Date: Wed, 05 Jan 2011 14:48:25 -0500 From: Mark Moellering <mark@msen.com> To: freebsd-questions@freebsd.org Subject: Re: Bot? / pf question Message-ID: <4D24CB09.3030603@msen.com> In-Reply-To: <AANLkTimQy3H5HHGBGqd9JET22GH0ygWOh8DBta310SpY@mail.gmail.com> References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com> <AANLkTi=%2B=FGeQevAnxii6m2XK7i%2B617Mt4EkQfd2Ucv0@mail.gmail.com> <AANLkTinOewwzjMigG_Bn0%2BZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com> <AANLkTimQy3H5HHGBGqd9JET22GH0ygWOh8DBta310SpY@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 05-Jan-11 1:44 PM, Kevin Wilcox wrote: > On 5 January 2011 13:25, David Brodbeck<gull@gull.us> wrote: > >> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox<kevin.wilcox@gmail.com> wrote: >>> To really see what your machine is doing, consider taking a look at >>> the network flows. pfflowd, netflowd, ipaudit and a host of others can >>> get you flow data with mostly minimal overhead. >> Also, keep in mind that depending on how badly the machine has been >> compromised, you may not be able to trust the output of utilities >> running on the machine itself. You may have to resort to capturing >> its network traffic on another machine for analysis. > That's an excellent point. A span port from the upstream switch/router > would be ideal unless you've verified, through mechanisms external to > the machine (known good test media), the tools on that machine are > trustworthy. > > kmw > _______________________________________________ Since I am going to be setting up a mail server sometime next week and have to keep things like this in mind; would it make sense to run pf and block all outbound traffic that isn't on port 25 ( port 995 , etc) and force any web administration programs onto a port other than 80 to help with this sort of thing? Any other thoughts on how to make sure future installations can be kept secure? As always, thanks in advance to everyone, Mark Moellering
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D24CB09.3030603>