* [gentoo-server] Iptables Changes
From: Ajai Khattri @ 2008-09-22 12:16 UTC
To: gentoo-server
After a recent kernel + iptables update I now find that iptables fails to
start with my saved rules. All it says is that the final COMMIT
line fails. Is there a way to troubleshoot this without typing each rule
by hand? Maybe some debug / verbose flag?
--
A
* Re: [gentoo-server] Iptables Changes
From: Ryan Gibbons @ 2008-09-22 12:28 UTC
To: gentoo-server
You should be able to find some information in your log files and possibly dmesg.
My guess is you are missing some modules for iptables in your kernel.
----- Original Message -----
From: "Ajai Khattri" <ajai@bway.net>
To: gentoo-server@lists.gentoo.org
Sent: Monday, September 22, 2008 7:16:06 AM GMT -06:00 US/Canada Central
Subject: [gentoo-server] Iptables Changes
After a recent kernel + iptables update I now find that iptables fails to
start with my saved rules. All it says is that the final COMMIT
line fails. Is there a way to troubleshoot this without typing each rule
by hand? Maybe some debug / verbose flag?
--
A
* Re: [gentoo-server] Iptables Changes
From: Ajai Khattri @ 2008-09-22 12:43 UTC
To: gentoo-server
On Mon, 22 Sep 2008, Ryan Gibbons wrote:
> You should be able to find some information in your log files and possibly dmesg.
>
> My guess is you are missing some modules for iptables in your kernel.
I use connection-tracking and that has changed a lot over the past two
years and become very confusing (as far as kernel configuration goes).
--
A
* Re: [gentoo-server] Iptables Changes
From: Kerin Millar @ 2008-09-22 13:56 UTC
To: gentoo-server
2008/9/22 Ajai Khattri <ajai@bway.net>:
> On Mon, 22 Sep 2008, Ryan Gibbons wrote:
>
>> You should be able to find some information in your log files and
>> possibly dmesg.
>>
>> My guess is you are missing some modules for iptables in your kernel.
>
> I use connection-tracking and that has changed a lot over the past two years
> and become very confusing (as far as kernel configuration goes).
2.6.25 provides a CONFIG_NETFILTER_ADVANCED option which, if not
selected, should ensure that the most commonly used netfilter options
are enabled.
If that option does not appeal then note that the NF_CONNTRACK option
has been renamed to NF_CONNTRACK_ENABLED as of 2.6.25. Here is a list
of options that constitute a set of reasonable/minimal defaults (that
will support connection tracking):
NF_CONNTRACK_IPV4
NF_CONNTRACK_MARK
IP_NF_IPTABLES
IP_NF_FILTER
IP_NF_TARGET_REJECT
IP_NF_TARGET_LOG
NF_NAT
IP_NF_TARGET_MASQUERADE
IP_NF_TARGET_REDIRECT
IP_NF_MANGLE
NF_CONNTRACK_ENABLED
I'd also suggest enabling the IP_NF_TARGET_ULOG option. This may be
used in conjunction with the ulogd package so as to avoid polluting
the kernel ring buffer with netfilter log messages.
Regards,
--Kerin
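A way to check a saved ruleset against the kernel options Kerin lists, as an added example in Python that is not from the thread: it reads an iptables-save dump, infers the CONFIG_ symbols each table, match and target needs, and reports those a kernel config leaves unset. The match/target-to-symbol mapping is my assumption (so is NETFILTER_XT_MATCH_HELPER for "-m helper"), and the sample rules and config are constructed.

```python
"""Check a saved iptables ruleset against the kernel options Kerin lists.

Added example (not from the thread): it reads an iptables-save dump,
infers the CONFIG_ symbols each table, match and target needs, and
reports those a kernel config leaves unset. The match/target-to-symbol
mapping is my assumption, as is NETFILTER_XT_MATCH_HELPER for -m helper."""
import re

# Symbols implied by each "*table" line of the dump (2.6.25-era names).
TABLE_SYMBOLS = {
    "filter": ["IP_NF_IPTABLES", "IP_NF_FILTER"],
    "nat": ["IP_NF_IPTABLES", "NF_NAT", "NF_CONNTRACK_ENABLED", "NF_CONNTRACK_IPV4"],
    "mangle": ["IP_NF_IPTABLES", "IP_NF_MANGLE"],
}
# Symbols implied by "-j TARGET" (assumed mapping).
TARGET_SYMBOLS = {
    "REJECT": ["IP_NF_TARGET_REJECT"],
    "LOG": ["IP_NF_TARGET_LOG"],
    "ULOG": ["IP_NF_TARGET_ULOG"],
    "MASQUERADE": ["IP_NF_TARGET_MASQUERADE", "NF_NAT"],
    "REDIRECT": ["IP_NF_TARGET_REDIRECT", "NF_NAT"],
    "CONNMARK": ["NF_CONNTRACK_MARK"],
}
# Symbols implied by "-m match" (assumed mapping; "helper" is what Ajai was missing).
MATCH_SYMBOLS = {
    "state": ["NF_CONNTRACK_ENABLED", "NF_CONNTRACK_IPV4"],
    "conntrack": ["NF_CONNTRACK_ENABLED", "NF_CONNTRACK_IPV4"],
    "connmark": ["NF_CONNTRACK_MARK"],
    "helper": ["NF_CONNTRACK_ENABLED", "NETFILTER_XT_MATCH_HELPER"],
}
MATCH_RE = re.compile(r"(?:^|\s)(?:-m|--match)\s+(\S+)")
TARGET_RE = re.compile(r"(?:^|\s)(?:-j|--jump)\s+(\S+)")
CONFIG_RE = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=[ym]$")  # "# CONFIG_X is not set" never matches


def required_symbols(rules_text):
    """Map each needed symbol (without CONFIG_) to the dump lines that need it."""
    needed = {}

    def add(symbols, reason):
        for sym in symbols:
            needed.setdefault(sym, set()).add(reason)

    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#:" or line == "COMMIT":
            continue  # comments, chain policies and COMMIT need nothing extra
        if line.startswith("*"):
            add(TABLE_SYMBOLS.get(line[1:], ["IP_NF_IPTABLES"]), line)
            continue
        for m in MATCH_RE.finditer(line):
            add(MATCH_SYMBOLS.get(m.group(1), []), line)
        for m in TARGET_RE.finditer(line):
            add(TARGET_SYMBOLS.get(m.group(1), []), line)
    return needed


def enabled_symbols(config_text):
    """Symbols set to y or m in a .config (or the text of zcat /proc/config.gz)."""
    matches = (CONFIG_RE.match(l.strip()) for l in config_text.splitlines())
    return {m.group(1) for m in matches if m}


def missing_symbols(rules_text, config_text):
    """Needed symbols the config does not enable, each with its offending lines."""
    enabled = enabled_symbols(config_text)
    return {sym: sorted(lines) for sym, lines in required_symbols(rules_text).items()
            if sym not in enabled}


# Constructed sample input: a small saved ruleset and a kernel config that
# lacks NAT and the helper match, so iptables-restore would fail at COMMIT.
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m helper --helper ftp -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT drop: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
SAMPLE_CONFIG = """\
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NF_NAT is not set
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
"""

if __name__ == "__main__":
    for sym, lines in sorted(missing_symbols(SAMPLE_RULES, SAMPLE_CONFIG).items()):
        print("CONFIG_%s is not set; needed by: %s" % (sym, "; ".join(lines)))
```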
* RE: [gentoo-server] Iptables Changes
From: Mark @ 2008-09-22 15:21 UTC
To: gentoo-server
Stop sending me these fucking e-mails... I don't want them so fuck
off!!!!
-----Original Message-----
From: Kerin Millar [mailto:kerframil@gmail.com]
Sent: Monday 22 September 2008 15:56
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] Iptables Changes
2008/9/22 Ajai Khattri <ajai@bway.net>:
> On Mon, 22 Sep 2008, Ryan Gibbons wrote:
>
>> You should be able to find some information in your log files and
>> possibly dmesg.
>>
>> My guess is you are missing some modules for iptables in your kernel.
>
> I use connection-tracking and that has changed a lot over the past two
> years and become very confusing (as far as kernel configuration goes).
2.6.25 provides a CONFIG_NETFILTER_ADVANCED option which, if not
selected, should ensure that the most commonly used netfilter options
are enabled.
If that option does not appeal then note that the NF_CONNTRACK option
has been renamed to NF_CONNTRACK_ENABLED as of 2.6.25. Here is a list
of options that constitute a set of reasonable/minimal defaults (that
will support connection tracking):
NF_CONNTRACK_IPV4
NF_CONNTRACK_MARK
IP_NF_IPTABLES
IP_NF_FILTER
IP_NF_TARGET_REJECT
IP_NF_TARGET_LOG
NF_NAT
IP_NF_TARGET_MASQUERADE
IP_NF_TARGET_REDIRECT
IP_NF_MANGLE
NF_CONNTRACK_ENABLED
I'd also suggest enabling the IP_NF_TARGET_ULOG option. This may be
used in conjunction with the ulogd package so as to avoid polluting
the kernel ring buffer with netfilter log messages.
Regards,
--Kerin
* Re: [gentoo-server] Iptables Changes
From: Andrew Gaffney @ 2008-09-22 15:25 UTC
To: gentoo-server
Mark wrote:
> Stop sending me these fucking e-mails... I don't want them so fuck
> off!!!!
Woah there. Can you remove the stick from your ass and calm down a bit? You're
receiving these emails because you signed up for the mailing list. If you don't
want to be on this mailing list any longer, unsubscribe instead of being an ass.
The address to send an email to in order to unsubscribe is in the headers of
every "fucking e mail" you get from this list. If you still can't figure it out,
please visit http://www.gentoo.org/main/en/lists.xml which has more detailed
instructions.
Thank you, and have a great day.
--
Andrew Gaffney http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer Catalyst/Genkernel + Release Engineering Lead
* Re: [gentoo-server] Iptables Changes
From: Kerin Millar @ 2008-09-22 16:24 UTC
To: gentoo-server
2008/9/22 Mark <atlee@planet.nl>:
> Stop sending me these fucking e-mails... I don't want them so fuck
> off!!!!
I've got a better idea. As this is a subscription-based list, how
about actually taking the advice that you were given upon the first
occasion that you so eloquently complained and unsubscribing yourself,
thereby avoiding the opportunity to achieve a hat-trick by making a
complete and utter ass of yourself in public for the third time
running? The fact is that you - or someone else using your mail
account - subscribed your account to this list. As such, it's your
responsibility to unsubscribe according to the instructions at
http://www.gentoo.org/main/en/lists.xml. Please do feel free to carry
out this procedure at the earliest available opportunity.
Cheers,
--Kerin
* Re: [gentoo-server] Iptables Changes
From: Marko Reiner @ 2008-09-22 16:31 UTC
To: gentoo-server
Kerin Millar wrote:
> 2008/9/22 Mark <atlee@planet.nl>:
>> Stop sending me these fucking e-mails... I don't want them so fuck
>> off!!!!
>
> I've got a better idea. As this is a subscription-based list, how
> about actually taking the advice that you were given upon the first
> occasion that you so eloquently complained and unsubscribing yourself,
> thereby avoiding the opportunity to achieve a hat-trick by making a
> complete and utter ass of yourself in public for the third time
> running? The fact is that you - or someone else using your mail
> account - subscribed your account to this list. As such, it's your
> responsibility to unsubscribe according to the instructions at
> http://www.gentoo.org/main/en/lists.xml. Please do feel free to carry
> out this procedure at the earliest available opportunity.
>
> Cheers,
>
> --Kerin
thank you!
MR
* RE: [gentoo-server] Iptables Changes
From: Mark @ 2008-09-22 16:43 UTC
To: gentoo-server
Blow it out yer arse cunt
-----Original Message-----
From: Marko Reiner [mailto:marko_reiner@hoppix.org]
Sent: Monday 22 September 2008 18:32
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] Iptables Changes
Kerin Millar wrote:
> 2008/9/22 Mark <atlee@planet.nl>:
>> Stop sending me these fucking e-mails... I don't want them so fuck
>> off!!!!
>
> I've got a better idea. As this is a subscription-based list, how
> about actually taking the advice that you were given upon the first
> occasion that you so eloquently complained and unsubscribing yourself,
> thereby avoiding the opportunity to achieve a hat-trick by making a
> complete and utter ass of yourself in public for the third time
> running? The fact is that you - or someone else using your mail
> account - subscribed your account to this list. As such, it's your
> responsibility to unsubscribe according to the instructions at
> http://www.gentoo.org/main/en/lists.xml. Please do feel free to carry
> out this procedure at the earliest available opportunity.
>
> Cheers,
>
> --Kerin
thank you!
MR
* Re: [gentoo-server] Iptables Changes
From: Roger Bumgarner @ 2008-09-22 17:36 UTC
To: gentoo-server
Then use the unsubscribe feature. I'm lazy, so google it, or wait for
someone else to send it to you. It's also supposedly in the email
headers.
-rb
On Mon, Sep 22, 2008 at 9:43 AM, Mark <atlee@planet.nl> wrote:
> Blow it out yer arse cunt
>
> -----Original Message-----
> From: Marko Reiner [mailto:marko_reiner@hoppix.org]
> Sent: Monday 22 September 2008 18:32
> To: gentoo-server@lists.gentoo.org
> Subject: Re: [gentoo-server] Iptables Changes
>
> Kerin Millar wrote:
>> 2008/9/22 Mark <atlee@planet.nl>:
>>> Stop sending me these fucking e-mails... I don't want them so fuck
>>> off!!!!
>>
>> I've got a better idea. As this is a subscription-based list, how
>> about actually taking the advice that you were given upon the first
>> occasion that you so eloquently complained and unsubscribing yourself,
>> thereby avoiding the opportunity to achieve a hat-trick by making a
>> complete and utter ass of yourself in public for the third time
>> running? The fact is that you - or someone else using your mail
>> account - subscribed your account to this list. As such, it's your
>> responsibility to unsubscribe according to the instructions at
>> http://www.gentoo.org/main/en/lists.xml. Please do feel free to carry
>> out this procedure at the earliest available opportunity.
>>
>> Cheers,
>>
>> --Kerin
>
> thank you!
>
> MR
* Re: [gentoo-server] Iptables Changes
From: Thilo Bangert @ 2008-09-22 17:53 UTC
To: gentoo-server
Andrew Gaffney <agaffney@gentoo.org> said:
> because you signed up for the mailing
> list.
Maybe he didn't.
I've heard of cases where spammers used the subscribe address of
mailing lists as envelope sender. An out-of-office reply is sent to the
subscribe address from the target of the spam - the mailing list software
sends a confirmation mail - the autoresponder correctly authorises the
subscription request.
...but then again, that's what you get for sending out-of-office
autoresponses.
Nevertheless, there's no reason to make a fool of oneself.
best regards
Thilo
* Re: [gentoo-server] Iptables Changes
From: Jozef [jonyii] Svec @ 2008-09-23 12:21 UTC
To: gentoo-server
Thilo Bangert wrote:
> Andrew Gaffney<agaffney@gentoo.org> said:
>
>> because you signed up for the mailing
>> list.
>>
>
> Maybe he didn't.
>
> I've heard of cases where spammers used the subscribe address of
> mailing lists as envelope sender. An out-of-office reply is sent to the
> subscribe address from the target of the spam - the mailing list software
> sends a confirmation mail - the autoresponder correctly authorises the
> subscription request.
>
Yeah,
... and he can be unsubscribed the same way ...
I think an email from a fake address (e.g. his) will work for
unsubscribing too.
> ...but then again, that's what you get for sending out-of-office
> autoresponses.
>
> Nevertheless, there's no reason to make a fool of oneself.
>
> best regards
> Thilo
>
S pozdravom / Best regards / Met vriendelijke groet
-------------------------------
Jozef [jonyii] Svec
* [gentoo-server] SPAM protection by requesting confirmation
From: Alex Efros @ 2008-09-23 19:25 UTC
To: gentoo-server
Hi!
On Mon, Sep 22, 2008 at 07:53:57PM +0200, Thilo Bangert wrote:
> I've heard of cases where spammers used the subscribe address of
> mailing lists as envelope sender. An out-of-office reply is sent to the
> subscribe address from the target of the spam - the mailing list software
> sends a confirmation mail - the autoresponder correctly authorises the
> subscription request.
>
> ...but then again, that's what you get for sending out-of-office
> autoresponses.
Sorry for OT, but I want to install a spam-protection tool based on
confirmation email requests (somebody sends me an email, my tool delays that
email and automatically replies requesting confirmation, he confirms, my tool
receives that confirmation and: 1) adds his email to a whitelist; 2) delivers
his initial email to my mailbox). I'm aware of several such tools, but
I'm not sure how they handle incoming emails from other robots, like mailing
lists, or news subscriptions and notifications from websites.
I just don't want to put myself in the position of other people who spam
mailing lists I read with senseless messages from tools like
autoresponders...
Can anybody recommend me a tool which is able to correctly handle these cases?
To be honest, I don't see a way to realize this feature... :(
The ability to protect all accounts at our email domain is good to have, but
a personal-only tool is acceptable too. (I use qmail, if this is important.)
--
WBR, Alex.
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Ramon van Alteren @ 2008-09-23 21:45 UTC
To: gentoo-server
Alex Efros wrote:
> Hi!
>
> On Mon, Sep 22, 2008 at 07:53:57PM +0200, Thilo Bangert wrote:
>> I've heard of cases where spammers used the subscribe address of
>> mailing lists as envelope sender. An out-of-office reply is sent to the
>> subscribe address from the target of the spam - the mailing list software
>> sends a confirmation mail - the autoresponder correctly authorises the
>> subscription request.
>>
>> ...but then again, that's what you get for sending out-of-office
>> autoresponses.
>
> Sorry for OT, but I want to install a spam-protection tool based on
> confirmation email requests (somebody sends me an email, my tool delays that
> email and automatically replies requesting confirmation, he confirms, my tool
> receives that confirmation and: 1) adds his email to a whitelist; 2) delivers
> his initial email to my mailbox). I'm aware of several such tools, but
> I'm not sure how they handle incoming emails from other robots, like mailing
> lists, or news subscriptions and notifications from websites.
>
> I just don't want to put myself in the position of other people who spam
> mailing lists I read with senseless messages from tools like
> autoresponders...
>
> Can anybody recommend me a tool which is able to correctly handle these cases?
> To be honest, I don't see a way to realize this feature... :(
> The ability to protect all accounts at our email domain is good to have, but
> a personal-only tool is acceptable too. (I use qmail, if this is important.)
>
I would recommend not to implement such a tool.
1) I wouldn't send you mail anymore if you made me jump through hoops to
confirm that me is actually I.
2) I personally think it's a stupid way of dealing with the problem
3) I can't see any way to get them to work with lists
1) and 2) are obviously very personally biased & opinionated :-)
Judging from the mail/spam volumes at my work, you might be very happy
if you just implemented grey-listing. This basically tells every new
sender of email (or email-address, depends on implementation) to go and
come back in 5 minutes. It sends a 4xx status code, which tells the
sender that the mailserver is currently unable to accept mail, but will
do so in a short while.
Most greylisting tools automatically whitelist senders if they come back
for a configurable period of time.
Since most spammers, virii and other bogus mailsenders do not implement
a full queueing system to redeliver mail at a later time if they
receive a 4xx response, they bugger off to harass other poor souls on the
internet.
Since most legit mailsenders actually use a mailserver with a queueing
system, they resend the mail within the specified period and mail gets
delivered.
As a bonus, it's absolutely low-impact on your mailserver wrt performance.
Dropped the spam ratio by > 60% for me; the rest is taken care of by the
usual combination of (automated) blacklisting and SpamAssassin.
If you use postfix it is as simple as emerge postgrey and go read the
manual.
Just my 2 cts
Ramon
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Lindsay Haisley @ 2008-09-24 0:13 UTC
To: gentoo-server
On Tue, 2008-09-23 at 23:45 +0200, Ramon van Alteren wrote:
> > Can anybody recommend me a tool which is able to correctly handle these cases?
> > To be honest, I don't see a way to realize this feature... :(
> > The ability to protect all accounts at our email domain is good to have, but
> > a personal-only tool is acceptable too. (I use qmail, if this is important.)
> >
>
> I would recommend not to implement such a tool.
>
> 1) I wouldn't send you mail anymore if you made me jump through hoops to
> confirm that me is actually I.
> 2) I personally think it's a stupid way of dealing with the problem
> 3) I can't see any way to get them to work with lists
Be that as it may, many people use this "circle the wagons" approach to
spam management. I used it for a long time, with good success, although
I had problems with things such as automated replies to online orders
and the like. I had very little problem with people refusing to confirm
their addresses. I used a bypass cookie in my address (e.g.
fmouse-n44xyz@fmp.com) as my Reply-To address which allowed replies
through without encountering the confirmation process. Only people who
cold-emailed me got the confirmation request, which was politely worded
and fairly innocuous. A few technophobic folks were put off by it,
mainly by misunderstanding the clearly worded confirmation request and
thinking their email had been identified as spam.
Check out Tagged Message Delivery Agent (TMDA). It's a Python-based
system that may do what you need.
--
Lindsay Haisley, FMP Computer Services, 512-259-1190, http://www.fmp.com
"In an open world, who needs Windows or Gates"
PGP public key available at http://pubkeys.fmp.com
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Homer Parker @ 2008-09-24 3:14 UTC
To: gentoo-server
On Tue, 2008-09-23 at 22:25 +0300, Alex Efros wrote:
> Sorry for OT, but I want to install a spam-protection tool based on
> confirmation email requests (somebody sends me an email, my tool delays that
> email and automatically replies requesting confirmation, he confirms, my tool
> receives that confirmation and: 1) adds his email to a whitelist; 2) delivers
> his initial email to my mailbox). I'm aware of several such tools, but
> I'm not sure how they handle incoming emails from other robots, like mailing
> lists, or news subscriptions and notifications from websites.
>
> I just don't want to put myself in the position of other people who spam
> mailing lists I read with senseless messages from tools like
> autoresponders...
>
> Can anybody recommend me a tool which is able to correctly handle these cases?
> To be honest, I don't see a way to realize this feature... :(
> The ability to protect all accounts at our email domain is good to have, but
> a personal-only tool is acceptable too. (I use qmail, if this is important.)
Challenge-response sucks, don't do that... Google for more info.
--
Homer Parker <hparker@gentoo.org>
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Oliver Schad @ 2008-09-24 8:51 UTC
To: gentoo-server
On Tuesday, 23 September 2008, Alex Efros wrote to me:
> Sorry for OT, but I want to install a spam-protection tool based on
> confirmation email requests (somebody sends me an email, my tool delays that
> email and automatically replies requesting confirmation, he confirms, my
> tool receives that confirmation and: 1) adds his email to a whitelist; 2)
> delivers his initial email to my mailbox).
Assume both parties use this mechanism. It's pretty funny: every party
waits for confirmation and waits for confirmation of the confirmation
request and waits for the confirmation of the confirmation of the
confirmation request ...
And I don't want to confirm anything to you that a spam robot couldn't
do too.
You could make a whitelist in your spam filter if you know your counterpart.
Regards
Oli
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Thilo Bangert @ 2008-09-24 10:02 UTC
To: gentoo-server
Alex Efros <powerman@powerman.asdfgroup.com> said:
> Hi!
>
> Sorry for OT, but I want to install a spam-protection tool based on
> confirmation email requests (somebody sends me an email, my tool delays that
> email and automatically replies requesting confirmation, he confirms, my
> tool receives that confirmation and: 1) adds his email to a whitelist; 2)
> delivers his initial email to my mailbox). I'm aware of several such
> tools, but I'm not sure how they handle incoming emails from other
> robots, like mailing lists, or news subscriptions and notifications
> from websites.
>
> I just don't want to put myself in the position of other people who spam
> mailing lists I read with senseless messages from tools like
> autoresponders...
>
> Can anybody recommend me a tool which is able to correctly handle these
> cases? To be honest, I don't see a way to realize this feature... :(
> The ability to protect all accounts at our email domain is good to have,
> but a personal-only tool is acceptable too. (I use qmail, if this is
> important.)
Perhaps qconfirm is what you are looking for:
http://smarden.org/qconfirm/
Generally you should ignore all mail which sets the Precedence: bulk
header. As this is non-standard, you should also check for some other
things explained here: http://www.rfc-editor.org/rfc/rfc3834.txt
IMHO, though, concepts like you describe are a bad idea...
kind regards
Thilo
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Matthias Bethke @ 2008-09-24 15:40 UTC
To: gentoo-server
Hi Ramon,
on Tue, Sep 23, 2008 at 11:45:41PM +0200, you wrote:
> I would recommend not to implement such a tool.
>
> 1) I wouldn't send you mail anymore if you made me jump through hoops to
> confirm that me is actually I.
> 2) I personally think it's a stupid way of dealing with the problem
> 3) I can't see any way to get them to work with lists
I agree that this is not a good solution, however there is a pretty
simple rule that would make any such autoresponding tool work with
mailing lists: just don't reply to anything with a "Precedence: bulk"
header. Of course while that's a failsafe way for out-of-office
programs, you'd need to effectively whitelist bulk mails, giving
spammers the possibility of bypassing your filter. They're not very
likely to do that but it's a small part of why this "solution" is
bad.
Once in a while we come across a customer with such a system at work
(ISP abuse dept.), and it's usually not very nice. Our ticket system
sends some notification (like "You've probably been hacked/have a
trojan, check this and that"), the autoresponder comes back with "please
confirm your mail by doing XY", which a) pisses off the operator because
they have to manually check the ticket and b) probably doesn't work
anyway because the ticket system (having an automatically-set
subject and stuff like that) can't do it. So the account will
likely be locked and we just wait for the customer to call.
What you can easily do, in order of personal (well, I don't run my own
mail server any more) preference:
- block dialup ranges
- use IP blacklists like SORBS
- use SpamAssassin, possibly with more blacklists like SURBL
- check DomainKeys and/or SPF headers for scoring
- use greylisting
cheers,
Matthias
--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
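The "don't answer bulk mail" rule Thilo and Matthias describe, as an added example in Python that is not from the thread or from any of the tools named: the checker refuses to auto-reply to anything carrying "Precedence: bulk" (or the "list"/"junk" values used the same way) and applies the RFC 3834 checks as well (an Auto-Submitted header other than "no", a null return path, List-* headers). The header values are standard; the sample messages are constructed.

```python
"""Decide whether an incoming message may get an automatic reply (C/R
challenge, confirmation request, out-of-office).

Added example, not from the thread. It applies the advice above: never
answer mail carrying "Precedence: bulk" (or the "list"/"junk" values
used the same way), plus the RFC 3834 checks: an Auto-Submitted header
other than "no", a null return path, and List-* headers. These decide
only whether to *reply*; as Matthias notes, a forgeable header like
Precedence must not double as a delivery whitelist."""
import email

NO_REPLY_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")


def autoreply_blocker(msg):
    """Return the reason not to auto-reply, or None if a reply is allowed."""
    # RFC 3834 section 2: any Auto-Submitted value except "no" means a robot sent it.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return "Auto-Submitted: " + auto
    # Bounces and delivery notifications use the null reverse path; answering loops.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return "null return path"
    # Non-standard but what list managers send; the check Thilo and Matthias suggest.
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in NO_REPLY_PRECEDENCE:
        return "Precedence: " + precedence
    # RFC 2919/2369 list headers identify list traffic even without Precedence.
    for header in LIST_HEADERS:
        if msg.get(header):
            return header + " header present"
    return None


def should_autoreply(raw):
    """Parse a raw RFC 822 message and return (allowed, reason)."""
    reason = autoreply_blocker(email.message_from_string(raw))
    return reason is None, reason


# Constructed sample messages: a list post, a bounce, a vacation reply, a
# personal mail. Only the last one may be answered.
SAMPLES = {
    "list_post": "Return-Path: <gentoo-server+bounces@example.org>\n"
                 "From: someone@example.net\nTo: gentoo-server@example.org\n"
                 "Subject: [gentoo-server] Iptables Changes\nPrecedence: bulk\n"
                 "List-Id: <gentoo-server.example.org>\n\nbody\n",
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@example.org\n"
              "To: alex@example.com\nSubject: Undelivered Mail Returned to Sender\n\nbody\n",
    "vacation": "From: bob@example.net\nTo: alex@example.com\nSubject: Out of office\n"
                "Auto-Submitted: auto-replied\n\nbody\n",
    "personal": "Return-Path: <carol@example.net>\nFrom: carol@example.net\n"
                "To: alex@example.com\nSubject: Lunch?\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        allowed, reason = should_autoreply(raw)
        print("%-9s reply=%s %s" % (name, allowed, reason or ""))
```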
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Lindsay Haisley @ 2008-09-24 15:58 UTC
To: gentoo-server
On Wed, 2008-09-24 at 10:51 +0200, Oliver Schad wrote:
> Assume both partys use this mechanism. It's pretty funny, every party
> waits for confirmation and waits for confirmation of the confirmation
> request and waits for the confirmation of the confirmation of the
> confirmation request ...
TMDA is quite smart enough to prevent such infinite loops. Check out
the documentation on it if you're interested at
<http://wiki.tmda.net/TmdaDocumentation>.
--
Lindsay Haisley, FMP Computer Services, 512-259-1190, http://www.fmp.com
"We are all broken toasters, but we still manage to make toast" (Cheryl Dehut)
PGP public key available at <http://pubkeys.fmp.com>
* Re: [gentoo-server] Iptables Changes
From: Ajai Khattri @ 2008-09-24 23:05 UTC
To: gentoo-server
On Mon, 22 Sep 2008, Kerin Millar wrote:
I figured this out: I needed the "helper" module enabled and an update of
the iptables packages to load my rules successfully.
--
A
* Re: [gentoo-server] SPAM protection by requesting confirmation
From: Alex Efros @ 2008-09-28 13:21 UTC
To: gentoo-server
Hi!
To everybody in this thread who said "C/R is a bad idea":
While qconfirm and TMDA will work in most cases, I've read the C/R critique
here http://en.wikipedia.org/wiki/Challenge-response_spam_filtering and
agree it's a bad idea in general. I dislike tools like SpamAssassin because
if there's just an "X% chance" something is spam, then it means there's always
a "Y% chance" I'll lose non-spam email. C/R systems have the same issues, but
it's harder to find out that fact.
On Wed, Sep 24, 2008 at 05:40:50PM +0200, Matthias Bethke wrote:
> What you can easily do, in order of personal (well, I don't run my own
> mail server any more) preference:
> - block dialup ranges
> - use IP blacklists like SORBS
> - use SpamAssassin, possibly with more blacklists like SURBL
> - check DomainKeys and/or SPF headers for scoring
> - use greylisting
I'd like to start from the softest algorithm, realized in
http://www.datenklause.de/en/software/qgreylistrbl.html
It does greylisting, but not for everybody - it does it only for hosts
which are either blacklisted in an RBL or look like dialup IPs (using a regex).
This way even hosts blacklisted in an RBL will be able to send me email, but
only if they have a real email queue. This is important for me, because we
all fall into RBLs, without being spammers, for different reasons.
I've tested this tool, and it passed just about 3 spam emails in the last 24 hours.
It's not a problem for me to kill 3 spam emails per day if I have assurance:
_all_ non-spam emails will be delivered to me.
P.S. While I like this tool's algorithm, I don't really like its
realization - I think it should be much simpler and smaller. So I'll try
to rewrite it that way (also in Perl). And prepare an ebuild for
installing it.
--
WBR, Alex.
* Re: [gentoo-server] SPAM protection by requesting confirmation
2008-09-28 13:21 ` Alex Efros
@ 2008-09-28 13:26 ` Alex Efros
2008-09-28 19:41 ` Homer Parker
1 sibling, 0 replies; 39+ messages in thread
From: Alex Efros @ 2008-09-28 13:26 UTC (permalink / raw
To: gentoo-server
Hi!
On Sun, Sep 28, 2008 at 04:21:22PM +0300, Alex Efros wrote:
> only if they have a real email queue. This is important for me, because we
> all fall into RBLs, without being spammers, for different reasons.
It should be read as:
we all fall into RBLs from time to time, without being spammers
--
WBR, Alex.
* Re: [gentoo-server] SPAM protection by requesting confirmation
2008-09-28 13:21 ` Alex Efros
2008-09-28 13:26 ` Alex Efros
@ 2008-09-28 19:41 ` Homer Parker
2008-09-28 20:02 ` Alex Efros
1 sibling, 1 reply; 39+ messages in thread
From: Homer Parker @ 2008-09-28 19:41 UTC (permalink / raw
To: gentoo-server
On Sun, 2008-09-28 at 16:21 +0300, Alex Efros wrote:
> Hi!
>
> To everybody in this thread who said "C/R is a bad idea":
>
> While qconfirm and TMDA will work in most cases, I've read the C/R critique
> here http://en.wikipedia.org/wiki/Challenge-response_spam_filtering and
> agree it's a bad idea in general. I dislike tools like SpamAssassin because
> if there is just an "X% chance" something is spam, then it means there is always
> a "Y% chance" I'll lose non-spam email. C/R systems have the same issues, but
> it's harder to find out that fact.
A properly set up spamassassin doesn't lose mail, it sticks it in a
quarantine that you can go through and look for false positives
(spamassassin and amavisd-new make it pretty easy).. Never accept mail
that doesn't get delivered somewhere.. But, even a properly set up C/R
system adds to the problem by spamming the forged sender with the C/R
request.. If you ever get Joe Jobbed with a dictionary attack at a site
using C/R you will be busting out some null routes, iptables DROP,
filtering in your router, something.. Joe Jobs are bad enough with those
that accept and bounce (another no-no, see above about accepting mail
you're not going to deliver), C/R just adds to it..
--
Homer Parker <hparker@gentoo.org>
* Re: [gentoo-server] SPAM protection by requesting confirmation
2008-09-28 19:41 ` Homer Parker
@ 2008-09-28 20:02 ` Alex Efros
2008-09-28 21:07 ` Homer Parker
0 siblings, 1 reply; 39+ messages in thread
From: Alex Efros @ 2008-09-28 20:02 UTC (permalink / raw
To: gentoo-server
Hi!
On Sun, Sep 28, 2008 at 02:41:59PM -0500, Homer Parker wrote:
> quarantine that you can go through and look for false positives
First, normal mail will not be delivered in a timely manner, just because it will
be in quarantine, and usually people don't check quarantine even once
per day.
Second, normal mail will be lost, because while checking quarantine and
looking for false positives some normal mail will not be detected, because
it's hard enough work and people make mistakes.
And last, if I check quarantine every few hours, I'll handle not so
many spam messages and chances are I won't delete normal mail by mistake.
Yeah. But, in this case, what's the difference between using tools like
SpamAssassin and not using these tools at all and still handling all this
spam mail every few hours inside the "inbox" instead of the "quarantine"?
--
WBR, Alex.
* Re: [gentoo-server] SPAM protection by requesting confirmation
2008-09-28 20:02 ` Alex Efros
@ 2008-09-28 21:07 ` Homer Parker
2008-09-28 21:49 ` Alex Efros
0 siblings, 1 reply; 39+ messages in thread
From: Homer Parker @ 2008-09-28 21:07 UTC (permalink / raw
To: gentoo-server
On Sun, 2008-09-28 at 23:02 +0300, Alex Efros wrote:
> Hi!
>
> On Sun, Sep 28, 2008 at 02:41:59PM -0500, Homer Parker wrote:
> > quarantine that you can go through and look for false positives
>
> First, normal mail will not be delivered in a timely manner, just because it will
> be in quarantine, and usually people don't check quarantine even once
> per day.
Mine mails the lowest 100 scoring spams (I use the defaults of tag at
5, quarantine at 10.. And the end user can adjust that how they see fit)
in the quarantine daily, and the subscribers appreciate looking that
over rather than not having a usable Inbox. (I do domain hosting)
> Second, normal mail will be lost, because while checking quarantine and
> looking for false positives some normal mail will not be detected, because
> it's hard enough work and people make mistakes.
As it will get lost in an Inbox full of spam.. Spamassassin quarantines
2500-3000 spams a week on one of my accounts, I'd lose lots of legit
email if that was in my Inbox... That said, I don't remember digging one
out of the quarantine in a very long time, I do get some forwarded jokes
tagged because it's been forwarded 10 times or something.. I can live
with that..
> And last, if I check quarantine every few hours, I'll handle not so
> many spam messages and chances are I won't delete normal mail by mistake.
> Yeah. But, in this case, what's the difference between using tools like
> SpamAssassin and not using these tools at all and still handling all this
> spam mail every few hours inside the "inbox" instead of the "quarantine"?
In my case it's a usable Inbox vs 2500-3000 spams a week clogging it
up.. Spamassassin isn't a fire and forget piece of software.. You need
to train bayes, keep rules updated, write rules, etc... I hear
bogofilter is decent as well, might look into it.. But there's no way I
could handle using email without filtering to a quarantine..
--
Homer Parker <hparker@gentoo.org>
* Re: [gentoo-server] SPAM protection by requesting confirmation
2008-09-28 21:07 ` Homer Parker
@ 2008-09-28 21:49 ` Alex Efros
0 siblings, 0 replies; 39+ messages in thread
From: Alex Efros @ 2008-09-28 21:49 UTC (permalink / raw
To: gentoo-server
Hi!
On Sun, Sep 28, 2008 at 04:07:49PM -0500, Homer Parker wrote:
> In my case it's a usable Inbox vs 2500-3000 spams a week clogging it
> up.. Spamassassin isn't a fire and forget piece of software.. You need
> to train bayes, keep rules updated, write rules, etc... I hear
> bogofilter is decent as well, might look into it.. But there's no way I
> could handle using email without filtering to a quarantine..
I don't really understand your point. :(
I use my own deliver tool http://powerman.name/soft/deliver.html to filter
spam using hand-made Perl regular expressions applied to any email headers
and content, using any logic expressions like:
To(qr/powerman@/) and Cc(qr/powerman@.*powerman@/)
(some time ago, after saying "fuck off" to some young spammer who
registered in our IT social network and tried to discuss "why sending
spam is good for fun and profit", I started receiving stupid spam, with
my email in the To: field and twice again in the Cc: field... I think his idea
was to deliver 3 spam messages instead of 1 to my inbox, but it all
was filtered with the simple rule shown above)
I carefully write and support these rules, and I'm sure they will never
match normal email. So, matched emails are just dropped, without quarantine.
This solved the spam issue for me for years. But in the last months I receive
about 20-50 spam messages every day, and it isn't clear to me how to
write regular expressions for that spam - every message is too different
from the others, and rules for filtering them have a chance to match normal
mail.
Probably it's because I've had to publish my email on several websites
related to IT, because I work as a freelancer and should provide a way
for new customers to contact me.
And most spam I receive now tries to mask itself as an IT-related message.
Looks like greylisting will turn these 20-50 spam messages into 2-5
messages per day. This amount of spam is acceptable to have in the inbox
without any quarantine.
So, if it isn't clear FOR ME how to filter that spam with regular
expressions and full Perl power in my hands, then HOW can SpamAssassin do
this? Sadly, Bayes isn't a silver bullet and can't solve this either.
IMHO, SpamAssassin and Bayes are good only for people who choose between
two bad things: either they will be unable to handle MOST of their mail
because of the huge amount of spam, or they will be unable to handle SOME mail
(with a low enough and, for them, acceptable probability) because it will be
automatically killed as spam or lost in quarantine. Your tuning of the
spam weight/score which is acceptable for the inbox, acceptable for quarantine
and acceptable to kill immediately is just tuning of the chance you'll
lose normal mail - you make it larger or smaller, but never 0%!
Maybe if I receive 3000 spam messages per week which I'm unable to filter with my
custom rules, then I will install SpamAssassin and agree to have a
small chance to lose some mail from time to time... maybe... but I'm not
sure and anyway will try to find another solution first (like greylisting).
But for now I can't agree with any chance to lose mail which is higher than 0%!
--
WBR, Alex.
* Re: [gentoo-server] iptables && fail2ban
2009-08-02 9:17 ` [gentoo-server] iptables && fail2ban mrfroasty
@ 2009-08-01 9:53 ` Kerin Millar
2009-08-02 11:24 ` mrfroasty
0 siblings, 1 reply; 39+ messages in thread
From: Kerin Millar @ 2009-08-01 9:53 UTC (permalink / raw
To: gentoo-server
2009/8/2 mrfroasty <mrfroasty@gmail.com>:
> Hello,
>
> I have set up iptables and fail2ban, but I am curious that this line of
> defense seems not to work and ban me if I do this:
> #wget ftp://mysql:xxxx@fileserver
>
> I have seen a script kiddie doing that and the firewall just didn't respond to
> him, or at least there was nothing in the logs saying he had been banned when he tried that.
> The firewall does ban or respond if I do this:
> #wget ftp://foo:pass@fileserver
>
> Probably he could have been banned if he had used a different user, but not
> mysql... I am confused... any clue? :-D
You haven't provided any pertinent background information (ftp daemon
in use, log message which is expected to trigger action, details of
the fail2ban filter and so forth), which makes it rather difficult to
take a view. My guess is that the particular filter you are using
contains a regex which matches log messages from the daemon which
convey only an invalid user, rather than an authentication failure in
general. If so, you would need to adjust the filter - or add an
additional one - so as to cover both cases.
As a side note, do be careful when crafting the regular expressions
that form the basis of the filter. The slightest mistake can
potentially result in the tool being open to attack itself via log
injection. For more information on this topic, search for
"attacking-loganalysis.html" via Google and view the cached copy; the
original article seems to have disappeared from the ossec.net site.
Cheers,
--Kerin
* Re: [gentoo-server] iptables && fail2ban
2009-08-02 11:24 ` mrfroasty
@ 2009-08-01 18:06 ` Homer Parker
2009-08-03 21:42 ` mrfroasty
` (2 more replies)
0 siblings, 3 replies; 39+ messages in thread
From: Homer Parker @ 2009-08-01 18:06 UTC (permalink / raw
To: gentoo-server
On Sun, 2009-08-02 at 13:24 +0200, mrfroasty wrote:
> Actually we are talking about the proftpd daemon analysed using
> /var/log/auth.log.
You can play with fail2ban-regex and see what it thinks.
--
Homer Parker <hparker@gentoo.org>
* Re: [gentoo-server] iptables && fail2ban
2008-09-22 12:28 ` Ryan Gibbons
2008-09-22 12:43 ` Ajai Khattri
@ 2009-08-02 9:17 ` mrfroasty
2009-08-01 9:53 ` Kerin Millar
1 sibling, 1 reply; 39+ messages in thread
From: mrfroasty @ 2009-08-02 9:17 UTC (permalink / raw
To: gentoo-server
Hello,
I have set up iptables and fail2ban, but I am curious that this line of
defense seems not to work and ban me if I do this:
#wget ftp://mysql:xxxx@fileserver
I have seen a script kiddie doing that and the firewall just didn't respond to
him, or at least there was nothing in the logs saying he had been banned when he tried that.
The firewall does ban or respond if I do this:
#wget ftp://foo:pass@fileserver
Probably he could have been banned if he had used a different user, but not
mysql... I am confused... any clue? :-D
Thanks...
GR
mrfroasty
--
Extra details:
OSS:Gentoo Linux
profile:x86
Hardware:msi geforce 8600GT asus p5k-se
location:/home/muhsin
language(s):C/C++,VB,VHDL,bash,PHP,SQL,HTML,CSS
Typo:40WPM
url:http://www.mzalendo.net
* Re: [gentoo-server] iptables && fail2ban
2009-08-01 9:53 ` Kerin Millar
@ 2009-08-02 11:24 ` mrfroasty
2009-08-01 18:06 ` Homer Parker
0 siblings, 1 reply; 39+ messages in thread
From: mrfroasty @ 2009-08-02 11:24 UTC (permalink / raw
To: gentoo-server
Hello Kerin,
Thanks for the pointer, I will take my time in searching for that
"attacking-loganalysis".
Actually we are talking about the proftpd daemon analysed using
/var/log/auth.log.
Here is the /var/log/auth.log that is supposed to trigger a BAN on fail2ban:
Jul 31 23:43:41 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:41 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - USER mysql (Login failed): Incorrect password.
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - Maximum login attempts (3) exceeded, connection refused
Jul 31 23:43:42 fileserver proftpd[28423]: fileserver.mzalendo.net (124.205.130.15[124.205.130.15]) - FTP session closed.
And here is the filter check, using the regular expression, that actually confirms
how it has been missed:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf | grep 124.205.130.15
Is it a normal routine that users have to tweak those filters?
GR
mrfroasty
* Re: [gentoo-server] iptables && fail2ban
2009-08-01 18:06 ` Homer Parker
@ 2009-08-03 21:42 ` mrfroasty
2009-08-08 14:40 ` Ajai Khattri
2009-08-08 20:20 ` mrfroasty
2009-08-08 20:36 ` mrfroasty
2 siblings, 1 reply; 39+ messages in thread
From: mrfroasty @ 2009-08-03 21:42 UTC (permalink / raw
To: gentoo-server; +Cc: hparker
I have already played with it and concluded that fail2ban missed it... in
my previous mail it's mentioned that
#fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf | grep 124.205.130.15
Nothing in the output, which means it has just missed banning this guy.
Kerin did mention that this is an issue with the regex, that it captures
the guy who played with an unknown user and not the case where a user tried 3
times.
Honestly, I would love to solve the issue as this is obviously
not the intention.
The idea was to BAN any IP regardless of whether the user is defined on the box
or not.
P.S.
I haven't looked at those filters yet; I have been on holiday since yesterday, so
probably tomorrow I will get time to check if I can get my hands dirty
on this subject.
GR
mrfroasty
* Re: [gentoo-server] iptables && fail2ban
2009-08-08 20:36 ` mrfroasty
@ 2009-08-08 1:07 ` Steve Dommett
0 siblings, 0 replies; 39+ messages in thread
From: Steve Dommett @ 2009-08-08 1:07 UTC (permalink / raw
To: gentoo-server
On Saturday 08 August 2009, mrfroasty wrote:
> I have applied this and tested it; it looks like it's working better. Found in
> the ubuntu forums...
>
Yes, they look much more adequate.
I don't run an FTP server myself, but I notice that fail2ban (0.8.3 at least)
on Gentoo already includes those rules in /etc/fail2ban/filter.d/proftpd.conf
You just need to enable that particular config in the [proftpd-iptables]
section of /etc/fail2ban/jail.conf
Cheers,
Steve.
* Re: [gentoo-server] iptables && fail2ban
2009-08-03 21:42 ` mrfroasty
@ 2009-08-08 14:40 ` Ajai Khattri
0 siblings, 0 replies; 39+ messages in thread
From: Ajai Khattri @ 2009-08-08 14:40 UTC (permalink / raw
To: gentoo-server
On Mon, 3 Aug 2009, mrfroasty wrote:
> I have already played with it and concluded that fail2ban missed it... in
> my previous mail it's mentioned that
>
> #fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/proftpd.conf | grep 124.205.130.15
>
> Nothing in the output, which means it has just missed banning this guy.
Personally, I'm nervous about any tool that modifies my carefully
configured firewall, so I use denyhosts instead.
--
A
* Re: [gentoo-server] iptables && fail2ban
2009-08-01 18:06 ` Homer Parker
2009-08-03 21:42 ` mrfroasty
@ 2009-08-08 20:20 ` mrfroasty
2009-08-08 23:07 ` paul kölle
2009-08-08 20:36 ` mrfroasty
2 siblings, 1 reply; 39+ messages in thread
From: mrfroasty @ 2009-08-08 20:20 UTC (permalink / raw
To: gentoo-server
I finally got my hands on the subject, but I am not in a position to
play with regular expressions.
REGEX:
#failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
This captures only these kinds of logs in auth.log:
#Aug 6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net (202.102.135.54[202.102.135.54]) - USER !@#$%^&*: no such user found from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21
It misses this:
#Aug 7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net (gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.
Anyone with a smarter regex interested in sharing it with me?
I will see if I can learn regex and try to manipulate these expressions.
Thanks
GR
mrfroasty
* Re: [gentoo-server] iptables && fail2ban
2009-08-01 18:06 ` Homer Parker
2009-08-03 21:42 ` mrfroasty
2009-08-08 20:20 ` mrfroasty
@ 2009-08-08 20:36 ` mrfroasty
2009-08-08 1:07 ` Steve Dommett
2 siblings, 1 reply; 39+ messages in thread
From: mrfroasty @ 2009-08-08 20:36 UTC (permalink / raw
To: gentoo-server
I have applied this and tested it; it looks like it's working better. Found in
the ubuntu forums...
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
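To see concretely what the two filter versions in this thread catch, here is an added Python check (not fail2ban's code and not from any post in the thread) that expands <HOST> the way fail2ban does and applies each failregex to constructed proftpd lines modelled on the ones posted above. It assumes a simplified <HOST> expansion, a re.search per log line, and maxretry=3; host names and addresses are placeholders.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# expansion is broader, e.g. it also tolerates an IPv6-mapped prefix).
HOST_RE = r"(?P<host>[\w\-.]+)"

# The single stock pattern quoted in the thread: it only sees "no such user".
OLD_FAILREGEX = [
    r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$",
]

# The replacement set posted later in the thread.
NEW_FAILREGEX = [
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$",
    r"\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$",
    r"\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$",
    r"USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$",
]

# Constructed proftpd log lines modelled on the ones posted in the thread;
# host names and addresses are placeholders, not real systems.
SAMPLE_LOG = """\
Aug  6 22:25:59 fileserver proftpd[18234]: fileserver.example.net (203.0.113.54[203.0.113.54]) - USER !@#$%^&*: no such user found from 203.0.113.54 [203.0.113.54] to 192.168.1.34:21
Aug  7 20:47:18 fileserver proftpd[23323]: fileserver.example.net (desktop.example.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.
Aug  7 20:47:18 fileserver proftpd[23323]: fileserver.example.net (desktop.example.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.
Aug  7 20:47:19 fileserver proftpd[23323]: fileserver.example.net (desktop.example.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.
Aug  7 20:47:19 fileserver proftpd[23323]: fileserver.example.net (desktop.example.net[192.168.1.33]) - Maximum login attempts (3) exceeded, connection refused
Aug  7 20:47:19 fileserver proftpd[23323]: fileserver.example.net (desktop.example.net[192.168.1.33]) - FTP session closed.
"""


def compile_failregex(patterns):
    """Expand <HOST> in each filter line, as fail2ban does before compiling."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, compiled):
    """Return the host captured by the first pattern that matches, else None.

    Assumption: like fail2ban-regex, each pattern is searched anywhere in the
    line, so a pattern does not have to account for the syslog prefix.
    """
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(log_text, patterns):
    """Tally matched lines per host; this is what fail2ban compares to maxretry."""
    compiled = compile_failregex(patterns)
    counts = {}
    for line in log_text.splitlines():
        host = match_line(line, compiled)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_to_ban(counts, maxretry=3):
    """Hosts that reached maxretry failures (3 is an assumed jail setting)."""
    return sorted(h for h, n in counts.items() if n >= maxretry)


def unmatched_lines(log_text, patterns):
    """Lines no pattern matched. This exposes a gap in the posted set: the
    "Maximum login attempts" pattern is anchored on "exceeded$", so proftpd's
    trailing ", connection refused" text keeps it from matching."""
    compiled = compile_failregex(patterns)
    return [l for l in log_text.splitlines() if match_line(l, compiled) is None]


if __name__ == "__main__":
    for name, pats in (("old", OLD_FAILREGEX), ("new", NEW_FAILREGEX)):
        counts = count_failures(SAMPLE_LOG, pats)
        print(name, counts, "ban:", hosts_to_ban(counts))
    for line in unmatched_lines(SAMPLE_LOG, NEW_FAILREGEX):
        print("unmatched:", line)
```

With the old single pattern the three "Incorrect password" lines for 192.168.1.33 count for nothing, which is exactly the miss reported above; with the new set that host reaches three failures while the "no such user" line is still caught.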
* Re: [gentoo-server] iptables && fail2ban
2009-08-08 20:20 ` mrfroasty
@ 2009-08-08 23:07 ` paul kölle
2009-09-14 19:17 ` Arturo 'Buanzo' Busleiman
0 siblings, 1 reply; 39+ messages in thread
From: paul kölle @ 2009-08-08 23:07 UTC (permalink / raw
To: gentoo-server
mrfroasty schrieb:
> I finally got my hands on the subject, but I am not in a position to
> play with regular expressions.
>
> REGEX:
> #failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
>
> This captures only these kinds of logs in auth.log:
> #Aug 6 22:25:59 fileserver proftpd[18234]: fileserver.mzalendo.net (202.102.135.54[202.102.135.54]) - USER !@#$%^&*: no such user found from 202.102.135.54 [202.102.135.54] to 192.168.1.34:21
>
> It misses this:
> #Aug 7 20:47:18 fileserver proftpd[23323]: fileserver.mzalendo.net (gendesktop.mzalendo.net[192.168.1.33]) - USER mysql (Login failed): Incorrect password.
>
> Anyone with a smarter regex interested in sharing it with me?
> I will see if I can learn regex and try to manipulate these expressions.
Not really. IMO all these brute-force polling log watchers are pretty bad
design. If proftpd uses pam you should search for pam_shield; it can
recognize failed logins and insert the appropriate rules into your firewall.
cheers
Paul
* Re: [gentoo-server] iptables && fail2ban
2009-08-08 23:07 ` paul kölle
@ 2009-09-14 19:17 ` Arturo 'Buanzo' Busleiman
2009-09-15 7:27 ` Paul Kölle
0 siblings, 1 reply; 39+ messages in thread
From: Arturo 'Buanzo' Busleiman @ 2009-09-14 19:17 UTC (permalink / raw
To: gentoo-server
paul kölle wrote:
> Not really. IMO all these brute-force polling log watchers are pretty bad
> design. If proftpd uses pam you should search for pam_shield; it can
> recognize failed logins and insert the appropriate rules into your
> firewall.
You've just stated a particular set of cases: applications that do auth and support pam.
fail2ban is also used with fastcgi, lighttpd, apache, mod_security, nagios, etc, etc, etc.
and polling is the fallback method....
anyway, subjective opinion here, I'm one of the fail2ban developers :P - don't take me seriously.
--
Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net
* Re: [gentoo-server] iptables && fail2ban
2009-09-14 19:17 ` Arturo 'Buanzo' Busleiman
@ 2009-09-15 7:27 ` Paul Kölle
0 siblings, 0 replies; 39+ messages in thread
From: Paul Kölle @ 2009-09-15 7:27 UTC (permalink / raw
To: gentoo-server
On Mon, Sep 14, 2009 at 9:17 PM, Arturo 'Buanzo' Busleiman
<buanzo@buanzo.com.ar> wrote:
> paul kölle wrote:
>> Not really. IMO all these brute-force polling log watchers are pretty bad
>> design. If proftpd uses pam you should search for pam_shield; it can
>> recognize failed logins and insert the appropriate rules into your
>> firewall.
>
> You've just stated a particular set of cases: applications that do auth and support pam.
>
> fail2ban is also used with fastcgi, lighttpd, apache, mod_security, nagios, etc, etc, etc.
>
> and polling is the fallback method....
>
> anyway, subjective opinion here, I'm one of the fail2ban developers :P - don't take me seriously.
Sorry man, I didn't want to bash your work. Of course pam_shield is
limited to pam-enabled apps, but in those cases it's better suited as it
can actually tell if there was a failed *login*. I hope we can agree
here ;)
cheers
Paul