On Tue, Aug 27, 2002 at 04:11:21PM +0300, Mika Boström wrote:
> > Karl Breitner wrote:
> > >Welcome to the world of SPAMfighting
> > Our new server has an official IP since last Saturday, and no domain
> > name pointing to it yet besides a dyndns-account I abused for testing
> > purpose. Within these three days of operation I had several persons
> > trying to get access to our (non-public) FTP service as well as some
> > probes for the usual IIS-holes that Nimda & Co. like to abuse. How will
> > that be if we will be publicly online and "known" through our regular
> > domains? brrr.... :)
>
> Simple. Random IP-address block scans. Having the box live on the 'net
> alone guarantees that it will get some random hits. Prepare to see a lot more
> of them from here on.
>
> Script-kiddies, trying to find suitable hosts for their mass exploitation
> tools. Worms, eagerly propagating on their own means; and spammers
> (spammerbots?) trying to find open relays they could abuse.
>
> The only thing you can do is to make damn certain your box does not become
> part of the problem.
I'll add to that: make sure you actually check your logs. I use syslog-ng to bring all essential realtime logging to a hardened server; I also run logcheck for hourly reports; snort for attack detection; tiger for security auditing; fascist iptables firewalling on all externally reachable machines; and of course tripwire for after-the-fact intrusion detection. It's a jungle out there, lad.
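As an added illustration of the "check your logs" advice above (example code written for this page, not from the thread or from any of the tools it names): a small Python summariser that runs over constructed sample log lines and tags the sources behind the FTP login attempts and IIS-worm probes the thread describes. It assumes a BSD-ftpd-style "FTP LOGIN FAILED FROM host, user" syslog message and Apache combined-format access log lines; the probe paths are the ones the Nimda/Code Red worm family requested.

```python
import re
from collections import defaultdict

# Paths requested by the Nimda / Code Red family of IIS worms. Seeing them on a
# non-IIS box is a cheap, low-false-positive way to tag scanner traffic.
IIS_PROBE_PATHS = ("/scripts/root.exe", "/c/winnt/system32/cmd.exe",
                   "/d/winnt/system32/cmd.exe", "/default.ida", "/msadc/root.exe")

# Assumed log shapes (constructed for this example, not from the original thread).
FTP_FAIL_RE = re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (\S+?),")
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

# Constructed sample: one source hammering FTP, one Nimda-style web scanner,
# and one ordinary user who fat-fingered a password once.
SAMPLE_LOG = """\
Aug 27 14:02:11 gw ftpd[2231]: FTP LOGIN FAILED FROM 203.0.113.45, anonymous
Aug 27 14:02:13 gw ftpd[2233]: FTP LOGIN FAILED FROM 203.0.113.45, ftp
Aug 27 14:02:15 gw ftpd[2235]: FTP LOGIN FAILED FROM 203.0.113.45, admin
Aug 27 14:03:40 gw ftpd[2240]: FTP LOGIN FAILED FROM 192.0.2.10, karl
198.51.100.9 - - [27/Aug/2002:14:05:01 +0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
198.51.100.9 - - [27/Aug/2002:14:05:02 +0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.10 - - [27/Aug/2002:14:06:10 +0300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""


def summarize(lines, threshold=3):
    """Return {ip: {"ftp_failures": n, "iis_probes": n}} for every source that
    reached `threshold` FTP failures or sent at least one IIS worm probe."""
    stats = defaultdict(lambda: {"ftp_failures": 0, "iis_probes": 0})
    for line in lines:
        m = FTP_FAIL_RE.search(line)
        if m:
            stats[m.group(1)]["ftp_failures"] += 1
            continue
        m = HTTP_RE.match(line)
        if m and any(m.group(2).lower().startswith(p) for p in IIS_PROBE_PATHS):
            stats[m.group(1)]["iis_probes"] += 1
    # Drop sources that never crossed a threshold so the hourly report stays short.
    return {ip: c for ip, c in stats.items()
            if c["ftp_failures"] >= threshold or c["iis_probes"] > 0}


if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:16} ftp_failures={counts['ftp_failures']} iis_probes={counts['iis_probes']}")
```

Feeding the output into the blocklist of a host firewall is the usual next step; the threshold keeps a single mistyped password from landing a legitimate user there.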