Bot? / pf question
Mark Moellering
mark at msen.com
Wed Jan 5 19:48:21 UTC 2011
On 05-Jan-11 1:44 PM, Kevin Wilcox wrote:
> On 5 January 2011 13:25, David Brodbeck<gull at gull.us> wrote:
>
>> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox<kevin.wilcox at gmail.com> wrote:
>>> To really see what your machine is doing, consider taking a look at
>>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>>> get you flow data with mostly minimal overhead.
>> Also, keep in mind that depending on how badly the machine has been
>> compromised, you may not be able to trust the output of utilities
>> running on the machine itself. You may have to resort to capturing
>> its network traffic on another machine for analysis.
> That's an excellent point. A span port from the upstream switch/router
> would be ideal unless you've verified, through mechanisms external to
> the machine (known good test media), the tools on that machine are
> trustworthy.
>
> kmw
> _______________________________________________
Since I am going to be setting up a mail server sometime next week and
have to keep things like this in mind;
would it make sense to run pf and block all outbound traffic that isn't
on port 25 ( port 995 , etc) and force any web administration programs
onto a port other than 80 to help with this sort of thing? Any other
thoughts on how to make sure future installations can be kept secure?
As always, thanks in advance to everyone,
Mark Moellering
More information about the freebsd-questions
mailing list