[NBLUG/talk] Need advice on intrusion detection systems, etc.

Jacob Appelbaum jake at nblug.org
Tue Aug 2 13:26:20 PDT 2005


On Tue, 2005-08-02 at 09:40 -0700, Linford Mark wrote:
> Good Morning, NBLUG-ites.
> 
> I'm looking for some intrusion detection system advice. In the past few months, I've noticed a drastic increase in the number of "attacks" against our network. Checking our logs from each evening, I see a variety of suspicious activity hitting our computers, including:
> 
> 1. Numerous attempts to access many different ssh accounts from the same IP address over a short period of time
> 2. Email sent from a singular server to (mostly) non-existing addresses, some based on dictionary words (tom@, dick@, harry@, etc.), others obviously random (00s54qqq@, etc.).
> 3. Continuous attempts from particular IP addresses to run exploits against our web servers.
> 
> Unfortunately, these mostly happen in the middle of the night or over the weekend, when I'm (in theory) blissfully unaware. Of course, I only find these attacks out after the fact, when there's not much else I can do but clean up the damage and clear my logs.
> 
> So, I'm looking for something that can detect these types of network behaviors and can act on them automatically. Now, I'm peripherally familiar with Snort, but I think I need something a bit more flexible.
> 
> Here's an example: Let's say I have an email server that sends me 50 emails, to non-existing email addresses, within a short period of time. Obviously, this isn't a mistake - either someone's trying to mail bomb us, or they're running a dictionary attack and trying to harvest real email addresses. So, instead of letting this jerk continue to hammer our servers, I'd like to automatically block them from my network, either temporarily or until I can act on it (say, when I arrive the next morning). I don't think Snort can handle this type of request (though I could be wrong).

Regarding issues with ssh, I suggest you read this thread:
http://it.slashdot.org/article.pl?sid=05/07/16/1615233&from=rss

I normally find Slashdot useless (http://yak.net/fqa/417.html) but a few
of those posts are actually helpful. You do need to exercise extreme
caution though; messing with sshd can give you some massive headaches
when you make a mistake...

Regarding email, does this seem like it's bouncing *to* a valid address?
Or does the bounce bounce?

I think that's a pretty simple way to get your server to deliver spam
and the net result is a possible blacklist of your server. Depending on
your mailer and your interest in not crippling SMTP, you may have some
options. Slippery slope ahoy! (I know that's not very helpful but I
don't know what your MTA is...)

Regarding the web service:
Ignore it or find a way to automatically block it.

If it's possible, I'd set up a Snort box, perhaps as a transparent
bridging IPS firewall-ish box. But it really depends on how you're able
to do this and you really really need to tune it. Oh and beware of any
zero-day exploits against it because it will have the ability to cripple
your network...

-- 
Jacob Appelbaum <jake at nblug.org>
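
The automatic, temporary blocking asked about in the quoted message, as an added example that is not part of the original thread: a per-source sliding-window counter over log lines that returns block decisions with an expiry time. The sshd pattern follows OpenSSH's "Failed password" message; the thresholds, the allow-listed range, the `smtp: reject ...` line format and the sample log are assumptions constructed for illustration.

```python
import ipaddress, re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule: name, regex capturing the source, max events, window, block length.
# Thresholds are assumptions; 50 rejected recipients is the figure from the post.
RULES = [
    # End-anchored so text in the username field cannot choose the address.
    ("ssh-guess", re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$"),
     5, timedelta(minutes=1), timedelta(hours=1)),
    # Hypothetical MTA-neutral line; adapt the regex to your mailer's reject message.
    ("rcpt-harvest", re.compile(r"smtp: reject unknown-recipient client=(\S+)$"),
     50, timedelta(minutes=10), timedelta(hours=12)),
]
ALLOW = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range, never blocked

def detect(lines, rules=RULES, allow=ALLOW):
    """Return (time, rule, ip, block_until) for each source that exceeds a rule."""
    recent, blocked, out = defaultdict(deque), {}, []
    for line in lines:
        stamp, _, rest = line.rstrip().partition(" ")
        try:
            now = datetime.fromisoformat(stamp)
        except ValueError:
            continue                      # no parseable timestamp
        for name, pattern, limit, window, length in rules:
            m = pattern.search(rest)
            try:
                ip = ipaddress.ip_address(m.group(1)) if m else None
            except ValueError:
                ip = None                 # captured field is not an address
            key = (name, ip)
            if ip is None or any(ip in net for net in allow) or blocked.get(key, now) > now:
                continue
            q = recent[key]
            q.append(now)
            while now - q[0] > window:    # drop events that fell out of the window
                q.popleft()
            if len(q) >= limit:
                blocked[key] = now + length
                out.append((now, name, str(ip), now + length))
                q.clear()
    return out

def sample_log(ip="192.0.2.10", n=8, step=4):
    """Constructed sshd lines: n failed logins from one source, step seconds apart."""
    t0 = datetime(2005, 8, 2, 3, 0, 0)
    return [f"{(t0 + timedelta(seconds=step * i)).isoformat()} mail sshd[812]: "
            f"Failed password for invalid user u{i} from {ip} port 40000 ssh2" for i in range(n)]
```

`detect()` only returns decisions; applying them to a firewall and removing entries once `block_until` passes is left to the local setup.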



