[Dshield] Re: list Digest, Vol 25, Issue 24

pingtampa pingtampa at yahoo.com
Sun Jan 30 05:37:42 GMT 2005


Hi Team:
 
I am setting up a mail server and firewall for a major US operation in Dubai, United Arab Emirates. I would welcome mail server best practices for implementation/configuration. Any pointers in this regard would be appreciated.
 
Cheers,
Alfie 
CTO
HGC Group

wrote:
Send list mailing list submissions to
list at lists.dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
http://www.dshield.org/mailman/listinfo/list
or, via email, send a message with subject or body 'help' to
list-request at lists.dshield.org

You can reach the person managing the list at
list-owner at lists.dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of list digest..."


Today's Topics:

1. Re: Rise in version.bind scans? (Frank Knobbe)
2. Re: Local DNS RBL (Pete Cap)
3. Johannes in the news...again (Joel Esler)
4. Re: Local DNS RBL (David Cary Hart)


----------------------------------------------------------------------

Message: 1
Date: Wed, 26 Jan 2005 11:32:47 -0600
From: Frank Knobbe 
Subject: Re: [Dshield] Rise in version.bind scans?
To: General DShield Discussion List 

Message-ID: <1106760767.872.19.camel at localhost>
Content-Type: text/plain; charset="us-ascii"

On Sat, 2005-01-15 at 08:34 -0500, Joel Esler wrote:
> I've noticed @ work, and now at home that there seems to be an increase 
> in version.bind scans. CHAOS? version.bind is the string (who hasn't 
> seen that before ;) but there seems to be a lot more of them than there 
> used to be.

The answer to this scan appears to be on the front page of today's ISC
(Internet Storm Center) diary ;)

Was this done by hackers in possession of a 0-day exploit, or perhaps
initiated by ISC (Internet Systems Consortium) to check what the level
of exposure is -- how many vulnerable versions are in the wild -- in
order to build a risk model that could further assist in the timing of
the patch release? Conspiracy theorists rejoice.

Cheers,
Frank

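A version.bind probe is a TXT query for the name version.bind in the CHAOS class, which BIND answers with its version string unless told not to. The script below is an added example, not part of the digest or of anyone's post: it parses BIND querylog-style lines and counts CHAOS identity probes per source so a rise like the one Joel describes shows up as a list of scanning hosts. The log lines are constructed for this example (the "client IP#port: query: name class type" layout follows BIND 9's querylog category, but check your own log format), and the threshold of two probes is an arbitrary assumption.

```python
"""Count CHAOS-class identity probes (version.bind etc.) per source in BIND query logs.

Added example; log lines are constructed here, not taken from a real server.
"""
import re
from collections import Counter

# Constructed sample lines in the style of BIND 9 querylog output.
SAMPLE_LOG = """\
26-Jan-2005 11:02:13.412 client 192.0.2.10#42814: query: version.bind CH TXT + (10.0.0.1)
26-Jan-2005 11:02:13.901 client 198.51.100.7#53012: query: www.example.com IN A + (10.0.0.1)
26-Jan-2005 11:02:14.003 client 192.0.2.10#42815: query: VERSION.BIND CH TXT + (10.0.0.1)
26-Jan-2005 11:02:15.117 client 203.0.113.5#1027: query: version.bind CH TXT + (10.0.0.1)
26-Jan-2005 11:02:16.220 client 192.0.2.10#42816: query: hostname.bind CH TXT + (10.0.0.1)
26-Jan-2005 11:02:17.330 client 198.51.100.7#53013: query: mail.example.com IN MX + (10.0.0.1)
"""

# Tolerates both the older "client IP#port:" prefix and the newer
# "client @0x... IP#port (qname):" prefix that later BIND 9 releases emit.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Names BIND answers under the CHAOS class with server identity information.
CHAOS_IDENTITY_NAMES = {"version.bind", "hostname.bind", "id.server", "version.server"}


def parse_query_log(text):
    """Yield (src_ip, qname, qclass, qtype) for every line the regex understands."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield (m["src"], m["qname"].lower().rstrip("."),
                   m["qclass"].upper(), m["qtype"].upper())


def chaos_probes_by_source(text):
    """Count CHAOS TXT queries for identity names, keyed by source address."""
    counts = Counter()
    for src, qname, qclass, qtype in parse_query_log(text):
        if qclass == "CH" and qtype == "TXT" and qname in CHAOS_IDENTITY_NAMES:
            counts[src] += 1
    return counts


def flag_scanners(text, threshold=2):
    """Sources at or above the probe threshold, most active first."""
    counts = chaos_probes_by_source(text)
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in flag_scanners(SAMPLE_LOG):
        print(f"{src}: {n} CHAOS identity probes")
```

To see what your own server gives away, query it the way the scanners do: `dig @your-nameserver version.bind txt chaos +short`. Setting `version "not disclosed";` (any string, or `none`) in the `options` block of named.conf makes BIND return that text instead of its real version; the probes still arrive, but they no longer tell a scanner which builds to target.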

------------------------------

Message: 2
Date: Wed, 26 Jan 2005 15:32:38 -0800 (PST)
From: Pete Cap 

Subject: Re: [Dshield] Local DNS RBL
To: General DShield Discussion List 

Message-ID: <20050126233238.86688.qmail at web52408.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii


--- Frank Knobbe wrote:
> While on the subject of blocking, I always snicker
> when people preach
> the "deny-all-allow-what-is-required" firewall
> mantra, but then turn
> around and selectively block countries they think
> are hostile. Why not
> block them all, and only allow certain, friendly
> networks???

Hi Frank,

It's a valid question. The short answer is, the list
of good guys out there on the net is still a lot
longer than the list of bad guys (although maybe this
is not so clearly defined when a "good" host can be a
"bad" host if it's part of a botnet). On the other
hand, the list of necessary services is short, and the
list of wholly unnecessary services is very long.

Furthermore, the purpose of a server is to do a few
things for a lot of people. Therefore, denying all
but a few activities (web traffic for the web server,
etc.) but allowing as many people as possible makes
sense.

The original poster suggested that there is a close
correlation between "bad activity" and certain
countries. I'm not convinced that this is the
case--the vast majority of the garbage hitting my
firewall is being relayed by hosts within the US. 
Sure, I get the most interesting toys from Chinese
websites, but that doesn't make China the main
culprit. So far as I have seen, hacking activity
seems closely related to the global distribution of
the IPv4 netspace, which means that it makes more
sense to work on securing your server than to work on
blocking on a nation-by-nation basis.

Just my two cents,

Regards,
Pete





------------------------------

Message: 3
Date: Fri, 28 Jan 2005 13:22:20 -0500
From: Joel Esler 
Subject: [Dshield] Johannes in the news...again
To: General DShield Discussion List 

Message-ID: <1106936540.27952.70.camel at localhost.localdomain>
Content-Type: text/plain

http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=59100379


------------------------------

Message: 4
Date: Fri, 28 Jan 2005 20:19:23 -0500
From: David Cary Hart 
Subject: Re: [Dshield] Local DNS RBL
To: General DShield Discussion List 

Message-ID: <1106961564.25479.34.camel at dch.TQMcube.com>
Content-Type: text/plain

On Wed, 2005-01-26 at 15:32 -0800, Pete Cap wrote:
> --- Frank Knobbe wrote:
> >
> The original poster suggested that there is a close
> correlation between "bad activity" and certain
> countries. I'm not convinced that this is the
> case--the vast majority of the garbage hitting my
> firewall is being relayed by hosts within the US. 

That may be. However, close to 100% of the email that I receive from
Korea, China and Taiwan is spam. Even if that amounted to only 15% of
the total (and it is considerably more), it is logical to block those
areas entirely with whitelisting where required.

The US is a different story. Much of the spam generated in the US and
Canada is routed through proxies, exploitable servers and dynamic IPs.
Again, the strategy is similar. Virtually 100% of the mail I receive via
dynamic IPs is going to be spam. Therefore, it makes perfect sense to
block as much dynamic space as I can while relying on SORBS et al to
take care of the open relays and proxies and exploitable servers.

Ultimately, though, the trick is to carefully monitor what is being
blocked.

The correlation that I made was between spam and the spread of viruses. 
________________________________________________________________________
Total Quality Management - A Commitment to Excellence
http://www.TQMcube.com
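The policy David describes has three layers with a fixed order of precedence: a whitelist that always wins, a reject for whole countries or dynamic-IP ranges, and a DNSBL such as SORBS for open relays and proxies, with everything that is rejected written to a log so the blocking can be monitored. The following is an added example of that evaluation order, not code from the post or from any MTA. The GeoIP lookup and the DNS resolver are passed in as callables and replaced here by constructed dictionaries so it runs offline; the zone name dnsbl.example.net, the whitelisted partner range and the country codes are all assumptions for the demonstration (a real deployment would point the zone at the list you actually use, e.g. dnsbl.sorbs.net, and the lookup at your GeoIP database).

```python
"""Whitelist -> country block -> DNSBL evaluation for an SMTP client address.

Added example; all lookup data below is constructed for an offline run.
"""
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL expects: 192.0.2.77 -> 77.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 DNSBL lookups only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def evaluate(ip, *, whitelist, blocked_countries, country_of, dnsbl_zone, resolve_a):
    """Return (action, reason). Whitelist wins, then country block, then DNSBL listing."""
    addr = ipaddress.ip_address(ip)
    for net in whitelist:
        if addr in net:
            return ("accept", f"whitelisted by {net}")
    cc = country_of(ip)
    if cc in blocked_countries:
        return ("reject", f"country {cc} blocked")
    listed = resolve_a(dnsbl_query_name(ip, dnsbl_zone))  # A record means listed
    if listed:
        return ("reject", f"listed in {dnsbl_zone} ({listed})")
    return ("accept", "no policy matched")


# ---- constructed data standing in for GeoIP and a real DNSBL ----
WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]   # assumed partner range
BLOCKED_COUNTRIES = {"KR", "CN", "TW"}                  # the countries named in the post
FAKE_GEO = {
    "203.0.113.9": "KR",      # whitelisted partner inside a blocked country
    "198.51.100.20": "CN",    # blocked by country
    "192.0.2.77": "US",       # US host that a DNSBL lists (constructed listing below)
    "192.0.2.78": "US",       # clean US host
}
FAKE_DNSBL = {"77.2.0.192.dnsbl.example.net": "127.0.0.10"}  # constructed listing


def demo_decisions():
    """Run every constructed client through the policy and return ip -> (action, reason)."""
    return {
        ip: evaluate(
            ip,
            whitelist=WHITELIST,
            blocked_countries=BLOCKED_COUNTRIES,
            country_of=lambda i: FAKE_GEO.get(i, "ZZ"),
            dnsbl_zone="dnsbl.example.net",
            resolve_a=lambda name: FAKE_DNSBL.get(name),
        )
        for ip in FAKE_GEO
    }


def reject_log(results):
    """One line per rejection, for the blocked-mail report that makes the policy reviewable."""
    return [f"{ip} reject {reason}" for ip, (action, reason) in results.items() if action == "reject"]


if __name__ == "__main__":
    for line in reject_log(demo_decisions()):
        print(line)
```

The whitelist check runs before the country test on purpose: the partner at 203.0.113.9 is accepted even though the GeoIP data says KR, which is the "whitelisting where required" the post relies on. Keeping the reason string in every decision is what lets you review what is being blocked rather than discovering a false positive when a customer complains.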



------------------------------



End of list Digest, Vol 25, Issue 24
************************************
