Great Circle Associates Firewalls
(March 1998)
 


Subject: Re: Backing up Firewall email
From: Information Security <guy @ panix . com>
Date: Thu, 12 Mar 1998 17:49:12 -0500 (EST)
To: firewalls @ GreatCircle . com

Some people are getting "Majordomo burping"; I get:

   >   [ Let's see if my post gets delayed again by a couple days
   >     in-between going into majordomo via honor.greatcircle.com
   >     and back out honor.greatcircle.com. I hate when that happens. ]

For my last (above) post, in/out was:

       >   From firewalls-owner @ GreatCircle . COM Thu Mar 12 14:09:13 1998
       >   Received: from relay3.UU.NET (relay3.UU.NET [192.48.96.8])
       >   	by mail2.panix.com (8.8.8/8.8.8/PanixM1.3) with ESMTP id OAA04436
       >   	for <guy @ panix . com>; Thu, 12 Mar 1998 14:09:13 -0500 (EST)
       >   Received: from honor.greatcircle.com by relay3.UU.NET with ESMTP 
       >   	(peer crosschecked as: honor.greatcircle.com [198.102.244.44])
OUT    >   	id QQegkq22734; Thu, 12 Mar 1998 14:06:11 -0500 (EST)
       >   Received: (majordom @ localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-970926-1) id UAA00105; Wed, 11 Mar 1998 20:46:36 -0800 (PST)
       >   Received: from panix2.panix.com (panix2.panix.com [198.7.0.3]) by
       >      honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id UAA29998
IN     >      for <firewalls @ GreatCircle . COM>; Wed, 11 Mar 1998 20:46:26 -0800 (PST)
       >   Subject: Re: Backing up Firewall email
       >   Subject: Re: Backing up Firewall email

In other words, it took 18 hours.

Sigh.

----

   Guy wrote:
   >   One very important thing to back up is the email files
   >   passing through, so they can later be checked for security
   >   incidents.
   >   
   >   I have a free script that will do capture in the TIS fwtk/Gauntlet
   >   smap/smapd environment, short enough to post if anyone's interested.

I've been receiving requests for it, so here it is.

The site 'http://www.NetmailSecurity.com' should be ready by Monday,
if you're interested in the analytics for finding security incidents
in the email capture.

Aside from incoming hacking attempts, if you don't know what's
flowing out of your firewall via SMTP, it's like not having a
firewall at all.

---guy

   Yeah, the product acronym was on purpose. ;-)


#!/bin/sh
 
  ####     ##    #####    #####  #    #  #####   ######
 #    #   #  #   #    #     #    #    #  #    #  #
 #       #    #  #    #     #    #    #  #    #  #####
 #       ######  #####      #    #    #  #####   #
 #    #  #    #  #          #    #    #  #   #   #
  ####   #    #  #          #     ####   #    #  ######
 
# Freeware from Aspen Computer Incorporated, 1998, Rev 0.
#
#    This script captures smap files before smapd delivers them.  Later,
#    feed the captured email to Aspen's Netmail Security Analyst software,
#    to uncover security incidents.
#
# Directions:
#
#    Edit the following four variables to match your system.
#    ( CAPTURE SMAPD_PICKUP SMAP_DEPOSIT OWNER )
#    All three of the directories are ideally on the same partition
#    (then the mv below is a rename, and a captured file can never
#    show up half-copied).
#    Before installation, your netperm-table probably looks like:
#
#        smap, smapd:    directory /mnt3/chroot_smap
#
#    For this script to work, you must give them separate directories.
#
#        smap:    directory /mnt3/chroot_smap
#        smapd:   directory /mnt3/smapd_pickup
#
#    When installing, freeze incoming mail first.
#    Also, rotate the capture directory each day...
#       o freeze mail
#       o mv $CAPTURE `date '+%y%m%d'`
#       o mkdir $CAPTURE
#       o chown $OWNER:$OWNER $CAPTURE
#       o chmod 770 $CAPTURE
#
#    You should use a partition with many free megabytes.
#
#    This job runs as a daemon.
#
#    The SMAPD_PICKUP directory gets populated by symlinks
#    to the capture directory.  When smapd delivers a message it
#    removes the symlink from its own directory; the captured
#    copy in $CAPTURE stays put.
#
#    During installation testing, you can run this script
#    using trace (sh -x capture), and CTL/C it without
#    screwing anything up.
 
CAPTURE=/mnt3/capture
SMAPD_PICKUP=/mnt3/smapd_pickup
SMAP_DEPOSIT=/mnt3/chroot_smap
OWNER=news   # smap, smapd:    userid 6
 
 
 
# Add mail to sysadm here, if you wish.
 
die()
{
    echo "`basename $0`: Fatal Error: $*" >&2
    logger -p daemon.err "Fatal Error: $*"
    exit 1
}
 
 
#   Set the perms on all three directories to match netperm-table's uid:
 
err=`chown "$OWNER:$OWNER" "$SMAP_DEPOSIT" "$SMAPD_PICKUP" "$CAPTURE" 2>&1` \
    ||  die "$err"
chmod 770 "$SMAP_DEPOSIT" "$SMAPD_PICKUP" "$CAPTURE"  ||  die "chmod failed"
 
SLEEP=7   # This is not a burden to the system.
 
cd "$SMAP_DEPOSIT" 2>/dev/null  ||  die "cannot chdir to $SMAP_DEPOSIT"
 
 
#   Main loop.
#
#   Notes...as process IDs wrap around, smap filenames can
#   be duplicated. If this happens, a suffix is tacked on
#   to the copied smap file so a previous one isn't overwritten.
#
#   Steps:
#
#      o $list - get names of all finished smap files
#      o if no files, sleep and loop again
#      o loop for each smap file:
#         o $new_filename - name to copy smap file into.
#           This is usually the same name, unless collisions.
#         o $suffix - prepare it by setting it to one
#         o loop while we've got duplicated smap filenames
#           (in the capture directory, or still waiting for smapd
#           in the pickup directory)
#            o $suffix - bump it to 2, 3, 4, ...
#            o $new_filename - hopefully a unique filename now...checked.
#         o disable CTL/C
#         o move the completed smap file to the capture directory
#           terminate if an error occurs
#         o symlink the captured file into the smapd pickup directory
#           terminate if an error occurs
#         o enable CTL/C
 
while :
do
 
list=`ls sma* 2>/dev/null`
 
[ -z "$list" ]  &&  { sleep $SLEEP; continue; }
 
#   A for loop rather than "echo | while read": a pipeline runs the
#   loop body in a subshell, where die's exit 1 would end only that
#   subshell and the daemon would keep running after a failed mv or ln.
#   smap filenames contain no whitespace, so word splitting is safe.
for filename in $list
do
    new_filename=$filename
    suffix=1
 
    #   A leftover link in the pickup directory (not yet consumed by
    #   smapd, or dangling) would make the ln -s below fail, so it
    #   counts as a collision too.
    while [ -e "$CAPTURE/$new_filename" ] \
       || [ -e "$SMAPD_PICKUP/$new_filename" ] \
       || [ -L "$SMAPD_PICKUP/$new_filename" ]
    do
 
        suffix=`expr $suffix + 1`
        new_filename=$filename.$suffix
 
    done
 
    trap "" 2        # no CTL/C between the mv and the ln
 
    #
    # move from smap delivered to capture directory
    #
    err=`mv "$filename" "$CAPTURE/$new_filename" 2>&1`  \
    ||  die "$err"
 
    #
    #   make it appear in the smapd pickup directory
    #
    err=`ln -s "$CAPTURE/$new_filename" "$SMAPD_PICKUP/$new_filename" 2>&1`  \
    ||  die "$err"
 
    trap - 2         # CTL/C allowed again
 
done
 
done
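The header of the script above lists the daily rotation of the capture directory as a manual procedure (freeze mail, mv $CAPTURE to a dated name, mkdir, chown, chmod). The following is an added example of that procedure as a script, not part of the original post or of Aspen's software. It assumes two hypothetical hooks, FREEZE_CMD and THAW_CMD, that you point at whatever stops and restarts mail acceptance on your own firewall (they default to a no-op), and it adds one check the post does not spell out: because the links in the smapd pickup directory are absolute paths into $CAPTURE, rotating while any sma* link is still waiting for smapd would leave that link dangling, so the rotation refuses to run until the pickup directory is empty.

```shell
#!/bin/sh
# Daily rotation of the smap capture directory.  Added example; not the
# original post's code.  FREEZE_CMD / THAW_CMD are hypothetical hooks
# (assumption): set them to the commands that freeze and thaw incoming
# mail on your firewall.  By default they do nothing.
FREEZE_CMD=${FREEZE_CMD:-:}
THAW_CMD=${THAW_CMD:-:}

# pickup_is_clear DIR
#   Returns 0 when DIR holds no sma* entries, i.e. smapd has delivered
#   everything that was linked into it.  A dangling link (-L but not -e)
#   still counts as present.
pickup_is_clear() {
    for f in "$1"/sma*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        return 1
    done
    return 0
}

# rotate_capture CAPTURE OWNER [GROUP] [DATESTAMP]
#   Moves CAPTURE aside to <parent of CAPTURE>/DATESTAMP and recreates an
#   empty CAPTURE owned by OWNER:GROUP, mode 770 (the chown/chmod from the
#   capture script's header).  Prints the archive path on success.
rotate_capture() {
    capture=$1
    owner=$2
    group=${3:-$2}
    stamp=${4:-$(date '+%y%m%d')}
    archive="$(dirname "$capture")/$stamp"

    [ -d "$capture" ] || { echo "rotate_capture: $capture: not a directory" >&2; return 1; }
    [ -e "$archive" ] && { echo "rotate_capture: $archive exists, refusing to clobber it" >&2; return 1; }

    # Prepare the replacement first, so the moment with no $CAPTURE at all
    # is a single rename rather than mkdir + chown + chmod.
    fresh="$capture.new.$$"
    mkdir "$fresh" || return 1
    chown "$owner:$group" "$fresh" || { rmdir "$fresh"; return 1; }
    chmod 770 "$fresh" || { rmdir "$fresh"; return 1; }

    mv "$capture" "$archive" || { rmdir "$fresh"; return 1; }
    mv "$fresh" "$capture" || return 1
    echo "$archive"
}

# daily_rotate CAPTURE PICKUP OWNER [GROUP]
#   The whole procedure: freeze mail, make sure smapd has drained the
#   pickup directory, rotate, thaw mail.  Returns non-zero (and thaws)
#   if the pickup directory still has undelivered links.
daily_rotate() {
    capture=$1; pickup=$2; owner=$3; group=${4:-$3}
    $FREEZE_CMD || return 1
    if ! pickup_is_clear "$pickup"; then
        echo "daily_rotate: $pickup still has undelivered links; not rotating" >&2
        $THAW_CMD
        return 1
    fi
    rotate_capture "$capture" "$owner" "$group"
    rc=$?
    $THAW_CMD
    return $rc
}

# Usage, as root on the firewall, with the paths from the capture script:
#   . ./rotate_capture.sh
#   FREEZE_CMD='...' THAW_CMD='...' daily_rotate /mnt3/capture /mnt3/smapd_pickup news
```

The archive directory is created beside $CAPTURE, matching the header's `mv $CAPTURE \`date '+%y%m%d'\``; chown uses the POSIX `owner:group` form rather than the older `owner.group`.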

