[Info-vax] Anti-virus ?
Mark Daniel
mark.daniel at wasd.vsm.com.au
Mon Aug 14 21:52:57 EDT 2023
On 15/8/2023 6:40 am, Hunter Goatley wrote:
> On 8/14/2023 8:39 AM, Simon Clubley wrote:
>>
>> Every so often, Eisner's network services (including SSH) simply stop
>> working. Sometimes, basic stuff such as ICMP continues to work, but
>> anything involving process creation is utterly stuffed.
>
> Lately, it's been a problem of EISNER seeing an unprecedented (per
> EISNER's history) level of dictionary attacks via SSH and SMTP. I've had
> to increase quotas for MultiNet's Intrusion Prevention Service process
> to try to keep up with the events. Each time, I've thought, "Well, that
> should be enough," and then the number of attacks grows, and it's not.
>
> Something in all of that is eating up paged memory, and when the system
> runs out of that, pretty much everything stops, and the system has to be
> rebooted.
>
> I thought EISNER was getting hit hard before the recent relocation, but
> the number of SSH and SMTP connections trying bogus usernames or trying
> to guess passwords has shot up dramatically since the relocation.
> Apparently, EISNER's new IP address makes it a bigger target than the
> previous address for some reason.
>
> Over the past three days, over 21,000 IP address filters were
> automatically created in response to the attempts. That's not the total
> number of connections, just the connections that triggered IPS to create
> a filter. While I was checking that number, I saw five more get created
> in the 20 seconds I was looking.
>
> If I could block certain countries, a lot of the problem would be
> alleviated. But that doesn't really work for a system like EISNER, which
> aims to be open to everyone.
VSM was plagued by similar issues with lots of similar attempts.
A filter added to WASD rejection list immediately drops connections from
IPs / domains listed.
|46.148.32.0-46.148.47.255
|*.ir
Once added, it took two or three weeks before connections in the range
46.148.32.0-46.148.47.255 (Iranian IP space) ceased completely.
Problem (largely) solved (for this case).
PS. VSM gateways incoming/outgoing mail through WASD (TLS wrapper).
More fraught (but not impossible) with SSH.
But introduces one more dependency - WASD.
> So we learn, adjust, reboot, and repeat.
>
> Oh, and since EISNER is no one's full-time job, that process is taking
> longer than it might otherwise. I sometimes see that EISNER is not
> answering before anyone else---but not always.
--
Anyone who, using social media, forms an opinion regarding anything
other than the relative cuteness of this or that puppy-dog, needs
seriously to examine their critical thinking.
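Added illustration, not WASD code and not part of the above message: a minimal emulation of a rejection list in the two forms quoted in the post (an address range and a wildcard domain), extended to plain addresses and CIDR entries. The entry syntax, the `|` quoting prefix and the matching rules are assumptions for this example only.

```python
# Emulates a host-rejection list like the one quoted above. Entry forms accepted
# here (assumed, not WASD's actual syntax): 'a.b.c.d-w.x.y.z', 'a.b.c.d/nn',
# 'a.b.c.d' and '*.tld'. A leading '|' (quoting in the post) is stripped.
import ipaddress
from typing import List, Optional, Tuple

RangeEntry = Tuple[int, int, int]   # (ip version, first, last) inclusive, as ints


def parse_rejection_list(lines: List[str]) -> Tuple[List[RangeEntry], List[str]]:
    """Split list entries into numeric address ranges and domain patterns."""
    ranges: List[RangeEntry] = []
    domains: List[str] = []
    for raw in lines:
        entry = raw.strip().lstrip("|").strip()
        if not entry or entry.startswith("#"):
            continue
        if "-" in entry:                       # explicit first-last range
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"bad range: {entry}")
            ranges.append((lo.version, int(lo), int(hi)))
        elif "/" in entry:                     # CIDR block
            net = ipaddress.ip_network(entry, strict=False)
            ranges.append((net.version, int(net.network_address), int(net.broadcast_address)))
        else:
            try:                               # single address ...
                a = ipaddress.ip_address(entry)
                ranges.append((a.version, int(a), int(a)))
            except ValueError:                 # ... otherwise a domain pattern
                domains.append(entry.lower().rstrip("."))
    return ranges, domains


def is_rejected(ranges: List[RangeEntry], domains: List[str],
                ip: str, hostname: Optional[str] = None) -> bool:
    """True if the client address, or its reverse-resolved name, hits the list."""
    addr = ipaddress.ip_address(ip)
    if any(v == addr.version and lo <= int(addr) <= hi for v, lo, hi in ranges):
        return True
    if hostname:
        host = hostname.lower().rstrip(".")
        for pat in domains:
            if pat.startswith("*."):           # wildcard: the suffix or the bare domain
                if host.endswith(pat[1:]) or host == pat[2:]:
                    return True
            elif host == pat:
                return True
    return False


# Constructed sample list: the two entries quoted in the post plus one CIDR entry.
SAMPLE_LIST = ["|46.148.32.0-46.148.47.255", "|*.ir", "203.0.113.0/24"]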