Hi,
for you experts on the matter concerned: what should the
minimal best setup be (or what schools of thought are there, if any)
to best protect our Linux systems?
In particular, as a pressing request, how do I prevent the following
'non ampr' host from being indefinitely connected to my system?
----------------
i0ojj:~$ nslookup 81.174.235.131
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
131.235.174.81.in-addr.arpa name =
Rob;
On Sat, 2015-10-10 at 21:06 +0200, Rob Janssen wrote:
Please MAKE SURE that you block all incoming SNMP
traffic from internet to amprnet!
(especially when you are using community names like "public")
Of course, I have that filtered.
The bad guys use SNMP as an attack amplifier.
One time I moved a switch to another address and it became exposed, and within 3 days I
had an abuse report.
Now I have a general rule that drops all SNMP at our gateway.
That's what I do here: drop all SNMP. However, it doesn't prevent the
incoming floods of frames. You have to actually receive them in order to
drop them, just like amps need to pass 100% through a fuse/breaker to blow
it.
I found the source host and it's been halted. The device was a firewall
of all things.
(of course the real problem is the ISPs that
refuse to implement BCP38, source address filtering)
In this case, the ISP was behind granting their client permission to
attack. Nice policy, eh? Reason: *I* was not their paying customer.
I could pursue negligence if I wanted to push the issue.
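The two gateway rules the thread discusses (drop SNMP arriving from the internet towards amprnet, and BCP38-style source-address filtering) as an added, stand-alone model of the filter decision; this is example code, not anything from the 44net list or its authors. The inside prefix, interface names and sample packets are constructed assumptions, and the byte counter illustrates the point that dropped floods are still received on the link.

```python
import ipaddress
from dataclasses import dataclass

# Assumed inside network (the thread's "amprnet"); adjust to your own allocation.
INSIDE_NETS = [ipaddress.ip_network("44.0.0.0/8")]
SNMP_PORT = 161  # SNMP agent port; replies to spoofed queries are the amplified traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str   # "wan" = arrived from the internet, "lan" = leaving amprnet
    length: int  # bytes on the wire


def is_inside(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def gateway_policy(pkt: Packet) -> tuple:
    """Return ("drop", reason) or ("accept", None) for one packet."""
    if pkt.iface == "wan":
        # Anti-spoofing on ingress: the internet must not claim an inside source.
        if is_inside(pkt.src):
            return ("drop", "spoofed-inside-source")
        # The rule from the thread: no SNMP from the internet into amprnet.
        if pkt.proto == "udp" and pkt.dport == SNMP_PORT and is_inside(pkt.dst):
            return ("drop", "snmp-from-internet")
    else:
        # BCP38 on egress: only our own addresses may leave our network.
        if not is_inside(pkt.src):
            return ("drop", "bcp38-egress")
    return ("accept", None)


def run(packets) -> dict:
    """Count packets and bytes per verdict; dropped bytes were still received."""
    stats = {"accept": [0, 0], "drop": [0, 0]}
    for p in packets:
        verdict, _ = gateway_policy(p)
        stats[verdict][0] += 1
        stats[verdict][1] += p.length
    return stats
```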