Anyone experiencing more frequent restrictions due to “suspicious botnet activity”?

Hey everyone, anyone dealing with Linode aggressively placing restrictions more than usual due to “suspicious botnet activity”?

I received this notice a few months ago and resolved it with their team. We took the necessary steps to secure ourselves: changed our root password, set up SSH private-key authentication, and installed ClamAV. Restrictions were removed and one month later they were back on due to “suspicious botnet activity” again, and this time we are not able to resolve it.

1 Reply

I've been the victim of "suspicious botnet activity"…and I report it every time I see it (even if it's traffic from the security researchers mentioned above).

You write:

Restrictions were removed and one month later they were back on due to “suspicious botnet activity” again, and this time we are not able to resolve it.

You either failed to rid yourself of the 'bot the first time or you're re-infected with the same or different 'bot because you failed to close the exploit the 'bot used to infect your system.

You don't mention a firewall so I'm going to assume you have one. You probably need to tighten it up a whole lot (close EVERY port that your system doesn't regularly use; e.g. everything but 22, 80, 443 and the mail ports you actually use) and institute countermeasures like fail2ban(1) and blacklisting. Restrict traffic on specific ports to localhost when you can.

If you operate an email server, you'll want to do the following:

  • use local-domain sockets when-/wherever you can (e.g. for milters like opendkim, postgrey, dmarc, etc);
  • be anal about requiring senders to implement authentication standards (like SPF);
  • require MUAs to use TLS and tell email peers that your server prefers ssmtp;
  • require authentication & TLS for submission and imap4; and
  • implement (very) aggressive anti-spam measures.

Implementing an aggressive intrusion detection system (e.g. snort) would probably help as well.

Most of all, you need to be very, very vigilant…

-- sw
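The firewall and fail2ban advice in the reply above (default-deny, open only 22, 80, 443 and the mail ports actually in use) and the mail-server items (TLS and authentication required for submission and IMAP, milters over local sockets) can be turned into concrete configuration. The script below is an added example written for this thread, not code from either poster or from Linode. It assumes nftables and fail2ban are installed, that the mail ports in use are 25, 465, 587 and 993, and that opendkim, opendmarc and postgrey listen on the Unix socket paths shown; all of those are assumptions to adjust for your host.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code). Generates a
# default-deny nftables ruleset, a fail2ban jail, and postfix/dovecot
# hardening settings. Assumed values: MAIL_PORTS and the socket paths below.

ALLOW_TCP="22 80 443"
MAIL_PORTS="25 465 587 993"   # assumed; set to the ports you really serve, or "" on a non-mail host

# nftables ruleset: the input chain policy is drop, so every port not listed
# is closed. Loopback is accepted, so services bound to 127.0.0.1 stay
# reachable locally only.
gen_nft_ruleset() {
    ports=$(printf '%s' "$ALLOW_TCP $MAIL_PORTS" | tr -s ' ' ',' | sed 's/^,//;s/,$//')
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport { $ports } ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# fail2ban jail.local: ban repeated auth failures against sshd, postfix SASL
# and dovecot, using the nftables ban action so it matches the ruleset above.
gen_fail2ban_jail() {
    cat <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
banaction = nftables-multiport

[sshd]
enabled = true

[postfix-sasl]
enabled = true

[dovecot]
enabled = true
EOF
}

# postfix / dovecot settings: milters and the greylisting policy server over
# local sockets (assumed paths), TLS plus SASL mandatory on submission, and no
# plaintext IMAP logins. Paste each part into the file named in its comment.
gen_mail_hardening() {
    cat <<'EOF'
# --- postfix main.cf ---
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
non_smtpd_milters = $smtpd_milters
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_sender_domain,
    check_policy_service unix:/run/postgrey/postgrey.sock
# --- postfix master.cf (submission service) ---
submission inet n - y - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# --- dovecot conf.d/10-ssl.conf and 10-auth.conf ---
ssl = required
disable_plaintext_auth = yes
EOF
}

# Sanity check: how many TCP ports the generated ruleset opens.
open_port_count() {
    gen_nft_ruleset | sed -n 's/.*tcp dport { \([^}]*\) }.*/\1/p' | tr ',' '\n' | grep -c .
}

# "apply" as root installs the firewall and jail; anything else just prints.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
    gen_nft_ruleset > /etc/nftables.conf && nft -f /etc/nftables.conf
    gen_fail2ban_jail > /etc/fail2ban/jail.local && systemctl restart fail2ban
    gen_mail_hardening
else
    gen_nft_ruleset
    gen_fail2ban_jail
    gen_mail_hardening
fi
```

Run it without arguments first and read the output; `open_port_count` should equal the number of ports you intended, and anything else listening (check with `ss -ltnp`) is either bound to 127.0.0.1 or should not be running at all. The postfix and dovecot lines are printed rather than installed because they belong in several different files.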
