computers / comp.os.vms / Re: Anti-virus ?

Subject (Author)
* Anti-virus ? (Niels S. Eliasen)
+* Re: Anti-virus ? (Ian Miller)
|`* Re: Anti-virus ? (John Dallman)
| +- Re: Anti-virus ? (Simon Clubley)
| +* Re: Anti-virus ? (Arne Vajhøj)
| |`* Re: Anti-virus ? (Dave Froble)
| | +* Re: Anti-virus ? (Arne Vajhøj)
| | |`- Re: Anti-virus ? (Dave Froble)
| | `* Re: Anti-virus ? (bill)
| |  `- Re: Anti-virus ? (Arne Vajhøj)
| `* Re: Anti-virus ? (Ehud Gavron)
|  `- Re: Anti-virus ? (John Dallman)
+* Re: Anti-virus ? (Dave Froble)
|`* Re: Anti-virus ? (Dave Froble)
| `- Re: Anti-virus ? (John Vottero)
+* Re: Anti-virus ? (Simon Clubley)
|`* Re: Anti-virus ? (Arne Vajhøj)
| `* Re: Anti-virus ? (Simon Clubley)
|  +* Re: Anti-virus ? (Jan-Erik Söderholm)
|  |`* Re: Anti-virus ? (Simon Clubley)
|  | +- Re: Anti-virus ? (Chris Townley)
|  | +* Re: Anti-virus ? (Dave Froble)
|  | |`* Re: Anti-virus ? (Simon Clubley)
|  | | +* Re: Anti-virus ? (Dave Froble)
|  | | |`- Re: Anti-virus ? (Simon Clubley)
|  | | `* Re: Anti-virus ? (Hunter Goatley)
|  | |  +* Re: ssh dictionary attacks, DDoS (was: Re: Anti-virus ?) (Stephen Hoffman)
|  | |  |`- Re: ssh dictionary attacks, DDoS (Hunter Goatley)
|  | |  +* Re: Anti-virus ? (Steven Schweda)
|  | |  |`* Re: Anti-virus ? (Hunter Goatley)
|  | |  | `* Re: Anti-virus ? (Robert A. Brooks)
|  | |  |  `- Re: Anti-virus ? (Hunter Goatley)
|  | |  `- Re: Anti-virus ? (Mark Daniel)
|  | `* Re: Anti-virus ? (Johnny Billquist)
|  |  +* Re: Anti-virus ? (plugh)
|  |  |`* Re: Anti-virus ? (Johnny Billquist)
|  |  | +* Re: Anti-virus ? (plugh)
|  |  | |`* Re: Anti-virus ? (Johnny Billquist)
|  |  | | `* Re: Anti-virus ? (bill)
|  |  | |  +* Re: Anti-virus ? (Dave Froble)
|  |  | |  |+- Re: Anti-virus ? (cao...@pitbulluk.org)
|  |  | |  |`- Re: Anti-virus ? (Johnny Billquist)
|  |  | |  +* Re: Anti-virus ? (Single Stage to Orbit)
|  |  | |  |`- Re: Anti-virus ? (Johnny Billquist)
|  |  | |  `- Re: Anti-virus ? (Johnny Billquist)
|  |  | `* Re: Anti-virus ? (Brian Schenkenberger)
|  |  |  `- Re: Anti-virus ? (Johnny Billquist)
|  |  `- Re: Anti-virus ? (Simon Clubley)
|  `* Re: Anti-virus ? (Arne Vajhøj)
|   +- Re: Anti-virus ? (Arne Vajhøj)
|   `- Re: Anti-virus ? (plugh)
+* Re: Anti-virus ? (Bob Gezelter)
|`* Re: Anti-virus ? (Stephen Hoffman)
| `- Re: Anti-virus ? (Arne Vajhøj)
`- Re: Anti-virus ? (Arne Vajhøj)

Re: Anti-virus ?

https://www.novabbs.com/computers/article-flat.php?id=29267&group=comp.os.vms#29267

Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.misty.com!.POSTED.31-208-186-157.cust.bredband2.com!not-for-mail
From: bqt...@softjar.se (Johnny Billquist)
Newsgroups: comp.os.vms
Subject: Re: Anti-virus ?
Date: Tue, 15 Aug 2023 22:52:54 +0200
Organization: MGT Consulting
Message-ID: <ubgoj6$18s$4@news.misty.com>
References: <64d49602$0$702$14726298@news.sunsite.dk>
<ub2kbb$c590$1@dont-email.me> <ub3qam$hlh8$2@dont-email.me>
<ub59m6$rege$1@dont-email.me> <ub5fk2$sago$1@dont-email.me>
<ub5rg8$u5nr$1@dont-email.me> <ub7nkl$1di$2@news.misty.com>
<4f492589-945d-4548-bb96-f346ce4db117n@googlegroups.com>
<ubd271$g3l$2@news.misty.com> <ubg62j$2smck$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 15 Aug 2023 20:52:54 -0000 (UTC)
Injection-Info: news.misty.com; posting-host="31-208-186-157.cust.bredband2.com:31.208.186.157";
logging-data="1308"; mail-complaints-to="abuse@misty.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
Gecko/20100101 Thunderbird/102.14.0
In-Reply-To: <ubg62j$2smck$1@dont-email.me>
 by: Johnny Billquist - Tue, 15 Aug 2023 20:52 UTC

On 2023-08-15 17:36, Brian Schenkenberger wrote:
> On 2023-08-14 11:12:32 +0000, Johnny Billquist said:
>
>> Examples:
>>
>> . GET /wp-login.php
>>
>> (seems to be just lots of these probing if wordpress is running on the
>> host, so lots of variations on this one...)
>
> ERROR 404
> We're sorry but it looks like you're lost.
> The requested paged does not exist.

Oh. Definitely. But just by looking at the number of such attempts, it
tells me that wp is a really bad idea to have running anywhere.
But it would never even be possible to run under RSX in the first place,
so I'm not too worried about it.

Yes. 404. And if they insist on 20 more variants, they get blocked for a
while so I don't have them DOSing my web server with stupidity.

Johnny

Re: ssh dictionary attacks, DDoS

https://www.novabbs.com/computers/article-flat.php?id=29269&group=comp.os.vms#29269

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: goathun...@goatley.com (Hunter Goatley)
Newsgroups: comp.os.vms
Subject: Re: ssh dictionary attacks, DDoS
Date: Wed, 16 Aug 2023 16:16:57 -0400
Organization: A noiseless patient Spider
Lines: 70
Message-ID: <ubjars$3e482$1@dont-email.me>
References: <64d49602$0$702$14726298@news.sunsite.dk>
<ub2kbb$c590$1@dont-email.me> <ub3qam$hlh8$2@dont-email.me>
<ub59m6$rege$1@dont-email.me> <ub5fk2$sago$1@dont-email.me>
<ub5rg8$u5nr$1@dont-email.me> <ub60tt$v154$1@dont-email.me>
<ubd7ac$2atei$1@dont-email.me> <ube589$2fjjv$1@dont-email.me>
<ube847$2fufj$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 16 Aug 2023 20:17:00 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="1c4e10d7882a199e4c661cdfcb14e4e0";
logging-data="3608834"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19hQqu2utncWhzt4dqS8oa3kry8EssRgco="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:YP0Nc7dIHgysQZT9fVrlMaswuEQ=
In-Reply-To: <ube847$2fufj$1@dont-email.me>
Content-Language: en-US
 by: Hunter Goatley - Wed, 16 Aug 2023 20:16 UTC

On 8/14/2023 5:59 PM, Stephen Hoffman wrote:
>
> Put a three or so second delay ahead of each ssh connection prior to the
> password processing, and put a five or ten second delay after a failed
> password, and then a delay again before dropping the connection when
> disconnecting from a failed login.
>
> Make the delays adjustable via configuration file or via (gag) logical
> names or such, if following OpenVMS app configuration UI norms.  I've
> met a few of these that build the delay within the text shown while
> stalling, so the characters will dribble back to the originating host.

Nice suggestions, but bots don't really care how long it takes, from
what I've seen. Depends on the bots, of course.

> Adding support for fail2ban into ssh would be a nice addition if not
> already present, but adding it is probably more work than adding delays,
> and less able to handle botnet brute-force and DDoS shenanigans.

That's effectively what MultiNet's Intrusion Prevention Service is doing.

>
> That's usually either a resource leak, or resource exhaustion when
> things get too busy and all this as you are well aware, of course.

Yep. I'm just not sure where. The filtering stuff should not be using
paged pool. The search continues.

> The mail server should probably check the incoming mail server
> connection DNS for DANE or SPF or such, and force incoming connections
> to STARTTLS, and quite possibly add an RBL check.

Some of that is being done already. SPF checks are made, but that
doesn't stop connections. RBL lists are checked, but they're
surprisingly not very effective (at least the ones I'm using).

> There are a half-dozen or so settings in POSTFIX related to this
> anti-spam and related processing that can really slow the malicious
> traffic. (I'd expect OpenSMTPd has some similarities, but haven't had
> the opportunity to implement that in production.)

PreciseMail does a great job of handling the spam. The problem isn't
incoming mail, but just the connections that issue AUTH commands
repeatedly, trying to find something that works. The IPS stops them, but
there are so many from so many different IP addresses....

> Another option I've used—may or may not be an option here, and that for
> various reasons—is to relay incoming and outgoing messages via whatever
> mail server VSI is using, depending on the anti-spam and related
> capabilities of the VSI mail server. (Yeah, my suggestion around all of
> this reply including using relay is probably impolitic here, and, yeah,
> VSI might not want to "share" their mail server.)

Again, the problem isn't mail coming in. It's bots trying to find
accounts that are valid.

As I said before, blocking certain countries would go a long way toward
stopping the problem....

Thanks for your comments!

--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
goathunter@goatley.com http://hunter.goatley.com/
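
The blocking described in this thread, both Johnny's "404, and after 20 more variants they get blocked for a while" for web probes and the intrusion-prevention handling Hunter mentions for clients that issue AUTH commands repeatedly, amounts to a sliding-window threshold per source address with a block that expires on its own. The Python below is an added example of that policy; it is not code from fail2ban, from MultiNet's Intrusion Prevention Service, or from anyone posting here. The log formats, addresses, thresholds and timings are constructed assumptions, chosen so that one web client trips the limit and one SMTP client trips it and then comes back after its block has lapsed.

```python
"""Sliding-window temporary blocking of abusive sources (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


class BanTable:
    """Block a source once it exceeds `threshold` events inside `window`;
    the block lapses after `ban_time`, and counting then starts fresh."""

    def __init__(self, threshold, window, ban_time):
        self.threshold, self.window, self.ban_time = threshold, window, ban_time
        self.recent = defaultdict(deque)  # ip -> event times inside the window
        self.banned_until = {}            # ip -> expiry of the current block

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                  # block has expired: forget it
            del self.banned_until[ip]
            return False
        return True

    def record(self, ip, when):
        """Feed one suspicious event; returns 'dropped' (source already
        blocked), 'blocked' (this event tripped the threshold) or 'ok'."""
        if self.is_banned(ip, when):
            return "dropped"
        q = self.recent[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.threshold:              # e.g. the 21st probe in a minute
            self.banned_until[ip] = when + self.ban_time
            q.clear()
            return "blocked"
        return "ok"


# Constructed Apache-style access log (not real traffic): one host hammers
# wp-login.php variants and gets 404 every time; a normal client fetches a
# page and misses a favicon once.
WEB_LOG = [
    f'198.51.100.9 - - [15/Aug/2023:22:40:{i:02d} +0200] "GET /wp-login.php?v={i} HTTP/1.1" 404 196 "-" "-"'
    for i in range(22)
] + [
    '192.0.2.5 - - [15/Aug/2023:22:40:30 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.5 - - [15/Aug/2023:22:40:31 +0200] "GET /favicon.ico HTTP/1.1" 404 196 "-" "-"',
]
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

# Constructed SMTP server log (assumed format): six AUTH failures in six
# seconds, then one more a quarter of an hour later.
SMTP_LOG = [
    f'2023-08-16T20:10:{i:02d}+00:00 mailhost smtpd[4242]: AUTH failure from 203.0.113.7 user=admin'
    for i in range(6)
] + ['2023-08-16T20:25:00+00:00 mailhost smtpd[4242]: AUTH failure from 203.0.113.7 user=root']
SMTP_RE = re.compile(r'^(?P<ts>\S+) \S+ smtpd\[\d+\]: AUTH failure from (?P<ip>\S+)')


def web_probe_events(lines):
    """(ip, time) for every request answered with 404, i.e. a probe."""
    for line in lines:
        m = WEB_RE.match(line)
        if m and m.group("status") == "404":
            yield m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def smtp_auth_failures(lines):
    """(ip, time) for every failed SMTP AUTH attempt."""
    for line in lines:
        m = SMTP_RE.match(line)
        if m:
            yield m.group("ip"), datetime.fromisoformat(m.group("ts"))


def apply_policy(events, threshold, window_s, ban_s):
    """Run events through a BanTable. Returns the table, the list of sources
    that got blocked, and how many events arrived while already blocked."""
    table = BanTable(threshold, timedelta(seconds=window_s), timedelta(seconds=ban_s))
    blocked, dropped = [], 0
    for ip, when in events:
        outcome = table.record(ip, when)
        if outcome == "blocked":
            blocked.append(ip)
        elif outcome == "dropped":
            dropped += 1
    return table, blocked, dropped


if __name__ == "__main__":
    # Web: more than 20 probes within 60 s earns a 10-minute block.
    _, blocked, dropped = apply_policy(web_probe_events(WEB_LOG), 20, 60, 600)
    print("web blocked:", blocked, "dropped while blocked:", dropped)
    # SMTP: more than 5 AUTH failures within 60 s earns a 10-minute block.
    table, blocked, dropped = apply_policy(smtp_auth_failures(SMTP_LOG), 5, 60, 600)
    print("smtp blocked:", blocked, "still blocked:", sorted(table.banned_until))
```

In the web run the 21st probe from 198.51.100.9 trips the block and the 22nd is dropped without being counted, while 192.0.2.5's single 404 never comes close. In the SMTP run the sixth failure trips the block; the attempt fifteen minutes later finds the block expired, so it is counted afresh rather than dropped, which is the "blocked for a while" behaviour rather than a permanent blacklist. Note what the example cannot fix, and what Hunter points out: a threshold per source does nothing against a botnet that spreads its attempts over many addresses, each staying under the limit.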

Re: Anti-virus ?

https://www.novabbs.com/computers/article-flat.php?id=29270&group=comp.os.vms#29270

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: goathun...@goatley.com (Hunter Goatley)
Newsgroups: comp.os.vms
Subject: Re: Anti-virus ?
Date: Wed, 16 Aug 2023 16:18:07 -0400
Organization: A noiseless patient Spider
Lines: 21
Message-ID: <ubjau2$3e482$2@dont-email.me>
References: <64d49602$0$702$14726298@news.sunsite.dk>
<ub2kbb$c590$1@dont-email.me> <ub3qam$hlh8$2@dont-email.me>
<ub59m6$rege$1@dont-email.me> <ub5fk2$sago$1@dont-email.me>
<ub5rg8$u5nr$1@dont-email.me> <ub60tt$v154$1@dont-email.me>
<ubd7ac$2atei$1@dont-email.me> <ube589$2fjjv$1@dont-email.me>
<29ea4192-4364-4623-8f54-9100e7bc3605n@googlegroups.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 16 Aug 2023 20:18:10 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="1c4e10d7882a199e4c661cdfcb14e4e0";
logging-data="3608834"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/cj0kK7VQkTk6Z7wt9IGAQ0SAzhC5SKmw="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:/wuVVQTG3pC5T7OM8eaICeJ0HN0=
Content-Language: en-US
In-Reply-To: <29ea4192-4364-4623-8f54-9100e7bc3605n@googlegroups.com>
 by: Hunter Goatley - Wed, 16 Aug 2023 20:18 UTC

On 8/14/2023 9:29 PM, Steven Schweda wrote:
>> [...] dictionary attacks via SSH [...]
>
> Don't listen at port 22? Since I stopped port-forwarding port 22, I
> see approximately none of these. I don't see adding "-p xxxx" to a
> command as a hardship.
>
> If you want strangers to use it, then you would need to publish the
> actual port number someplace, of course, but I would expect the robots
> not to read much.

Historically, EISNER management hasn't wanted to make things difficult
for people---which I understand---otherwise, I'd have moved it from port
22 years ago. But I'm lobbying again to make that change.

--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
goathunter@goatley.com http://hunter.goatley.com/

Re: Anti-virus ?

https://www.novabbs.com/computers/article-flat.php?id=29273&group=comp.os.vms#29273

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: FIRST.L...@vmssoftware.com (Robert A. Brooks)
Newsgroups: comp.os.vms
Subject: Re: Anti-virus ?
Date: Wed, 16 Aug 2023 19:30:46 -0400
Organization: A noiseless patient Spider
Lines: 11
Message-ID: <ubjm76$3fkuk$1@dont-email.me>
References: <64d49602$0$702$14726298@news.sunsite.dk>
<ub2kbb$c590$1@dont-email.me> <ub3qam$hlh8$2@dont-email.me>
<ub59m6$rege$1@dont-email.me> <ub5fk2$sago$1@dont-email.me>
<ub5rg8$u5nr$1@dont-email.me> <ub60tt$v154$1@dont-email.me>
<ubd7ac$2atei$1@dont-email.me> <ube589$2fjjv$1@dont-email.me>
<29ea4192-4364-4623-8f54-9100e7bc3605n@googlegroups.com>
<ubjau2$3e482$2@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 16 Aug 2023 23:30:46 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="2c83c3a7626004df4a40c6d3e279150f";
logging-data="3658708"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/r5vU4SNbZlLkeKMO68rfGzwYgz02QSZsUkk/Wmp6Mmg=="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.14.0
Cancel-Lock: sha1:W5tBDHzxkJJW4wiVYNGyWqNNMX4=
Content-Language: en-US
In-Reply-To: <ubjau2$3e482$2@dont-email.me>
X-Antivirus: Avast (VPS 230816-6, 8/16/2023), Outbound message
X-Antivirus-Status: Clean
 by: Robert A. Brooks - Wed, 16 Aug 2023 23:30 UTC

On 8/16/2023 4:18 PM, Hunter Goatley wrote:
> Historically, EISNER management hasn't wanted to make things difficult for
> people---which I understand---otherwise, I'd have moved it from port 22 years
> ago. But I'm lobbying again to make that change.

+1!

--

--- Rob

Re: Anti-virus ?

https://www.novabbs.com/computers/article-flat.php?id=29313&group=comp.os.vms#29313

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: goathun...@goatley.com (Hunter Goatley)
Newsgroups: comp.os.vms
Subject: Re: Anti-virus ?
Date: Mon, 21 Aug 2023 06:16:07 -0400
Organization: A noiseless patient Spider
Lines: 18
Message-ID: <ubvdh9$1rqdh$1@dont-email.me>
References: <64d49602$0$702$14726298@news.sunsite.dk>
<ub2kbb$c590$1@dont-email.me> <ub3qam$hlh8$2@dont-email.me>
<ub59m6$rege$1@dont-email.me> <ub5fk2$sago$1@dont-email.me>
<ub5rg8$u5nr$1@dont-email.me> <ub60tt$v154$1@dont-email.me>
<ubd7ac$2atei$1@dont-email.me> <ube589$2fjjv$1@dont-email.me>
<29ea4192-4364-4623-8f54-9100e7bc3605n@googlegroups.com>
<ubjau2$3e482$2@dont-email.me> <ubjm76$3fkuk$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 21 Aug 2023 10:16:09 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="482e272e4f80048b68782ae0145fd389";
logging-data="1960369"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/mw6Mq5AQyh6/0VJEwPa5T1my4O+CXYqI="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:5iIFBTnngHauNDk2Y4AYlNClK3c=
In-Reply-To: <ubjm76$3fkuk$1@dont-email.me>
Content-Language: en-US
 by: Hunter Goatley - Mon, 21 Aug 2023 10:16 UTC

On 8/16/2023 7:30 PM, Robert A. Brooks wrote:
> On 8/16/2023 4:18 PM, Hunter Goatley wrote:
>> Historically, EISNER management hasn't wanted to make things difficult
>> for people---which I understand---otherwise, I'd have moved it from
>> port 22 years ago. But I'm lobbying again to make that change.
>
> +1!
>
And done:

https://eisner.decus.org/online/ssh

--
Hunter
------
Hunter Goatley, Process Software, http://www.process.com/
goathunter@goatley.com http://hunter.goatley.com/
