
HUGE SPAM Attack

Discussion in 'Plesk for Linux - 8.x and Older' started by KrazyBob, Aug 10, 2009.

  1. KrazyBob

    KrazyBob Regular Pleskian

    All of my 100+ servers have been under constant attack since last week. zen.spamhaus.org is catching much of the incoming SPAM but they are slamming the servers. But the other issue appears to be an attack on port 25 SMTP. lsof -i :25 shows 50-100 simultaneous connections to port 25 from different IPs. I have blocked entire subnets in our hardware firewall from around the globe from which the attacks are coming but I can't get all of them. They are sequential blocks as well: 114.x.x.x, 115.x.x.x, 116.x.x.x -- 189.x.x.x, 190.x.x.x -- and are hitting all of my servers at one time. Our alarming systems keep sending alert after alert that SMTP is stopping and restarting. I have edited MAXDAEMONS=160 and MAXPERIP=80 just to keep the service from shutting down.

    But what I need is more of a solution to stop the overall problem. Looking at the logs in /var/log shows me that what appears to be brute force attacks on all passworded services are not stopping. FTP, mysql, POP3, SMTP.

    I am running Plesk 8.6 inside of Virtuozzo. Because we're behind a firewall I haven't installed APF or BFD but do have IPTABLES installed.

    Suggestions?
     
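    A defender-side helper, added here and not part of the thread: it takes the kind of `lsof -i :25` snapshot described above (a constructed sample with documentation-range IPs is embedded), counts ESTABLISHED connections per remote address, and prints, without applying, the iptables rules that would drop the heaviest peers, plus a persistent connlimit cap for ports 25 and 110. The function names and thresholds are my own choices.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread): count simultaneous
# SMTP connections per remote IP from an `lsof -i :25` snapshot and print the
# iptables rules that would drop the heaviest peers. Nothing is applied; the
# operator reviews the output first. Assumes IPv4 peers and awk/sort on PATH.

# Constructed sample of `lsof -i :25` output (documentation-range IPs).
SAMPLE_LSOF='COMMAND   PID   USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd   1234   root  5u IPv4  12345      0t0  TCP *:smtp (LISTEN)
smtp_psa 2001 qmaild  0u IPv4  22001      0t0  TCP mail.example.com:smtp->198.51.100.7:4411 (ESTABLISHED)
smtp_psa 2002 qmaild  0u IPv4  22002      0t0  TCP mail.example.com:smtp->198.51.100.7:4412 (ESTABLISHED)
smtp_psa 2003 qmaild  0u IPv4  22003      0t0  TCP mail.example.com:smtp->198.51.100.7:4413 (ESTABLISHED)
smtp_psa 2004 qmaild  0u IPv4  22004      0t0  TCP mail.example.com:smtp->203.0.113.9:50210 (ESTABLISHED)
smtp_psa 2005 qmaild  0u IPv4  22005      0t0  TCP mail.example.com:smtp->203.0.113.9:50211 (ESTABLISHED)
smtp_psa 2006 qmaild  0u IPv4  22006      0t0  TCP mail.example.com:smtp->192.0.2.55:3322 (ESTABLISHED)'

# Print "<count> <ip>" for each remote address, busiest first.
count_smtp_peers() {
    printf '%s\n' "$1" \
      | awk '/ESTABLISHED/ { split($9, a, "->"); split(a[2], b, ":"); n[b[1]]++ }
             END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# Remote addresses holding at least $2 simultaneous connections.
offenders() {
    count_smtp_peers "$1" | awk -v lim="$2" '$1 >= lim { print $2 }'
}

# One targeted DROP rule per offender (printed, not executed).
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -p tcp --dport 25 -s %s -j DROP\n' "$ip"
    done
}

# Persistent per-source cap on new SMTP/POP3 connections ($1 = limit);
# needs the xt_connlimit module, so it complements the snapshot rules above.
baseline_rules() {
    for port in 25 110; do
        printf 'iptables -I INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j DROP\n' "$port" "$1"
    done
}

# Stand-alone run: list the peers and the rules a 3-connection threshold yields.
count_smtp_peers "$SAMPLE_LSOF"
block_rules "$SAMPLE_LSOF" 3
baseline_rules 10
```

    Feed it a live snapshot with `count_smtp_peers "$(lsof -n -i :25)"`; the `-n` keeps lsof from resolving names, which matters when hundreds of peers are connected.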
  2. lvalics

    lvalics Silver Pleskian Plesk Guru

    I still suggest installing APF and BFD on Virtuozzo as well.
     
  3. KrazyBob

    KrazyBob Regular Pleskian

    Thank you. But as I recall BFD requires that APF be installed first and APF wants to see a physical eth port. This KB article discusses the Plesk firewall: http://kb.odin.com/en/875

    But can BFD be installed without APF? What about the Plesk firewall?
     
  4. KrazyBob

    KrazyBob Regular Pleskian

    I guess an even better question is whether or not APF and BFD can just be installed on the hardware node and therefore, any VE's are automatically protected. The HN sees the IP traffic anyway.
     
  5. lvalics

    lvalics Silver Pleskian Plesk Guru

    I have installed APF on a Virtuozzo environment, with some small errors, but I know that IF the Virtuozzo is not configured well, then you will get some errors, which you can usually ignore. We are still studying how to configure Virtuozzo to work well with APF.
     
  6. 64bithost.com

    64bithost.com Regular Pleskian

    Watchguard

    Get a Watchguard x-peak 8500 and install it above your router.

    Take your inbound Ethernet line and put it in port 1.

    Connect the green cable to your Ethernet switch port 48.

    Your spam attack will drop off after you configure your profile.
     
  7. KrazyBob

    KrazyBob Regular Pleskian

    Thank you, but we already have a Watchguard X but do not pay the high annual fee for SPAM protection. It also cannot handle the load but does well as a firewall. With all of the other attacks coming in we need a dedicated SPAM appliance, but they too are very expensive. We rely on SpamAssassin and it does well enough. With so many servers, trying to get too much out of a firewall just means trouble. I can say that Watchguard makes an excellent product. We can handle a couple million packets/s when we get flooded from time to time :) Our provider's Cisco craps out first :)

    The question at hand remains whether or not to put APF and BFD on the Virtuozzo hardware node since it sees all network traffic on the NIC, or to put APF and BFD on the container and not use the Plesk firewall at all. We don't anyway -- the Watchguard contains our policies. It seems that our real issue is brute force attacks that the Watchguard does not see as attacks. It sees them as traffic to port 80, or 8080, or even 8443. But it doesn't see dictionary attacks on 25 or 110. I worry about adding anything to Virtuozzo because after about 5 years of using it with some distaste for their terrible support I don't want to jack things up too bad. APF and BFD are easy enough to remove. But add Plesk to the mix and I wonder...

    But I thank you for a decent attempt at answering the question. It gets frustrating asking only to get someone that doesn't answer the question but tells you to go buy this or that. Or why are you doing that. I like straight answers and you gave one.
     