I have a slackware 10 box set up at home running as a web/ftp/database/ssh server. I have noticed that it is getting hammered on my network. I have a simple hardware firwewall (wireless router) that has only the necessary ports open for the current services I'm running. I would assume it's something either through my mail or web that is hogging lots of bandwidth but I don't know how to pinpoint or stop it. Any good suggestions on where to go from here?

Hi,

Too general of a question without reference information!

First, what do mean by hammered? Someone port scanning you? How did you find this out?

I would first try to see how your security is set. Try a service like 'Steve Gibson's' www.grc.com. Check to see what is exposed.
How your system is responding to inquiries from the internet.

Do you have tripwire or chroot running? Could you have been cracked already? Maybe someone has already scripted you and using you as a POS for attacks therefore hogging your services.

I'd like to help but can't without information.

As for the 'simple hardware firewall (wireless router)' how is it connected to the internet? Via cable,dsl or what? By chance do you have it set with DMZ?

Sorry, I will try to provide a bit more info. the wireless router is connected with DSL, and is not set with DMZ. The ports open are 80, 22, 25, 21 and are forwarded to the slack box.

By hammered, I noticed that data was being transferred just by looking at the router and dsl modem and noticing that everything I was doing on the internet was crawling, I then ran "netstat" and noticed a lot of connections. I actually have the computer off now temporarily while I'm at work. I'm not sure what "tripwire" is.

All GRC.com really told me was which ports I had open, which I already knew. I'm temporarily blocking SMTP to see if this is the problem. Is there a good guide to securing mail services?

A perfect example of my server getting spammed is my guestbook. It is loaded with crap. How can I secure apache not to accept this kind of junk?

Block automatic thrasing in some way? For instance, by requiring the user to enter a number that is displayed in some automatically generated image.

I was hoping there might be an option for the webserver itself, not the forms on it. There has to be a way to detect and stop spam constantly scanning your site. I also feel it's a bit drastic to require someone to validate an image just to post to a guestbook or send an email. I can understand with some type of registration system, but not something so simple and meaningless.

The problem is that Apache does not know which are legitimate connections and which are not. If you can identify what constitutes an unwanted connection, you can build rules into Apache (and maybe your firewall).

Someone here may well be able to help, can you describe the differences between the connections that should and should not be allowed?

Hi,

Look here;

http://sourceforge.net/projects/tripwire/

I prefer to set my systems up so as they are a true stealth to the internet.
If someone needs to get in they know me therefore can get in. Web services, I would use a hosting service (cheap $$).

Since you are forwarding to the slack box I assume you have rule set for the router and/or DSL modem. Maybe too loose on the allow/dent sets.