Baselines and potential responses

I’m trying to get a baseline of activity from the logs. My MiaB server is a host on the internet so, of course, there is going to be some garbage traffic. Plenty of it just has to be ignored as one-off recon or scripts incrementing their way across the internet trying to execute whatever vulnerability.

I’m noticing another type of log entry which I’ll call “statistical research.” It isn’t super surprising as plenty of research organizations are certainly taking aggregate information and digesting or publishing it for whatever reason.

However, there comes a tipping point when the volume of queries for statistical analysis turns into “monitoring.”

So, I’m considering a blocking strategy and/or things to monitor and I figured I’d solicit feedback on things you’ve done that you found useful.

Thanks.


If you are interested in my own logs…

The mail log has 5 days of history so far. And one host stands out more than others.

cat mail.log | tr -s " " | grep -v anvil | grep 34.227.19.103  | cut -d" " -f6-30 | sort | uniq -c
116 connect from starttls-virginia.securing-email.com[34.227.19.103]
116 disconnect from starttls-virginia.securing-email.com[34.227.19.103] ehlo=2 starttls=1 quit=1 commands=4

A general overview of some other smtp scanners by looking through the logs:

scans 24x per day: starttls-virginia.securing-email.com

every day: proofpoint.com, censys-scanner.com, monitoring.internet-measurement.com

every other day: scan-10.shadowserver.org

first two days: scan-42.security.ipip.net

one day: netsystemsresearch.com

My experience is this can turn into a cat-and-mouse game that ultimately consumes more time than it saves.

I don’t really think a reduction of 116 requests over a five day period is going to result in relieving some meaningful amount of resources.

That said, maybe if you figure something out, you can submit your solution to the project for consideration. But be sure to work on this for a while, as you may discover that once blocked, they just change the domain slightly, or the IP address, or something.

This sounds like reductive reasoning presented under the unhelpful guise of a value judgement. It’s a disappointing response.

I ask questions about things I don’t know. I understand recon (optimize attacks by probing beforehand). I understand attempted break-ins (use the system for some other purpose). I understand statistics (data and research are great). But why monitoring? Seriously. I understand why I would want to monitor my system. I want CIA, but why would someone else want to monitor my system? They aren’t maintaining it. They don’t even know how to contact me if this was some benevolent act. Sure they can contact abuse, but do they know I read it? They certainly didn’t send a message to any of the RFC 2142 addresses to tell me what they are doing beforehand. It’s fishy. They also do this from an anonymous Amazon address.

This domain has no references. It doesn’t host a web page to tell me what they are studying which is more weird. Yet every hour it connects. So, the only thing I’ve got to go on is that I have no idea who these people are or what they are looking for and this, most often, falls into the bad actor category.

So, I’ll tell you what I think and why I think this is the most valuable use of your time. What are they getting on a SMTP connection? If they asked once, then we might assume they were doing recon on server versions/configurations, or checking for open relays to send spam. But they check EVERY HOUR.

What is something you could get every hour? A key? A new key generated every hour. So, we need to ask ourselves WHY does getting a new key matter? Well, it shouldn’t. We should be using sufficient entropy. But what if they know something we don’t? One key every hour isn’t exhausting my entropy pool. But what if that is the test? What if they are looking for a busy mail server that is so busy it uses all its entropy and then generates weak crypto after that? What if they are recording keys and timestamps to make a prediction about the underlying system? OR, worst case, what if they have found a flaw such that they can use an old key to foil perfect forward secrecy. They would need an original key.

This is not FUD or general doom and gloom, just speculation on the behavior of a bad actor because we’ve seen some spectacularly sophisticated bad actors. PRISM and XKEYSCORE siphoned up data not because people were interesting, but they wanted to look through it after the fact. Honestly, this attack seems a bit lazy to be the feds. I would have expected THEM to perform this function across many hosts to blend into background noise, but someone is doing it. And the great thing about lazy scumbags is that it is easier to study them.

So, I have a reasonable suspicion that this is a bad actor. I have logs with which to start a baseline. I can respond in any number of ways.

I could block this attacker at L4 by manually adding them to iptables. I could look for smtp connections that don’t pass mail and chart these over time looking for patterns. I might block such smtp connections after they reach a threshold and age them out. I could report these IPs to their service provider. I could write a watchdog to monitor my entropy pool and alert me if it goes below a certain value. I could suspend services (like smtp) if the entropy pool goes to zero. I could install a hardware entropy generator. The possibilities are only limited to our ingenuity.

I don’t think I need anyone’s “help” per se. In fact I didn’t specifically care about this particular attacker when I posted. I already have a few ideas on what to do with him.

What I wanted was to see what other members were doing. I thought someone here might have already started a baseline, given odd log entries some thought and I was looking to chat about what you found useful.
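As an added example (not from any poster in this thread), here is one way to turn the baseline idea from the original post and the “smtp connections that don’t pass mail, counted against a threshold” idea above into code. It parses Postfix smtpd disconnect lines, treats a session that never issued MAIL as a probe, and reports per IP how many such sessions occurred and across how many distinct hours. The log lines, threshold and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in postfix/smtpd "disconnect" format (not real log data).
SAMPLE_LOG = """\
Mar  3 00:02:11 box postfix/smtpd[2319]: disconnect from starttls-virginia.securing-email.com[34.227.19.103] ehlo=2 starttls=1 quit=1 commands=4
Mar  3 01:02:09 box postfix/smtpd[2402]: disconnect from starttls-virginia.securing-email.com[34.227.19.103] ehlo=2 starttls=1 quit=1 commands=4
Mar  3 01:15:40 box postfix/smtpd[2410]: disconnect from mail-out.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar  3 02:02:13 box postfix/smtpd[2477]: disconnect from starttls-virginia.securing-email.com[34.227.19.103] ehlo=2 starttls=1 quit=1 commands=4
Mar  3 02:30:01 box postfix/smtpd[2480]: disconnect from unknown[198.51.100.7] ehlo=1 quit=1 commands=2
"""

# Syslog timestamp, host, smtpd pid, then "disconnect from host[ip] counters..."
DISCONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"disconnect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\] (?P<counters>.*)$"
)

def parse_disconnects(text):
    """Yield (hour, host, ip, counters) for every smtpd disconnect line."""
    for line in text.splitlines():
        m = DISCONNECT.match(line)
        if not m:
            continue
        counters = {}
        for tok in m.group("counters").split():
            key, _, val = tok.partition("=")
            # Postfix writes accepted/total (e.g. mail=0/1) when a command was
            # rejected; the total is what tells us the command was issued at all.
            counters[key] = int(val.split("/")[-1])
        hour = m.group("ts")[:-3]  # drop ":MM" -> "Mar  3 01"
        yield hour, m.group("host"), m.group("ip"), counters

def probe_sessions(text, threshold=3):
    """Return {ip: (host, sessions, distinct_hours)} for IPs whose sessions
    never issued MAIL FROM and that reached the threshold."""
    per_ip = defaultdict(lambda: {"host": "", "n": 0, "hours": set()})
    for hour, host, ip, counters in parse_disconnects(text):
        if counters.get("mail", 0) > 0:
            continue  # a real delivery attempt, not a probe
        rec = per_ip[ip]
        rec["host"], rec["n"] = host, rec["n"] + 1
        rec["hours"].add(hour)
    return {ip: (r["host"], r["n"], len(r["hours"]))
            for ip, r in per_ip.items() if r["n"] >= threshold}

if __name__ == "__main__":
    for ip, (host, n, hours) in probe_sessions(SAMPLE_LOG).items():
        print(f"{ip} ({host}): {n} mail-less sessions across {hours} distinct hours")
```

Run it against the real file with `probe_sessions(open("/var/log/mail.log").read())`; a host that shows up once per hour with no MAIL command is what the thread calls monitoring, whereas one-off probes fall under the threshold.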

Please be more respectful in your tone to users of this forum.

My post is in no way judging anything.

This is a support forum. Most users posting here are new to server administration, and you are new to posting in the forum.

It is normal for new users to review logs and be suspicious, so I shared with you my own personal experience on the matter, but without making any assumption about your actual level of experience. If my post was not useful, that is fine, but responding with some long rant is not going to generate productive or useful discussion.

Talking about a “value judgment” is no slight. It’s a “subjective evaluation” and is about the equivalent of saying you have an opinion. And I equate your statement “in my experience” to an opinion. So I can’t say I see a problem here.

In my own defense I think my “rant” is a pretty cogent overview of looking for anomalies and responding. It is in keeping with my original question, just not your conclusion. My overview was a touch lengthy, but when you don’t know the experience level of the audience it is often necessary.

As to calling my review of the issue a “rant,” that seems like a rebuke for saying I found your opinion unhelpful. I did not mean what makes you up as a person is unhelpful, but I think you pigeonholed the topic to two conclusions which was, in my opinion, unhelpful. I felt (as the alpha geek in the forums) expressing your contrary opinion (on a narrow interpretation YOU made on my post but I did not) pretty much labeled the problem for everyone else and shut down the topic.

Ironically, I thought this topic was going to be fun. I thought folks would share weird things in their logs. I figured there might be some interesting solutions. I thought it would be interesting and community building.

I have definitely not had fun and I can’t say it improved the community. I regret any hurt feelings. I like MiaB and I wish everyone on the forums well.

I think I’ll explore this topic on some postfix forums.

Hello @granitenoon,

Though you didn’t mention it specifically in your OP another example is shodan.io … perhaps they scan the internet from another domain, I do not know. Shodan.io as well as censys-scanner.com are data miners.

An example of the data Shodan.io collects is to be found here in relation to MiaB:

Interesting - we are going on 24,000 unmodified MiaB installs - :slight_smile: