Chance's questions

Short version: How do you prevent an Active Directory 2012 R2 Domain Controller from advertising the domain on a specific interface? I want that network to not be flagged as a domain network, and no domain services should be available.

Environment: A self-contained AD for managing a small hyper-v cluster and the related VM's. The DC also runs the VMM server and has access to the production network because of the need to reach the VMM console.

Long Term Goal / Potential Solution: I would like to have absolutely no non-VMM traffic reach the production network. I have considered just blocking all non-vmm outgoing connections with the windows Firewall, but I don't know how to force a particular profile on an interface.

Thanks!

I have attempted to figure this out with only my google-fu, however I am not familiar enough with active directory to confidently use guides not about my specific situation without at least asking. Any guides or recommendations you can throw my way would be much appreciated, also what are the big problems I should be on the lookout for?

Currently

We have a new server (2008 R2 standard) we are setting up as a domain controller for a new domain "CompanyA". We currently have a domain controller for the domain "project1", but we need to change servers and domains for various reasons.

Short term goal

We would like to setup the new domain so that "project1" is trusted, so all of our current accounts work on it. Then, as we setup/upgrade services/accounts move them to the new domain (e.g. new SharePoint server, new users, new file server,etc..)

Long term

Eventually (1-2 years) we will remove the "project1" server and domain and migrate the remaining users and computers over to the new domain.

To recap, I'm looking for: * Will this work? * How should I go about it? * Potential Problems

Update - Implemented

OK, it worked with some hiccups. Yes you do need to add them to each others DNS; I used conditional forwarders. Our big problem is permissions, external accounts can't be added to certian groups so I can't allow them to access Hyper-V :( I'm ok with having two accounts for administration (Can't add them to Domain Admin) but I wish I wasn't limited to remote desktop to manage the server/Hyper-V, the RSAT is useless because it pulls your credentials from your windows session.

If your DNS or network is having issues the trust will break / not establish, evidently these are "usual suspects" and proved to be where my problems originated from.

Does anyone else poll this router with SNMP?

We are using firmware version: 2.0.0.19-tz

We are having problems with the traffic counters, some of them appear to be implemented as 16 bit counter instead of 32 bit counters. The reason this is causing problems is that they roll over (at 65,000) to 0 in less than our minute polling cycle, really skewing our metrics.

The counter for the Lan (interface 2) seems to be functioning properly, however interfaces 3 and 4 (WAN and DMZ / WAN2) rollover at 65000.

Tue May 11 08:38:31 EDT 2010
IF-MIB::ifInOctets.1 = Counter32: 137634
IF-MIB::ifInOctets.2 = Counter32: 1865677943
IF-MIB::ifInOctets.3 = Counter32: 12450
IF-MIB::ifInOctets.4 = Counter32: 49354

Look at counter IF-MIB::ifInOctets.4 5 seconds later:

Tue May 11 08:38:36 EDT 2010
IF-MIB::ifInOctets.1 = Counter32: 137634
IF-MIB::ifInOctets.2 = Counter32: 1865836207
IF-MIB::ifInOctets.3 = Counter32: 13167
IF-MIB::ifInOctets.4 = Counter32: 12900

Any suggestions? Seems like a bug to me, however I just wanted to make sure I wasn't crazy..

Thanks!

Every email we send is causing qmail to send an email to [email protected]

How do I disable this?

Thank you, Chance

EDIT:

I created /var/qmail/alias/.qmail-log containing |exit 0

Hope this helps!

My company uses a standalone spam-assassin install to test marketing emails, however, mail originating from us does not seem to run the full gamut of test.
For example, Spam assassin has a default rule that flags messages that contain the phrase Dear [Something], and it properly flags spam that I feed it.It does not, however, apply that same rule to in house email I send it.

Is it possible that spam assassin has white-listed us somehow, perhaps because the mail originates in the same domain as the server or receiver?

I believe most of the recent spamassassin questions have been mine, so thanks for bearing with me as I figure this out!

Chance

EDIT Details on our SA setup:
We are piping the emails into the CL with spamc -R < test_email.eml Identical results testing as root or a user, no user_prefs file

I'll keep this short and sweet.

spamassassin --lint -D < email_message_to_test.eml
Returns:
[22154] dbg: check: is spam? score=4.205 required=5
Which is an entirely reasonable score, it is in fact what I'm looking for.

While
spamc -R < email_message_to_test.eml
Returns:
Content analysis details: (-0.7 points, 5.0 required)
Which is way to low!

Looking for why, and how to fix it.

System info:
FreeBSD 7.2
SpamAssassin version 3.2.5
running on Perl version 5.8.9
No previous installs.

Thanks!
Chance

EDIT
This is embarrassing. It appears that --lint always returns a score of 4.205, no matter what email I feed it. I was misunderstanding what --lint did, and since I was looking for something wrong I jumped on it.

Both answers make good points, and even though I'd love to delete this :) I'm leaving it up in case someone else wonders the same thing.

I recently setup a local installation of spam assassin for testing promotions as we want to catch any spam false positives before we mail our customers (This email is opt-in). We even added several (~30) additional rulesets that auto-update daily with a cron because we would rather be much stricter than average.

