Stephen Gran wrote:
> On Wed, Jun 14, 2006 at 02:59:49AM +0800, W B Hacker said:
>
>>Troy Engel wrote:
>>
>>
>>>Marc Perkel wrote:
>
>
> [want to block outgoing email in case he's p0wn3d]
>
>
>>>3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to any
>>>machine other than the smarthost you decided on above. (see
>>>http://oceanpark.com/notes/firewall_example.html)
>>>
>>
>>Not 100% useful. MTAs *listen* (for other mx) on port 25. They
>>ordinarily *send* on random ports well above 1024.
>
>
> netfilter has a uid match module that allows you to write rules like:
>
> iptables -t filter -A OUTPUT -m owner --uid-owner 0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
>
> So, actually, rather useful for this sort of thing. Not precisely how I
> would go about it (I would start by deciding what can make outbound
> traffic and stop all other traffic, but YMMV). If it is a root
> compromise, of course, you're screwed anyway, but a simple push over of
> a php script running as a non-privileged httpd user may not kill you in
> this case.
>
The best approach is to *first* simplify the environment.
Separate boxen and even 1U or 2U space can generally be had for
a lot less than admin labor, so there is no good reason to allow
php to exist on an mx box any more than Apache, MySQL, inetd, or
Microsoft-anything.
Not worth the hassle. Separate box.
>
>>Further, it is generally a safe assumption that any entity
>>clever/patient enough to crack a shell account, can and will,
>>escalate privileges, eventually to 'root'..
>
>
> This is of course true, and good advice. If you are hacked, the least
> of your worries is the spam coming from your machine.
Truly.
Even having both chkrootkit and rkhunter in cron is not 100%
foolproof. You not only have to set monitoring and traps - the
most important part is that you peruse your logs and reports at
least several times a day.
Bill
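The owner-match egress policy Stephen describes, written out as a complete OUTPUT-chain rule set; this is an added example, not from the thread. It assumes the MTA runs as a user named "exim", a smarthost at the documentation address 192.0.2.10 (both constructed), and that IPTABLES can be pointed at "echo" for a dry run. It matches on destination port, so the client's ephemeral source port does not matter.

```shell
#!/bin/sh
# Added example: restrict new outbound SMTP connections to the MTA user
# and the chosen smarthost, using the netfilter owner match.
# Assumptions (not from the thread): MTA user "exim", smarthost 192.0.2.10.
IPTABLES="${IPTABLES:-iptables}"      # set IPTABLES=echo to dry-run
SMARTHOST="${SMARTHOST:-192.0.2.10}"  # constructed documentation address
MTA_USER="${MTA_USER:-exim}"          # assumed MTA uid name
SMTP_PORTS="25,465,587"

# Append the SMTP egress rules to the OUTPUT chain. Order matters:
# the single ACCEPT comes first, then log and reject everything else.
# Replies to already-established connections are expected to be allowed
# by a separate ESTABLISHED,RELATED rule earlier in the chain.
smtp_egress_rules() {
    # Only the MTA user may open a new SMTP connection, and only to the smarthost.
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
        -d "$SMARTHOST" -m owner --uid-owner "$MTA_USER" \
        -m state --state NEW -j ACCEPT
    # Any other process (e.g. a pushed-over PHP script running as the httpd
    # user) trying to open an SMTP connection gets logged, then reset.
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
        -m state --state NEW -j LOG --log-prefix "SMTP-EGRESS-DENY: "
    "$IPTABLES" -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
        -m state --state NEW -j REJECT --reject-with tcp-reset
}
```

The LOG line gives you something to grep for in the kernel log several times a day; a hit from any uid other than the MTA's is worth investigating.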