From: Mark Moellering <mark@msen.com>
Date: Wed, 05 Jan 2011 14:48:25 -0500
To: freebsd-questions@freebsd.org
Subject: Re: Bot? / pf question
Message-ID: <4D24CB09.3030603@msen.com>
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com>

On 05-Jan-11 1:44 PM, Kevin Wilcox wrote:
> On 5 January 2011 13:25, David Brodbeck wrote:
>
>> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox wrote:
>>> To really see what your machine is doing, consider taking a look at
>>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>>> get you flow data with mostly minimal overhead.
>
>> Also, keep in mind that depending on how badly the machine has been
>> compromised, you may not be able to trust the output of utilities
>> running on the machine itself. You may have to resort to capturing
>> its network traffic on another machine for analysis.
>
> That's an excellent point. A span port from the upstream switch/router
> would be ideal unless you've verified, through mechanisms external to
> the machine (known good test media), the tools on that machine are
> trustworthy.
>
> kmw

Since I am going to be setting up a mail server sometime next week and have to keep things like this in mind, would it make sense to run pf and block all outbound traffic that isn't on port 25 (port 995, etc.) and force any web administration programs onto a port other than 80 to help with this sort of thing? Any other thoughts on how to make sure future installations can be kept secure?

As always, thanks in advance to everyone,

Mark Moellering
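One way to express the egress policy Mark is asking about, as an added pf.conf example written for this thread (not part of the original message or of FreeBSD's own sample rulesets): default-deny in both directions, outbound limited to the mail ports, the admin port moved off 80 and restricted to a management network, and outbound drops logged so a compromised host trying to reach anything else shows up in pflog. The interface name, the 8443 admin port, the 192.0.2.0/24 management subnet and the outbound DNS rule are assumptions; the post lists only the mail ports.

```pf
# Added example pf.conf for a FreeBSD mail server; assumptions marked below.
ext_if = "em0"                     # assumed external interface
mgmt_net = "192.0.2.0/24"          # assumed: where admins connect from
admin_port = "8443"                # assumed: web admin moved off port 80
mail_in = "{ 25, 995 }"            # inbound SMTP and POP3S, as in the post
mail_out = "{ 25 }"                # outbound: SMTP delivery only

set skip on lo0
set block-policy drop

# Default deny both ways. Logging outbound drops is the detection hook:
# anything on the box that tries to phone home lands in pflog0.
block in log on $ext_if
block out log on $ext_if

# Inbound: mail services for everyone, admin interface only from mgmt net.
pass in on $ext_if proto tcp to ($ext_if) port $mail_in
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port $admin_port

# Outbound: SMTP delivery, plus the DNS the MTA needs to resolve MX records
# (assumed; add NTP and your package mirror here the same way if needed).
pass out on $ext_if proto tcp from ($ext_if) to any port $mail_out
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` for blocked outbound connections; as the thread notes, once the host is compromised these logs should be shipped or mirrored off-box rather than trusted in place.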