LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-16-2012, 12:26 AM   #16
ctamayoa
LQ Newbie
Registered: Nov 2012
Posts: 9
Original Poster
Quote:
Originally Posted by Noway2
This is what happens when you try to run postgreyreport with sudo. You need to run it from a root prompt. I tried this yesterday on an Ubuntu host and got this exact same result, line number 184 and everything, which is what prompted me to make the post about using sudo -i to get the root shell.
Thank you for your advice, I will try the command.
 
Old 11-18-2012, 10:14 AM   #17
unSpawn
Moderator
Registered: May 2001
Posts: 26,984
Blog Entries: 54
Quote:
Originally Posted by ctamayoa
Finally I could run your command as the root user and this time no errors are displayed
If you read the log it did throw errors again running postgreyreport. If you want to try it again try:
Code:
\ls -tr1 /var/log/maillog.*.gz | xargs -iX zcat 'X' >> /tmp/maillog
cat /var/log/maillog >> /tmp/maillog
postgreyreport --nosingle_line --check_sender=mx,a --separate_by_subnet="=net=\n" /tmp/maillog 2>&1 > /tmp/postgreyreport.log

Quote:
Originally Posted by ctamayoa
Here I uploaded the new version of the output1.log
Thanks for the log. Apart from checking the services that seem to be listening on all interfaces against what your firewall allows (or rather: should not allow), you also might want to run pflogsumm on the file created above:
Code:
pflogsumm.pl --verbose_msg_detail --iso_date_time --zero_fill /tmp/maillog > /tmp/pflogsumm.log
to ensure all spam was actually rejected. Other than that I cannot detect anything untoward from the log you sent so I suggest you focus on the measures required to assess the state of your 20 LAN machines running Windows.
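An added example, not code from this thread nor from postgreyreport or pflogsumm, showing the kind of per-subnet summary those two tools produce, run over constructed Postfix smtpd log lines standing in for the real /tmp/maillog. It groups reject lines by client /24 (like postgreyreport's --separate_by_subnet), separates Postgrey's temporary 450 "Greylisted" deferrals from permanent 5xx rejects, counts accepted messages per subnet, and lists subnets that were hard-rejected yet still had a message accepted, which is the manual follow-up behind "ensure all spam was actually rejected". Host names, addresses and queue IDs in the sample are constructed; the line format is Postfix's standard syslog output.

```python
"""Summarise Postfix smtpd reject/accept lines by client /24 subnet.

Added example; not the thread's code and not postgreyreport or pflogsumm.
Sample log lines below are constructed (documentation address ranges).
Usage: python maillog_summary.py /tmp/maillog   (no argument: built-in sample)
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input in Postfix syslog format.
SAMPLE_LOG = """\
Nov 18 10:01:02 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.2.0 <user@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<bulk@example.net> to=<user@example.com> proto=ESMTP helo=<mx.example.net>
Nov 18 10:05:40 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<bulk@example.net> to=<user@example.com> proto=ESMTP helo=<mx.example.net>
Nov 18 10:06:00 mail postfix/smtpd[1250]: connect from mail.example.org[198.51.100.20]
Nov 18 10:06:01 mail postfix/smtpd[1250]: 1A2B3C4D5E: client=mail.example.org[198.51.100.20]
Nov 18 10:07:30 mail postfix/smtpd[1260]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.2.0 <user@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<bulk@example.net> to=<user@example.com> proto=ESMTP helo=<mx.example.net>
Nov 18 10:12:15 mail postfix/smtpd[1270]: 6F7E8D9C0B: client=unknown[203.0.113.5]
Nov 18 10:13:00 mail postfix/smtpd[1280]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.org> to=<nobody@example.com> proto=ESMTP helo=<x.example.org>
"""

# "NOQUEUE: reject: RCPT from host[ip]: CODE D.S.N reason; from=<..> to=<..>"
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) (?P<reason>.*?); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)
# "QUEUEID: client=host[ip]" is logged once a message has been accepted for queuing.
ACCEPT_RE = re.compile(r" (?P<queue>[0-9A-F]{6,}): client=(?P<host>\S+)\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]")


def subnet_of(ip):
    """Group IPv4 clients by /24 and IPv6 clients by /64."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarise(log_text):
    """Return {subnet: {"greylisted": n, "rejected": n, "accepted": n, "clients": set(ips)}}."""
    stats = defaultdict(lambda: {"greylisted": 0, "rejected": 0, "accepted": 0, "clients": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            entry = stats[subnet_of(m["ip"])]
            entry["clients"].add(m["ip"])
            # Postgrey answers 450 with "Greylisted" (temporary); any 5xx is a permanent reject.
            if m["code"].startswith("4") and "Greylisted" in m["reason"]:
                entry["greylisted"] += 1
            elif m["code"].startswith("5"):
                entry["rejected"] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            entry = stats[subnet_of(m["ip"])]
            entry["clients"].add(m["ip"])
            entry["accepted"] += 1
    return dict(stats)


def suspicious_subnets(stats):
    """Subnets with at least one permanent reject that still got a message accepted.

    A blocklisted neighbour does not prove the accepted message was spam, but these
    are the entries to read by hand when checking that all spam was actually rejected.
    """
    return sorted(s for s, e in stats.items() if e["rejected"] and e["accepted"])


def format_report(stats):
    """One line per subnet, in the spirit of postgreyreport's "=net=" separators."""
    return "\n".join(
        f"=net= {s}  greylisted={e['greylisted']} rejected={e['rejected']} "
        f"accepted={e['accepted']} clients={len(e['clients'])}"
        for s, e in sorted(stats.items())
    )


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarise(text)
    print(format_report(result))
    print("hard-rejected subnets that also had a message accepted:", suspicious_subnets(result))
```

Run it against the concatenated /tmp/maillog built by the commands above to get the same grouping as the postgreyreport output, but with the accepted-message count beside the reject counts; the subnets that `suspicious_subnets` lists are the ones to cross-check in the pflogsumm per-message detail.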
 
Old 11-20-2012, 01:59 AM   #18
ctamayoa
LQ Newbie
Registered: Nov 2012
Posts: 9
Original Poster
Quote:
Originally Posted by unSpawn
If you read the log it did throw errors again running postgreyreport. If you want to try it again try:
Code:
\ls -tr1 /var/log/maillog.*.gz | xargs -iX zcat 'X' >> /tmp/maillog
cat /var/log/maillog >> /tmp/maillog
postgreyreport --nosingle_line --check_sender=mx,a --separate_by_subnet="=net=\n" /tmp/maillog 2>&1 > /tmp/postgreyreport.log

Thanks for the log. Apart from checking the services that seem to be listening on all interfaces against what your firewall allows (or rather: should not allow), you also might want to run pflogsumm on the file created above:
Code:
pflogsumm.pl --verbose_msg_detail --iso_date_time --zero_fill /tmp/maillog > /tmp/pflogsumm.log
to ensure all spam was actually rejected. Other than that I cannot detect anything untoward from the log you sent so I suggest you focus on the measures required to assess the state of your 20 LAN machines running Windows.
Thanks for your help.
I don't know what I'm doing wrong.
I finally logged in as root, and I also tried using sudo -i, but it still shows the same message "Permission denied".
Look.
Code:
root@mail:~# postgreyreport −−nosingle_line −−check_sender=mx,a −−separate_by_subnet="=net=\n" /tmp/mail.log 2>&1 > /tmp/postgreyreport.log
Can't open −−nosingle_line: Permission denied at /usr/bin/postgreyreport line 184.
Can't open −−check_sender=mx,a: Permission denied at /usr/bin/postgreyreport line 184.
Can't open −−separate_by_subnet==net=\n: Permission denied at /usr/bin/postgreyreport line 184.
root@mail:~#
Here I uploaded the pflogsumm.log
And here the maillog: http://mailing-ecuador.info/mail.log
Attached Files
File Type: log pflogsumm.log (201.9 KB, 10 views)
 
Old 11-27-2012, 06:55 AM   #19
unSpawn
Moderator
Registered: May 2001
Posts: 26,984
Blog Entries: 54
Quote:
Originally Posted by ctamayoa
I don't know what I'm doing wrong
I don't know either.

BTW CYP update this thread or lend closure by responding to the other 3 tasks outlined in post #13:
Quote:
2. Review your firewall rules so no traffic passes in or out without filtering,
4. Snort IDS seems to be supported in Zentyal so install it. While the current rules only consider Cutwail Command and Control URI's (Pushdo A, B and C because D encrypts traffic) it's better than nothing. Get the rule set from the Snort website, disable rules for services you don't run or that are otherwise outside of the scope (like deleted, Oracle, SCADA, VoIP, etc, etc). The rule set you must keep is botnet-cnc.rules. Then get the rule set from the Emerging Threats web site and disable along the same lines. The rule you must keep is called emerging-current_events.rules,
5. Scan every LAN machine with what you know from the "Scanning your machine for exploits" document.
 
Old 11-27-2012, 08:29 PM   #20
jefro
Guru
Registered: Mar 2008
Posts: 11,076
Looks like good advice by others. I might suggest an alternate idea or two.

One is to use a virtual machine as your layer 7+ firewall for a while. Port all traffic to and from the vm.

Go to internal computers and scan for malware from BartPE or similar live media.
All times are GMT -5.