Jim's Depository

this code is not yet written
 
I think a better tool would be one that used a central repository with a copy of each package and called on the observed machine to generate on-the-fly signatures of files with a random seed.

A truly nasty rooter could still thwart that by faking things in either the C runtime library or the appropriate system calls.
Going forward:

I will have to drop dcc. Their licensing is no longer free enough to be distributed by Debian. That will slow more messages, but in practice anything dcc catches is also caught by spamassassin.

I'd like to add an adaptive whitelist out front to prevent false positives and give me a stream of known good messages for training the bogofilter. I haven't found one I like yet, but I keep looking. Maybe I'll have to write it.

An extra note on bogofilter:

Bogofilter is built with a single user in mind. I'm sure it works better when it has a single user's mail to think about and can rely on the human to tag the false positives and negatives.

In a 150 user common filter you can rely on exactly 0 of them to report their miscategorized spam. If you try to force them to comply you will find that 10% of them do it backwards and pollute your statistics so badly you have to erase everything and start again.

That said, it works quite well and is speedy and doesn't rely on external network servers so it makes a good first line of defense.

If you want to collect Apache statistics with Munin, you need to enable extended server status in Apache.
ExtendedStatus On
<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
   Allow from munin-server.mydomain.com
</Location>

If your web server does not bind to localhost (127.0.0.1), you need to define the server status URL in your /etc/munin/plugin-conf.d/munin-node config file.
[apache_*]
env.url "http://servername.mydomain.com/server-status?auto"

If you run sendmail as your mail server, Munin has three plugins for it in the base Debian install. Link all three into your /etc/munin/plugins directory. One, sendmail_mailqueue, works out of the box. The other two depend on sendmail stats files that a base Debian install does not create.

To enable stats logging, you must create the stats files by hand.

# touch /var/lib/sendmail/sendmail.st
# touch /var/lib/sendmail/sm-client.st

Once these files exist and sendmail has write permission on them, sendmail will start logging to them. Gotta love sendmail: "If you create the log file for me, I will write to it."

You can test your mail statistics file creation manually with the mailstats command.

Interesting observation when using a single fail2ban instance on multiple machines: it catches horizontal sweeps much sooner. Today I noticed it catch someone who was making one try at root on each of my machines. The merged auth.log files tripped my 10 hour ban after one attempt on each of three machines.
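Below is an added example of the sweep rule that a merged log makes possible; it is my code, not anything from the post or from fail2ban itself. It parses a constructed merged auth.log (the hostnames alpha, beta and gamma and the documentation-range addresses are made up), counts for each source address how many different machines logged a failed login from it, and flags an address seen on three or more machines, which is the case that per-host counters on a single machine never add up to.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 16        /* monitored machines whose auth.log we merge */
#define MAX_IPS   64        /* distinct source addresses we keep counts for */
#define HOST_LEN  32
#define IP_LEN    16        /* dotted quad plus NUL */

/* Per source address: number of failures and one bit per monitored host it hit. */
struct attacker {
    char ip[IP_LEN];
    unsigned seen_on;
    int attempts;
};

/* Constructed sample of a merged auth.log from three hosts. Addresses are from
 * the documentation ranges; nothing here is real traffic. */
static const char *merged_log[] = {
    "Jan 10 03:12:01 alpha sshd[2131]: Failed password for root from 203.0.113.7 port 51230 ssh2",
    "Jan 10 03:12:05 beta sshd[888]: Failed password for root from 203.0.113.7 port 51231 ssh2",
    "Jan 10 03:12:09 gamma sshd[4021]: Failed password for root from 203.0.113.7 port 51232 ssh2",
    "Jan 10 03:15:44 alpha sshd[2140]: Failed password for jim from 198.51.100.23 port 40010 ssh2",
    "Jan 10 03:15:50 alpha sshd[2141]: Failed password for jim from 198.51.100.23 port 40011 ssh2",
    "Jan 10 03:16:02 alpha sshd[2142]: Accepted publickey for jim from 192.0.2.9 port 33001 ssh2",
};

/* Pulls the reporting host and the source IP out of one syslog-format sshd line.
 * Field widths match the buffer sizes so a hostile line cannot overflow them, and
 * "%n" after " port" is only stored when the whole pattern matched, which also
 * rejects addresses longer than 15 characters instead of silently truncating. */
static int parse_failed_login(const char *line, char *host, char *ip)
{
    const char *from;
    int consumed = -1;
    if (sscanf(line, "%*3s %*d %*8s %31s", host) != 1) return 0;
    if (strstr(line, ": Failed password for ") == NULL) return 0;
    from = strstr(line, " from ");
    if (from == NULL) return 0;
    sscanf(from, " from %15s port%n", ip, &consumed);
    return consumed > 0;
}

/* Maps a hostname to a small index (a bit position in seen_on). */
static int host_index(const char *host, char hosts[][HOST_LEN], int *nhosts)
{
    for (int i = 0; i < *nhosts; i++)
        if (strcmp(hosts[i], host) == 0) return i;
    if (*nhosts >= MAX_HOSTS) return -1;
    strcpy(hosts[*nhosts], host);          /* host is at most HOST_LEN - 1 chars */
    return (*nhosts)++;
}

/* Walks the merged lines and fills tab; returns the number of distinct source IPs. */
int tally_failures(const char *const *lines, int nlines, struct attacker *tab, int tabmax)
{
    char hosts[MAX_HOSTS][HOST_LEN];
    int nhosts = 0, ntab = 0;
    for (int i = 0; i < nlines; i++) {
        char host[HOST_LEN], ip[IP_LEN];
        int h, j;
        if (!parse_failed_login(lines[i], host, ip)) continue;
        h = host_index(host, hosts, &nhosts);
        if (h < 0) continue;
        for (j = 0; j < ntab; j++)
            if (strcmp(tab[j].ip, ip) == 0) break;
        if (j == ntab) {
            if (ntab >= tabmax) continue;
            strcpy(tab[ntab].ip, ip);
            tab[ntab].seen_on = 0;
            tab[ntab].attempts = 0;
            ntab++;
        }
        tab[j].seen_on |= 1u << h;
        tab[j].attempts++;
    }
    return ntab;
}

/* Number of distinct monitored hosts this address has failed on. */
int hosts_hit(const struct attacker *a)
{
    int c = 0;
    for (unsigned m = a->seen_on; m != 0; m >>= 1) c += (int)(m & 1u);
    return c;
}

/* The sweep rule: one attempt on each of min_hosts machines is enough, even
 * though no single machine on its own would reach a per-host retry limit. */
int is_horizontal_sweep(const struct attacker *a, int min_hosts)
{
    return hosts_hit(a) >= min_hosts;
}

/* Runs the rule over the sample; copies the first sweeping IP into out (IP_LEN bytes). */
int find_sweeps(char *out)
{
    struct attacker tab[MAX_IPS];
    int nlines = (int)(sizeof merged_log / sizeof merged_log[0]);
    int n = tally_failures(merged_log, nlines, tab, MAX_IPS), found = 0;
    for (int i = 0; i < n; i++) {
        if (!is_horizontal_sweep(&tab[i], 3)) continue;
        if (found++ == 0) strcpy(out, tab[i].ip);
    }
    return found;
}
```

Calling find_sweeps() on the sample reports one sweeping address, 203.0.113.7, while 198.51.100.23 with two failures on a single host stays below the rule. The same parsing discipline matters for a log watcher as for any daemon: the widths in the sscanf formats are the buffer sizes, and the trailing %n tells a complete match from a partial one, so an oddly formed line is skipped rather than mis-parsed.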
Hi - Your motion detection scheme is very interesting! I wonder if you have had a chance to develop it further?
Thanks
Steve
sgulick (at) wildlandsecurity.org 
More robot chatter:
  • fandango
  • tatuazh
So if a tattooed robot offers to dance the fandango with you, you should know it only wants sex.
I have made contact with the robots. We should all be afraid. Thus far the robots have attempted to add these comments:
  • SEX
  • SEX
  • SEX SEX SEX LOVE
  • zubav1na-ps1h1chesk1e-bolezn1  (except the digits 1 are supposed to be the letter 'i'; I just didn't want to get indexed by it.)
I suppose some filtering software will now block my site because it talks about sex.
Oh look, there is a similar function for scanf(). You can do something like...

#include <stdio.h>   /* glibc extension: %as makes scanf malloc the string for you */

char *adj = 0;
sscanf(somestuff, "Some %as stuff", &adj);   /* somestuff is the input; free(adj) when done */

... but only if you are using GNU libc. I got burned when I used this in a daemon and then moved it to OpenWRT where they use a different libc.
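As an added example (my code, not from the post), here is the same parse written so the daemon keeps working after a move to a libc without the GNU extension. The first form uses a fixed buffer with an explicit field width, which is plain portable C. The second keeps the allocating behaviour through the "m" modifier that POSIX.1-2008 standardized in place of glibc's older "a" (the "a" letter collides with C99's %a hexadecimal float conversion, which is why other libcs read it differently), with a strdup() fallback elsewhere. Both use %n so a caller can tell a full match from a partial one; the inputs in the test are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() on strict-C99 builds */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADJ_MAX 31               /* longest adjective accepted; buffers are ADJ_MAX + 1 */
#define STR2(x) #x
#define STR(x) STR2(x)           /* lets the field width in the format track ADJ_MAX */

/* Portable form: the explicit width makes the otherwise unbounded "%s" safe.
 * out must have room for ADJ_MAX + 1 bytes. Returns 1 only if the whole pattern
 * matched, which "%n" tells us because it is stored only when reached. */
int parse_adjective_fixed(const char *input, char *out)
{
    int consumed = -1;
    sscanf(input, "Some %" STR(ADJ_MAX) "s stuff%n", out, &consumed);
    return consumed > 0;
}

/* Allocating form. On glibc the POSIX "m" modifier behaves like the old "a":
 * the library mallocs the string and the caller frees it. On any other libc we
 * fall back to the fixed buffer plus strdup(), so the result is the same.
 * Returns NULL when the pattern does not fully match. */
char *parse_adjective_alloc(const char *input)
{
    char *adj = NULL;
    int consumed = -1;
#if defined(__GLIBC__)
    sscanf(input, "Some %ms stuff%n", &adj, &consumed);
    if (consumed < 0) {          /* "%ms" may have allocated before " stuff" failed */
        free(adj);
        adj = NULL;
    }
#else
    char buf[ADJ_MAX + 1];
    sscanf(input, "Some %" STR(ADJ_MAX) "s stuff%n", buf, &consumed);
    if (consumed > 0)
        adj = strdup(buf);
#endif
    return adj;
}

int main(void)
{
    char out[ADJ_MAX + 1];
    char *heap = parse_adjective_alloc("Some green stuff");
    printf("fixed: %d %s\n", parse_adjective_fixed("Some blue stuff", out), out);
    printf("alloc: %s\n", heap ? heap : "(no match)");
    free(heap);
    return 0;
}
```

An input such as "Some xxxxxxxx...(40 letters) stuff" returns 0 from parse_adjective_fixed() rather than overflowing out, and "Some green junk" returns NULL from parse_adjective_alloc() rather than a half-matched allocation, which is the behaviour a daemon fed untrusted text needs.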