Hello Everyone! Hope you’re doing well!
So for the last few weeks, I have been dealing with a DoS attack against me. After spending a couple of days with Comcast network engineers, we finally figured out that my mail server was being attacked. Once we disabled the NIC on the server, Internet service would come back immediately and everything appeared to be working properly. Looking at the auth logs, I noticed that port 80 and port 22 were getting bombarded by the DoS attacks.
Since the Comcast gateway has a poor firewall, I looked into getting an upgraded PAN to meet my demand, but unfortunately that was going to set me back about $4k. I also looked at Untangle, but ran into configuration issues with the Comcast gateway and my static IPs.
So, until I save my pennies to get the upgraded PAN I had to use ufw to block my attacks.
UFW, or Uncomplicated Firewall, is the default firewall for Ubuntu. Since my mail server is running Ubuntu, I decided to use it. It is fairly easy to set up and use.
The first thing I noticed when being attacked was that specific Chinese IP addresses were hitting the server on port 22 and port 80, which are the SSH port and the default unencrypted web server port. So these were going to be the first ones I set up. One thing to note, however, is that when you enable ufw it blocks all incoming traffic by default, which is a good thing really, but when you rely on email for your job, blocking everything is not good. So I needed to find out which external ports I needed to have open to the public so that email would still work, and which ones I could leave available only internally so that I can still work on the servers when I need to.
First thing I did was look at what ports my server was sharing outside. I did this with the netstat command:
netstat -an | more
This command outputs all the interfaces and ports that the server is listening and communicating on. It also tells you who is connected to which service if they have an open session, so this command is pretty important if you want to get into security.
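The sorting I describe above can be scripted. The following is an added example, not code from the original post: a few shell functions that pull the listening ports, the loopback-only listeners, and the established peers out of `netstat -an` output. NETSTAT_SAMPLE is a constructed capture in the Linux netstat layout with placeholder addresses; on a real server you would feed it the live output of `netstat -an` instead.

```sh
#!/bin/sh
# Added example, not from the post. NETSTAT_SAMPLE is a constructed capture
# (documentation-range addresses); replace it with "$(netstat -an)" on a real box.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:22         198.51.100.77:51234     ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.77:51240     ESTABLISHED
tcp        0      0 203.0.113.10:22         192.168.10.5:40002      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# TCP ports the host is listening on: one per line, numeric order, no duplicates.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# Listening sockets bound to 127.x only. These are unreachable from outside,
# so they need no ufw rule at all and can be left off the public list.
loopback_only_ports() {
  printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^127\./ { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# Remote address, local port and session count for every established TCP
# session, busiest first. A single source holding many sessions on 22 or 80
# stands out immediately here.
established_peers() {
  printf '%s\n' "$1" \
    | awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { sub(/:[^:]*$/, "", $5); sub(/.*:/, "", $4); print $5, $4 }' \
    | sort | uniq -c | sort -rn | awk '{ print $2, $3, $1 }'
}

# Number of established sessions held by one remote address, which is what
# you want to know before deciding to block it.
sessions_from() {
  printf '%s\n' "$1" | awk -v peer="$2" '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && index($5, peer ":") == 1' | wc -l | tr -d ' '
}

# Run directly: show what the sample capture contains.
echo "listening ports:"; listening_ports "$NETSTAT_SAMPLE"
echo "loopback only:";   loopback_only_ports "$NETSTAT_SAMPLE"
echo "established peers (addr port count):"; established_peers "$NETSTAT_SAMPLE"
```

The listening list is what decides which ports need a rule at all; the loopback-only list (389 in the sample) is what you can leave out of both the public and the internal rule sets, and the peer count is the figure to check before blocking an address or rebooting to clear sessions.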
To make it easy, I needed imap, pop, smtp, ssh, http, https, and ldap.
I also needed to know what can be internal only and what needs to be exposed to the public so that my email server can still get email.
Here is what I came up with:
587 (SMTP Submission)
So, now that I have the required information, I can create the rules. They are as simple as doing the following command:
sudo ufw allow from x.x.x.x/24 to any port 22
This rule allows only my internal IPv4 network to connect to the server on port 22. I did this for all of the internal-only ports. I also added the mail server’s own external IP address with a /32 so that only the server itself could talk to itself on the internal ports. That might have been overkill, but better safe than sorry. For my public rules I used the following command:
sudo ufw allow from any to any port 443
This will create IPv6 rules as well.
If you accidentally create a rule and it isn’t working properly, you can remove the rule by first looking up its number:
sudo ufw status numbered
sudo ufw delete [rule #]
Once everything is done, enable the firewall so that the rules will be applied:
sudo ufw enable
If you ever need to stop the firewall, you can disable it with:
sudo ufw disable
and the server will go back to being unprotected.
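The steps above, scripted end to end. This is an added example and not the original post’s commands or a ufw feature: it generates the full rule list for a mail server like the one described, checks that a rule admitting the admin network to port 22 exists before it enables the firewall (the lock-out the post warns about when everything gets blocked), and only prints the commands unless you opt in to applying them. The addresses and the public/internal port split are constructed placeholders; substitute your own.

```sh
#!/bin/sh
# Added example, not from the post. All values below are placeholders.
ADMIN_NET="192.168.10.0/24"            # assumed internal admin network
MAIL_IP="203.0.113.10/32"              # assumed public address of the mail server
PUBLIC_PORTS="25 143 443 587 993 995"  # assumed Internet-facing services
INTERNAL_PORTS="22 80 389"             # assumed admin-only services

# Print the ufw commands (without sudo) for the given split. The default
# policies come first so the deny-incoming behaviour is explicit in the
# script rather than relied on implicitly.
build_rules() {
  admin_net=$1; self_ip=$2; public=$3; internal=$4
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in $internal; do
    echo "ufw allow from $admin_net to any port $p"
    echo "ufw allow from $self_ip to any port $p"
  done
  for p in $public; do
    echo "ufw allow from any to any port $p"
  done
}

# Succeed only if the rule list admits the given network to port 22.
ssh_guarded() {
  printf '%s\n' "$1" | grep -q "^ufw allow from $2 to any port 22\$"
}

# Build, guard, then apply and enable. With DRY_RUN=1 (the default) every
# command is printed with a prefix instead of run, so the list can be
# reviewed before it touches the firewall; set DRY_RUN=0 to apply.
apply_rules() {
  rules=$(build_rules "$ADMIN_NET" "$MAIL_IP" "$PUBLIC_PORTS" "$INTERNAL_PORTS")
  if ! ssh_guarded "$rules" "$ADMIN_NET"; then
    echo "refusing: no SSH rule for $ADMIN_NET, enabling would lock you out" >&2
    return 1
  fi
  printf '%s\n' "$rules" "ufw --force enable" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "DRY RUN: sudo $cmd"
    else
      eval "sudo $cmd"
    fi
  done
}

apply_rules
```

Run it once as-is to read the generated list, compare it against the port list from netstat, and only then re-run with `DRY_RUN=0`. The guard function is deliberately strict: it looks for the exact admin-network rule on port 22, so a typo in the network prefix fails closed instead of enabling a firewall that cuts off your own SSH session.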
I still had to reboot the server after creating the rules and enabling the firewall, since existing sessions were still open, but after the reboot I haven’t had any more issues and email still works. You can look at the syslog to see all the blocks, which is somewhat fulfilling.
If you have any questions, or if you have any comments, please leave them below!