
HUGE SPAM Attack

KrazyBob

Regular Pleskian
All of my 100+ servers have been under constant attack since last week. zen.spamhaus.org is catching much of the incoming SPAM but they are slamming the servers. But the other issue appears to be an attack on port 25 SMTP. lsof -i :25 shows 50-100 simultaneous connections to port 25 from different IPs. I have blocked entire subnets in our hardware firewall from around the globe from which the attacks are coming but I can't get all of them. They are sequential blocks as well: 114.x.x.x, 115.x.x.x, 116.x.x.x -- 189.x.x.x, 190.x.x.x -- and are hitting all of my servers at one time. Our alarming systems keep sending alert after alert that SMTP is stopping and restarting. I have edited MAXDAEMONS=160 and MAXPERIP=80 just to keep the service from shutting down.

But what I need is more of a solution to stop the overall problem. Looking at the logs in /var/log shows me that what appears to be brute force attacks on all passworded services are not stopping. FTP, mysql, POP3, SMTP.

I am running Plesk 8.6 inside of Virtuozzo. Because we're behind a firewall I haven't installed APF or BFD but do have IPTABLES installed.

Suggestions?
 
Thank you. But as I recall BFD requires that APF be installed first and APF wants to see a physical eth port. This KB article discusses the Plesk firewall: http://kb.odin.com/en/875

But can BFD be installed without APF? What about the Plesk firewall?
 
I guess an even better question is whether or not APF and BFD can just be installed on the hardware node and therefore, any VE's are automatically protected. The HN sees the IP traffic anyway.
 
I have installed APF in a Virtuozzo environment, with some small errors, but I know that if Virtuozzo is not configured well, then you will get some errors, which usually you can ignore. We are just studying how to configure Virtuozzo to work well with APF.
 
Watchguard

Get a Watchguard x-peak 8500 and install it above your Router.

Take your inbound Ethernet line and put it in port 1

connect the green cable to your Ethernet switch port 48

Your spam attack will drop off after you configure your profile
 
Thank you, but we already have a Watchguard X but do not pay the high annual fee for SPAM protection. It also cannot handle the load but does well as a firewall. With all of the other attacks coming in we need a dedicated SPAM appliance, but they too are very expensive. We rely on Spam Assassin and it does well enough. With so many servers, trying to get too much out of a firewall just means trouble. I can say that Watchguard makes an excellent product. We can handle a couple million packets/s when we get flooded from time to time :) Our provider's Cisco craps out first :)

The question at hand remains whether or not to put APF and BFD on the Virtuozzo hardware node since it sees all network traffic on the NIC, or to put APF and BFD on the container and not use the Plesk firewall at all. We don't anyway -- the Watchguard contains our policies. It seems that our real issue is brute force attacks that the Watchguard does not see as attacks. It sees them as traffic to port 80, or 8080, or even 8443. But it doesn't see dictionary attacks on 25 or 110. I worry about adding anything to Virtuozzo because after about 5 years of using it with some distaste for their terrible support I don't want to jack things up too bad. APF and BFD are easy enough to remove. But add Plesk to the mix and I wonder...

But I thank you for a decent attempt at answering the question. It gets frustrating asking only to get someone that doesn't answer the question but tells you to go buy this or that. Or why are you doing that. I like straight answers and you gave one.
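The brute-force pattern described in the opening post (dictionary attempts against POP3, IMAP and SMTP from sequential address blocks) and again in the last post (attacks on 25 and 110 that a packet-filtering firewall does not recognise as attacks) is essentially what BFD does: read the mail log, count failed logins per source, and block the sources that cross a threshold. The script below is an added example written for this thread, not code from the poster, from Plesk or from the APF/BFD project. It parses constructed maillog lines modelled on Courier-IMAP's `pop3d`/`imapd` "LOGIN FAILED" syslog format (an assumption; adjust `FAIL_RE` if your log differs), flags sources with a burst of failures inside a short window so a user with a stale password is not blocked, aggregates the hits per /24 to make the sequential-subnet pattern visible, and renders the iptables rules as text for review rather than applying them.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample maillog excerpt (not from the poster's servers), modelled
# on Courier-IMAP's syslog lines. Three sources are present: a burst of
# dictionary attempts from two hosts in 114.0.0.0/24, one failure from a
# legitimate user, and five failures spread over 20 minutes from 114.0.1.5.
SAMPLE_LOG = """\
Mar 12 03:14:01 mx1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:114.0.0.23]
Mar 12 03:14:02 mx1 pop3d: LOGIN FAILED, user=test, ip=[::ffff:114.0.0.23]
Mar 12 03:14:02 mx1 pop3d: LOGIN FAILED, user=info, ip=[::ffff:114.0.0.23]
Mar 12 03:14:03 mx1 pop3d: LOGIN FAILED, user=sales, ip=[::ffff:114.0.0.23]
Mar 12 03:14:03 mx1 imapd: LOGIN FAILED, user=root, ip=[::ffff:114.0.0.23]
Mar 12 03:14:05 mx1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:114.0.0.77]
Mar 12 03:14:06 mx1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:114.0.0.77]
Mar 12 03:14:06 mx1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:114.0.0.77]
Mar 12 03:14:07 mx1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:114.0.0.77]
Mar 12 03:14:07 mx1 pop3d: LOGIN FAILED, user=admin, ip=[::ffff:114.0.0.77]
Mar 12 03:14:09 mx1 pop3d: LOGIN, user=alice@example.com, ip=[::ffff:198.51.100.9]
Mar 12 03:14:11 mx1 pop3d: LOGIN FAILED, user=alice@example.com, ip=[::ffff:198.51.100.9]
Mar 12 03:20:00 mx1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:114.0.1.5]
Mar 12 03:25:00 mx1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:114.0.1.5]
Mar 12 03:30:00 mx1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:114.0.1.5]
Mar 12 03:35:00 mx1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:114.0.1.5]
Mar 12 03:40:00 mx1 pop3d: LOGIN FAILED, user=bob, ip=[::ffff:114.0.1.5]
"""

# Assumed Courier-IMAP failed-login format; the ::ffff: prefix is the
# IPv4-mapped form Courier logs when it listens on an IPv6 socket.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>pop3d|imapd): "
    r"LOGIN FAILED, user=(?P<user>\S+), ip=\[(?:::ffff:)?(?P<ip>[\d.]+)\]$"
)


def parse_failures(log_text):
    """Return (timestamp, service, ip, user) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        # syslog timestamps carry no year; prepend a leap year so Feb 29 parses
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append((ts, m["svc"], m["ip"], m["user"]))
    return events


def brute_forcers(events, threshold=5, window_seconds=60):
    """Map ip -> total failures for IPs with `threshold` failures inside any
    `window_seconds` span. A source failing once every few minutes is a stale
    password, not a dictionary attack, so the sliding window leaves it alone."""
    by_ip = defaultdict(list)
    for ts, _svc, ip, _user in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged


def aggregate(ips, prefixlen=24):
    """Count flagged sources per network prefix to expose sequential subnets."""
    return Counter(str(ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in ips)


def drop_rules(ips, ports=(25, 110, 143)):
    """Render iptables rules for the mail ports as text for review; nothing is executed."""
    port_list = ",".join(str(p) for p in ports)
    return [
        f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports {port_list} -j DROP"
        for ip in sorted(ips)
    ]


if __name__ == "__main__":
    hits = brute_forcers(parse_failures(SAMPLE_LOG))
    for ip, n in sorted(hits.items()):
        print(f"{ip}: {n} failed logins")
    print("per /24:", dict(aggregate(hits)))
    print("\n".join(drop_rules(hits)))
```

On the poster's setup the same logic would be fed from /var/log/maillog (and, with a second regex, the FTP and MySQL logs mentioned in the first post) on a cron schedule, and the rendered rules reviewed before being applied; lowering `threshold` or widening `window_seconds` trades faster blocking against the risk of locking out a customer who mistyped a password.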
 