Logs and how to read them

Tom 'Needs A Hat' Mitchell mitch48 at sbcglobal.net
Fri Apr 23 04:39:07 UTC 2004


On Thu, Apr 22, 2004 at 10:40:08AM -0700, Mike Rambour wrote:
....
> >25 outbound, but rather *redirecting* tcp/25 to your mail server. That 
> >way, *any* attempts to connect to an SMTP server will be redirected to 
> >yours. And if one of your Windows users does have a worm, it'll be unable 
> >to talk to the outside but you will see its attempts in your
....
Yes, a good idea.

>   what a great idea... and the shorewall one that you suggested in the 
> next message also...I wanted to learn on my own without GUI's but I have 
> been reading the website shorewall and it seems to just do it so easily, I 
> will try it first thing after lunch today.
> 
>   By the way my ISP says I have not sent SPAM out since Monday and they 
> only received 3 complaints total over the weekend so I think I am ok. 

It is important to get a good report from the ISP.
Complaints need to be supported with full headers so you
can track the issue.

Most of the nasty worms and viruses... look like spam and impersonate
the sender.

It is possible that none of the spam originated from your
organization.  By chance if they cause you to be blacklisted because
of a handful of spoofed messages this can cause your company major
pain.

Watch out for WIFI links....
Use arpwatch.

Have a permissive but responsible connection policy inside of your
company.  i.e. nothing gets connected without checking in first.  No
unregistered iPods, memsticks, laptops, palm, etc.

Then build a virus scan and problem notification policy for each.  If
you know nothing about the device have the requester fill in a rough
security and virus scan and software update policy.

If you know what people are running you can collect appropriate
notifications.

The goal of such a policy is to permit people to get work done in
a responsible way.

In addition to sendmail and http the same is true for instant
messaging.  Recent problems have surfaced with IM services that
can infect systems.

The wireless links on some devices are active even when connected to a
docking station and can connect point to point with a visitor's laptop
sitting in a conference room.  See discussions about APIPA (Automatic
Private IP Address) in this list.

Microsoft just sent out a big old patch update CDROM for the asking.
Make sure that folks update their boxes.

> Concerned because I could not track down how it was done but ok, Thanks for 
> all the help...I am sure I will ask more later.
> 
>  I never knew my old job here was so boring until I "volunteered army 
> style" 3 weeks ago for this one, now I learn something new every hour and 
> go home feeling frustrated and like I accomplished something. 

On a personal soap box, encourage a mix of systems and tools that
are interoperable.  Some simple minded IT groups mandate that all systems
run the same software on all their boxes.  As a person of Irish descent,
monoculture can kill big time. The potato famine was such a disaster
because when the blight hit there was nothing left to eat as the fungus
went from field to field to field.

-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
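An added example, not part of the original message or of any of the tools it mentions, showing the two defensive ideas raised in this thread: redirecting every outbound tcp/25 connection from the LAN to your own mail server (so a wormed Windows box cannot reach outside relays) while logging each attempt, and then reading those kernel log lines to see which internal hosts are making the attempts. The interface name eth0, the mail server address 192.168.1.10, the log prefix and the sample log lines are all placeholders constructed for the example; the script only prints the iptables rules rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original post). Part 1 prints the iptables
# rules that redirect outbound tcp/25 to the local mail server and log each
# attempt. Part 2 reads those kernel log lines and lists internal hosts that
# keep trying to reach tcp/25 somewhere other than the mail server.
# Placeholder assumptions: LAN interface eth0, mail server 192.168.1.10,
# kernel log prefix "SMTP-REDIR: ".

LAN_IF="${LAN_IF:-eth0}"
MAIL_SERVER="${MAIL_SERVER:-192.168.1.10}"
LOG_PREFIX="SMTP-REDIR: "

# Print (do not apply) the rules. The mangle/PREROUTING LOG rule records the
# SYN of every outbound tcp/25 attempt not already aimed at the mail server;
# the nat/PREROUTING DNAT rule then steers that connection to the mail server.
smtp_redirect_rules() {
    printf 'iptables -t mangle -A PREROUTING -i %s ! -d %s -p tcp --syn --dport 25 -j LOG --log-prefix "%s"\n' \
        "$LAN_IF" "$MAIL_SERVER" "$LOG_PREFIX"
    printf 'iptables -t nat -A PREROUTING -i %s ! -d %s -p tcp --dport 25 -j DNAT --to-destination %s:25\n' \
        "$LAN_IF" "$MAIL_SERVER" "$MAIL_SERVER"
}

# Read kernel log lines on stdin and print "host count" for every internal
# source that triggered the LOG rule at least $1 times (default 3).
# Workstations normally talk SMTP only to the mail server, so repeated hits
# are the "attempts you will see in your logs" the thread refers to.
worm_suspects() {
    threshold="${1:-3}"
    grep -F "$LOG_PREFIX" | awk -v t="$threshold" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { split($i, kv, "="); hits[kv[2]]++ }
        }
        END { for (h in hits) if (hits[h] >= t) print h, hits[h] }
    ' | sort
}

# Constructed sample of what the LOG rule writes to the kernel log
# (one unrelated sshd line included to show it is ignored).
SAMPLE_LOG='Apr 22 10:40:08 gw kernel: SMTP-REDIR: IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=203.0.113.5 LEN=48 PROTO=TCP SPT=1034 DPT=25 SYN
Apr 22 10:40:09 gw kernel: SMTP-REDIR: IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=203.0.113.6 LEN=48 PROTO=TCP SPT=1035 DPT=25 SYN
Apr 22 10:40:11 gw kernel: SMTP-REDIR: IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=198.51.100.9 LEN=48 PROTO=TCP SPT=2200 DPT=25 SYN
Apr 22 10:40:12 gw kernel: SMTP-REDIR: IN=eth0 OUT=eth1 SRC=192.168.1.57 DST=203.0.113.7 LEN=48 PROTO=TCP SPT=1036 DPT=25 SYN
Apr 22 10:40:15 gw sshd[412]: Accepted publickey for admin from 192.168.1.2'

# Demo: show the rules, then the hosts with three or more redirected attempts.
smtp_redirect_rules
printf '%s\n' "$SAMPLE_LOG" | worm_suspects 3
```

In practice you would feed `worm_suspects` from the real kernel log (for example `dmesg` or `/var/log/messages`), and a host that shows up with a count well above what a single legitimate mail client produces is the one to pull off the network and scan. Keeping the LOG rule separate from the DNAT rule means the redirect keeps working even if logging is later rate-limited or switched off.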