Archive

Archive for the ‘Tech Tip Tuesday’ Category

Some mail server networking best practices

I was reminded this week about the importance of some good best practices when handling the networking portion of a mail server. While a server or exchange administrator will do a great job handling all of the best practices of configuring the software itself, it is not uncommon for the networking portion to be overlooked. Here is a summary of a couple of networking or firewall related best practices…

  • Your Mail Server should be NAT’ed to an IP address different than your general internet traffic. This ensures that malicious activity taking place on your general internet traffic, or an infected pc, or even a guest system does not impact your ability to send email. If I guest laptop on your wireless network has a virus and is sending out spam, it might result in your IP address being blacklisted, and it will cascade onto your mail server. With a public IP address dedicated to your mail server, you can be assured that if you’re blacklisted, it is because of traffic through your mail server, and not from another source.
  • Block outbound port 25 from everything except your mail server. In general, the only device that should be sending mail outside of your network is your mail server, and if another device needs to send email, such as your MFP or other device, it should relay off your mail server, and not send out directly.
  • If you are using some form of hosted inbound spam or mail filtering, such as MXLogic or Reflexion, you should source IP filter your inbound port 25 traffic, or better yet, consider using an alternate port. If you don’t lock this down, it permits people to bypass your hosted mail hosting, and directly send spam to your mail server.
  • Ensure that your firewall has application aware protection in place for SMTP traffic, however if you have an older Cisco PIX firewall and an Exchange mail server, consider turning FIXUP off for SMTP since there is a long history of documented problems.
  • Be on the lookout for a mail administrator who assigns a public IP address on their mail server directly, thereby bypassing the firewall or other edge protection. If they really want to dual home the mail server, have them place it on a DMZ instead.

Enjoy

 

Advertisements

DHCP Server Logs

Feb 18, 2013 1 comment

There have been several instances where I have been trying to troubleshoot DHCP Issues live, or other cases when I needed to know what computer had a specific IP address in the past…. A useful way to find out this information is to use/view the DHCP server logs. The log keeps only the past 7 days of logs, but through backups, you can actually go back to any point in time.

The log it located at C:\Windows\System32\dhcp

The logs are named dhcpsrvlog-mon; dhcpsrvlog-tues, etc… you get the idea. There is also a separate log to DHCPv6 (IPv6) addreseses.

 

dhcplog

Also, along that lines, don’t specifically trust the DHCP Lease active/inactive status as indicated in the DHCP console. Sometimes a reservation is used for a device that is set statically, so DHCP will show inactive, while the address is actually in use. Also it might show active even though the device isn’t properly receiving an IP address.

Enjoy!

Cisco terminal length 0 and –more–

From time to time I just need to perform a simple dump of a configuration file from a Cisco IOS device for backup or review purposes, such as a from a router or switch. However, for switch stacks or complex configurations the configuration file can be long, and when using something like Putty to log all the terminal/ssh actions to a file, there is no need to constantly press any key at the –more– prompt. To avoid this, you can simply enter:
terminal length 0
at the enable (#) prompt. From there you will no longer see page breaks but rather have the data scroll out to you the entire configuration file. This also avoids the needs to go back and find/replace the –more– elements from a dump.

Enjoy!

REU Power Outage – South East Redding

Redding Electric Utility (REU) is reporting a power outage in South East Redding today. No ETA for restoration. This was caused by a sub-station outage.

ca.gov email servers under spam attack

 

ca.gov

For the past couple of days many ca.gov domains have been under attack with a huge volume of spam. The result is effectively a denial of service of the mail servers, as they are saturated with connection attempts. This has caused various many emails to sporadically bounce because the sending SMTP mail servers are unable to connect to the ca.gov mail servers.

Using an inbound hosted mail filtering service such as Postini or MxLogic can help avoid this problem for your organization because they host multiple inbound SMTP servers, and have a focus on the stability and reliability of these services so you don’t have to worry about it.

W32/autorun.worm.aaeb-h Outbreak

Nov 28, 2012 1 comment

I don’t typically post on virus or malware outbreaks because it would consume too much of my time and they are simply too frequently created. For the most part, if you run your network and systems with the concepts of defense in depth and principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by coping itself to those locations. Once copied, it modifies the permissions so the executable is hidden. When used with removable media (think USB flash drives, or even MP3 players), it will modify the autorun.inf to auto-run the executable. It will also infect files with common file types such as audio (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of the following file names will indicate you might have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable autorun feature
  • Prevent the use of USB media for mission-critical servers
  • Ensure scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb

DHCP Best Practices

Here are several DHCP best practices as collected from various resources including Comp/TIA and Microsoft:

  • Always include the entire subnet in the scope (192.168.1.1 – 192.168.1.254, or 172.29.0.1 – 172.29.255.254)
  • Add exclusions for ranges which are using static IP addresses, and for future growth area, such as setting aside 10 addresses for printers so they stay within the same general IP address range
  • For networks where DHCP services are critcal or for larger networks, consider two DHCP servers configured in an 80/20 split (however, Microsoft Server 2012 has a new provision for redundant DHCP servers)
  • Configure active directory credentials to enable DHCP to update the DNS server with IP address information using secure updates.
  • Use “server side conflict detection” only when needed – this is a feature which delays DHCP from handing out an address until it has first issued an ICMP ping message to check if the address might already be in use but not known by DHCP already (ie statically assigned within the lease range without an exclusion or active lease).
  • Typical DHCP lease time is 8 days, however if you have a separate scope for guest or wireless clients, consider a shorter lease time such as 8 hours; conversely, leases for fixed devices (printers, etc) consider 16-24 days.