Recently I've been tasked with network administration (I've been an admin for over a decade but this is not what I was hired to do).
The first thing I did was remove all local and domain administrative privileges from IT and senior Management.
The only person it affected was the IT Director, and once I made the appropriate local file permission changes it was fine.
A few weeks later he found he was missing access to one directory he needed, so I logged onto the admin share c$ and gave him access. He was shocked I had remote access to view his files. This was a great boost as to why I have revoked administrator privileges from numerous people (I think I saw him breathe a sigh of relief).
Anyway, the administrator access removal has not affected the IT Development team one bit. Once they have all the apps they need installed on their local workstation, and server-level access configured for directory/file permissions, they're good to go about their development without a care.
This is where postfix "The Order of Rules" falls into play.
I have header_checks before the smtpd_recipient_restrictions that follow http://www.postfix.org/BACKSCATTER_README.html. My myorigin is set to hostname.mydomain, not mydomain, and this works out perfectly as our postfix and exchange both use hostname.domainname.com.
Thanks though, I did just double check that things were working in this respect, and they are.
I think the kernel developers are getting careless. One of my systems (plain Epox MVP3C mobo, AMD K6-2 500, 196 RAM, 1 3.5 gig Fujitsu hdd, 1 4.3 gig Fujitsu hdd and Matrox G200-8 Meg) has never crashed as much as it has since I started using kernel 2.4.x. Really, just out of the blue with no logs to even show why... drives me insane. Yeah, I suppose I could read up on kernel debugging and get some sort of log... but should I have to?
Anyway, if you compile SCSI emulation in the past two kernels, .13 and .14, with only SCSI cdrom and SCSI generic support -- and don't compile in a SCSI controller (because IDE SCSI emulation doesn't need one) - and yes, this means turning off the one that's set to compile as a module by default - the kernel dies during compile with the following message:
#error "Config.in must define either CONFIG_53C700_IO_MAPPED or CONFIG_53C700_MEM_MAPPED to use this scsi core."
Now, if you go back and recompile your kernel and build that controller in, then you're fine.... but that's just a waste in your runtime kernel. Unless I'm missing something here?
And let's not forget how in .14 you can't have a loopback device. - Yes, I know they fixed that in .15pre1 - But that alone deserves an immediate full stable kernel release (IMHO).
I don't plan on having my servers depend on such a huge addition to the kernel, that's just been thrown into a so called stable tree in the middle of the game.
-- Wondering what comes next. I love linux, but hate that it crashes more than ever.....maybe switch back to 2.2? - That's progress.....
I can't believe Microsoft even has an anti-spam initiative! Here's a test: go sign up for a hotmail account and create a login that is so insane no one would ever guess it, make sure you go through the signup carefully so you're not signing up for any other junk they offer, then don't tell anyone about the account. Wait about 4 hours and go check your email. If I were a betting man, I'd say there will be at least 3 spam messages waiting for you.
--Here's one guy regretting ever getting a hotmail account...too bad it's such a pain to change email addresses.
I'm sure a lot of people are thinking the same thing here.
It's time to start using encryption for everything we can online. I know there is overhead to encryption, but there are hardware solutions to ease that. I realize there are countries that either don't allow encryption or only allow weak encryption, so we need to come up with a "secure as possible" way to communicate with them, e.g. first try to connect with strong crypto, then fall back to weak, then back to none. This would apply most importantly to SMTP (we can encrypt mail retrieval fairly easily right now (sslwrap or stunnel)), but also use the same connect attempts with https (strong, weak, fall back to http or forget about it) for web browsing. FTP even needs to be fixed (like most of us didn't know that). Anyway, I could probably go on about this for a while, so I won't... However, NOW is the time to get our butts in gear and encrypt EVERYTHING we can EVERY WAY we can!
..or other hostnames with AAAA records:
Add -4 to ping_check command, restart nagios and carry on.
Dan
That must be a typo. Surely you meant 6 weeks.
We've been using PureMessage for Unix for about 3 years, but most likely won't be next year when it's time to renew.
We use a dedicated postfix server (that comes with PureMessage). Each message is sent to PureMessage via "content_filter=". After the message has been tagged as spam, it's sent back to postfix with the subject line tagged with "[SPAM:####" (the number of #'s indicates the message's spam level). Then the message is relayed to our Exchange server.
Yesterday afternoon I was working on configuring the postfix system to perform message checks to get rid of backscatter: http://en.wikipedia.org/wiki/Backscatter_(e-mail)
While searching for ways to have postfix do this, I ran across some basic spam fighting tips. Before I implemented the below postfix additions, I myself was receiving on average 5 messages an hour tagged with [SPAM:####]. Not one single spam message has hit my inbox since yesterday, and I've been watching /var/log/maillog to make sure nothing is being rejected that shouldn't be.
# main.cf (continuation lines of a multi-line value must start with whitespace;
# note that list.dsbl.org has since been shut down and should no longer be queried)
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client zen.spamhaus.org,
    permit
So far everything that has been blocked is due to the sending server being listed on those RBL lists. RBL checks can be easily added to other MTAs if you're not using Postfix.
Of course I'll be monitoring the situation closely for a while to make sure nothing is being rejected that shouldn't be, but if this sort of configuration can save you from looking at hundreds of messages a day, it might be worth a look.
Dan
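The post above says the author watches /var/log/maillog to make sure the new restrictions are not rejecting legitimate mail. The following script, added here as an example (not the poster's own code), does that check mechanically: it parses Postfix "NOQUEUE: reject" lines, infers which restriction fired (an RBL, the non-FQDN HELO check, or the unknown-sender-domain check) and lists the client hosts hit by each, so a false positive stands out. The log lines are constructed samples in the format Postfix 2.3 and later emit (the enhanced status code is treated as optional for older releases); the IPs and domains are documentation values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/maillog lines (not real traffic): three rejections
# matching the restrictions above, plus one accepted connection that must be ignored.
SAMPLE_MAILLOG = """\
Jun  3 09:01:12 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<promo@example.net> to=<dan@example.com> proto=ESMTP helo=<mail>
Jun  3 09:02:40 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.7]: 504 5.5.2 <mail>: Helo command rejected: need fully-qualified hostname; from=<x@example.org> to=<dan@example.com> proto=SMTP helo=<mail>
Jun  3 09:03:05 mx1 postfix/smtpd[2214]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.1.8 <bob@nosuchdomain.invalid>: Sender address rejected: Domain not found; from=<bob@nosuchdomain.invalid> to=<dan@example.com> proto=ESMTP helo=<relay.example>
Jun  3 09:04:19 mx1 postfix/smtpd[2219]: 7A1B2C3D4E: client=mail.partner.example[192.0.2.55]
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:(?P<dsn>\d\.\d\.\d) )?(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
RBL_RE = re.compile(r"blocked using (?P<rbl>\S+)")

def parse_rejects(log_text):
    """Return one dict per NOQUEUE reject line; the restriction that fired is inferred from the reason text."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail, connects, queue ids: not rejections
        ev = m.groupdict()
        rbl = RBL_RE.search(ev["reason"])
        if rbl:
            ev["restriction"] = "reject_rbl_client " + rbl.group("rbl")
        elif "need fully-qualified hostname" in ev["reason"]:
            ev["restriction"] = "reject_non_fqdn_hostname"
        elif "Sender address rejected: Domain not found" in ev["reason"]:
            ev["restriction"] = "reject_unknown_sender_domain"
        else:
            ev["restriction"] = "other"
        ev["temporary"] = ev["code"].startswith("4")  # 4xx: sender will retry, 5xx: mail is gone
        events.append(ev)
    return events

def summarize(events):
    """Count rejections per restriction and collect the clients each one hit, to spot false positives."""
    counts = Counter(e["restriction"] for e in events)
    clients = defaultdict(set)
    for e in events:
        clients[e["restriction"]].add(f"{e['client']}[{e['ip']}]")
    return counts, clients

if __name__ == "__main__":
    counts, clients = summarize(parse_rejects(SAMPLE_MAILLOG))
    for restriction, n in counts.most_common():
        print(f"{n:4d}  {restriction}  <- {', '.join(sorted(clients[restriction]))}")
```

Feed it the real log with parse_rejects(open("/var/log/maillog").read()); a known partner domain showing up under an RBL or the non-FQDN check is the signal to add that host to mynetworks or a whitelist.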
I'd say normal, they don't make any noise that cause me concern.
I find security-related books are somewhat hard to come by, at least good ones.
"Hack Proofing Your Network"
"Building Internet Firewalls, 2nd Edition"
"Real World Linux Security"
"RSA Security's Official Guide to Cryptography"
Certification books are great.
Publishers: Sybex, Network Press, Microsoft Press, QUE, McGraw-Hill and Coriolis (there are others I'm sure).
Not only do you learn something (though rarely enough about a specific subject), when you're done reading, you should be ready for an exam or two.
And, I can't forget about O'Reilly books!
A friend has one of these things, and I just saw an infomercial last night on it. I'm getting one because I've felt it do its thing... it's awesome.
http://www.drhonow.com/
One important idea I forgot here.
The SMTP servers would also need to leave the local copy encrypted so only the true owner could open it.
I was actually in the process of backing up my data to do a fresh install (don't ask), when I got the urge to get online and check out slashdot.
Much to my joy this article was here. Perfect, I thought, I'll give it a shot.
I went over the web interface till I was satisfied, then did a run for my system.
dd'd it to the floppy.
Copied my data to another system on the network.
Rebooted and made my fat32 partition (don't ask).
The only thing that I was prompted for was my hostname and domain name.
This is because my system is not a permanent piece of the internet, and the Red Hat installer tried to do a DNS lookup on my non-routable IP address.
The second part that didn't quite go as I expected was after telling the web interface that I wanted to set up automatically, it didn't give me an option to have the system start in runlevel 5.
I hope they can work around these.
Job well done so far though!