03-Feb-2014

NTP issue – update
From several sides I got information on the NTP problems: John Santos (via the OpenVMS SIG) suggested a test for checking whether time was updated, using ntpq (it was), and Stephen Hoffman showed me where NTPDC is located; but I had found that already, and disabled monlist as was suggested – by editing TCPIP$NTP.CONF. Now monlist doesn’t work anymore – not even on localhost (directly), nor does ntpq – it runs into a timeout. The router log doesn’t show any more incoming NTP traffic either – which used to be the case when monlist was not disabled. Time to dig into the manuals – if available…. Enabling monlist – just to be able to do some synchronization – might be a possibility – now that incoming traffic to port 123 is disabled…. We’ll see.
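A configuration fragment that closes the monlist exposure while keeping local ntpq/ntpdc diagnostics working, added here as an illustration; it is not the author's TCPIP$NTP.CONF. It assumes that the OpenVMS NTP configuration file accepts the standard ntpd 4.x restrict and disable keywords, and the upstream server name is a placeholder.

```conf
# Added example, not the author's TCPIP$NTP.CONF (assumes standard ntpd 4.x syntax).
# Remote systems get time answers only: no mode 6/7 queries (ntpq, ntpdc/monlist),
# no runtime modification, no unsolicited peering. 'kod' rate-limits abusive sources.
restrict default kod nomodify notrap nopeer noquery

# Without this line the default 'noquery' also blocks the loopback address,
# so ntpq and ntpdc on the host itself time out. Keep local diagnostics allowed.
restrict 127.0.0.1

# Switch off the monitoring facility that monlist reports from, independent of
# the restrict lines above.
disable monitor

# Upstream time source (placeholder name; replace with the real server).
server time.example.net
```

The two 'restrict' lines are evaluated most-specific-first, so the loopback entry overrides the default for the host itself only; every other address still falls under 'noquery'. Time synchronisation (mode 3 client requests and mode 4 replies) is not affected by 'noquery'.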
For the rest, no real surprises:
PMAS statistics for January
Total messages    :   1414 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    338 =  23.9 o/o (Files: 31)
Accepted by PMAS  :   1076 =  76.0 o/o (Files: 31)
  Handled by explicit rule
         Rejected :    445 =  41.3 o/o (processed),  31.4 o/o (all)
         Accepted :    288 =  26.7 o/o (processed),  20.3 o/o (all)
  Handled by content
        Discarded :    137 =  12.7 o/o (processed),   9.6 o/o (all)
     Quarantained :    163 =  15.1 o/o (processed),  11.5 o/o (all)
        Delivered :     43 =   3.9 o/o (processed),   3.0 o/o (all)

There have been relay attempts on a few days: on 13-Jan-2014 there were about 100 from one address. Of course these failed.

31-Jan-2014

Coincidence: NTP DoS?
Yesterday morning, Thomas Heim sent out a warning on the OpenVMS SIG list that he had seen evidence on his systems of an exploit of a hole in older versions of NTP, and his warning was “Beware”.

That evening, when heading for bed, I heard my VMS server beep every few seconds. It normally does if a mail message comes in but at this rate, that means trouble.

And yes, I got loads of messages, which all concerned massive outgoing UDP traffic on port 123 – the NTP server – to a limited number of addresses but different ports on each of them. At times there was a message concerning traffic to port 80 that was suspected to be torrent-based (quite unlikely to have UDP traffic to a webserver…), so I got these as well.

Quite a coincidence?

Stopping the NTP server stopped the flood of messages, but after I restarted it, it restarted within a minute. So I turned my attention to the firewall, where port 123 (the standard NTP port) was still open. So I closed it and blocked all incoming traffic on port 123 – from any address.

Restarted NTP and after that, at least the flood of mail messages stopped, so I wouldn’t be kept from sleeping. Whether I have to worry about time keeping remained to be seen. But a quick glance this morning revealed that time services still run and do get an answer (the log states [Pass]), so I think I don’t have to worry anymore about my time-keeping.

But there is still a lot of investigation to be done. The whole sequence started just after 21:00 and went on to just after 22:00, when I stopped the NTP server. Restarted it at 22:10, the circus commenced, so stopped it again at 22:11. Blocked the port in the firewall and restarted NTP at 22:16.
Just one (!) message blocked, and no problems ever since.

Next step is to investigate – as far as possible. I’ll keep the logfiles at hand (tonight they will be moved to the archives by the monthly maintenance job…).
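The traffic pattern described in this entry (many UDP datagrams from the local port 123 to a handful of external addresses, each on a different destination port) is the signature of an NTP server being used as an amplifier. The following Python script, added here as an example and not part of the original post, shows how such a pattern can be picked out of router or firewall log lines. The log line format and the addresses in it are constructed for the example; a real router writes something different, so only the regular expression would need adapting.

```python
"""Flag NTP-amplification-style outbound traffic in router log lines.

Added example. The line format below is constructed for this script (it is not
the author's router's format): timestamp, protocol, src:port -> dst:port.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: replies from our NTP port to two external addresses on
# many different ports (amplification), plus one ordinary server-to-server
# exchange on port 123 that must not be flagged.
SAMPLE_LOG = """\
2014-01-30 21:02:11 UDP 192.0.2.10:123 -> 198.51.100.7:40001
2014-01-30 21:02:11 UDP 192.0.2.10:123 -> 198.51.100.7:40002
2014-01-30 21:02:12 UDP 192.0.2.10:123 -> 198.51.100.7:40003
2014-01-30 21:02:12 UDP 192.0.2.10:123 -> 198.51.100.7:40004
2014-01-30 21:02:13 UDP 192.0.2.10:123 -> 198.51.100.7:40005
2014-01-30 21:02:13 UDP 192.0.2.10:123 -> 203.0.113.9:51000
2014-01-30 21:02:14 UDP 192.0.2.10:123 -> 203.0.113.9:51001
2014-01-30 21:02:14 UDP 192.0.2.10:123 -> 203.0.113.9:51002
2014-01-30 21:02:15 UDP 192.0.2.10:123 -> 203.0.113.9:51003
2014-01-30 21:02:15 UDP 192.0.2.10:123 -> 203.0.113.9:51004
2014-01-30 21:02:16 UDP 192.0.2.10:123 -> 203.0.113.9:80
2014-01-30 21:05:00 UDP 192.0.2.10:123 -> 192.0.2.20:123
2014-01-30 21:05:30 UDP 192.0.2.10:123 -> 192.0.2.20:123
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def find_amplification_targets(log_text, window_seconds=60, min_distinct_ports=5):
    """Return {dst_addr: (datagram_count, distinct_dest_ports)} for every
    destination that received UDP datagrams from our port 123 on at least
    `min_distinct_ports` different destination ports within `window_seconds`.

    A genuine client asks from one port and gets one reply; a spoofed victim
    sees replies sprayed over many ports in a short time.
    """
    per_dst = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["sport"] == 123:
            per_dst[rec["dst"]].append((rec["ts"], rec["dport"]))

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for dst, events in per_dst.items():
        events.sort()
        ports_in_window = defaultdict(int)  # port -> hits inside current window
        start, best = 0, 0
        for ts, port in events:
            ports_in_window[port] += 1
            # slide the window start forward past events older than `window`
            while events[start][0] < ts - window:
                old_port = events[start][1]
                ports_in_window[old_port] -= 1
                if ports_in_window[old_port] == 0:
                    del ports_in_window[old_port]
                start += 1
            best = max(best, len(ports_in_window))
        if best >= min_distinct_ports:
            flagged[dst] = (len(events), len({p for _, p in events}))
    return flagged


if __name__ == "__main__":
    for dst, (count, ports) in sorted(find_amplification_targets(SAMPLE_LOG).items()):
        print(f"{dst}: {count} datagrams from UDP/123 to {ports} distinct ports")
```

The thresholds (60 seconds, five distinct ports) are starting points; on a busy public server they should be tuned against a baseline of normal client traffic. The port 80 line is flagged together with the rest because it shares the destination address, which matches the author's observation that the "torrent" alerts were part of the same episode.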

01-Jan-2014

New year’s maintenance
Not really surprising: there is little to mention….
PMAS statistics for December
Total messages    :   1519 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :    251 =  16.5 o/o (Files: 31)
Accepted by PMAS  :   1268 =  83.4 o/o (Files: 31)
  Handled by explicit rule
         Rejected :    571 =  45.0 o/o (processed),  37.5 o/o (all)
         Accepted :    288 =  22.7 o/o (processed),  18.9 o/o (all)
  Handled by content
        Discarded :    179 =  14.1 o/o (processed),  11.7 o/o (all)
     Quarantained :    194 =  15.2 o/o (processed),  12.7 o/o (all)
        Delivered :     36 =   2.8 o/o (processed),   2.3 o/o (all)

The number of messages that need to be handled is still low. Especially around Christmas, the number dropped significantly. Just two successive days showed really large amounts of SMTP access from one address (several messages a minute), but the address was blocked when I noticed it.
I saved all 2013 files in the usual location – now starting 2014!

10-Dec-2013

Database corrupted?
It looked as if the previous entry (02-Dec-2013) wasn’t complete when accessed: it missed the beginning showing the mail stats for November. Text was all bold and green. Not as I entered it….
It makes a difference in what mode the edit form showed up. In Visual mode, the first part didn’t show either, all text bolded; switching to HTML mode shows <strong><span> and </strong></span> tags around the text. If the edit form comes up in HTML mode, it’s all OK – except when switching to Visual mode, and the same thing happened…
Found the cause: a missing double quote in the header:
<strong><font color="red> doesn’t work. <strong><font color="red"> does 🙂
Lessons learned:

  • Don’t hurry your posts (take your time)
  • Check before publishing (preview)
  • Nothing new. I know I should have….

02-Dec-2013

Abusing mailservers down, or blocked?
Since I blocked a number of mail servers – open relay, or hacked – the number of spam messages has dropped significantly:
PMAS statistics for November
Total messages    :   1085 = 100.0 o/o
DNS Blacklisted   :      0 =    .0 o/o (Files:  0)
Relay attempts    :     78 =   7.1 o/o (Files: 30)
Accepted by PMAS  :   1007 =  92.8 o/o (Files: 30)
  Handled by explicit rule
         Rejected :    303 =  30.0 o/o (processed),  27.9 o/o (all)
         Accepted :    256 =  25.4 o/o (processed),  23.5 o/o (all)
  Handled by content
        Discarded :    196 =  19.4 o/o (processed),  18.0 o/o (all)
     Quarantained :    219 =  21.7 o/o (processed),  20.1 o/o (all)
        Delivered :     33 =   3.2 o/o (processed),   3.0 o/o (all)

This really is the amount for November… Exactly a year ago, the total number was almost 10 times as high. At the beginning of November, I blocked one site (67.53.119.2) that caused malfunction of mail – sending a massive amount of messages in a short time. At least, it looked that way, but it turned out it was merely a matter of bad requests, since after I did, there were a number of messages from the router telling me something was blocked – it wasn’t even mail. Just a bogus message. I just wondered why it passed the filter first; DoS protection is enabled, so it shouldn’t have passed.
After that, trouble was over with the above result.
Few relay attempts as well. None of the files exceeds 4 blocks (2KB), possibly for the same reason.
Found a few web abusers – and blocked them.