Hi Michael - I hope all is going well with your NUC. Great question about inheriting hardware, and for all of us an excellent reminder / caveat / best-practices opportunity for talking security, system hardening, being mindful of resources, and general good Linux / Unix housekeeping...
**If this were me**, I would typically take the following steps below. My apologies on the exact commands if they are not 100% accurate; I have not tested them on my Raspberry Pi 4 8GB. =^]

1. Before enabling Wi-Fi on inherited computers or servers, or plugging in a LAN cable, be sure that the device is basically sandboxed and offline.

2. I believe you can run `netstat -a` to see if any ports are in the LISTENING state. (Windows has a great flag to this command, `-bno`, which tells you which binary or program or app is the source of listening on certain ports! I'm positive Linux has something similar...) But perhaps for a quick peek you could plug a LAN cable in and run the above command with its STDOUT sent out (`>`) into a file, to analyze after again putting the system offline.

3. As one responder on this list mentioned, it is good to check all the cron jobs that are geared up to go; for the ones as root you could run `crontab -e`, but I believe there is a directory as a repository for all the perhaps installed packages' usernames that might have cron jobs, where you can see them in one central place; pretty certain that's a thing! If they exist, perhaps `chmod` them, or better, `mv` them to a subdirectory called `/old/` or `/cron_jobs_off/`.

4. Thank you for staying with me this far lol. These two (2) commands are probably your very good friend when poking around an unknown system and doing a little reconnaissance:
   - 4a1. `$ sudo apt list --installed > packages_list.txt`, OR
   - 4a2. `$ sudo dpkg-query -f '${binary:Package}\n' -W > packages_list.txt`, OR LASTLY
   - 4a3. `$ sudo dpkg-query -l > packages_list.txt`

5. See which services are active, enabled (run at startup), or especially are currently running!
   - `# systemctl list-units --type=service --state=active` OR `# systemctl --type=service --state=active`
   - `# systemctl list-units --type=service --state=running` OR `# systemctl --type=service --state=running`

6. Lastly, but maybe the quickest, easiest fix: great to install a simple uncomplicated firewall and only over time incrementally open ports gradually **as needed** and known and identified as necessary, etc. Maybe this should be Step #1 above! `$ sudo apt install ufw gufw`

Cheers, I hope this is helpful and I do happily welcome from the list any corrections and/or added measures!

Peter L in San Diego CA, <Peter then adt-siymbull then ITWiz1.Com>
Active in kplug and sdbug, and recently nycbug!

==

Date: Thu, 18 Mar 2021 16:53:04 -0700
From: Michael Barnes <barnmich...@gmail.com>
To: "Portland Linux/Unix Group" <plug@pdxlinux.org>
Subject: [PLUG] What Is Sending Email?

As part of my new gig, I inherited an email server. It is an Intel NUC running Linux. I have almost no information on it, other than its login info. Looking at various logs, I find a folder /var/log/Exim4 with mail logs in it. It has a series of log files titled mainlog with owner of Debian-exim and group of adm. In looking at the log, it has an entry every morning at 0625 that seems to be sending an email to an unknown person. I have obscured the identity data.

```
2021-03-18 06:25:02 1lMse6-0001wL-1W <= r...@mailx.mydomain.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => some...@somewhere.org <r...@mailx.mydomain.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes DN="C=AU,ST=Victoria,L=Melbourne,O=FastMail Pty Ltd,CN=*.messagingengine.com" K C="250 2.0.0 Queued as 89A962AC350"
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed
```

Any ideas on exactly what is happening here? I certainly don't want this thing sending someone emails every day that I do not know about.

Thanks,
Michael

_______________________________________________
PLUG mailing list: PLUG@pdxlinux.org, https://pdxlinux.org, http://lists.pdxlinux.org/mailman/listinfo/plug
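Michael's question (what submits mail as root at 06:25 every morning) and steps 2 and 3 of Peter's checklist (work from copies of the logs, and look at cron before anything else) can be worked offline against a copy of the mainlog and the crontab files. What follows is an added example, not code from the thread, from Exim or from Debian: it parses Exim mainlog lines of the shape quoted above, groups them by message id, flags locally submitted messages (`P=local`, meaning a process on the box rather than an SMTP client) that recur at the same clock time on several days, and matches that time against an `/etc/crontab`-style file. The log lines and crontab are constructed samples (example.com/example.org placeholders; the 06:25 line is modelled on Debian's stock `/etc/crontab` entry that runs `/etc/cron.daily`); all function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample of Exim mainlog lines (three mornings), modelled on the
# obscured entry in the question; addresses are placeholders, not real ones.
SAMPLE_MAINLOG = """\
2021-03-16 06:25:02 1lMAaa-0001wL-1W <= root@mailx.example.com U=root P=local S=707
2021-03-16 06:25:06 1lMAaa-0001wL-1W => someone@example.org <root@mailx.example.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 Queued as 0"
2021-03-16 06:25:06 1lMAaa-0001wL-1W Completed
2021-03-16 14:02:11 1lMBbb-0002xM-2X <= alice@example.com H=(laptop) [192.0.2.10] P=esmtpsa A=plain:alice S=1200
2021-03-16 14:02:12 1lMBbb-0002xM-2X => bob@example.net <alice@example.com> R=dnslookup T=remote_smtp H=mx.example.net [203.0.113.5]
2021-03-16 14:02:12 1lMBbb-0002xM-2X Completed
2021-03-17 06:25:01 1lMCcc-0003yN-3Y <= root@mailx.example.com U=root P=local S=711
2021-03-17 06:25:05 1lMCcc-0003yN-3Y => someone@example.org <root@mailx.example.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73]
2021-03-17 06:25:05 1lMCcc-0003yN-3Y Completed
2021-03-18 06:25:02 1lMse6-0001wL-1W <= root@mailx.example.com U=root P=local S=707
2021-03-18 06:25:06 1lMse6-0001wL-1W => someone@example.org <root@mailx.example.com> R=dnslookup T=remote_smtp H=in1-smtp.messagingengine.com [66.111.4.73]
2021-03-18 06:25:06 1lMse6-0001wL-1W Completed
"""

# Constructed /etc/crontab-style sample; the 06:25 line is modelled on Debian's
# stock entry that runs /etc/cron.daily. The other commands are hypothetical.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly
25 6\t* * *\troot\ttest -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 3\t* * 0\tbackup\t/usr/local/bin/backup-rotate.sh
@reboot\troot\t/usr/local/bin/hypothetical-startup.sh
"""

ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}):\d{2} (\S+) <= (\S+)(.*)$")
DELIVERY = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (\S+) => (\S+) <([^>]*)>(.*)$")
KV = re.compile(r"\b([A-Z]+)=(\S+)")  # Exim's U=, P=, H=, R=, T= ... fields


def parse_exim_mainlog(text):
    """Group mainlog lines by Exim message id: who submitted it, how, and to whom."""
    msgs = {}
    for line in text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            date, hhmm, mid, sender, rest = m.groups()
            kv = dict(KV.findall(rest))
            msgs[mid] = {"date": date, "time": hhmm, "sender": sender,
                         "user": kv.get("U"), "proto": kv.get("P"),
                         "recipients": [], "relay_hosts": []}
            continue
        m = DELIVERY.match(line)
        if m and m.group(2) in msgs:  # ignore deliveries whose arrival we never saw
            _, mid, rcpt, _, rest = m.groups()
            kv = dict(KV.findall(rest))
            msgs[mid]["recipients"].append(rcpt)
            msgs[mid]["relay_hosts"].append(kv.get("H"))
    return msgs


def find_recurring_local_sends(msgs, min_days=2):
    """Locally submitted messages that leave at the same clock time on >= min_days days."""
    seen = defaultdict(set)
    for m in msgs.values():
        if m["proto"] != "local":
            continue
        seen[(m["time"], m["user"], m["sender"], tuple(sorted(m["recipients"])))].add(m["date"])
    return [{"time": t, "user": u, "sender": s, "recipients": list(r), "days": sorted(d)}
            for (t, u, s, r), d in seen.items() if len(d) >= min_days]


def _cron_field_matches(field, value):
    """Minimal cron field matcher: '*', n, a-b, comma lists and /step."""
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        lo, hi = (0, 59) if part == "*" else (
            tuple(int(x) for x in part.split("-", 1)) if "-" in part else (int(part), int(part)))
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False


def parse_system_crontab(text):
    """Parse /etc/crontab or /etc/cron.d/* lines (the seven-field form with a user)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or environment assignment
        if line.startswith("@"):  # @reboot/@daily: no minute/hour to match against
            parts = line.split(None, 2)
            if len(parts) == 3:
                jobs.append({"minute": None, "hour": None, "special": parts[0],
                             "user": parts[1], "command": parts[2]})
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            minute, hour, dom, mon, dow, user, command = fields
            jobs.append({"minute": minute, "hour": hour, "dom": dom, "mon": mon,
                         "dow": dow, "user": user, "command": command})
    return jobs


def cron_jobs_at(jobs, hh_mm):
    """Jobs whose minute/hour fields fire at hh:mm (day fields ignored: we are
    hunting something that runs every day at one clock time)."""
    hour, minute = (int(x) for x in hh_mm.split(":"))
    return [j for j in jobs if j["minute"] is not None
            and _cron_field_matches(j["minute"], minute)
            and _cron_field_matches(j["hour"], hour)]


def correlate(mainlog_text, crontab_text):
    """For each recurring local send, the cron entries that fire at that time."""
    jobs = parse_system_crontab(crontab_text)
    return [(hit, cron_jobs_at(jobs, hit["time"]))
            for hit in find_recurring_local_sends(parse_exim_mainlog(mainlog_text))]


if __name__ == "__main__":
    for hit, candidates in correlate(SAMPLE_MAINLOG, SAMPLE_CRONTAB):
        print(f"{hit['time']} U={hit['user']} {hit['sender']} -> {hit['recipients']} on {len(hit['days'])} days")
        for j in candidates:
            print(f"  cron candidate: user={j['user']} cmd={j['command']}")
```

On a real box, feed it the concatenated `mainlog` files and `/etc/crontab` plus everything under `/etc/cron.d/` and `/var/spool/cron/crontabs/` (the per-user repository Peter was reaching for in step 3). A 06:25 match against the `run-parts /etc/cron.daily` line does not name the culprit by itself; it tells you the next place to read is each script in `/etc/cron.daily`, looking for anything that pipes output to `mail` or `sendmail` or sets `MAILTO`. Because the parser keys on `P=local` and `U=`, a message that instead arrived with `P=esmtpsa` or an `H=` client address would be excluded, which is the right split: those are network submissions and belong to the listening-port review in step 2.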