Re: Bot? / pf question

2011-01-05 Thread Mark Moellering

On 05-Jan-11 1:44 PM, Kevin Wilcox wrote:

On 5 January 2011 13:25, David Brodbeckg...@gull.us  wrote:


On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcoxkevin.wil...@gmail.com  wrote:

To really see what your machine is doing, consider taking a look at
the network flows. pfflowd, netflowd, ipaudit and a host of others can
get you flow data with mostly minimal overhead.

Also, keep in mind that depending on how badly the machine has been
compromised, you may not be able to trust the output of utilities
running on the machine itself.  You may have to resort to capturing
its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router
would be ideal unless you've verified, through mechanisms external to
the machine (known good test media), the tools on that machine are
trustworthy.

kmw
___


Since I am going to be setting up a mail server sometime next week and
have to keep things like this in mind:
would it make sense to run pf and block all outbound traffic that isn't
on port 25 (port 995, etc.) and force any web administration programs
onto a port other than 80 to help with this sort of thing? Any other
thoughts on how to make sure future installations can be kept secure?


As always, thanks in advance to everyone,

Mark Moellering
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
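An added example of the kind of default-deny pf ruleset Mark is asking about. This is not code from the thread; the external interface name (em0), the admin network (192.0.2.0/24), the admin web port (8443) and the exact list of outbound ports are assumptions to adjust for the real host.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny pf ruleset for a
# single-homed FreeBSD mail server. Assumptions: external interface em0,
# admin workstations on 192.0.2.0/24, web admin tool listening on 8443,
# outbound needs limited to SMTP, DNS, NTP and HTTP/HTTPS for package fetches.

# Emit the ruleset so it can be reviewed, written to /etc/pf.conf,
# or piped into `pfctl -nf -` for a syntax check without loading it.
mailserver_ruleset() {
cat <<'EOF'
ext_if = "em0"
admin_net = "192.0.2.0/24"

set skip on lo0
set block-policy drop
scrub in on $ext_if all

# Default deny in both directions. Logging the drops means an outbound
# connection attempt by a compromised daemon shows up in pflog.
block log all

# Inbound: only the mail services this host actually offers.
pass in on $ext_if proto tcp to ($ext_if) port { 25, 587, 993, 995 }

# SSH and the web admin tool only from the admin network, never from the
# world; moving the admin tool off port 80 alone would not achieve this.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port { 22, 8443 }

# Outbound: only what a mail server legitimately needs. Replies to the
# connections accepted above are handled by the states pf keeps.
pass out on $ext_if proto tcp to any port 25            # relaying mail
pass out on $ext_if proto { tcp, udp } to any port 53   # DNS
pass out on $ext_if proto udp to any port 123           # NTP
pass out on $ext_if proto tcp to any port { 80, 443 }   # pkg/portsnap/freebsd-update
EOF
}

# Syntax-check the ruleset with pfctl when it is available (FreeBSD);
# on any other box just print it for review.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        mailserver_ruleset | pfctl -nf -
    else
        mailserver_ruleset
    fi
}

case "${1:-}" in
    show)  mailserver_ruleset ;;
    check) check_ruleset ;;
esac
```

Run `sh pfrules.sh check` to validate, then `sh pfrules.sh show > /etc/pf.conf && pfctl -f /etc/pf.conf` to load. The value of the outbound block is mostly as a tripwire: a daemon that suddenly wants port 6667 or a random high port gets dropped and logged. Since the host's own pf.conf and pflog are no more trustworthy than the host (Kevin's point above), ship pflog off-box or mirror the switch port if the log is meant to be evidence.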


Re: Bot? / pf question

2011-01-05 Thread Ryan Coleman
Yes and no. You want to leave ftp open, too, just in case for port 
upgrading/downloading, plus you would want to do monitoring across the wire 
(Nagios or something, maybe?). You could, though, do a dual-NIC setup and have 
one be a private network LAN for the servers if you aren't already considering 
it.



On Jan 5, 2011, at 1:48 PM, Mark Moellering wrote:

 Since I am going to be setting up a mail server sometime next week and have
 to keep things like this in mind:
 would it make sense to run pf and block all outbound traffic that isn't on
 port 25 (port 995, etc.) and force any web administration programs onto a
 port other than 80 to help with this sort of thing? Any other thoughts on
 how to make sure future installations can be kept secure?
 
 As always, thanks in advance to everyone,
 
 Mark Moellering



Re: Bot? / pf question

2011-01-05 Thread Adam Vande More
On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering m...@msen.com wrote:

 Since I am going to be setting up a mail server sometime next week and have
 to keep things like this in mind:
 would it make sense to run pf and block all outbound traffic that isn't on
 port 25 (port 995, etc.) and force any web administration programs onto a
 port other than 80 to help with this sort of thing? Any other thoughts on
 how to make sure future installations can be kept secure?

 As always, thanks in advance to everyone,


That's a great example of when jails should be used. I put each service into
its own jail, e.g. MTA, FTP, www. Actually I use something like pound, then
put each different website in its own jail. Make sure each database-backed
service has separate logins/passwords. Then if something like phplist, or an
MTA, is compromised the host OS and utilities can still be trusted, in theory
at least.

Also, a managed port can help you deal with issues by tracking stat
metrics/port mirroring/etc.

You can use something like ezjail to make administration tasks easier, and if you
isolate the jail filesystems (UFS/ZFS), make use of the snapshotting utilities.
There are a couple of utilities in ports to help automate snapshots too.



-- 
Adam Vande More