[unisog] registering servers

Peter Van Epp vanepp at sfu.ca
Thu Jul 27 23:09:06 GMT 2006

On Fri, Jul 28, 2006 at 08:37:31AM +1000, Tim Eden (te) wrote:
> To those people that have a default deny policy and spent time 
> beforehand monitoring traffic and deciding which servers to allow 
> through initially - what sort of tools/methodology did you use to do this?
> Cal Frye wrote:
> >Thanks, all. We've been pretty open, and every suggestion of tightening
> >things up a bit brings the same complaints suggesting I'm related to
> >Mordac, the Denier of Information Services ;-)
> >

	To answer two questions in one, argus (http://www.qosient.com/argus)
on our borders records all IP flows in and out. The "Mordac, the Denier of 
Information Services" became "Really, 17 break-ins via the netbios ports in 20 
days (all found and documented by argus logs), that's costing a lot to clean 
up. We better block those ports and do something different for the 4 (out of 
around 15,000) hosts that are using netbios from off campus ...". Highly 
recommended. Hard numbers sell ... Port 25 outbound is a harder sell because
we have lots of legit mail clients that do it in small volumes and argus 
flags ones doing it in large volumes without being an approved mail server for
whacking. It's still possible the occasional blacklisting will eventually get
25 outbound blocked but not yet ...

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
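
The two checks described in the message above, as an added example that is not part of the original post and is not argus's own tooling or output format. The CSV layout, campus prefix, approved relay list, SMTP threshold and NetBIOS port set are all assumptions, and the flow records are constructed.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed site values, not taken from the post.
CAMPUS = ip_network("10.20.0.0/16")
APPROVED_MAIL = {ip_address("10.20.1.25")}
SMTP_LIMIT = 5                      # outbound port-25 flows per log window
NETBIOS_PORTS = {137, 138, 139}


def build_sample():
    """Constructed border flow log as CSV: proto,src,dst,dport."""
    rows = [f"tcp,10.20.1.25,192.0.2.{i},25" for i in range(1, 21)]    # approved relay
    rows += [f"tcp,10.20.7.9,198.51.100.{i},25" for i in range(1, 9)]  # high volume
    rows += ["tcp,10.20.3.4,192.0.2.50,25"] * 2                        # ordinary client
    rows += ["tcp,198.51.100.7,10.20.5.5,139",   # off campus -> campus NetBIOS
             "udp,203.0.113.9,10.20.5.6,137",
             "tcp,10.20.2.2,10.20.2.3,139"]      # campus-internal, not a border flow
    return "proto,src,dst,dport\n" + "\n".join(rows) + "\n"


def parse(text):
    """Yield (src, dst, dport) tuples from the CSV flow log."""
    for r in csv.DictReader(io.StringIO(text)):
        yield ip_address(r["src"]), ip_address(r["dst"]), int(r["dport"])


def smtp_outliers(text):
    """Campus hosts above SMTP_LIMIT outbound port-25 flows that are not approved."""
    counts = Counter(src for src, dst, dport in parse(text)
                     if dport == 25 and src in CAMPUS and dst not in CAMPUS)
    return {str(h): n for h, n in counts.items()
            if n > SMTP_LIMIT and h not in APPROVED_MAIL}


def netbios_from_off_campus(text):
    """Campus hosts reached on NetBIOS ports from outside: the exception candidates."""
    return sorted({str(dst) for src, dst, dport in parse(text)
                   if dport in NETBIOS_PORTS and dst in CAMPUS and src not in CAMPUS})


if __name__ == "__main__":
    log = build_sample()
    print("SMTP outliers:", smtp_outliers(log))
    print("NetBIOS from off campus:", netbios_from_off_campus(log))
```

The second function produces the short list of hosts that would need "something different" before a border block on those ports goes in.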
