[lug] keeping up with attacks

Michael J. Hammel mjhammel at graphics-muse.org
Sat May 4 08:56:39 MDT 2019

I have a colo that I keep watch with logwatch (tummy.com also watches
it for me, doing security updates).  I have ipsets and iptables in play
to keep out most of the baddies.  And I run fail2ban.  So for the most
part it's protected.  At least as much as I know.

One thing that's been happening lately is a lot of attempts to access
the mail server.  It's a botnet, coming with single attempts from many
addresses using the same set of usernames:  hopa, oiqkgntuw, pqqgvdx,
etc.  These are not all from a single country.  I already ban Russia,
China and a couple of others.  So the only way I know to stop these -
what appear to be DoS - attacks is by username in the mail server.

The good news is these don't really seem to be affecting anything.
Service is not degraded as far as I can tell.

What I want to know is if there is a site that tracks these kinds of
events and offers mitigation ideas.  Surely others have seen this stuff
and someone may have ideas on how to make their use less desirable to
the other end.

Also:  Is there a way to prevent probing of my web sites?  Logwatch
reports sites that probe my servers but I can't tell what I can do to
reject such probes.  Logwatch also reports lots of 404's, 403's and
400's.  I'm wondering if there is anything I can do about those if I
notice a pattern (same URL, same sub-URL, etc.).  Maybe add them to the
fail2ban configs?

Michael J. Hammel
mjhammel at graphics-muse.org
michaelhammel at acm.org
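An added example, not part of the post or the list: a small Python script that scans constructed Dovecot-style auth failures for the pattern described above (the same unknown usernames arriving once each from many addresses), which a per-IP threshold like fail2ban's never reaches, and turns the offending sources into ipset entries. The log format, the `mailprobes` set name and the three-address threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a Dovecot-like auth format (assumption: a real
# server's format may differ; adjust AUTH_RE to match it).
SAMPLE_LOG = """\
May  4 08:01:11 colo dovecot: auth: pam(hopa,198.51.100.7): unknown user
May  4 08:01:19 colo dovecot: auth: pam(oiqkgntuw,203.0.113.42): unknown user
May  4 08:02:03 colo dovecot: auth: pam(hopa,192.0.2.88): unknown user
May  4 08:02:40 colo dovecot: auth: pam(pqqgvdx,198.51.100.7): unknown user
May  4 08:03:05 colo dovecot: auth: pam(hopa,203.0.113.200): unknown user
May  4 08:03:30 colo dovecot: auth: pam(mjhammel,192.0.2.5): password mismatch
May  4 08:04:10 colo dovecot: auth: pam(mjhammel,192.0.2.5): password mismatch
"""

AUTH_RE = re.compile(
    r"pam\((?P<user>[^,]+),(?P<ip>[0-9.]+)\): (?P<reason>unknown user|password mismatch)"
)


def analyse(log_text, min_ips=3):
    """Return (distributed, per_ip).

    distributed: unknown usernames tried from at least min_ips distinct
    addresses, i.e. the "same usernames, many sources" botnet pattern.
    per_ip: failures per source address, which is all a per-IP ban
    tool sees; here most sources show a single attempt.
    """
    ips_by_user = defaultdict(set)
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        per_ip[m["ip"]] += 1
        if m["reason"] == "unknown user":  # real accounts mistyping are not the botnet
            ips_by_user[m["user"]].add(m["ip"])
    distributed = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= min_ips}
    return distributed, dict(per_ip)


def ipset_lines(distributed, setname="mailprobes"):
    """Lines in `ipset restore` syntax for every source behind a distributed username."""
    ips = sorted({ip for addrs in distributed.values() for ip in addrs})
    return [f"add {setname} {ip}" for ip in ips]


if __name__ == "__main__":
    dist, counts = analyse(SAMPLE_LOG)
    print("\n".join(ipset_lines(dist)))
```

Pipe the output into `ipset restore` only after eyeballing it; the legitimate user at 192.0.2.5 is deliberately left out because password mismatches on a real account are not the pattern being hunted.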
