From owner-freebsd-questions Sun Nov 10 19:15:27 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C9C337B401 for ; Sun, 10 Nov 2002 19:15:22 -0800 (PST)
Received: from mail2.sea.registeredsite.com (mail2.sea.registeredsite.com [66.111.73.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id B244F43E6E for ; Sun, 10 Nov 2002 19:15:21 -0800 (PST) (envelope-from WD@US-Webmasters.com)
Received: from us-webmasters.com (us-webmasters.com [207.159.139.240]) by mail2.sea.registeredsite.com (8.12.5/8.12.5) with ESMTP id gAB3FBKm020532; Sun, 10 Nov 2002 22:15:13 -0500
Received: from xyz.netins.net (desm-04-069.dialup.netins.net [167.142.11.198]) by us-webmasters.com (8.9.3/8.9.3) with ESMTP id TAA04372; Sun, 10 Nov 2002 19:15:07 -0800 (PST)
Message-Id: <5.1.0.14.2.20021110210555.046f49d0@us-webmasters.com>
X-Sender: wd@us-webmasters.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Sun, 10 Nov 2002 21:15:01 -0600
To: Stephen Hovey
From: "W. D."
Subject: Re: How to stop SPAMMER??!
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To:
References: <5.1.0.14.2.20021110034425.04b7c9d0@us-webmasters.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi Stephen, I hope you don't mind, I've CC'd the list as well:

Guys: I locked myself out of my server using the "hosts.allow" script below.
I couldn't get in with SSH, FTP, and *ALL* email was blocked. I changed back
to the old "hosts.allow" and I can get back in, but so are the slimy spammers.
It seems that "hosts.allow" is very powerful--perhaps the way to go. However,
I can't shut off FTP and email for all the other users.

Does anyone have a "ready-to-go" hosts.allow file?
At 08:39 11/10/2002, Stephen Hovey, wrote:
>
>It's a tuffy - why do you have both a sendmail and a qmail entry? you run
>both?

Nope. Nor EXIM. I just wanted them there for the time being. I was
going to delete them once I was sure the script worked.

>
>the only thing I can think of is that ALL: paranoid line if you tried to
>connect from an ip with bad in-addr.arpa/ident - and I don't think this is
>correct form:
>
> ALL : 209.152.117.190 192.0.2.35 : allow

What would work?

>
>
>
>On Sun, 10 Nov 2002, W. D. wrote:
>
>> At 01:14 11/10/2002, Stephen Hovey, wrote:
>> >
>> >Put an entry in /etc/hosts.allow with that domain and DENY.. it will give
>> >them a 550 denied no matter what they try, and/or an entry in
>> >/etc/mail/access
>>
>>
>> Hi Stephen,
>>
>> Well, I tried the 'hosts.allow' route. It seems I've disallowed SSH
>> & FTP for myself now! Assuming I can get into the ISP tomorrow, which are
>> the offending lines below? How can I get back into my own server????

I had to go to the colo and switch back to the old "hosts.allow"

>>
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> #
>> # hosts.allow access control file for "tcp wrapped" applications.
>> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
>> #
>> # NOTE: The hosts.deny file is deprecated.
>> #       Place both 'allow' and 'deny' rules in the hosts.allow file.
>> #       See hosts_options(5) for the format of this file.
>> #       hosts_access(5) no longer fully applies.
>>
>> #  _____                                 _          _
>> # | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
>> # |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
>> # | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
>> # |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
>> #                                    |_|
>> # !!! This is an example! You will need to modify it for your specific
>> # !!! requirements!
>>
>>
>> # Start by allowing everything (this prevents the rest of the file
>> # from working, so remove it when you need protection).
>> # The rules here work on a "First match wins" basis.
>> # Commented out 2002 Nov 10 - WD:
>> # ALL : ALL : allow
>>
>> # Wrapping sshd(8) is not normally a good idea, but if you
>> # need to do it, here's how
>> #sshd : .evil.cracker.example.com : deny
>>
>> # Protect against simple DNS spoofing attacks by checking that the
>> # forward and reverse records for the remote host match. If a mismatch
>> # occurs, access is denied, and any positive ident response within
>> # 20 seconds is logged. No protection is afforded against DNS poisoning,
>> # IP spoofing or more complicated attacks. Hosts with no reverse DNS
>> # pass this rule.
>> ALL : PARANOID : RFC931 20 : deny
>>
>> # Allow anything from localhost. Note that an IP address (not a host
>> # name) *MUST* be specified for portmap(8).
>> ALL : localhost 127.0.0.1 : allow
>> #ALL : my.machine.example.com 192.0.2.35 : allow
>> # Added 2002 Nov. 10 - WD:
>> ALL : 209.152.117.190 192.0.2.35 : allow
>>
>>
>> # To use IPv6 addresses you must enclose them in []'s
>> ALL : [fe80::%fxp0]/10 : allow
>> ALL : [fe80::]/10 : deny
>> ALL : [3ffe:fffe:2:1:2:3:4:3fe1] : deny
>> ALL : [3ffe:fffe:2:1::]/64 : allow
>>
>>
>> # Added 2002 Nov. 10 - WD:
>> # Qmail
>> qmail : localhost : allow
>> #qmail : .nice.guy.example.com : allow
>> #qmail : .evil.cracker.example.com : deny
>> # Added 2002 Nov. 10 - WD
>> qmail : .spaelegance.com : deny
>> qmail : .SpaWeb1.spaelegance.com : deny
>> qmail : .testargeted.com : deny
>> qmail : .tesdaily.com : deny
>> qmail : ALL : allow
>>
>>
>> # Sendmail can help protect you against spammers and relay-rapers
>> sendmail : localhost : allow
>> sendmail : .nice.guy.example.com : allow
>> sendmail : .evil.cracker.example.com : deny
>> # Added 2002 Nov. 10 - WD
>> sendmail : .spaelegance.com : deny
>> sendmail : .SpaWeb1.spaelegance.com : deny
>> sendmail : .testargeted.com : deny
>> sendmail : .tesdaily.com : deny
>> sendmail : ALL : allow
>>
>>
>> # Exim is an alternative to sendmail, available in the ports tree
>> exim : localhost : allow
>> # exim : .nice.guy.example.com : allow
>> # exim : .evil.cracker.example.com : deny
>> # Added 2002 Nov. 10 - WD
>> exim : .spaelegance.com : deny
>> exim : .SpaWeb1.spaelegance.com : deny
>> exim : .testargeted.com : deny
>> exim : .tesdaily.com : deny
>> exim : ALL : allow
>>
>> # Portmapper is used for all RPC services; protect your NFS!
>> # (IP addresses rather than hostnames *MUST* be used here)
>> portmap : 192.0.2.32/255.255.255.224 : allow
>> portmap : 192.0.2.96/255.255.255.224 : allow
>> portmap : ALL : deny
>>
>> # Provide a small amount of protection for ftpd
>> ftpd : localhost : allow
>> ftpd : .nice.guy.example.com : allow
>> ftpd : .evil.cracker.example.com : deny
>> ftpd : ALL : allow
>>
>> # You need to be clever with finger; do _not_ backfinger!! You can easily
>> # start a "finger war".
>> fingerd : ALL \
>>         : spawn (echo Finger. | \
>>          /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
>>         : deny
>>
>> # ntalkd for local chatting
>> ntalkd : 206.40.55.68 : allow
>> ntalkd : 127.0.0.1 : allow
>> # The rest of the daemons are protected.
>> ALL : ALL \
>>         : severity auth.info \
>>         : twist /bin/echo "You are not welcome to use %d from %h."
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>>
>> >
>> >On Sat, 9 Nov 2002, W. D. wrote:
>> >
>> >> Hi folks,
>> >>
>> >> I've got some bozo from:
>> >>
>> >> SpaWeb1.spaelegance.com..auth
>> >>
>> >> doing all kinds of SMTP activity on my FreeBSD server. Does anyone
>> >> know how to stop this? What kind of entry would I add to ipfw?
>> >>
>> >> Does anyone know what vulnerability this might be? How to stop
>> >> permanently?
>> >>
>> >> Here's what I am running:
>> >> FreeBSD 4.4-RELEASE
>> >> Apache/1.3.27 (Unix)
>> >> mod_perl/1.26
>> >> mod_throttle/3.1.2
>> >> PHP/4.2.2
>> >> FrontPage/4.0.4.3
>> >> mod_ssl/2.8.11
>> >> OpenSSL/0.9.6f

Start Here to Find It Fast!© -> http://www.US-Webmasters.com/best-start-page/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
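As an added check (not code from the thread), the following Python script simulates the first-match evaluation of the hosts.allow posted above, so a rule set can be dry-run before it is installed; on the box itself the equivalent check is tcpdmatch(8), and hosts_access(5) does accept a blank-separated client list, so the two-address allow line is valid syntax. The model covers only the ALL, leading-dot domain, net/mask and literal-address client patterns, omits the PARANOID/RFC931, IPv6 and spawn/twist parts, and uses the addresses from the thread plus constructed ones from 198.51.100.0/24.

```python
import ipaddress

# Added example, not from the thread: first-match simulation of the allow/deny
# verdict of the posted hosts.allow. PARANOID/RFC931, the IPv6 rules and the
# spawn/twist options are not modelled; per-daemon "localhost : allow" lines are
# omitted because "ALL : localhost 127.0.0.1 : allow" already covers them.
SPAM = [".spaelegance.com", ".SpaWeb1.spaelegance.com", ".testargeted.com", ".tesdaily.com"]
RULES = [  # (daemon, client patterns, verdict), in file order
    ("ALL", ["localhost", "127.0.0.1"], "allow"),
    ("ALL", ["209.152.117.190", "192.0.2.35"], "allow"),   # the "Added 2002 Nov. 10" line
    ("qmail", SPAM, "deny"), ("qmail", ["ALL"], "allow"),
    ("sendmail", [".nice.guy.example.com"], "allow"),
    ("sendmail", [".evil.cracker.example.com"], "deny"),
    ("sendmail", SPAM, "deny"), ("sendmail", ["ALL"], "allow"),
    ("exim", SPAM, "deny"), ("exim", ["ALL"], "allow"),
    ("portmap", ["192.0.2.32/255.255.255.224", "192.0.2.96/255.255.255.224"], "allow"),
    ("portmap", ["ALL"], "deny"),
    ("ftpd", [".nice.guy.example.com"], "allow"),
    ("ftpd", [".evil.cracker.example.com"], "deny"), ("ftpd", ["ALL"], "allow"),
    ("fingerd", ["ALL"], "deny"),
    ("ntalkd", ["206.40.55.68", "127.0.0.1"], "allow"),
    ("ALL", ["ALL"], "deny"),   # the closing "ALL : ALL : ... twist" rule catches the rest
]

def client_matches(pattern, addr, host):
    """Subset of hosts_access(5) client patterns: ALL, a leading-dot domain
    suffix, net/mask, or a literal address or host name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern.lower() == host.lower()

def decide(daemon, addr, host="unknown"):
    """Return (verdict, rule_number) of the first rule matching daemon and client."""
    for num, (d, patterns, verdict) in enumerate(RULES, 1):
        if d in ("ALL", daemon) and any(client_matches(p, addr, host) for p in patterns):
            return verdict, num
    return "allow", None   # tcpd's default when nothing matches

if __name__ == "__main__":
    checks = [  # the poster's dialup host is taken from the Received: headers above
        ("sshd", "167.142.11.198", "desm-04-069.dialup.netins.net"),
        ("sshd", "209.152.117.190"),
        ("sendmail", "198.51.100.7", "SpaWeb1.spaelegance.com"),   # constructed address
        ("sendmail", "198.51.100.8", "mail.example.net"),          # constructed address
    ]
    for c in checks:
        print(c, "->", decide(*c))
```

Note that `.SpaWeb1.spaelegance.com` with its leading dot matches only names below SpaWeb1, not SpaWeb1 itself; the `.spaelegance.com` rule is what catches it, and any name-based rule only fires when the client's reverse DNS resolves to that name.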