luke: June 2008 Archives

The Samsung 750G drives (with 32M cache) are almost twice as fast as the Seagate 750G drives (with 16M cache) - even after removing the limiters (the Seagates came with jumpers that limited them to 1.5G SATA1).

Anyhow, I've started to put system domains on the new server, Boar, and they are looking pretty good. 

new server status

So we got the new servers installed and set up... and then we realised that disk was about 1/2 the speed we requested, and, more importantly, there were serious problems with random access: copying /dev/zero to the disk would lock things up to the point where you couldn't even log in on another VT.

Obviously we're not putting customers on it until we figure it out; the server is in the garage right now for testing. The server is going through burn-in as we speak.

As I mention on the main page, we ran out of space the other day. We are putting in a new server, boar, and one of my ancient Catalyst switches with 'port monitor' (SPAN) capabilities, so I will be un-breaking the bridge on lion, and BandwidthD and my inward-facing IDS will both continue to function.

This will require us to physically re-configure the network (just moving cables - if we don't screw it up, downtime should be less than 60 seconds - no reboot or anything, just a few dropped packets).

New rDNS policy

So, having rDNS point back to me makes handling abuse reports much easier (that is, it makes it much more likely that I will get the complaint rather than my upstream), so I am going to require you to keep rDNS pointing back to me until you have been a paying customer for 3 months.

Like everything, exceptions can be made, but if I don't know you, it's three months (or you can pay up front for three months, with the understanding that you won't get it back if I shut you down for AUP violations).

The AUP:

Pretty standard, except for the bit where I prohibit all bulk mail without my approval.
I'm not interested in hosting even most double-opt-in lists - most of the larger lists, even if they are legitimately double-opt-in, generate more complaints than I am willing to deal with at these prices. If you are a legitimate mail sender, I would suggest you start with

monthly price   RAM     disk    network transfer
$5              64MiB   5GiB    40GiB

The new prices are only good on the new Core 2 Quad boxes, so existing customers may need to move - also, you will need to be added to the new billing system. (Users who signed up within the last week will automatically be billed the new, lower rate when they come up for renewal.)

Snort IDS installed.

One way to make your network unattractive to spammers is to make setting up new accounts more expensive for the abuser - either through collecting AUP violation fees, or through high setup fees. Of course, this is difficult with the real black hats, as they usually pay with fraudulently obtained credit cards. It works OK for the 'grey' spammers - those who mail people who 'opted in' when they bought something, and now get tangentially related offers.

Another way to do it is to be more proactive about disconnecting abusive customers. See, most of the time one can expect 4-24 hours between when the abuse is reported and when the provider does something about it - and in my experience, it takes quite a lot of abuse to get a complaint; sometimes the abuse has been going on for a week or more before it hits someone with the spare time and the knowledge to complain.

So my thought is this: why not run an IDS, but instead of alerting on the constant stream of abuse coming in from the Internet, alert on abuse going out from your customers? You could even then automatically kill the ports belonging to obviously compromised or abusive hosts.

So that's what I did tonight. I set up a VPS on my new server, set my bridge to not remember MAC addresses (that is, I turned it into a hub) and installed Snort on that VPS. Right now, it's pretty much just using the default rules and scanning all traffic, incoming and outgoing. Next, I need to set up some good e-mail rules (I want to allow people to run secondary MX servers, but I want to prohibit mailing lists beyond a certain size without my prior approval... I've not quite figured out how to do that).

I figure if I'm going to be watching you, I should give you something back - so I have decided to give you access to see the Snort alerts about people from the Internet trying to attack you. If you are on lion and interested, let me know via e-mail.

I've got a shell script parsing the output and putting it in a file for each user to watch, if they like. If it encounters an attack coming from one of my e-mail addresses, it e-mails me, meaning a worst-case response of around 8 hours. That's not a great response time if you count from when someone files an abuse report, but if you count from when the abuse starts (and that is what is happening), 8 hours isn't bad at all.
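The per-customer split described above, as an added example rather than luke's own script: it reads Snort "fast"-format alert lines, files each one under the customer whose address appears as source or destination, and counts the outbound ones (source is a customer), which are the alerts that should reach the operator rather than just a customer's file. The customer map, the alert lines and the RFC 5737 addresses are all constructed for the example.

```shell
#!/bin/sh
# Added example, not luke's actual script: split Snort "fast" alert lines into a
# per-customer file, and count the alerts whose SOURCE is a customer address,
# i.e. abuse going OUT of the network, which is what should page the operator.
# Assumptions: Snort's "-A fast" alert format (src[:port] -> dst[:port] at the
# end of the line, IPv4) and a constructed "ip:user" customer map. All addresses
# are RFC 5737 documentation addresses.

OUTDIR="${OUTDIR:-$(mktemp -d)}"

# Constructed customer map: one "address:user" pair per customer VPS.
CUSTOMERS='198.51.100.10:alice 198.51.100.11:bob'

# Constructed Snort fast-format alert lines standing in for /var/log/snort/alert.
ALERTS='06/15-02:13:45.123456  [**] [1:1000001:1] TEST inbound scan [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.7:54321 -> 198.51.100.10:22
06/15-02:14:02.000001  [**] [1:1000002:1] TEST outbound SMTP flood [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.11:4123 -> 192.0.2.25:25
06/15-02:15:10.500000  [**] [1:1000003:1] TEST unrelated traffic [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.8:53 -> 192.0.2.9:53'

# split_alerts: alert lines on stdin; appends each to $OUTDIR/<user>.inbound or
# $OUTDIR/<user>.outbound and prints the number of outbound alerts seen.
split_alerts() {
    mkdir -p "$OUTDIR"
    awk -v outdir="$OUTDIR" -v cmap="$CUSTOMERS" '
        BEGIN {
            n = split(cmap, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); user[kv[1]] = kv[2] }
            out = 0
        }
        /\[\*\*\]/ {
            # the last three fields are "src[:port] -> dst[:port]"
            split($(NF - 2), s, ":"); split($NF, d, ":")
            src = s[1]; dst = d[1]
            if (src in user) { print >> (outdir "/" user[src] ".outbound"); out++ }
            else if (dst in user) { print >> (outdir "/" user[dst] ".inbound") }
            # alerts that involve no customer address are dropped
        }
        END { print out }
    '
}

# Stand-alone run over the constructed sample; in production this would run
# periodically over the alert file, e.g.: split_alerts < /var/log/snort/alert
outbound=$(printf '%s\n' "$ALERTS" | split_alerts)
echo "outbound alerts needing operator attention: $outbound"
```

A non-zero count is the condition on which the operator would be e-mailed; the inbound files are what a customer would be given read access to.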

About this Archive

This page is an archive of recent entries written by luke in June 2008.
