eric-gilbertson closed 4 years ago
Zk's only IP address is 171.66.118.91. Not sure what 148.163.149.245 is? @romain2k, why do you suspect this is related to zookeeper?
FWIW, all Zk's outbound SMTP is forwarded through smtp.stanford.edu (the 'smart host').
Hi folks,
Sorry I didn't reply earlier. There was a cron email that Eric marked as suspicious, so it wound up bouncing up through the G Suite admin console. Doing some more digging, ProofPoint turns out to be a filtering service that Stanford uses to prevent escapes of proprietary/confidential information, so that aspect is benign.
I guess if Eric just wants to train Gmail to keep cron mail out of his inbox, we can ignore at the G Suite admin level.
Romain
On Tue, Jul 7, 2020 at 1:44 AM Jim Mason notifications@github.com wrote:
> Zk's only IP address is 171.66.118.91. Not sure what 148.163.149.245 is? @romain2k, why do you suspect this is related to zookeeper?
> FWIW, all Zk's outbound SMTP is forwarded through smtp.stanford.edu (the 'smart host').
Thanks @romain2k!
The simple solution would be to remove Eric from the root alias on zk, which I have just done.
I try to review these e-mails daily, or as frequently as time permits, just to make sure everything is working as expected. However, it's good to have a second pair of eyes. @romain2k, would you mind if I add you to the alias? There are two e-mails per day; they look like this:
Date: Sat, 11 Jul 2020 01:01:02 -0700
From: Cron Daemon <root@zookeeper.stanford.edu>
To: www-data@zookeeper.stanford.edu
Subject: Cron <www-data@zookeeper> /srv/http/zookeeper/zk daily
Starting 2020-07-11 01:01:02
Running charts: No (charting suspended until 2020-12-28)
Purging deleted playlists: OK
Purging old sessions: OK
Done 2020-07-11 01:01:02
and
Date: Fri, 10 Jul 2020 06:35:21 -0700
From: Cron Daemon <root@zookeeper.stanford.edu>
To: root@zookeeper.stanford.edu
Subject: Cron <root@zookeeper> test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
/etc/cron.daily/logrotate:
Log Analysis for Zookeeper Online
Reading Old Report File: index.html
Reading Old "Full List" File: log.files.html
Reading Log File: /var/log/apache2/access.log
327,678 of 327,678 log entries processed
335 IP addresses resolved
Generating Agents/Platforms Report
Generating Referring URLs Report
Generating Keywords Report
Generating Main Report
Generating Details Report
Report Complete
You already have an account on zookeeper with sudo privileges. Thanks Romain.
Hi Jim,
I can certainly keep an eye on those emails. However, I long ago lost information about access via the SSH bastion(s) and have never logged into the current ZK server. I guess I should get that figured out...
Best, Romain
On Sat, Jul 11, 2020 at 5:26 AM Jim Mason notifications@github.com wrote:
> Thanks @romain2k!
> The simple solution would be to remove Eric from the root alias on zk, which I have just done.
> I try to review these e-mails daily, or as frequently as time permits, just to make sure everything is working as expected. However, it's good to have a second pair of eyes. @romain2k, would you mind if I add you to the alias? There are two e-mails per day; they look like this:
> Date: Sat, 11 Jul 2020 01:01:02 -0700
> From: Cron Daemon <root@zookeeper.stanford.edu>
> To: www-data@zookeeper.stanford.edu
> Subject: Cron <www-data@zookeeper> /srv/http/zookeeper/zk daily
> Starting 2020-07-11 01:01:02
> Running charts: No (charting suspended until 2020-12-28)
> Purging deleted playlists: OK
> Purging old sessions: OK
> Done 2020-07-11 01:01:02
> and
> Date: Fri, 10 Jul 2020 06:35:21 -0700
> From: Cron Daemon <root@zookeeper.stanford.edu>
> To: root@zookeeper.stanford.edu
> Subject: Cron <root@zookeeper> test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
> /etc/cron.daily/logrotate:
> Log Analysis for Zookeeper Online
> Reading Old Report File: index.html
> Reading Old "Full List" File: log.files.html
> Reading Log File: /var/log/apache2/access.log
> 327,678 of 327,678 log entries processed
> 335 IP addresses resolved
> Generating Agents/Platforms Report
> Generating Referring URLs Report
> Generating Keywords Report
> Generating Main Report
> Generating Details Report
> Report Complete
> You already have an account on zookeeper with sudo privileges. Thanks Romain.
Awesome, thank you Romain. I'll send you a PM with access details.
The following alert was reported, apparently by Romain. I don't know what this is referring to so I suggest that any follow up be done with him.
Message
romain@kzsu.stanford.edu: The originating IP address from ProofPoint is odd: https://whois.arin.net/rest/net/NET-148-163-128-0-1/pft?s=148.163.149.245
Maybe time to set up DKIM or other tools to prevent ZK SMTP from getting spoofed? (Jul 06, 2020, 05:51 PM)
romain@kzsu.stanford.edu: Set assignee to 'romain@kzsu.stanford.edu'
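
One way to triage the question raised in this issue (which relay hops touched a cron e-mail, and is each one expected?), as an added example that is not part of the original thread or the zookeeper project. The sample message is constructed, `triage_hops` and its labels are hypothetical names, and 192.0.2.25 is a documentation placeholder because the thread does not give the smart host's address.

```python
import email
import ipaddress
import re

# Addresses named in the thread; the labels are this example's own.
KNOWN_HOPS = {
    ipaddress.ip_address("171.66.118.91"): "zookeeper host",
    ipaddress.ip_address("148.163.149.245"): "ProofPoint filter",
}

# Constructed sample message (not a real capture). filter.example.net,
# mx.example.org and 192.0.2.25 are placeholders, not real values.
SAMPLE = """\
Received: from filter.example.net (filter.example.net [148.163.149.245])
\tby mx.example.org with ESMTPS; Mon, 06 Jul 2020 17:40:03 -0700
Received: from smtp.stanford.edu (smtp.stanford.edu [192.0.2.25])
\tby filter.example.net with ESMTPS; Mon, 06 Jul 2020 17:40:02 -0700
Received: from zookeeper.stanford.edu (zookeeper.stanford.edu [171.66.118.91])
\tby smtp.stanford.edu with ESMTP; Mon, 06 Jul 2020 17:40:01 -0700
From: Cron Daemon <root@zookeeper.stanford.edu>
To: root@zookeeper.stanford.edu
Subject: Cron <root@zookeeper> constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage_hops(raw_message, known=KNOWN_HOPS):
    """Return [(ip, label)] for each Received hop, origin first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Received headers are prepended in transit, so reverse for origin-first.
    for header in reversed(msg.get_all("Received", [])):
        match = IP_IN_BRACKETS.search(header)
        if not match:
            hops.append((None, "no address recorded"))
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. an octet above 255
            hops.append((match.group(1), "malformed address"))
            continue
        hops.append((str(ip), known.get(ip, "UNKNOWN - investigate")))
    return hops
```

Only the hops stamped by servers you control are trustworthy; anything below that boundary in the chain is written by the sender and can be forged, which is the gap DKIM signing is meant to close.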