What I say, and what I do may not be in a 1:1 ratio

I usually stress the importance of backups, and reply to those who lose something with ‘should have backed up’.

Since the change from Windows to Ubuntu, my email backup has been pretty lax – as in, it’s not a job for cron. I’ll have to work on this soon.

I find the subject to be somewhat true. I’ll say something, but I may not necessarily do that. Maybe it’s because of that sense that “I can probably fix whatever it is” that promotes it.

I was having problems: randomly, my system would choose to throw a ‘read only filesystem’ error, all the labels on the windows would lock up, and the graphics would randomly offset by somewhere in the order of +/– 150px, making them difficult to use.

I tried to troubleshoot this, and despite the very obvious error message, I ignored that and went off suspecting gdm was the cause.

At some point between then and last week, I found the issue may have been in my face all along – Ubuntu’s startup forced an fsck on me, and this revealed many errors in the file system. So, I piped the output to ‘yes’, and let it do its thing.

After doing this, and switching to GNOME via KDM, I haven’t had the issue. I do suspect the file system errors were the issue, as the system boots with ‘remount-ro’ – which would explain the problem.

Back to the spam problem: I got blocked once, dang virus. Anyway, unblocked, I thought nothing of it until recently, when I came across some more reports – I looked at the date / time, and sure enough, they were recent. I then looked at the router to see where port 25 clients came from and found the server IP there – that was OK, I thought, it runs an SMTP server; then I considered that they were client connections.

Remote desktopped in, and I found IE opened with spam pages – the calling card of a virus. Checked task manager, ended an imposter process, and I’m now running an online virus scan.

There are a few things to consider here, in order of importance:
1. This would never happen if it were a Linux system.
2. The system running a mail server goes a long way to promoting the ignorance of port 25 sessions.

However, being a ‘server’, there shouldn’t be many client connections, so I’ve now changed the monitoring slightly – I get alerts when an SMTP threshold is exceeded. One might consider installing an AV, but that just adds load; the likelihood of a virus is actually zero in normal conditions. Having users susceptible to viruses (gullible is the word) is not a normal situation here.

So, back on goes the firewall, and a bash script is in place to grep the output of expect’s telnet checks and email the domain about any large numbers of SMTP client sessions. I had checked ntop for the availability of this – it doesn’t have it. Cisco’s ‘kron’ doesn’t seem capable of sending the output out to a URL (I was initially going to write a PHP script to count the sessions and create an email).

Netflow is feeding ntop, but I couldn’t identify any quick way to get those sessions, so the ‘least’ intense method of checking is in fact, telnet, expect, and grep.
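The grep-and-threshold idea from the two paragraphs above, as an added example that is not the post’s own script. It assumes a constructed session-table format (“SRC_IP:SRC_PORT DST_IP:DST_PORT PROTO”) standing in for whatever the expect/telnet step pulls off the router, an assumed server address of 192.0.2.10, and an assumed threshold of 5; the sample rows are made up for the demonstration. The security-relevant detail is the direction check: the server legitimately *receives* port 25 connections as an MTA, so only sessions where it is the *source* and the remote port is 25 (the server acting as an SMTP client, the pattern a spam bot produces) are counted.

```shell
#!/bin/sh
# Added example (not the post's own script): count outbound SMTP client
# sessions in a session listing and alert when a threshold is exceeded.
# The line format below is CONSTRUCTED for this example:
#   "SRC_IP:SRC_PORT DST_IP:DST_PORT PROTO"
# A real deployment feeds in the router's session/NAT listing captured via
# expect/telnet and adjusts the awk field handling to match.

SERVER_IP="${SERVER_IP:-192.0.2.10}"   # assumed address of the mail server
THRESHOLD="${THRESHOLD:-5}"            # assumed max tolerated outbound SMTP sessions

# Constructed sample session table: six outbound port-25 sessions from the
# server, one inbound SMTP session to it, one HTTPS session, and one port-25
# session from a different host. Only the first six should be counted.
SAMPLE_SESSIONS='192.0.2.10:51234 203.0.113.5:25 tcp
192.0.2.10:51235 198.51.100.7:25 tcp
192.0.2.10:51236 203.0.113.9:25 tcp
192.0.2.10:51237 198.51.100.22:25 tcp
192.0.2.10:51238 203.0.113.31:25 tcp
192.0.2.10:51239 198.51.100.40:25 tcp
198.51.100.99:40011 192.0.2.10:25 tcp
192.0.2.10:51240 203.0.113.5:443 tcp
192.0.2.44:51241 203.0.113.5:25 tcp'

# count_smtp_clients SERVER_IP  < session-lines
# Counts sessions where SERVER_IP is the SOURCE and the destination port is
# 25, i.e. the server acting as an SMTP client. Inbound mail (server as the
# destination on port 25) is the MTA's normal job and is deliberately ignored.
count_smtp_clients() {
    awk -v srv="$1" '
        NF >= 2 {
            split($1, s, ":"); split($2, d, ":")
            if (s[1] == srv && d[2] == "25") n++
        }
        END { print n + 0 }'
}

# check_threshold COUNT THRESHOLD
# Prints a one-line verdict; returns 1 (alert) when COUNT exceeds THRESHOLD,
# 0 otherwise, so the cron wrapper can decide whether to send the e-mail.
check_threshold() {
    if [ "$1" -gt "$2" ]; then
        echo "ALERT: $1 outbound SMTP sessions from $SERVER_IP exceeds threshold $2"
        return 1
    fi
    echo "OK: $1 outbound SMTP sessions from $SERVER_IP"
    return 0
}

# Stand-alone demonstration over the constructed sample.
count=$(printf '%s\n' "$SAMPLE_SESSIONS" | count_smtp_clients "$SERVER_IP")
if ! check_threshold "$count" "$THRESHOLD"; then
    # Hook for the cron job: pipe the alert line into mail or similar here.
    echo "(alert would be e-mailed here)" >&2
fi
```

Run as a cron job with the real session listing piped into `count_smtp_clients` instead of the sample; a spike in the count with a steady inbound rate is the signature to look for, since a legitimate MTA relaying outbound mail for a handful of users rarely holds more than a few client sessions at once.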

This entry was posted in Linux, Random.