Fw: New mail blocks result of Ralsky's latest attacks?

Brian Bruns bruns at 2mbit.com
Fri Oct 10 15:46:15 UTC 2003


This is something I sent to someone offlist.  I've stripped out his
name, etc.
--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
----- Original Message ----- 
From: Brian Bruns
To: XXXXX
Cc: admins at 2mbit.com
Sent: Friday, October 10, 2003 11:35 AM
Subject: Re: New mail blocks result of Ralsky's latest attacks?


Hey XXX,

There are a few ways to lock down an Exchange server.  Luckily, I used to be
an Exchange admin two years ago, so let me quickly dig up my notebook...


Ok, first, make sure on your Exchange server you have Guest disabled.
According to reports, the following usernames are being tested and cracked:
abc, web, admin, www, administrator, data, server, backup, master, test,
root, webmaster.  Basically, if you have any of these accounts active,
please make sure they have a strong password on them.  Please be careful
though when changing them - you'll have to make sure that all services which
depend on the account also are updated with the new password.

Second, if you don't use SMTP auth, simply disable it.
Open the SMTP virtual server properties under Exchange Server Manager,
select the Access tab, click Relay in the Relay restrictions group. Clear
the check off of "Allow all computers which successfully authenticate,
regardless of the list above".

You should be in good shape then.

On a side note (and I do recommend this to my customers), if you want added
security, yeah, you are going to want to use a UNIX/Linux box in front of
the Exchange server and then relay mail to it.  That way, you are less
likely to fall victim to Exchange exploits as well.  It's not too hard to
set up, but takes time.


--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511
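
[Added example, not part of the original message: one way to run the account check described above on a current Windows host. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function name and the 180-day threshold are hypothetical. It flags accounts to review and cannot measure password strength.]

```powershell
# Usernames the message reports as being tested and cracked.
$TargetedNames = @('abc','web','admin','www','administrator','data','server',
                   'backup','master','test','root','webmaster')

function Get-TargetedAccountReport {
    param(
        # Objects with Name, SID, Enabled, PasswordRequired, PasswordLastSet
        [Parameter(Mandatory)] [object[]] $Accounts,
        # Hypothetical review threshold; set it to match local policy.
        [int] $MaxPasswordAgeDays = 180
    )
    foreach ($a in $Accounts) {
        # The built-in Guest account keeps RID 501 even if it has been renamed.
        $isGuest    = "$($a.SID)" -like 'S-1-5-21-*-501'
        # -contains compares strings case-insensitively by default.
        $isTargeted = $TargetedNames -contains $a.Name
        if (-not ($isGuest -or $isTargeted)) { continue }

        $findings = @()
        if ($isGuest -and $a.Enabled) { $findings += 'Guest is enabled' }
        if ($isTargeted -and $a.Enabled) {
            $findings += 'targeted username is active'
            if (-not $a.PasswordRequired) { $findings += 'no password required' }
            if (-not $a.PasswordLastSet) {
                $findings += 'password never set'
            } elseif ($a.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
                $findings += "password older than $MaxPasswordAgeDays days"
            }
        }
        if ($findings.Count -eq 0) { continue }

        [pscustomobject]@{
            Name            = $a.Name
            Enabled         = $a.Enabled
            PasswordLastSet = $a.PasswordLastSet
            Findings        = $findings -join '; '
        }
    }
}

# Local accounts only; Get-LocalUser is not usable on a domain controller,
# and domain accounts need a separate directory query.
Get-TargetedAccountReport -Accounts (Get-LocalUser) | Format-Table -AutoSize
```

Before changing the password on any account it reports, check which services log on with that account, as the message notes.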




