CPTTM Network Admin newsletter issue #7


In order to keep closer contact with IT network administrators in Macau, we've created a network admin newsletter and I've taken the liberty of adding you to our netadmin-news mailing list. If you'd like to unsubscribe or recommend friends to subscribe at any time, just email me.

--- Simon Tam, Editor in Chief

Topics in this issue:

Survey on Training

In order to have information from professionals, we would like your feedback to help us plan networking training. Would you please reply to this email and make your choice on the following 2 questions? Thank you!
- Do you want to have Solaris Training?
___ Yes
___ No

- What Solaris training you want to attend?
___ Solaris 10 OS System Administrator
___ Solaris 10 OS Network Administrator
___ Others. Please specify: ________________________________________

- Do you want to have Lotus Notes/Domino Training?
___ Yes
___ No

- What Lotus training you want to attend?
___ IBM Lotus Domino 7 System Administration Operating Fundamentals
___ Building the IBM Lotus Domino 7 Infrastructure
___ Fundamentals of IBM Lotus Domino 7 Application Development
___ Others. Please specify: ________________________________________

Spam Proxy Daemon

In the last issue of the Network Admin newsletter, we talked about SpamAssassin.
At first, CPTTM used the SpamAssassin built into MDaemon, but we found it difficult to fine-tune because most of the related modules and documentation are Unix/Linux-based. So we looked for another solution.

Later on, we found a suitable component called "spampd - spam proxy daemon". It is an SMTP proxy service that integrates with SpamAssassin. The advantage is that we can move the spam scoring process out of MDaemon, and then we can fine-tune it easily.

The basic network configuration is as follows:

  ----->SMTP Gateway to Internet---->spampd---->Internal SMTP/POP3 server---->Mail clients
                                        |
                                        |
                                  spamassassin

Both spampd and SpamAssassin run on a Linux server. Since spampd can spawn child processes to handle requests, performance is high.
The implementation has been finished. Now we can fine-tune spampd and SpamAssassin easily.

For example, we have added network tests to SpamAssassin to increase its accuracy. What are they? One of these network tests is DCC (Distributed Checksum Clearinghouse), a free network service that lets users on the Internet report spam signatures to its servers. The DCC servers collect a very large number of spam signatures together with their occurrence counts. Afterwards, users can send a message's signature to the DCC servers to check how often it has been seen. If the occurrence count is high, e.g. 55555, the message is very likely to be spam.

We have fully implemented this spam control mechanism and our users are used to reporting falsely classified mail, if any.

The accuracy of spam filtering has increased, e.g.:
Colleague 1    99%
Colleague 2    99%
Colleague 3    95%

To learn more about spampd, see : http://www.worlddesign.com/Content/rd/mta/spampd/spampd.html
To learn more about dcc, see : http://www.rhyolite.com/anti-spam/dcc/
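To make the two ideas above concrete, here is an added example (written for this newsletter, not code from spampd, SpamAssassin or DCC). It shows what a scoring proxy does to each message before relaying it (parse, score, add X-Spam-* headers) and a simplified stand-in for the DCC idea: clients report a checksum of each message, and a high occurrence count marks the message as bulk. The rule names, weights, the 50-report bulk threshold and the sample messages are constructed for the example; real DCC uses fuzzy checksums and networked servers, and SpamAssassin's rule set is far larger.

```python
"""Added example: message tagging as a scoring proxy does it, plus a
DCC-style occurrence registry. Not spampd, SpamAssassin or DCC code."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

REQUIRED_SCORE = 5.0   # SpamAssassin's default required_score
BULK_THRESHOLD = 50    # constructed: reports needed before we call a message bulk


def body_checksum(body: str) -> str:
    """Checksum of a normalised body (whitespace collapsed, case folded), so
    trivially varied copies of one mailing collide. Real DCC uses fuzzy
    checksums; this exact hash is a simplified stand-in."""
    normalised = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class Clearinghouse:
    """In-memory stand-in for a DCC server: counts reports per checksum."""

    def __init__(self) -> None:
        self.counts: dict[str, int] = {}

    def report(self, body: str) -> int:
        """A client reports one sighting; returns the new count."""
        key = body_checksum(body)
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key]

    def lookup(self, body: str) -> int:
        return self.counts.get(body_checksum(body), 0)


def score_message(msg: EmailMessage, house: Clearinghouse) -> tuple[float, list[str]]:
    """Toy scoring: a few local rules plus the network (bulk) test.
    Returns (total score, names of the rules that fired)."""
    body = msg.get_content() if not msg.is_multipart() else ""
    subject = str(msg.get("Subject", ""))
    hits = []
    if house.lookup(body) >= BULK_THRESHOLD:
        hits.append(("DCC_BULK", 4.0))
    if "act now" in body.lower():
        hits.append(("URGENT_PHRASE", 1.5))
    letters = [c for c in subject if c.isalpha()]
    if len(letters) > 5 and all(c.isupper() for c in letters):
        hits.append(("SUBJ_ALL_CAPS", 1.0))
    if msg.get("Message-ID") is None:
        hits.append(("MISSING_MID", 0.5))
    return sum(w for _, w in hits), [name for name, _ in hits]


def tag_message(raw: bytes, house: Clearinghouse) -> EmailMessage:
    """What the proxy does per message: parse, score, add headers.
    The caller then relays msg.as_bytes() to the internal SMTP server."""
    msg = message_from_bytes(raw, policy=policy.default)
    score, hits = score_message(msg, house)
    flag = "YES" if score >= REQUIRED_SCORE else "NO"
    for h in ("X-Spam-Flag", "X-Spam-Score", "X-Spam-Status"):
        del msg[h]          # never trust tags supplied by the sender
    msg["X-Spam-Flag"] = flag
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Status"] = (f"{'Yes' if flag == 'YES' else 'No'}, score={score:.1f} "
                            f"required={REQUIRED_SCORE:.1f} tests={','.join(hits) or 'none'}")
    return msg


# Constructed sample messages (not real mail).
HAM = (b"From: alice@example.test\r\nTo: bob@example.test\r\n"
       b"Subject: Meeting notes\r\nMessage-ID: <1@example.test>\r\n\r\n"
       b"Hi Bob, notes from today are attached.\r\n")
BULK = (b"From: promo@example.test\r\nTo: bob@example.test\r\n"
        b"Subject: LIMITED OFFER\r\n\r\n"
        b"Act now!   Reply   to claim your prize.\r\n")


def demo() -> dict:
    """Simulate 50 sites reporting one mailing, then tag two messages."""
    house = Clearinghouse()
    reported = "Act now! Reply to claim your prize.\n"   # same mailing, spacing differs
    for _ in range(BULK_THRESHOLD):
        house.report(reported)
    ham = tag_message(HAM, house)
    spam = tag_message(BULK, house)
    return {"ham": str(ham["X-Spam-Flag"]), "spam": str(spam["X-Spam-Flag"]),
            "spam_score": float(spam["X-Spam-Score"])}


if __name__ == "__main__":
    print(demo())
```

The deletion of any pre-existing X-Spam-* headers before tagging is the detail to keep: a proxy that only appends would let a sender pre-set "X-Spam-Flag: NO" and have clients filter on it.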


Protect Your System by FileSystem Integrity Auditing

No matter what system you run in your environment, system administrators are tired of applying patches and bug fixes. Discouragingly, even keeping your system fully up to date does not mean you are free of security problems. There is no totally safe system; intruders are still out there waiting for a hole in yours. When most system administrators think of system security, they think of firewalls, network configuration, service management and user policy. However, a task of great importance to the really security-conscious system administrator is filesystem integrity auditing. Integrity auditing involves keeping track of the state of your system's filesystem and checking it periodically for unauthorized changes. When a suspicious change is detected, it is time to determine whether it was caused by an intruder.

By far the best-known filesystem integrity auditing tool in a Linux or UNIX environment is Tripwire. Tripwire is a commercial tool, but there is an open source version called Open Source Tripwire. Open Source Tripwire can check filesystem integrity periodically and send you a report. The report you receive (by email) shows clearly which files were added, removed or modified since the last check. A partial example report follows.

====================Partial report of tripwire=============================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------

Rule Name                     Severity Level  Added  Removed  Modified
---------                     --------------  -----  -------  --------
Invariant Directories                     66      0        0         0
Tripwire Data Files                      100      0        0         0
Other binaries                            66      0        0         0
Tripwire Binaries                        100      0        0         0
Other libraries                           66      0        0         0
Root file-system executables             100      0        0         0
System boot changes                      100      0        0         0
Root file-system libraries               100      0        0         0
  (/lib)
Critical system boot files               100      0        0         0
* Other configuration files               66      0        0         1
  (/etc)
* Boot Scripts                           100      0        0         2
Security Control                          66      0        0         0
Root config files                        100      0        0         0

Total objects scanned: 8259
Total violations found: 3
=======================End of report===================================

You can tell Tripwire which files should be checked and which should not. For example, many log files are changed by the system frequently, so we do not need to check the integrity of those log files every day.
Now all machines running Linux in CPTTM are protected by Open Source Tripwire. Reports are sent to me every day, and I can monitor all systems easily just by reading the emails.

http://sourceforge.net/projects/tripwire/
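As an added illustration of what an integrity auditor does under the hood (this is example code written for the newsletter, not Tripwire's own code, policy language or database format), the script below builds a baseline of mode, size and SHA-256 for every file under a directory, skips paths matching exclude patterns such as rotated log files, and on a later run reports what was added, removed or modified, much like the report above. The exclude globs, the demo directory tree and the file names in it are constructed for the example.

```python
"""Added example: a minimal filesystem integrity auditor. Not Tripwire code."""
import fnmatch
import hashlib
import json
import os
import stat
import tempfile

# Constructed policy: paths matching these globs are not checked. Log files
# change all the time, so auditing them would only produce noise.
EXCLUDE_GLOBS = ("*.log", "*/log/*", "*.tmp")


def is_excluded(relpath: str) -> bool:
    return any(fnmatch.fnmatch(relpath, g) for g in EXCLUDE_GLOBS)


def fingerprint(path: str) -> dict:
    """Mode, size and content hash of one object (symlinks hash their target)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return {"mode": oct(st.st_mode), "size": st.st_size, "sha256": h.hexdigest()}


def snapshot(root: str) -> dict:
    """Map of relative path -> fingerprint for every non-excluded file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not is_excluded(rel):
                db[rel] = fingerprint(full)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Added / removed / modified sets, like the columns of a Tripwire report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_db(db: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def format_report(diff: dict) -> str:
    lines = [f"Total violations found: {sum(len(v) for v in diff.values())}"]
    for kind in ("added", "removed", "modified"):
        for p in diff[kind]:
            lines.append(f"{kind.capitalize():9} {p}")
    return "\n".join(lines)


def demo() -> dict:
    """Constructed tree: baseline, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var", "log"))
        files = {"etc/passwd": "root:x:0:0\n", "etc/hosts": "127.0.0.1 localhost\n",
                 "var/log/messages": "boot\n"}
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(text)
        baseline = snapshot(root)
        # Simulated changes: an edited config, a new boot script, a deleted
        # file, and log growth that the policy should ignore.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("eve:x:0:0\n")
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "var", "log", "messages"), "a") as f:
            f.write("more\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(format_report(demo()))
```

Two points carry over to any real deployment: keep the baseline database (and the checker itself) somewhere the audited host cannot silently rewrite, such as read-only media or a separate host, since an intruder who can edit the baseline can hide every change; and treat the exclude list as part of the policy, because anything excluded is exactly where changes will go unnoticed.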


Book review - Network Intrusion Detection: An Analyst's Handbook

As the number of corporate, government and educational networks grows, so does the number of attacks on those networks. Stephen Northcutt, one of the most renowned experts on intrusion detection, gives you Network Intrusion Detection: An Analyst's Handbook.

With detailed explanations and illustrative examples from his own career, Northcutt covers intrusion detection completely, from detect evaluation, analysis and situation handling, through the theories involved in understanding hackers, intelligence gathering and coordinated attacks, to an arsenal of preventive and aggressive security measures.

You can borrow this book from our "CPTTM IT Book Shelf" in Cyberlab. Please visit :
http://www2.cpttm.org.mo/cyberlab/mslib/



The CPTTM Network Admin Newsletter can be viewed at:
http://www2.cpttm.org.mo/cyberlab/netadmin-news/