[sdnog] Network Full with malicious activities

Daniel Shaw danielshaw at protonmail.com
Fri Nov 23 11:17:54 SAST 2018


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, November 23, 2018 8:40 AM, Frank Habicht <geier at geier.ne.tz> wrote:

> On 22/11/2018 16:36, Philip Paeps wrote:
>
> > You should also restrict outbound traffic to port 25 to your
> > designated mail relays. Hosts inside your network should relay mail
> > through those relays or use submission (TCP/587 or (better)
> > TCP/465).
>
> and you should not just block the packets outgoing to port tcp:25
> (except to designated relays), but also log that activity. This will
> help you find the origin: the bad guys (machines) on your network.
>

However, do also have a process in place to allow exceptions. You almost certainly will have that one professor that insists on using their own custom external SMTP server from their laptop for some "very important" emails under a custom address...

The key takeaway in my comment above is that I mean a people/support process, more than a technical one. (Although you should have a good technical process for making and tracking changes in any firewalls too!)

Having some documented way for people to request exceptions (not only SMTP-related ones), that allows for approvals/denials, and a record of the request and its outcome for later reference, is invaluable.

Likewise, a technical way to track config changes and do rollbacks is also a must.

- Daniel
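The combination the thread describes, egress filtering of TCP/25 to designated relays with approved exceptions recorded alongside the rule, plus logging of everything else so the originating hosts can be found, as an added example that is not part of the thread. Relay and exception addresses, the log prefix and the sample kernel log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed values: designated campus relays and one approved, recorded exception.
RELAYS = ["192.0.2.25", "192.0.2.26"]
EXCEPTIONS = {"10.10.5.77": "TICKET-0042 approved 2018-11-23, laptop of prof. X"}
LOG_PREFIX = "SMTP-OUT-BLOCK: "   # hypothetical prefix used by the nftables log rule

def build_nft_rules(relays, exceptions):
    """Return nftables forward-chain rules: permit relays and recorded exceptions,
    then log and reject every other outbound TCP/25 attempt."""
    rules = [f"ip daddr {r} tcp dport 25 accept" for r in relays]
    for host, record in exceptions.items():
        # The approval record lives next to the rule, so the exception is auditable.
        rules.append(f'ip saddr {host} tcp dport 25 accept comment "{record}"')
    rules.append(f'tcp dport 25 log prefix "{LOG_PREFIX}" reject with tcp reset')
    return rules

# netfilter-style log fields: SRC=..., DST=..., PROTO=TCP ... DPT=...
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def find_origins(log_lines, min_hits=1):
    """Count blocked outbound SMTP attempts per internal source host so the
    noisiest (likely compromised) machines can be investigated first."""
    counts = Counter()
    for line in log_lines:
        if LOG_PREFIX.strip() not in line:
            continue                       # not one of our block-log entries
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= min_hits}

# Constructed sample log lines, in the format the kernel log rule above would emit.
SAMPLE_LOG = [
    "Nov 23 11:17:54 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=10.10.3.14 DST=203.0.113.9 LEN=60 TTL=63 DF PROTO=TCP SPT=51234 DPT=25 SYN",
    "Nov 23 11:17:55 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=10.10.3.14 DST=198.51.100.4 LEN=60 TTL=63 DF PROTO=TCP SPT=51235 DPT=25 SYN",
    "Nov 23 11:17:56 gw kernel: SMTP-OUT-BLOCK: IN=eth1 OUT=eth0 SRC=10.10.8.2 DST=203.0.113.77 LEN=60 TTL=63 DF PROTO=TCP SPT=40001 DPT=25 SYN",
    "Nov 23 11:17:57 gw kernel: OTHER-DROP: IN=eth1 OUT=eth0 SRC=10.10.9.9 DST=203.0.113.1 LEN=60 TTL=63 DF PROTO=TCP SPT=40002 DPT=443 SYN",
]

if __name__ == "__main__":
    print("\n".join(build_nft_rules(RELAYS, EXCEPTIONS)))
    print(find_origins(SAMPLE_LOG))
```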