24-Jan-2011

More malicious attempts blocked at the gate
I expected it to happen: when one network is blocked, attempts will come from another source. So in the course of a few days, I blocked a few more subnets. It seems to help, since the number of alerts dropped, and accessing the site is more constant and stable. I'm working on a method to report on abusive access – no matter in what way: DoS, spam, FTP store, HTTP(S) attempts to break into software I don't run (or on a different location). And then I'll be able to publish them…
One package, though, needs closer attention, as I think changing its location to ReadOnly is troublesome; I need some advice from the specialists in that area. But I removed a possible cause of trouble – judging by its name, I suspect it was – and cleaned up quite a lot of rubbish that it must have left behind. Also, the users I previously disabled have now been deleted, and the caches cleared.

(The Dutch railways offer Internet in some of the fast trains – free until 2012, according to their site. That's where I wrote this entry.)

19-Jan-2011

Bandwidth management
My son bought a laptop some weeks ago and now he's consuming all bandwidth downloading. At some point the software he uses had over 4000 sessions open, causing a severe access problem – both from outside and inside. Most of this traffic seems to be outgoing – synchronisation, probably?
First, I squeezed the number of sessions from his laptop to a max of 200 – that helped somewhat, but the outgoing traffic still took almost all available space on the 1 Mb channel. So this evening, I limited his upload bandwidth to 200 Kb – and that caused his download speed to be much lower as well.
This shows immediately in the traffic graph:

Drop in traffic when bandwidth filters set

Stupid program ….
Another side effect is that the SYSLOG file grows VERY FAST. Where it used to take a few days – or a week – to exceed 25,000 blocks, now it took just several hours… Each day, the log grows by 125,000 blocks. This squeezing may decrease the growth as well – less traffic means fewer entries.
Space is not a real issue, but I’ll have to keep a keen eye on the size…
Blocking abuser
Another ability the router / firewall offers is blocking access from specific addresses – or subnets. That allows me to block a complete subnet: 69.25.7.0. This network offers the possibility of DoS attacks over Trace_rt – which does occur severely at times, overfilling my mailbox with the number of alerts due to these attempts from the network, from addresses ending in a multiple of 4. We'll see what happens next. Of course, this blocking is logged.
BTW: The owner – according to WHOIS – has been notified of the abuse. But I didn't receive confirmation – yet.
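As an added example (not the router's own blocking logic, which the post does not show), the same decision in plain Python: check alert sources against a list of blocked networks and count alerts per /24 so a whole subnet can be blocked at once. The /24 prefix on 69.25.7.0 is an assumption, since the post only names the network; the alert addresses are constructed for the example and are not real log data.

```python
"""Added example: check alert source addresses against blocked subnets and
summarise which /24 generates the most alerts.

Not the router's own logic (the page does not name the router).  The /24
on 69.25.7.0 is an assumption; the post only gives the network address.
"""
import ipaddress
from collections import Counter

# Assumed: the network named in the post, taken as a /24.
BLOCKED = [ipaddress.ip_network("69.25.7.0/24")]

# Constructed sample of alert source addresses (not real log data).
# 192.0.2.0/24 is the TEST-NET-1 documentation range.
ALERT_SOURCES = [
    "69.25.7.4", "69.25.7.8", "69.25.7.12", "69.25.7.4",
    "69.25.8.4",                              # neighbouring /24: must NOT match
    "192.0.2.17", "192.0.2.17", "192.0.2.33",
]


def is_blocked(addr, blocked=BLOCKED):
    """True if addr falls inside any of the blocked networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocked)


def alerts_per_slash24(sources):
    """Count alerts per /24 so the noisiest network can be blocked as a
    whole instead of address by address."""
    counts = Counter()
    for src in sources:
        net = ipaddress.ip_network(f"{src}/24", strict=False)  # host bits masked off
        counts[str(net)] += 1
    return counts


def last_octet_multiple_of_4(addr):
    """The post observes that the abusing hosts end in a multiple of 4;
    a quick check for that pattern on a single address."""
    return int(addr.rsplit(".", 1)[1]) % 4 == 0


def split_alerts(sources, blocked=BLOCKED):
    """Partition alert sources into (caught by the block list, still reaching us)."""
    hit = [s for s in sources if is_blocked(s, blocked)]
    miss = [s for s in sources if not is_blocked(s, blocked)]
    return hit, miss


if __name__ == "__main__":
    hit, miss = split_alerts(ALERT_SOURCES)
    print(f"blocked at the gate: {len(hit)}, still passing: {len(miss)}")
    for net, n in alerts_per_slash24(ALERT_SOURCES).most_common():
        print(f"{net:20} {n}")
```

The `strict=False` in `alerts_per_slash24` is what turns a host address into its containing /24; without it `ip_network` refuses an address with host bits set. The neighbouring 69.25.8.4 entry is there to show the block does not bleed into the next /24.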
Disk trouble – continued
I got a message from the recovery firm that the disk heads and platters are in such a state that, even with the current replacement of the head assembly, it was almost impossible to retrieve any real data… But not all is lost; there still is a chance that data can be recovered. But it will take some time and effort. Luckily it is both fixed price and no-cure-no-pay. If they succeed, the UK holiday report can be extended with the tracking data (meaning I may have to re-generate and re-install the album, but that's just a matter of a few minutes :).
The replacement disk – 320 GB – has been installed and initialized, so I'm still better off in terms of storage space.
Spam decrease
A few days ago I learned that a server that was heavily used by spam-sending botnets was taken offline last month. That explains the drop in the number of spam messages, a decrease I have observed as well. But as expected, it is gradually rising again…

01-Jan-2011

Maintenance
Though it is a new year – for which I wish my readers all the best – it's also the beginning of a new month, so I had the system save its log files. The job also collects the mail statistics for the previous month:
PMAS statistics for December
Total messages    :   5390 = 100.0 o/o
DNS Blacklisted   :    545 =  10.1 o/o (Files: 31)
Relay attempts    :   3926 =  72.8 o/o (Files: 30)
Accepted by PMAS  :    919 =  17.0 o/o (Files: 31)
 Handled by explicit rule
        Rejected :    198 =  21.5 o/o (processed),   3.6 o/o (all)
        Accepted :    350 =  38.0 o/o (processed),   6.4 o/o (all)
 Handled by content
       Discarded :    109 =  11.8 o/o (processed),   2.0 o/o (all)
    Quarantained :    235 =  25.5 o/o (processed),   4.3 o/o (all)
       Delivered :     27 =   2.9 o/o (processed),    .5 o/o (all)

I still have to do the count of the relay attempts by hand:
05-Dec     19
06-Dec    288
07-Dec    813
09-Dec    120
12-Dec    203
13-Dec    202
19-Dec   1225
22-Dec    107
23-Dec    165
27-Dec    768
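As an added example (not the monthly job from the post, and not PMAS's own reporting), here is the hand count above done by script: parse a mail log, tally relay attempts per day, and recompute the percentage split shown in the statistics table. The log layout is an assumption, since the page does not show what the PMAS log lines look like; the sample lines are constructed for this example and the date/event/source fields are read from fixed positions in each line.

```python
"""Added example: tally relay attempts per day and rebuild the percentage
table from a mail log instead of counting by hand.

The line layout is an assumption (the page shows no PMAS log lines); the
sample log is constructed and the parser reads date, event and source from
fixed positions.  Malformed lines are skipped rather than counted.
"""
import re
from collections import Counter, OrderedDict

# Constructed sample, not real log data.  One record per line:
# <dd-Mon-yyyy hh:mm:ss> <event> <source-ip> [detail]
SAMPLE_LOG = """\
05-Dec-2010 00:12:41 RELAY 198.51.100.7 RCPT TO:<someone@example.net>
05-Dec-2010 00:12:43 RELAY 198.51.100.7 RCPT TO:<other@example.net>
05-Dec-2010 09:30:02 ACCEPT 203.0.113.5 from=<a@example.org>
06-Dec-2010 02:01:17 DNSBL 198.51.100.9 listed
06-Dec-2010 02:01:20 RELAY 198.51.100.9 RCPT TO:<x@example.net>
07-Dec-2010 11:44:00 RELAY 198.51.100.12 RCPT TO:<y@example.net>
07-Dec-2010 11:44:01 RELAY 198.51.100.12 RCPT TO:<z@example.net>
07-Dec-2010 11:44:02 RELAY 198.51.100.12 RCPT TO:<w@example.net>
07-Dec-2010 15:00:00 ACCEPT 203.0.113.8 from=<b@example.org>
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Z][a-z]{2}-\d{4}) \d{2}:\d{2}:\d{2} "
    r"(?P<event>RELAY|DNSBL|ACCEPT) (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Yield (date, event, source) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("date"), m.group("event"), m.group("src")


def relay_attempts_per_day(log_text):
    """The per-day table the post builds by hand, in log order."""
    counts = OrderedDict()
    for date, event, _ in parse(log_text):
        if event == "RELAY":
            counts[date] = counts.get(date, 0) + 1
    return counts


def totals(log_text):
    """Overall split: total, DNS blacklisted, relay attempts, accepted."""
    c = Counter(event for _, event, _ in parse(log_text))
    return {"total": sum(c.values()), "dnsbl": c["DNSBL"],
            "relay": c["RELAY"], "accepted": c["ACCEPT"]}


def percent(part, whole):
    """Percentage rounded to one decimal, as in the statistics table."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def top_relay_sources(log_text, n=3):
    """Sources trying hardest to relay: candidates for blocking at the gate."""
    return Counter(src for _, ev, src in parse(log_text) if ev == "RELAY").most_common(n)


def report(log_text):
    """Render the same layout as the monthly statistics, plus the per-day list."""
    t = totals(log_text)
    lines = [f"Total messages    : {t['total']:6d} = 100.0 o/o"]
    for label, key in (("DNS Blacklisted", "dnsbl"),
                       ("Relay attempts", "relay"),
                       ("Accepted", "accepted")):
        lines.append(f"{label:18}: {t[key]:6d} = {percent(t[key], t['total']):5.1f} o/o")
    lines.append("")
    for date, n in relay_attempts_per_day(log_text).items():
        lines.append(f"{date[:6]} {n:6d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feeding the consolidated year file mentioned below through `report` gives the same table for any period; `top_relay_sources` is the piece that ties this back to the blocking of subnets, since the addresses that relay most are the ones worth checking against the block list.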

There may have been a few files less than 4 blocks in size, but I consider these of less importance. Further analysis will have to wait until a later date…
Apart from the usual activity, I consolidated all log files of last year in a single file to be stored on CD or DVD – mainly as a source for this analysis and as test data for the suite that I intend to create for it.
New disks for the workstation
I bought two new 230 GB disks for the workstation: one internal, and one external – as a backup. Next month it will be filled with restored data – I hope.