
Re: Network utility tools



On Tue, Apr 29, 2003 at 12:53:12PM -0700, Paul Ademola Ajayi wrote:
>    please I want to ask of you people what network utility tools can one use
>    to detect any spam message on a network and how to control it by
>    stopping such act?

Are you concerned about people outside your network sending spam inbound, or
people who are on your network sending spam outbound?

Unfortunately it's not possible[*] to reliably detect spam - one man's spam
is another man's mailing list. But there are heuristic programs which do a
fairly good job of deleting spam automatically, if you are prepared to
accept some of your good mail being accidentally deleted as well.
'spamassassin' is an example of this kind of program.

For control of your own users (outbound) it may be possible to examine mail
logs to work out who is sending large volumes of mail.

[*] unless the spammer has remembered to set the Evil Bit on his packets -
see RFC 3514

>    And what network utility tools can I use to know the IP address on my
>    client system - let's say their server with a global IP address, i.e. the
>    IP address I gave them.
> 
>    Let's assume I forget the IP address and I want to get the actual IP
>    address on their server system from my end?

I don't really understand the question. You can use 'nslookup' to make a DNS
query to convert a domain name to an IP address, or vice versa. That assumes
you have set up your DNS properly, and you can remember the hostname.

Can you give a specific example of what you are trying to do?

>    Besides, how do I detect people that are using my service without my
>    knowledge, maybe just because they have my network parameters one way or the
>    other, i.e. sniffers on my network?

That's a very big area. There are lots of things to consider:

1. Probably the biggest problem is that you may be running old versions of
   software on your servers, which are vulnerable to "remote exploits" -
   that is, someone can exploit the bugs to break into your system. Crackers
   use automated tools which scan networks looking for vulnerable systems
   and break into them. Once this has happened, they can do anything:
   launch attacks onto other systems, sniff passwords, or whatever.

Things to do:

- Most importantly, KNOW YOUR NETWORK. That is, monitor all aspects of it:
  the number of mail messages you send and receive per day, the amount of
  bandwidth used by each of your servers (if they are plugged into a switch,
  you can use MRTG and SNMP to monitor the bandwidth going in and out of
  each port), every aspect of performance. If something changes abruptly,
  you know there's a problem which needs to be investigated. Use scripts
  to analyse your log files and filter out 'normal' occurrences, so that
  you are left with the 'abnormal' to check.

- Make sure you keep up-to-date with the latest patches. Join the
  announcements mailing list for your operating system. Keep an eye on
  'bugtraq' or similar services. Reinstall any old or suspect systems
  from scratch.

- Scan your own network using a tool to identify known vulnerabilities.
  Look for 'nessus' on freshmeat.net for a good example of this type of
  tool.

- Disable all unnecessary services on all machines. Each one potentially
  could be a security hole, so why risk it?

- Consider using a tool like 'tripwire' to monitor for changes in system
  files.

2. Users tend to choose bad passwords which are easily guessed. So someone
   may be able to break into an account just by trying lots of passwords.
   And in many cases, passwords can be sniffed, anywhere in the path
   between you and them.

   Try to educate your users to choose strong passwords. And try to
   encourage them to use SSL where possible. For example, if you provide
   a webmail server, you can make it accept https:// as well as http://
   (or even force them to use https).

3. Limit access - especially administrative access and shell accounts.
   Disable shell accounts for everyone except system administrators.
   Disable telnet and ftp - use 'ssh' instead.
   Disable admin logins from IP addresses outside your network: that way,
   even if someone knows or guesses an administrative password, they
   cannot use it from off-network.
   Use ssh DSA/RSA authentication instead of passwords.

   When configured properly, this can give you a big increase in
   security and yet give very little restriction on your day-to-day
   working.

4. For systems which are inherently insecure (e.g. any Windows server) or
   especially sensitive or business critical (e.g. billing systems),
   don't put them on the open Internet. Put them behind a good-quality
   well-configured firewall, or leave them disconnected.

These are just the things which come immediately to mind, I'm sure there
will be many other good suggestions from people on this list...

Regards,

Brian.
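Brian's two log-related suggestions (examine mail logs for who is sending large volumes, and script away the 'normal' so only the 'abnormal' is left to check) can be combined in one small script. The following is an added example, not code from the original post; the log lines, the sender baseline, the factor of 5 and the Postfix-style "from=<...>, nrcpt=N" format it parses are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix-style queue-manager lines (not a real log); each
# "from=<...>, nrcpt=N" entry is one submitted message with N recipients.
SAMPLE_LOG = """\
Apr 29 08:01:02 mx postfix/qmgr[1234]: 1A2B3C: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Apr 29 08:02:10 mx postfix/qmgr[1234]: 1A2B3D: from=<bob@example.net>, size=3100, nrcpt=2 (queue active)
Apr 29 08:02:11 mx postfix/qmgr[1234]: 1A2B3E: from=<bob@example.net>, size=900, nrcpt=250 (queue active)
Apr 29 08:02:12 mx postfix/qmgr[1234]: 1A2B3F: from=<bob@example.net>, size=900, nrcpt=250 (queue active)
Apr 29 08:03:00 mx postfix/qmgr[1234]: 1A2B40: from=<alice@example.net>, size=1500, nrcpt=1 (queue active)
Apr 29 08:04:00 mx postfix/qmgr[1234]: 1A2B41: from=<>, size=700, nrcpt=1 (queue active)
"""

# Constructed "normal" daily recipient counts per sender (e.g. measured from
# last week's logs); senders not listed get the default.
BASELINE = {"alice@example.net": 10, "bob@example.net": 12}
DEFAULT_BASELINE = 5

QMGR_RE = re.compile(r"from=<([^>]*)>.*?nrcpt=(\d+)")

def summarise(log_text):
    """Return {sender: (messages, recipients)} from the qmgr lines."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if not m:
            continue  # not a queue-manager line this script understands
        sender = m.group(1) or "<bounce>"  # empty envelope sender = bounce
        totals[sender][0] += 1
        totals[sender][1] += int(m.group(2))
    return {s: tuple(v) for s, v in totals.items()}

def abnormal_senders(summary, baseline=BASELINE, factor=5):
    """Senders whose recipient total exceeds `factor` times their normal
    daily volume: what is left after the 'normal' has been filtered out."""
    flagged = {}
    for sender, (_msgs, rcpts) in summary.items():
        normal = baseline.get(sender, DEFAULT_BASELINE)
        if rcpts > factor * normal:
            flagged[sender] = rcpts
    return flagged

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for sender, n in sorted(abnormal_senders(summary).items(), key=lambda kv: -kv[1]):
        normal = BASELINE.get(sender, DEFAULT_BASELINE)
        print(f"CHECK {sender}: {n} recipients today (normal ~{normal})")
```

On the constructed sample only bob@example.net is reported (502 recipients against a normal ~12), which is the sort of abrupt change the post says needs investigating, whether it is a compromised account or a legitimate new mailing list.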

-----
This is the afnog mailing list, managed by Majordomo 1.94.5
