Ticket #589 (closed maintenance: fixed)

Opened 3 years ago

Last modified 3 years ago

Blocking spammers at a firewall level

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Live server Keywords:
Cc: ed, jim Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.9

Description

At the meeting on 5th September ticket:585 one thing we discussed was that for August 2013:

More data is transferred for /user/register than the front page, 5.1GB compared to 3.6GB.

Most of this will be spam bots trying to register to post spam. Jim suggested that we could look at blocking some of these spam bots at a firewall level to save on resources. This ticket is to follow up on this suggestion.

Change History

comment:1 Changed 3 years ago by jim

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

The place to enable this is /etc/csf/csf.conf in the section labelled:

# SECTION:Global Lists/DYNDNS/Blocklists

It's a case of settings some false/0 to 1/true... Also you should set _CUSTOM_CONFIG_CSF=YES in #~/.barracuda.cnf so these settings aren't overwritten by BOA updates.

I'd recommend doing this one AFTER the #586 New Relic install so we get the latest BOA version of csf.conf before locking updates to it.

Version 0, edited 3 years ago by jim (next)

comment:2 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.7
  • Total Hours changed from 0.1 to 0.8

The /etc/csf/csf.blocklists contains configs for the following lists, I have noted which ones have been enabled.

The firewall was restarted:

csf -r

And the documentation updated, wiki:PuffinServer#CSFLDF

Spamhaus Don't Route Or Peer List (DROP)

Details: http://www.spamhaus.org/drop/

DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by criminals and professional spammers. DROP and EDROP are a tiny subset of the SBL designed for use by firewalls and routing equipment.

This looks safe to enable.

DShield.org Recommended Block List

Details: http://dshield.org

This list summarized the top 20 attacking class C (/24) subnets over the last three days.

This looks safe to enable.

TOR Exit Nodes

Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList

I'm strongly opposed to this being enabled.

BOGON list

Details: http://www.team-cymru.org/Services/Bogons/

A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.

This looks safe to enable.

Project Honey Pot Directory of Dictionary Attacker IPs

Details: http://www.projecthoneypot.org

Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website.

This looks safe to enable.

C.I. Army Malicious IP List

Details: http://www.ciarmy.com

Based on information from our network of Sentinel devices deployed around the world, we compile a list of known bad IP addresses. How do we know their bad? We utilize DPAM (read more about DPAM here), and part of that is proprietary, but here's a hint: Sentinel devices are uniquely positioned to pick up traffic from bad guys without requiring any type of signature-based or rate-based identification. If an IP is identified in this way by a significant number of Sentinels, we feel confident the IP is malicious and should be blocked.

Not sure about this one, not enabling it for now, the list isn't that long.

BruteForceBlocker IP List

Details: http://danger.rulez.sk/index.php/bruteforceblocker/

block SSH bruteforce attacks via firewall

Makes sense, I have enabled this one.

Emerging Threats - Russian Business Networks List

Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

IP address ranges from which the former customers of the RBN ISP, their malware marketing affiliate networks, emulators, and other organized crime groups exploit consumers. Block at will. Test for your production environment prior to utilization.

Not sure about this one, not enabling it for now.

OpenBL.org 30 day List

Details: http://www.openbl.org

The OpenBL.org project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.

Enabled.

Autoshun Shun List

Details: http://www.autoshun.org/

AutoShun? is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other snort sensors, honeypots, and mail filters from around the world.

With the Autoshun plugin installed you can contribute alerts from your IDS/IPS Sensors to the assist the fight against bots, worms, spam engines, and zombies!

Enabled.

MaxMind GeoIP Anonymous Proxies

Details: https://www.maxmind.com/en/anonymous_proxies

This is another one which we should not use.

comment:3 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Status changed from new to closed
  • Resolution set to fixed
  • Total Hours changed from 0.8 to 0.9

This ticked has been linked to from the server documentation, wiki:PuffinServer#Blocklists and I can't see any reason not to now close it.

Note: See TracTickets for help on using tickets.