potentially blocking valid mails.

You should complain loudly but politely to the attacker's ISP, abuse@ctbctelecom.net.br and/or security@ctbctelecom.net.br, presenting a sample of the evidence, i.e. logs and a few bounced messages. If a particular mail server is being heavily used to bounce messages to you, it may be worth advising the postmaster at that site of the abuse of his server.

You can protect your server by dropping the load sendmail can place on the system. Reducing the value of "O RefuseLA=nn" will lower the threshold at which connections are refused. Setting "O ConnectionRateThrottle=nn" will limit the number of connections per second.

You could achieve a similar rate limiting in iptables with:

    iptables -N THROTTLE
    iptables -A THROTTLE -p tcp --dport 25 -m limit --limit nn/sec --limit-burst mm -j ACCEPT
    iptables -I INPUT xx -p tcp --dport 25 -m state --state NEW -j THROTTLE

(see iptables -m limit --help)

Both these measures will reduce your mail throughput, but it's better than having the server keel over.

HTH
John
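Added example, not from the thread or any of its participants: a small Python script that applies John's and GertJan's reasoning to the Received: stamps from the bounce Evert quoted. It walks the stamps from the newest hop downward through MTAs it trusts (the assumption here is that our own host and the site that generated the bounce write honest stamps) and stops at the first hop a trusted MTA accepted from an outside peer, which is the only address the evidence supports; the spammer's own stamp below that hop is counted but never believed. It also flags Martin's point that the reverse name looks like a dynamic DSL pool.

```python
import re

# Constructed sample: the Received: stamps from the bounce Evert quoted, in the
# order they appear in the message (newest hop first). The outer hop is the
# bounce arriving at lagu.sidhe.net; the rest are the original spam's headers
# as attached by Stanford. The last line was written by the spammer's own
# software, not by any MTA we know, so nothing in it can be believed.
RECEIVED_CHAIN = [
    "from bouncemail.stanford.edu (bouncemail.Stanford.EDU [171.64.14.35]) by lagu.sidhe.net (8.11.6/8.11.6/SuSE Linux 0.5) with SMTP id gA28XcA00319 for <lobo@0-8-15.ch>; Sat, 2 Nov 2002 09:33:46 +0100",
    "(qmail 13286 invoked from network); 2 Nov 2002 03:46:30 -0000",
    "from leland3.stanford.edu (171.64.14.90) by bouncemail.stanford.edu with SMTP; 2 Nov 2002 03:46:30 -0000",
    "from leland3.Stanford.EDU (localhost [127.0.0.1]) by leland3.Stanford.EDU (8.11.6/8.11.6) with ESMTP id gA23kSs24136; Fri, 1 Nov 2002 19:46:29 -0800 (PST)",
    "from 1012privat.at (ip-170-149-113.xdsl-fixo.ctbcnetsuper.com.br [200.170.149.113]) by leland3.Stanford.EDU (8.11.6/8.11.6) with SMTP id gA23i3U23625; Fri, 1 Nov 2002 19:44:39 -0800 (PST)",
    "from 1012privat.at by 0AEO3V.1012privat.at with SMTP for nephron@leland.stanford.edu; Fri, 01 Nov 2002 22:39:54 -0500",
]

# Assumption: MTAs whose stamps we accept are our own host and the bouncing site.
TRUSTED_SUFFIXES = ("sidhe.net", "stanford.edu")

# from <helo> [(<rdns> [<ip>])] ... by <host>; the rDNS part is optional and
# one of Stanford's stamps writes only "(<ip>)" without square brackets.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(line):
    """Split one Received: value into helo, rdns, ip, by and the trailing date."""
    date = line.rsplit(";", 1)[1].strip() if ";" in line else None
    m = RECEIVED_RE.search(line)
    fields = m.groupdict() if m else {"helo": None, "rdns": None, "ip": None, "by": None}
    return {**fields, "date": date}


def is_trusted(host, suffixes):
    h = (host or "").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_injection_point(chain, suffixes=TRUSTED_SUFFIXES):
    """Walk the chain newest-first while the stamping MTA is trusted and return
    the first hop where a trusted MTA took the message from an outside peer.
    That peer's IP is the only address the evidence supports; stamps below it
    were written by untrusted hosts and are merely counted, never believed."""
    for i, line in enumerate(chain):
        hop = parse_received(line)
        if hop["by"] is None:
            continue            # local injection (qmail) or unparsable stamp
        if not is_trusted(hop["by"], suffixes):
            break               # chain of custody ends here
        peer = hop["rdns"] or hop["helo"]
        if hop["ip"] == "127.0.0.1" or is_trusted(peer, suffixes):
            continue            # hand-off inside a trusted site
        hop["unverifiable_below"] = len(chain) - i - 1
        return hop
    return None


DYNAMIC_HINTS = ("dsl", "dial", "dyn", "ppp", "pool", "cable")


def looks_dynamic(ip, rdns):
    """Martin's caveat: a reverse name that embeds the address octets or an
    access-technology word usually belongs to a dial-up/DSL pool, so a lasting
    REJECT on it mostly hits whoever gets that address next."""
    name = (rdns or "").lower()
    embedded = sum(bool(re.search(rf"(?<!\d){o}(?!\d)", name)) for o in ip.split("."))
    return embedded >= 3 or any(h in name for h in DYNAMIC_HINTS)


if __name__ == "__main__":
    hop = find_injection_point(RECEIVED_CHAIN)
    print(f"injected from {hop['ip']} ({hop['rdns']}) into {hop['by']} at {hop['date']}")
    print(f"{hop['unverifiable_below']} stamp(s) below that are untrusted;"
          f" dynamic-looking: {looks_dynamic(hop['ip'], hop['rdns'])}")
```

If Stanford's stamps are not trusted either, the walk stops at the outer hop and all the evidence shows is that the bounce came from Stanford, which is exactly why blocking the bouncing servers is futile.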

Just realised I had assumed the key statement in the iptables definition.

    iptables -N THROTTLE
    iptables -A THROTTLE -p tcp --dport 25 -m limit --limit nn/sec --limit-burst mm -j ACCEPT
    # You can throttle other services here too.
    iptables -A THROTTLE -j REJECT
    # Uses REJECT to be fair on valid servers.
    iptables -I INPUT xx -p tcp --dport 25 -m state --state NEW -j THROTTLE

Remember the servers sending you mail are victims too.

John
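Added model, not from the thread or from netfilter itself, of how the -m limit rule in John's THROTTLE chain behaves during a bounce storm: a token bucket holding --limit-burst tokens that refills at --limit tokens per second, run over a constructed sequence of connection times, with the REJECT fall-through from his second mail. The arrival times, rate and burst are constructed for the illustration.

```python
# Model of the THROTTLE chain John describes: netfilter's "limit" match acts
# like a token bucket with --limit-burst tokens that refills at --limit tokens
# per second. Each new port-25 connection that finds a token matches the
# ACCEPT rule; the rest fall through to the next rule in the chain.
# This is an added illustration of the rule's behaviour, not netfilter code.


def throttle(arrivals, rate_per_sec, burst, fallthrough="REJECT"):
    """arrivals: ascending timestamps (seconds) of incoming SYNs to port 25.
    fallthrough: verdict for SYNs that find no token. John's second mail
    appends 'iptables -A THROTTLE -j REJECT' so the sending MTA gets an
    immediate error and retries later; without that line the SYN returns to
    INPUT and meets whatever follows there (DROP in a SuSEfirewall2 setup, as
    Olaf noted), so an innocent sender sits waiting for a timeout instead.
    Returns one verdict per SYN."""
    tokens = float(burst)
    last = arrivals[0] if arrivals else 0.0
    verdicts = []
    for t in arrivals:
        # Refill for the time elapsed since the previous SYN, capped at burst.
        tokens = min(float(burst), tokens + (t - last) * rate_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append("ACCEPT")
        else:
            verdicts.append(fallthrough)
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. {'ACCEPT': 15, 'REJECT': 11}."""
    counts = {}
    for v in verdicts:
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed bounce storm: 20 bouncing MTAs connect at once, 4 more a second
# later, then two legitimate senders connect after things have calmed down.
STORM = [0.0] * 20 + [1.0] * 4 + [5.0, 5.0]
# Corresponds to --limit 3/sec --limit-burst 10 in John's rule.
RATE, BURST = 3, 10

if __name__ == "__main__":
    v = throttle(STORM, RATE, BURST)
    print(summarize(v))                    # {'ACCEPT': 15, 'REJECT': 11}
    print("late legitimate senders:", v[-2:])   # bucket refilled: both ACCEPT
```

The storm's first ten connections drain the burst, the trickle a second later gets only the three tokens refilled in that second, and the two legitimate MTAs four seconds later find a full bucket again, which is the throughput cost John mentions.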