Hi,

On Fri, Jul 12, 2024 at 09:44:09PM +0200, Marco Moock via mailop wrote:
> Am 12.07.2024 um 12:36:10 Uhr schrieb Mark E. Jeftovic:
> > You'd need to be able to break down which unit is generating the spam.
> 
> I think abuse reports will be fine for that.

We typically want to identify the problem before abuse reports start
coming in, as that can take hours to days and waiting will
potentially allow hundreds of thousands of incidents of abuse.

> You can use outgoing logging only for the port 25 (e.g. Cisco ACL
> permit <src-IP> any eq 25 log

Similarly netflow is one option. We export details of outbound SYN
packets for setting up port 22 and 25 connections. An abnormal rate
of this (i.e. abnormal per-customer rate of SSH/SMTP session
creation) triggers alerts for a human to look into.

You also need to make customers aware of this because some
legitimate uses of a VM will trigger it, such as penetration testing
their own or their client's infrastructure, or doing a big email
marketing campaign etc. It's fairly obvious if they have a big rate
of connections to few IPs of a known email service provider; less so
if they are doing the outbound mail themselves, which is rare but
does happen. So they need to know to communicate their extreme
deviations from the norm otherwise we would be too scared to ever
take action.

For us it is done with perl scripts querying an SQL database of
ulogd2 data for the outbound port 22/25 SYN packets from the
nftables firewall on each of our hypervisors.

    https://netfilter.org/projects/ulogd/index.html

This could of course be extended to catch other forms of automated
abuse but we haven't found it happens too often outside of SSH and
SMTP. Most incidents are our customers being compromised by
extremely simple brute force scanning efforts, not bad actors
signing up. I'm sure big platforms are more targeted.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
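The per-customer SYN-rate check Andy describes above (count outbound SYNs to ports 22 and 25 per source, alert on an abnormal rate, and give the human enough context to tell "many sessions to a few ESP hosts" apart from "wide fan-out"), as an added example that is not BitFolk's perl or ulogd2 setup. It is written in Python rather than perl, reads a constructed, space-separated log layout ("timestamp src dst dport flags") that is an assumption about how a logging target could be configured rather than ulogd2's actual default format, and the sample addresses, window size and thresholds are all constructed.

```python
"""Per-customer outbound SSH/SMTP SYN-rate alerting over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {22, 25}
WINDOW_SECONDS = 300      # 5-minute buckets (constructed; tune to your fleet)
SYN_THRESHOLD = 50        # new sessions per source, per port, per window (constructed)
FANOUT_THRESHOLD = 20     # distinct destinations above which it looks like scanning (constructed)
EPOCH = datetime(1970, 1, 1)


def make_sample_log():
    """Constructed sample log, one packet per line: 'timestamp src dst dport flags'.
    The field layout is an assumption, not ulogd2's actual default output."""
    base = datetime(2024, 7, 12, 10, 0, 0)
    lines = []
    # 192.0.2.10: compromised guest brute-forcing SSH, 60 SYNs to 60 different hosts
    for i in range(60):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 192.0.2.10 203.0.113.{i + 1} 22 SYN")
    # 192.0.2.20: legitimate bulk mail through a known ESP, 80 SYNs to only 3 MX hosts
    for i in range(80):
        lines.append(f"{(base + timedelta(seconds=i * 2)).isoformat()} 192.0.2.20 198.51.100.{i % 3 + 1} 25 SYN")
    # 192.0.2.30: normal guest, a handful of SMTP sessions plus unrelated traffic
    for i in range(5):
        lines.append(f"{(base + timedelta(seconds=i * 30)).isoformat()} 192.0.2.30 198.51.100.9 25 SYN")
    lines.append(f"{base.isoformat()} 192.0.2.30 198.51.100.9 25 ACK")   # not a new session
    lines.append(f"{base.isoformat()} 192.0.2.30 198.51.100.9 443 SYN")  # not a watched port
    return lines


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def aggregate(lines, window_seconds=WINDOW_SECONDS):
    """Count outbound SYNs to watched ports per (window, src, dport) and keep the
    set of destinations so fan-out can be judged later."""
    stats = defaultdict(lambda: {"syns": 0, "dsts": set()})
    for line in lines:
        ts, src, dst, dport, flags = parse_line(line)
        if dport not in WATCHED_PORTS or flags != "SYN":
            continue
        bucket = (ts - EPOCH) // timedelta(seconds=window_seconds)
        entry = stats[(bucket, src, dport)]
        entry["syns"] += 1
        entry["dsts"].add(dst)
    return stats


def find_alerts(lines, syn_threshold=SYN_THRESHOLD, fanout_threshold=FANOUT_THRESHOLD):
    """Return one alert per (window, src, port) whose SYN count reaches the threshold.
    'pattern' labels many-sessions-to-few-hosts (typical of bulk mail via an ESP)
    versus wide fan-out (typical of a compromised guest scanning), which is the
    context a human needs before contacting the customer."""
    alerts = []
    for (bucket, src, dport), entry in sorted(aggregate(lines).items()):
        if entry["syns"] < syn_threshold:
            continue
        fanout = len(entry["dsts"])
        alerts.append({
            "src": src,
            "port": dport,
            "syns": entry["syns"],
            "distinct_dsts": fanout,
            "pattern": "wide fan-out" if fanout >= fanout_threshold else "few destinations",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(make_sample_log()):
        print(f"{alert['src']} port {alert['port']}: {alert['syns']} SYNs to "
              f"{alert['distinct_dsts']} hosts ({alert['pattern']})")
```

Both the SSH scanner and the bulk mailer cross the raw-rate threshold, which matches the point in the mail that a threshold alone cannot separate them; the destination count is what lets the on-call person see at a glance that one guest is talking to three MX hosts and the other to sixty unrelated addresses. In production the SYN records would come from the ulogd2-backed SQL table instead of the constructed lines, and the thresholds would be derived from each customer's own history rather than fixed constants.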
