Stephen Gran wrote:
> On Wed, Jun 14, 2006 at 02:59:49AM +0800, W B Hacker said:
>
>> Troy Engel wrote:
>>
>>> Marc Perkel wrote:
>
> [want to block outgoing email in case he's p0wn3d]
>
>>> 3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to any
>>> machine other than the smarthost you decided on above. (see
>>> http://oceanpark.com/notes/firewall_example.html)
>>
>> Not 100% useful. MTAs *listen* (for other mx) on port 25. They
>> ordinarily *send* on random ports well above 1024.
>
> netfilter has a uid match module that allows you to write rules like:
>
> iptables -t filter -A OUTPUT -m owner --uid-owner 0 -m state --state NEW
> --dport 25 -j ACCEPT
>
> So, actually, rather useful for this sort of thing. Not precisely how I
> would go about it (I would start by deciding what can make outbound
> traffic and stop all other traffic, but YMMV). If it is a root
> compromise, of course, you're screwed anyway, but a simple push over of
> a php script running as a non-privileged httpd user may not kill you in
> this case.

The best approach is to *first* simplify the environment. Separate boxen
and even 1U or 2U space can generally be had for a lot less than admin
labor, so there is no good reason to allow php to exist on an mx box any
more than Apache, MySQL, inetd, or Microsoft-anything. Not worth the
hassle. Separate box.

>> Further, it is generally a safe assumption that any entity
>> clever/patient enough to crack a shell account can and will
>> escalate privileges, eventually to 'root'..
>
> This is of course true, and good advice. If you are hacked, the least
> of your worries is the spam coming from your machine.

Truly. Even having both chkrootkit and rkhunter in cron is not 100%
foolproof. You not only have to set monitoring and traps - the most
important part is that you peruse your logs and reports at least several
times a day.

Bill

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
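The egress policy the thread converges on (only the MTA may open outbound SMTP sessions, and only to the chosen smarthost; log and refuse the rest), written out as a small script. This is an added example, not code from the thread or from the Exim project. It assumes the MTA runs under the uid given as MTA_UID, that SMARTHOST is an IP address, and that iptables has the owner, state, multiport and LOG extensions loaded; the uid 101 and address 192.0.2.10 in the usage line are constructed sample values. DRY_RUN=1 prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example (not from the thread): outbound SMTP policy for a mail host.
# Only the MTA's own uid may open new sessions to ports 25/465/587, and only
# to the smarthost. Any other new outbound SMTP is logged and refused.
# Assumptions: MTA_UID is the uid (or user name) the MTA delivers as,
# SMARTHOST is an IP address, and the owner/state/multiport/LOG extensions
# are available. Set DRY_RUN=1 to print the rules instead of running them.

IPTABLES="${IPTABLES:-iptables}"
SMTP_PORTS="25,465,587"

# Print or execute one iptables command, depending on DRY_RUN.
run_rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# smtp_egress_rules MTA_UID SMARTHOST
smtp_egress_rules() {
    mta_uid="$1"
    smarthost="$2"
    [ -n "$mta_uid" ] && [ -n "$smarthost" ] || {
        echo "usage: smtp_egress_rules MTA_UID SMARTHOST" >&2
        return 2
    }

    # Replies on inbound sessions (we listen on 25) and already-open outbound
    # sessions pass on connection state, not on source port, so the MTA's
    # random high source ports never need to appear in the ruleset.
    run_rule -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The MTA user may open new SMTP sessions to the smarthost only.
    run_rule -A OUTPUT -p tcp -d "$smarthost" -m multiport --dports "$SMTP_PORTS" \
        -m owner --uid-owner "$mta_uid" -m state --state NEW -j ACCEPT

    # Everything else bound for SMTP ports (a pushed-over php script running
    # as the httpd user, a stray cron job) is logged with a greppable prefix
    # and the owning uid, then refused with a reset so the client fails fast.
    run_rule -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" -m state --state NEW \
        -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-DENY: " --log-uid
    run_rule -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" -m state --state NEW \
        -j REJECT --reject-with tcp-reset
}

# Usage: DRY_RUN=1 sh smtp-egress.sh 101 192.0.2.10   (sample values)
if [ "$#" -eq 2 ]; then
    smtp_egress_rules "$1" "$2"
fi
```

The LOG rule is what makes the policy worth having on a box whose logs are read several times a day: a "SMTP-EGRESS-DENY:" line with a UID that is not the MTA's is a direct sign that some other process on the host is trying to send mail.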
