
I love Linux, there are no two ways about it. One compares one's servers by the amount of time that they are up. We currently have Novell NetWare, Linux and Microsoft Windows servers.

Comparing the uptime of our servers, I noticed that the best uptimes we have are on our Linux servers. Next come our Novell NetWare servers and then finally the Microsoft Windows servers.

Current stats are: Linux 43 days, Novell NetWare 28 days, and Windows 6 days.

I used to have uptime in excess of 180 days on my Linux box, and I am aiming for that now as well.

So over the last while we have had a bit of a problem with people trying to hack into our Linux servers via ssh. After looking at the log files, we figured out that the hacking attempts were coming from all over the world: Russia, China and the US. I eventually found this website, http://www.abuse.net/, which, if you can do a reverse name lookup on the source address and get the domain name, gives you the abuse email address for that domain.

After getting the various addresses I bombed off an email to each of them, attaching the log files. I have not heard anything back from them yet, but the hacking attempts have slowed down dramatically.

Over the last month and a half, the internet line at work seemed to be in use at all times, whereas before that there were times when there was no activity on the line at all. Two days ago we received an email stating that we were sending out spam and needed to address this or face being blacklisted.

So we went to panic stations and managed to get a header from one of those mails. After looking at it we realised we had a big problem. We had been running all our users through BorderManager with SurfControl as the content filter, but due to the memory requirement and the fact that it made our server unstable, we had decided to move the content filtering onto a new box. We installed SLES 10 with Squid and DansGuardian. The BorderManager box still did our NAT for us, so we were protected, right? Wrong. After doing a bit of packet sniffing and an nmap scan from the outside, we realised the machine was exposed to the internet and spammers were routing mail through our transparent proxy (Squid).
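Both problems above (the ssh password-guessing in the logs, and outsiders tunnelling mail through the proxy) show up in log files you already have, before anyone has to sniff packets or scan from outside. The script below is an added example, not anything from the original post or from the Squid or OpenSSH projects. It works over constructed sample lines embedded in the script (syslog-style sshd entries and Squid's native access.log format), with addresses taken from the RFC 5737 documentation ranges and a private range, so it runs offline. The first function counts failed password attempts per source address (the list you would feed to a reverse lookup and abuse.net); the second lists CONNECT tunnels to mail ports and tags whether the client is on the LAN or outside, which is the spam-relay signal the post describes.

```shell
#!/bin/sh
# Added example: triage sshd failures and Squid CONNECT tunnels from log lines.
# All sample lines below are constructed; the addresses are documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) and RFC 1918 space, not real hosts.

# Constructed /var/log/messages excerpt: three password failures, one good login.
SSH_SAMPLE='Mar 12 03:14:07 gw sshd[2112]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 12 03:14:09 gw sshd[2112]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar 12 03:15:01 gw sshd[2120]: Accepted publickey for peter from 192.168.1.10 port 40012 ssh2
Mar 12 03:16:44 gw sshd[2131]: Failed password for invalid user oracle from 203.0.113.9 port 3344 ssh2'

# Constructed Squid access.log excerpt (native format):
# time elapsed client action/code bytes method url ident hierarchy type
SQUID_SAMPLE='1173668047.101    120 203.0.113.45 TCP_MISS/200 512 CONNECT mx.victim.example:25 - HIER_DIRECT/198.51.100.7 -
1173668048.512     90 192.168.1.22 TCP_MISS/200 4821 GET http://www.example.com/ - HIER_DIRECT/198.51.100.20 text/html
1173668049.003    110 203.0.113.45 TCP_MISS/200 498 CONNECT mail.other.example:25 - HIER_DIRECT/198.51.100.8 -
1173668050.777    300 192.168.1.22 TCP_MISS/200 7712 CONNECT secure.example.com:443 - HIER_DIRECT/198.51.100.9 -'

# Count sshd password failures per source address. Reads log lines on stdin
# and prints "address count", most active source first.
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# List CONNECT tunnels to SMTP ports (25, 465, 587) in a Squid access.log.
# Prints "client target:port origin", where origin is "lan" for RFC 1918
# clients and "external" otherwise. An external client tunnelling to port 25
# means the proxy is being used as an open mail relay.
proxy_mail_tunnels() {
    awk '
        function is_private(ip) {
            return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
        }
        $6 == "CONNECT" {
            n = split($7, parts, ":")
            port = parts[n]
            if (port == "25" || port == "465" || port == "587")
                print $3, $7, (is_private($3) ? "lan" : "external")
        }'
}

echo "== sshd password failures by source address =="
printf '%s\n' "$SSH_SAMPLE" | ssh_failed_by_ip
echo "== CONNECT tunnels to mail ports through Squid =="
printf '%s\n' "$SQUID_SAMPLE" | proxy_mail_tunnels
```

On a real box, replace the embedded samples with `cat /var/log/messages | ssh_failed_by_ip` and `proxy_mail_tunnels < /var/log/squid/access.log`. The addresses in the first column are what `dig -x` and abuse.net turn into an abuse contact; in the second report, any "external" row means the proxy is reachable from the internet and the firewall and Squid ACLs need fixing, whatever the NAT box in front of it is supposed to be doing.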

We immediately put a firewall on that box, and of course that blocked all internet access out, because the machine only had one network card enabled. It also caused all the spam coming through to stop, and the usage on the line dropped to almost nothing in seconds.

Now came the task of getting the internet to work. One would think it is an easy task, and don’t get me wrong, it normally is pretty easy, but one stupid thing happened. I ssh’d into the SLES box, set up the second network card with an external address, deleted the NAT mapping on the BorderManager box, set up masquerading on SLES to route the traffic, and off we go... but it did not work.

Eventually, after looking through everything, I found a tab on the network devices screen, and hidden away there I found that the network card I had set up for the external interface was set to never start. HUH? So I set it to start at boot, restarted some services and bam, it works.
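The three things that had to line up above (a firewall that lets the LAN reach the proxy but exposes nothing to the outside, masquerading out of the second card, and that card actually starting at boot) fit in one script. The one below is an added example and not the post's own configuration; it assumes eth0 faces the LAN on 192.168.0.0/24, eth1 faces the internet, and Squid listens on 3128 as a transparent proxy for port 80 (all of these are assumptions, change them to suit). On SLES the per-interface start mode lives in /etc/sysconfig/network/ifcfg-<interface> as STARTMODE, which is the setting the post found hidden in the GUI. Setting IPT=echo prints the rules instead of loading them, which is how you review them before touching a live box.

```shell
#!/bin/sh
# Added example: lock a transparent-proxy gateway down and masquerade the LAN.
# Assumed layout (not from the post): eth0 = LAN side, eth1 = internet side,
# Squid on 3128 handling redirected port 80. Run with "apply" as root to load;
# with IPT=echo the iptables calls are printed instead of executed.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"
IPT="${IPT:-iptables}"
IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network}"

apply_firewall() {
    # Clean slate, then default-deny anything inbound or forwarded.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Proxy and ssh are reachable from the LAN interface only. Nothing is
    # accepted on the internet-facing card, so the proxy cannot be used as
    # a relay from outside regardless of what the NAT box in front does.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # Transparent proxy: LAN web traffic is redirected into Squid.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # Forward LAN traffic out and replies back, masqueraded behind the WAN address.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Force STARTMODE='auto' in the SUSE ifcfg file for the given interface so the
# card comes up at boot. Returns non-zero if the file does not exist.
ensure_startmode() {
    f="$IFCFG_DIR/ifcfg-$1"
    [ -f "$f" ] || return 1
    if grep -q '^STARTMODE=' "$f"; then
        sed -i "s/^STARTMODE=.*/STARTMODE='auto'/" "$f"
    else
        printf "STARTMODE='auto'\n" >> "$f"
    fi
    grep -q "^STARTMODE='auto'" "$f"
}

# Masquerading does nothing unless the kernel forwards packets; persist this
# in the distribution's sysctl configuration as well.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
    apply)
        ensure_startmode "$WAN_IF" || echo "warning: no ifcfg-$WAN_IF in $IFCFG_DIR" >&2
        enable_forwarding
        apply_firewall
        ;;
    *)
        echo "usage: $0 apply   (set IPT=echo first to print the rules instead)" >&2
        ;;
esac
```

The INPUT chain is the part that matters for the incident in the post: with a default DROP policy and accept rules bound to the LAN interface only, an internet-facing Squid cannot be reached even if the NAT in front of it is misconfigured. After loading, `iptables -L -v -n` and `iptables -t nat -L -n` from the box, plus a connection attempt from an outside address to the proxy port, confirm the rules do what the listing says.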

Now my colleague likes to call me a “Free and Open Source Hippie”. I don’t really mind, because I probably am, and for good reason (I’m going to have to educate him a bit), but in this instance I actually think SLES is a bit messed up. Why hide such an important setting away? Anyway, at the end of the day we won and the evil spammers got cut off, but I have learnt a valuable lesson: never assume anything is secure; test it out before the hackers do.

-P