Here is my problem: Our SA install consistently ranks things much lower than other spam test we send mails to, even passing mail that our email provider marked as spam (that was embarrassing). It seems as if even the default rules are not working! We do recieve a score, and the worst spam I could find in my spam folder is marked as spam, but on average the score for real spam is only 2-4 (5 is the threshold).

I'm looking for advice from veteran SA users, more diagnostics I can run, and/or recommended rule sets. If this should be split into multiple questions I will happily do so.

System info: Freebsd 7.2 SpamAssassin Server version 3.2.5 running on Perl 5.8.9 Fresh SA install on a fresh OS install.

EDIT I verified that our basic rules are working, I'm looking mainly for things that will help me be stricter on mass marketing emails.

Thanks for any help, Chance

I am setting up a trial of Argus at my company as a diagnostic tool. We have a collector box attached to a monitoring port on our switch, and the initial plan is to redirect ports with unusual traffic to the collector and then analyze it to get troubleshooting info.

I need to sell this before I can pitch a more consistent monitoring solution, which I know is the real strength of this type of application.

The initial reports will be all on the command line, so reducing the information presented to a manageable level is key.

My question is this: From both a security and troubleshooting point of view, what information would be most valuable? What reports should I have preconfigured?

I have already thought of:

• Listing of address currently talking on the port (our network map is horrible)
• Protocol distribution,
• current flows for a specific IP address

Maybe one on packet loss or broken connections? (not sure if I can do that last one)

Thanks, I wish I had the background to answer this, but I'm working hard to get there.

I'm having problems all over our LAN where Firefox is not closing network connections when using our internal webapp. It closes some but not all of the connections, repeat this often enough and your browser takes minutes to open a page.

I'm looking for a way to monitor the state of TCP connection that is a little more elegant than hitting netstat over and over. Something like tcpview from sysinternals but for bsd would be great.

Any help would be appreciated!

We have just started using more javascript in the web interface of an internal application(php if it matters). Now that the changes are in place it is becoming very obvious that the more javascript on the page, the slower the page loads through squid.

Any suggestions on why this is happening? I don't want the question to be to vague but I don't want to suggest somthing when I don't know what I'm looking for.

One thing that occurred to me: What if the pages without javascript aren't getting cached, and our squid server is secretly slow? How do I test this?

Please, enlighten me!

Update 1 All of the javascript is cached, and being pulled from the proxy server. The largest chunk data wise (~60k) is the generated html and that is a miss every time.

Update 2 There is no ajax, the javascript is confined to a floating toolbar and handles some text pre-parsing for a search feature, its simple rule based "If it has x many characters look for a matching order number" kind of thing.
Upon closer inspection all the cached javascript is checked if its the newest version before being sent on. Triggering a TCP_REFRESH_HIT/304 I have a feeling this may be my bottleneck.

We have a demand for inter office messaging and while the couple of people who use it right now use AIM we realize the possibility for abuse with this setup is quite high. We are hoping to use some sort of logging system as a deterrent.

Could you please provide recommendations on good IM logging proxies, and experience with those same setups? We wish to monitor AIM in particular.

This will need to run on FreeBSD and should not require java, if you wish to suggest an alternative solution to our problem, please feel free to do so.

Thanks, Chance

We are looking to give access to some of our employees to chat with each other - however we are worried about them abusing the privilege and chatting we friends outside work. We have decided to deploy our own XMPP Server to solve this. I'm looking for two things:

1. Experiences with a XMPP server in the ports tree

2. Alternative suggestions with related experiences

3. cross platform clients that are friendly to administrators would be nice, we are currently using pidgin. (I know I can't count)

Thanks in advance, its nice to have somewhere to turn where I feel I can trust the feedback I get.

Chance

EDIT I would prefer if the solution did not require java, it was mentioned that ejabberd did not, however it requires the diablo-jdk16 during compilation. (Open fire also requires a JDK)

When we route http or Https traffic over our backup T1 our squid proxy server stops being able to reach anything. This has worked in the past, however we recently replaced the T1.(mere hours ago)

Computers have firefox configured to use the proxy, it is not a transparent proxy. If we remove the proxy they can connect over the T1.

Network setup: Single Linksys Rv082 router with a primary WAN link to a cable line and a secondary link to a T1 connection. We also have a freebsd server (Server A) running DNS and a PC-BSD server (Server B) as our squid proxy server. Server A has the name servers from both WAN1 and WAN2 in it's resolve.conf file. Server B is now running bind only as a local name server for cacheing, it contacts Server A for name resolution.

We at first suspected DNS issues, however if computers do not use the proxy they can connect.

Any suggestions?

I am looking to pitch a comprehensive monitoring system to my manager, and have been considering OpenNMS. However, I have seen glowing praise of Nagios on here and I was hoping someone with experience could help illustrate the key differences for me. Do their focuses differ, or are they just competitors?

If some background helps, we run 6 on-site servers (File server, PBX, proxy, application, etc.) and two off-site servers (Website / development) along with a couple of switches and a router. The monitoring service we install will be running on a separate converted desktop running freeBSD. All of our stuff runs either Linux or a BSD derivative.

We are looking to spend no money to implement this (sigh).

Thanks for any help.

EDIT It looks like openNMS offers a more comprehensive solution closer to what I want. However, because it is written in Java and the port is not in the official ports tree yet, it has been vetoed. Now begins my Nagios would be better than just MRTG campaign. Thanks for the fast responses.

-Chance