Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi folks. A server I manage recently got hacked. Sadly, they converted my machine into a spam broadcaster. I'm in the process of rebuilding that machine, and researching various security strategies to help me defend against such rape in the future, but that's not what I want help with, yet.
What I want to know is if anybody has a suggestion for some kind of monitoring I can run that will inform me when outbound email exceeds some threshold level. This server sends out a few (maybe 10) notifications of various types to a few addresses each day, so I don't want to shut down email or anything that excessive. But I DEFINITELY want to know when it's suddenly sending out 10000 messages per day. And I want to know FAST. (The fact that my hacked box was spamming for almost a week before I got wind of it is more than a little embarrassing.)
I'm still learning the ropes for tools like tiger and tripwire and I'm sure there are other tools I'll discover as I begin to build my "fortress on the prairie." But I'd really like to have some peace of mind that, if/when the new system fails, I won't commit spamicide for a week again before I shut it down.
While I realise you do have a legitimate question, and with all due respect, IMHO you got your priorities reversed. You should deal with resolving your compromise before doing anything else, especially finding the *cause* of your box getting turned into a spam fountain. Spammers by default don't go for root account compromises but go the way of least effort; often this indicates you running stale or deprecated software, or misconfigurations like overly broad permissions or even a crackable ssh. Hardening a box from the ground up takes away much of the chances for abuse, giving you plenty of time to get a grip on the relatively less important measures to take.
I agree that hardening the box is the first concern. As I said in my original posting, I am working on that and feel reasonably confident that I can find what I need to make some major improvements.
BUT
I am also not naive enough to think that I will do a perfect job of this, nor that any job, however perfect at one time, will remain perfectly secure.
Consequently, I want a system in place that might give me a hint if/when those failures re-occur.
As I said above, I'm confident I can build a much more secure system this time. The tips and "how tos" for such stuff are a yard deep and a mile wide on the net. What I am NOT finding is a tool that will monitor my success for me in this particular way. I didn't see the point of asking this community to help me with stuff I can already find solutions for.
So my question still stands. Does anybody have any suggestions for how to monitor the mail output of my machine and send a warning if/when that output exceeds a particular threshold?
0. You can search Freshmeat.net or Sourceforge for a complete system monitoring solution with all bells and whistles and install that.
1. I can generate a script for per-hour and daily stats which can be picked up by a Nagios plugin or Monit, as say HTTPS as CGI, accessed through SNMP, output to syslog to have something else pick it up, or cronjobbed and made to alert all by itself.
2. I can also take output from an intermediary like SMA, the "SendMail Analyser", grep for "Messages/hour" and script an alert for when it exceeds the threshold:
3. You can pick up outgoing SYNs to remote MTAs with iptables, choke it with temporary rules and alert.
And then I prolly forgot some. Oh well.
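The per-hour counting script from points 1 and 2 above, written out as an added example; this is not code from the thread or from any poster. It assumes a Postfix-style mail log with syslog timestamps ("Mar  3 10:01:12 ... postfix/smtp[...]: ... status=sent"); sendmail logs differ ("stat=Sent"), so the awk pattern would need adjusting there. The log lines, hostnames and addresses are constructed, and the check reports in Nagios plugin convention (exit 0 = OK, exit 2 = CRITICAL) so the same function can be run from cron, wrapped as a Nagios or Monit check, or have its output sent to syslog.

```shell
#!/bin/sh
# Added example, not from the thread. Counts deliveries to remote MTAs in one hour of
# a Postfix-style mail log and reports in Nagios plugin convention (0 = OK, 2 = CRITICAL).
# Assumption: syslog timestamps and "postfix/smtp[...] ... status=sent" lines.

# Constructed sample log (not captured from a real host): three remote deliveries in
# hour 10, one bounce, one local delivery, and one remote delivery in hour 11.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 mail postfix/smtp[2101]: 4F1A2B: to=<alice@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.4, status=sent (250 2.0.0 OK)
Mar  3 10:02:40 mail postfix/smtp[2101]: 4F1A2C: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.6, status=sent (250 2.0.0 OK)
Mar  3 10:03:05 mail postfix/smtp[2102]: 4F1A2D: to=<carol@example.net>, relay=mx.example.net[203.0.113.7]:25, delay=0.3, status=sent (250 2.0.0 OK)
Mar  3 10:04:30 mail postfix/smtp[2102]: 4F1A2E: to=<dave@example.net>, relay=mx.example.net[203.0.113.7]:25, delay=0.3, status=bounced (550 5.1.1 no such user)
Mar  3 10:05:00 mail postfix/local[2103]: 4F1A2F: to=<root@mail>, relay=local, delay=0.1, status=sent (delivered to mailbox)
Mar  3 11:10:22 mail postfix/smtp[2105]: 4F1A30: to=<erin@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.5, status=sent (250 2.0.0 OK)
EOF

# count_remote_sent LOG HOUR_PREFIX
# Prints the number of messages handed to a remote MTA whose timestamp begins with
# HOUR_PREFIX (e.g. "Mar  3 10"). Local deliveries and bounces are not counted.
count_remote_sent() {
    awk -v h="$2" '
        index($0, h ":") == 1 && /postfix\/smtp\[/ && /status=sent/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# current_hour_prefix
# Prints the prefix for the hour now in progress in syslog form; %e pads the day with
# a space, which matches "Mar  3" in the log.
current_hour_prefix() {
    date +'%b %e %H'
}

# check_outbound LOG HOUR_PREFIX THRESHOLD
# Exit 0 with "OK" when at or under the threshold, exit 2 with "CRITICAL" when over it.
check_outbound() {
    n="$(count_remote_sent "$1" "$2")"
    if [ "$n" -gt "$3" ]; then
        echo "CRITICAL - $n outbound messages in hour '$2' (threshold $3)"
        return 2
    fi
    echo "OK - $n outbound messages in hour '$2' (threshold $3)"
    return 0
}

# Stand-alone run against the constructed data. A box that normally sends about ten
# notifications a day should never pass 20 messages in an hour, so 20 is the constructed
# threshold; the second call uses 2 to show the CRITICAL path. A cron job would pass
# "$(current_hour_prefix)" and the real log path (e.g. /var/log/mail.log) instead.
check_outbound "$SAMPLE_LOG" "Mar  3 10" 20 || true
check_outbound "$SAMPLE_LOG" "Mar  3 10" 2 || true
```

Run from cron every few minutes with the real log, the non-zero exit is what you hook an alert to (mail to a pager address, or let Nagios/Monit read the status line). Matching only `postfix/smtp[` lines keeps local deliveries and bounces out of the count, so the threshold measures what actually left the box for remote MTAs.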
Dear Sir,
I am facing the same kind of problem: my firewall IP is blacklisted each day. I don't know the cause; outgoing emails are spreading spam. I searched a lot but have not yet got a perfect solution to this problem.