Re: forwarding as a gateway, logging certain traffic

2006-09-13 Thread Norberto Meijome
On Tue, 12 Sep 2006 15:51:08 -0400
Bart Silverstrim [EMAIL PROTECTED] wrote:

> Something inside our network is infected with a spam-mailing trojan.
> We now have our PIX firewall set to block all outgoing traffic to
> port 25 unless it is from our mail server.

you should also accept only authenticated smtp connections from your LAN (or
Exchange only, if you can), and limit the number of recipients per email.
Pretty sure you can limit the rate at which Exchange will send emails out
(virtual smtp server). Then just check the Exchange queues ... see them
grow...and wonder why we (I'm in the same boat ;) ) went with Exchange in
the first place :D

HIH

_
{Beto|Norberto|Numard} Meijome

I don't think they could put him in a mental hospital.  On the other
hand, if he were already in, I don't think they'd let him out.

I speak for myself, not my employer. Contents may be hot. Slippery when wet.
Reading disclaimers makes you go blind. Writing them is worse. You have been
Warned.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bill Moran
In response to Bart Silverstrim [EMAIL PROTECTED]:

> This will probably be kind of wordy, but I could use some advice on
> how to track it.
>
> I have a freebsd system acting as a gateway (it's using IP
> forwarding) so it can act as a web proxy server and filter for the
> users.  It is also filtering incoming email to act as a mail filter
> between the Internet and our internal Exchange server.
>
> The firewall rules used for forwarding information to Squid are
> rather simple.  ipfw -list gives:
> ***
> 00049 allow tcp from 10.46.255.253 to any
> 00050 fwd 10.46.255.253,3128 tcp from any to any 80
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> The DHCP server then hands out the IP of the FreeBSD server as the
> gateway address.
>
> Something inside our network is infected with a spam-mailing trojan.
> We now have our PIX firewall set to block all outgoing traffic to
> port 25 unless it is from our mail server.  After setting up a syslog
> monitor and checking the logs to see if the culprit would appear,
> what should appear but...the FreeBSD server.
>
> Then I smack my forehead; of course it would show up.  It's supposed
> to be the gateway.  The trojan computer hits the BSD system and from
> there hits the PIX...the PIX will be useless to find the culprit.
>
> Is there some way to get the FreeBSD system to log machines using
> port 25 without interfering with the FreeBSD machine's filtering of
> email function?  Or at least make the traffic visible to sniffing
> with tcpdump or wireshark or ethereal?

Off the top of my head ...
ipfw add 25 count log tcp from any to any 25
should work.  There are certain kernel configs you have to have in
place for logging to work, though.

-- 
Bill Moran
Collaborative Fusion Inc.


IMPORTANT: This message contains confidential information and is
intended only for the individual named. If the reader of this
message is not an intended recipient (or the individual
responsible for the delivery of this message to an intended
recipient), please be advised that any re-use, dissemination,
distribution or copying of this message is prohibited. Please
notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or
error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. The
sender therefore does not accept liability for any errors or
omissions in the contents of this message, which arise as a
result of e-mail transmission.



Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Chuck Swiger

On Sep 12, 2006, at 1:08 PM, Bill Moran wrote:

>> Is there some way to get the FreeBSD system to log machines using
>> port 25 without interfering with the FreeBSD machine's filtering of
>> email function?  Or at least make the traffic visible to sniffing
>> with tcpdump or wireshark or ethereal?
>
> Off the top of my head ...
> ipfw add 25 count log tcp from any to any 25
> should work.  There are certain kernel configs you have to have in
> place for logging to work, though.


Better to use something like:

ipfw add 1 count log tcp from any to me 25 setup

If Bart would like to use tcpdump for the same purpose, consider
running something like:

tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'

--
-Chuck
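Either of the two commands above produces one line per SMTP connection attempt; what Bart actually needs is the tally of which internal address is opening them. The POSIX shell script below is an added example for this thread, not code from any of the posters. It reads ipfw syslog lines or `tcpdump -n` output from standard input and prints, per source address, how many connections to port 25 that host opened, skipping the legitimate relay address passed as the first argument. The log line layouts it assumes and the sample lines it ships with are constructed here; compare them with your own /var/log/security and tcpdump output before trusting the parser on real data.

```shell
#!/bin/sh
# smtp_origins.sh -- added example, not from the thread: tally which hosts
# opened SMTP connections, from either ipfw syslog lines or tcpdump output.
#
# Usage:  smtp_origins [exempt-ip] < logfile
#         sh smtp_origins.sh --demo      # runs on the constructed samples below
#
# Assumed line layouts (constructed, verify against your own logs):
#   ipfw:    ... ipfw: <rule> <Action> TCP <src>:<sport> <dst>:<dport> <in|out> via <if>
#   tcpdump: [time] IP <src>.<sport> > <dst>.<dport>: S ...   or   ... Flags [S], ...

smtp_origins() {
    exempt="${1:-}"
    awk -v exempt="$exempt" '
    # ipfw syslog line: the two fields after the literal TCP token are src:port dst:port
    /ipfw: [0-9]+ [A-Za-z]+ TCP / {
        for (i = 1; i <= NF; i++) if ($i == "TCP") break
        split($(i + 1), s, ":")
        split($(i + 2), d, ":")
        if (d[2] == "25") count[s[1]]++
        next
    }
    # tcpdump line: src and dst sit on either side of ">" with the port as the
    # last dotted component; count only SYNs, i.e. connection opens, not replies
    (/^IP / || / IP /) && (/: S / || /Flags \[S/) {
        for (i = 1; i <= NF; i++) if ($i == ">") break
        src = $(i - 1)
        dst = $(i + 1); sub(/:$/, "", dst)
        n = split(src, s, "."); m = split(dst, d, ".")
        if (n == 5 && d[m] == "25")
            count[s[1] "." s[2] "." s[3] "." s[4]]++
        next
    }
    END {
        for (ip in count) if (ip != exempt) print count[ip], ip
    }' | sort -rn
}

# Constructed sample data (not real logs) for the demo run.
SAMPLE_IPFW='Sep 12 16:45:01 gw kernel: ipfw: 7 Deny TCP 10.46.3.17:2049 64.233.160.1:25 in via fxp0
Sep 12 16:45:01 gw kernel: ipfw: 7 Deny TCP 10.46.3.17:2050 72.14.253.1:25 in via fxp0
Sep 12 16:45:02 gw kernel: ipfw: 5 Accept TCP 10.46.1.5:1122 10.46.255.253:25 in via fxp0
Sep 12 16:45:04 gw kernel: ipfw: 6 Accept TCP 10.46.255.253:3344 64.233.160.1:25 out via fxp0'
SAMPLE_TCPDUMP='IP 10.46.3.17.2052 > 64.233.160.1.25: S 1000:1000(0) win 65535 <mss 1460>
IP 10.46.3.17.2053 > 72.14.253.1.25: Flags [S], seq 2000, win 65535, length 0
IP 64.233.160.1.25 > 10.46.3.17.2052: S 5000:5000(0) ack 1001 win 8192'

if [ "${1:-}" = "--demo" ]; then
    echo "== from ipfw log (relay 10.46.255.253 exempted) =="
    printf '%s\n' "$SAMPLE_IPFW" | smtp_origins 10.46.255.253    # 2 10.46.3.17 / 1 10.46.1.5
    echo "== from tcpdump =="
    printf '%s\n' "$SAMPLE_TCPDUMP" | smtp_origins                 # 2 10.46.3.17
fi
```

On the live box the ipfw path is `grep 'ipfw:' /var/log/security | smtp_origins 10.46.255.253` after sourcing the script, and the tcpdump path is Chuck's filter piped straight in with `-l` so output is line-buffered. The SYN-only restriction matters in both branches: counting every packet would inflate the legitimate relay's own sessions, while counting only opens gives one entry per delivery attempt, which is the number a spam trojan makes stand out.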



Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bill Moran
In response to Chuck Swiger [EMAIL PROTECTED]:

> On Sep 12, 2006, at 1:08 PM, Bill Moran wrote:
>>> Is there some way to get the FreeBSD system to log machines using
>>> port 25 without interfering with the FreeBSD machine's filtering of
>>> email function?  Or at least make the traffic visible to sniffing
>>> with tcpdump or wireshark or ethereal?
>>
>> Off the top of my head ...
>> ipfw add 25 count log tcp from any to any 25
>> should work.  There are certain kernel configs you have to have in
>> place for logging to work, though.
>
> Better to use something like:
>
>   ipfw add 1 count log tcp from any to me 25 setup

Yeah, that would be more concise.

As a more permanent solution, why not set up ipfw on the FreeBSD
machine to refuse to allow this to happen ever?

ipfw add 5 allow tcp from any to me 25 setup
ipfw add 6 allow tcp from me to any 25 setup
ipfw add 7 drop tcp from any to any 25 setup

I don't remember the rest of the ruleset, but if you have an established
rule, this should force all SMTP to use this machine as a relay, although
you may need to tweak the rules to get them working right around NAT.

-- 
Bill Moran
Collaborative Fusion Inc.
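Bill's three rules make the gateway the only permitted SMTP path. The script below is an added example for this thread, not code from any poster: it installs exactly those rules, with `log` on the deny so the ipfw log names the host that tried to bypass the relay, and sets the sysctl that makes ipfw logging take effect whether ipfw is compiled in or loaded as a module. Rule numbers 5 to 7 and the relay being the gateway itself (`me`) come from Bill's post; the dry-run switch, the sysctl handling and the `delete` for idempotence are my additions. Run without arguments it only prints the commands it would issue.

```shell
#!/bin/sh
# smtp_relay_rules.sh -- added example, not from the thread: force all SMTP
# through this FreeBSD gateway with ipfw and log whatever tries to bypass it.
#
# Usage: sh smtp_relay_rules.sh            # dry run: prints the commands
#        sh smtp_relay_rules.sh --apply    # installs rules and sysctls (as root)
IPFW="${IPFW:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# ipfw only emits log lines when net.inet.ip.fw.verbose is 1; the kernel
# option IPFIREWALL_VERBOSE merely sets that default, so the sysctl is the
# reliable knob for a kldload'ed ipfw module as well.
enable_ipfw_logging() {
    $SYSCTL net.inet.ip.fw.verbose=1
    # per-rule cap on logged packets; 0 means unlimited (same knob as logamount)
    $SYSCTL net.inet.ip.fw.verbose_limit=0
}

# Bill Moran's rules, numbered 5-7 so they sit ahead of the existing 49/50
# proxy rules and the final 65000 allow. Only SYNs (setup) are matched, so
# packets of already-open connections fall through the rest of the set.
smtp_relay_rules() {
    $IPFW -q delete 5 6 7 2>/dev/null                     # idempotent re-run
    $IPFW add 5 allow tcp from any to me 25 setup         # LAN and Internet -> this relay
    $IPFW add 6 allow tcp from me to any 25 setup         # relay -> outside MXs
    $IPFW add 7 deny log tcp from any to any 25 setup     # anything else: block and log
}

case "${1:-}" in
    --apply) ;;                                 # real run against the live firewall
    *) IPFW=echo; SYSCTL=echo                   # default: just show what would be done
       echo "# dry run; re-run with --apply to install" ;;
esac
enable_ipfw_logging
smtp_relay_rules
```

Two things to keep in mind when merging this into Bart's existing set. Do not add a blanket `allow tcp from any to any established` ahead of rule 50: the `fwd` to Squid must see every packet of a port 80 flow, not only the SYN, and an earlier established-rule would pull the non-SYN packets past it. And if outbound NAT is done on this box with natd, the `divert` rule has to come before rule 6, otherwise the relay's own outgoing SMTP is matched with the pre-NAT address.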




Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bart Silverstrim


On Sep 12, 2006, at 4:28 PM, Chuck Swiger wrote:


> On Sep 12, 2006, at 1:08 PM, Bill Moran wrote:
>
>>> Is there some way to get the FreeBSD system to log machines using
>>> port 25 without interfering with the FreeBSD machine's filtering of
>>> email function?  Or at least make the traffic visible to sniffing
>>> with tcpdump or wireshark or ethereal?
>>
>> Off the top of my head ...
>> ipfw add 25 count log tcp from any to any 25
>> should work.  There are certain kernel configs you have to have in
>> place for logging to work, though.
>
> Better to use something like:
>
> ipfw add 1 count log tcp from any to me 25 setup
>
> If Bart would like to use tcpdump for the same purpose, consider
> running something like:
>
> tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'


Maybe my ipfw is old; it kept telling me that log is an invalid  
action.  However, I think I may be able to get the tcpdump idea to work.


Thanks!


Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Chuck Swiger

On Sep 12, 2006, at 1:37 PM, Bart Silverstrim wrote:

>> Better to use something like:
>>
>> ipfw add 1 count log tcp from any to me 25 setup
>>
>> If Bart would like to use tcpdump for the same purpose, consider
>> running something like:
>>
>> tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'
>
> Maybe my ipfw is old; it kept telling me that log is an invalid
> action.  However, I think I may be able to get the tcpdump idea to
> work.


There's a kernel option you need to enable for IPFW to do logging.   
If you're kldload'ing the ipfw module, it probably wasn't compiled  
with IPFW_LOGGING or whatever the exact name is.


Anyway, tcpdump should be your friend.  :-)

--
-Chuck



Re: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Bart Silverstrim


On Sep 12, 2006, at 4:45 PM, Chuck Swiger wrote:


> On Sep 12, 2006, at 1:37 PM, Bart Silverstrim wrote:
>
>>> Better to use something like:
>>>
>>> ipfw add 1 count log tcp from any to me 25 setup
>>>
>>> If Bart would like to use tcpdump for the same purpose, consider
>>> running something like:
>>>
>>> tcpdump -nt 'port 25 and (tcp[tcpflags] & tcp-syn != 0)'
>>
>> Maybe my ipfw is old; it kept telling me that log is an invalid
>> action.  However, I think I may be able to get the tcpdump idea to
>> work.
>
> There's a kernel option you need to enable for IPFW to do logging.
> If you're kldload'ing the ipfw module, it probably wasn't compiled
> with IPFW_LOGGING or whatever the exact name is.


I had set the verbosity (I think that was the parameter) from  
googling around earlier, but that doesn't seem to help.  I'm probably  
missing an option somewhere else.


But you're right...tcpdump will be my friend :-)


RE: forwarding as a gateway, logging certain traffic

2006-09-12 Thread Steve Bertrand

>> There's a kernel option you need to enable for IPFW to do logging.
>> If you're kldload'ing the ipfw module, it probably wasn't compiled
>> with IPFW_LOGGING or whatever the exact name is.
>
> I had set the verbosity (I think that was the parameter) from
> googling around earlier, but that doesn't seem to help.  I'm
> probably missing an option somewhere else.

Rebuild your kernel with the following options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000

Will have it log up to 1000 entries on a rule that specifies the log
option.

Alternatively, you can do something like:

# ipfw add 100 allow log logamount 5 ip from any to any

to override the kernel config log amount.

Steve
