Exim Hardening

Jan 12, 2008

I want to restrict ALL port 25 and port 26 email only to users who authenticate first.

I thought it came this way on cPanel boxes, but yet there's a ton of crap being relayed through my box and getting me on tons of blacklists.


Hardening My Server

Apr 16, 2009

So I did something terribly dumb early this AM...go me...and I had to reinstall. Yes, it was that bad. Kernel panics, a hoarked up bootloader, nothing in the execution path, etc. Let's just say that between the 2.6.18-128.el5 kernel (I've been reading that there are a lot of reports of file corruption after this update, something I saw as well...) and yum doing something it wasn't supposed to, I'm having to start over. Thank goodness for backups. Anyways, to my questions:

CentOS 5.3 64-bit, clean install, no CP yet. I'm trying to get the base OS clean, simple and hardened before I put DA on there again and restore my websites but I have a few questions since I'm a network dork and normally pay for people to do the extended server hardening for me.

/etc/passwd/ ....


Hardening PHP And Apache

Nov 8, 2008

Does anyone know of any good articles/tutorials on how to harden PHP and Apache on a cPanel VPS?


Server Hardening

Feb 6, 2008

I have a dedicated server, and want to make it safe...

I once had a HOWTO to do that with things as APF and such, but is there some howto out there that is recent?


VPS Server Hardening

Sep 15, 2007

What are a few things you would do to boost the security of your VPS? So far I have securing/restricting SSH access, installing chkrootkit and putting up a firewall. Any other things I should do?

Just noticed I put VPS Server Hardening, should be VPS Hardening


Server Hardening

Oct 25, 2007

There are many people who sell server hardening for windows and linux and all the packages are pretty much the same. I don't want to give anyone outside access to my server no matter how much they claim to be good, fact is once it's out, it's out.

Is there an online resource with some sort of check list and links for a quality server hardening for windows and linux servers?

I.E. install this, install that, configure this?

Seems that do it yourself is worth the training and $100


Hardening A Win '03 Server

Jul 22, 2007

Is there a guide or check list of settings to make on a new box that I can follow to lock it down?


Debian Lenny Hardening

Mar 19, 2009

Where can I find a guide or how-to for hardening a Debian Lenny web server (a Xen VPS one)?


ELS Script, CentOS 5 And /tmp Hardening

Nov 27, 2007

While the ELS script looks pretty sexy on paper, it appears that the hardening of the /tmp and /shm is fairly problematic on CentOS 5 systems. Apparently the entire process is mucking up /etc/fstab and yes, I know, I'm being 100% lazy by using a script...so sue me.

Wanted to see if anyone had any success or complete disaster stories running ELS on a CentOS 5, preferably 64-bit, system in the past few months and would be willing to share their experience. There's more than just the filesystem hardening in it and I'm looking for some of the other aspects but that seems to be the recurring nightmare scenario people are having.

For those wondering what ELS is, here's a good (and bad) discussion about it on the DirectAdmin forums. I'm sure there's others but this is where my search started.

[url]


Linux Server Hardening

Nov 23, 2007

1. I don't use nor will I EVER use cPanel (royal POS in my opinion). I might, however, have DirectAdmin installed (not sure yet)

2. CentOS 5, 64-bit edition

3. Apache 2.2 latest, MYSQL 5.1 latest, PHP 5.2 latest

I usually use appears to be super busy and just not able to get the job done. No slight on him, he has a busy work schedule. So I'm looking to go outside of my comfort zone and see other companies to use. I don't think I can use Platinum as I outright refuse to even discuss cPanel as an option. If I want an underperforming, unsecure and incompatible web and database server, I'll run Windows.

So I'm looking for the usual end-to-end hardening package. I'm too lazy to do it myself and I'll forget to do something. Any recommendations out there in WHT land?


Cpanel /home Permission Hardening

Mar 26, 2009

Since this got lost (Google cache of thread discussion so far)
[url]
I'm reposting because I think it was an interesting discussion.

I'm setting up a cPanel server for the first time. I was wondering if I could harden the default cPanel permissions for the user folders in /home. The idea is to prevent users viewing each other's files. Please don't suggest the PHP open_basedir option as it's not secure and doesn't work with CGI-based file browsers.

Note I'm using suexec/suphp.

Currently new cPanel users' folders are created with
group and user ownership and the permissions 755

I was thinking, if I changed this to 711, would this break anything?

Could I lock this down even more by changing the group ownership to "nobody" and thus have permissions 710?


Hardening Windows Server 2003

Dec 24, 2008

Other than anti-virus


Mail Server Hardening Tips

Aug 15, 2008

We have a linux server running cPanel/WHM and using Exim for mail, we're also using SpamAssassin to label messages as spam. I have made a few modifications to settings and installed things like DomainKeys, but am wondering if I am doing enough.

My objectives are to:

1) Prevent mail users on the server from being inundated with spam, and/or be able to effectively manage any spam that does come through.

2) Ensure that messages that my mail users send out remain as highly deliverable as possible.

3) Make it difficult for third parties to exploit my mail server for their own spamming needs.

Are there any good tutorials out there on this stuff that should at least cover some of my bases? Where should I begin? The only thing preventing me from hiring out the work to someone else is that I'd like to learn how to do it myself.


Recommended Security Hardening Procedures

Jan 26, 2007

I am compiling a list of security hardening procedures which should be performed to a server, with the goal of coming up with a comprehensive list of hardening procedures which should be implemented.

The following lists the details I have compiled so far. Please feel free to contribute additional hardening tips so we may come up with a full and thorough list:

Install mod_security
Install mod_evasive
Install mod_limitipconn
Install APF
Install BFD
Install PRM
Install SIM
Install portsentry
Install chkrootkit and configure reporting cronjob
Install rkhunter and configure reporting cronjob
Install snort
Install tripwire
Install libsafe
Install mail header patch to identify cause of spam sent through nobody
Limit compiler and fetch utilities access to root only
Correct folder permissions to prevent directory traversal
Remove unneeded OS packages
Upgrade kernel to latest OS release
Ensure MySQL password is set
Ensure OpenSSH protocol is only using protocol 2
Ensure cannot SSH directly to root. Must SSH to admin first.
Enforce noexec & nosuid on temporary directories /tmp and /var/tmp
Disable used services
Disable DNS recursion
Disable IP source routing
Disable ICMP redirect acceptance
Disable certain php functions (system, exec, shell_exec)
Enable IP spoofing protection
Enable Spoofing protection
Enable syncookie protection
Enable misc. sysctl settings
Harden host.conf


Advanced Securing & Hardening Of Linux Server -cPanel

Oct 29, 2009

We have discussed all the basic methods of securing and hardening the server. Let's leave all the basic and general server securing and hardening. I have started this to get advanced knowledge in securing and hardening of the server so that it will be useful for everyone. So I request all to provide valuable tips and suggestions on advanced securing and hardening of Linux servers. I welcome all comments related to advanced securing and hardening of Linux servers.


Hardening Windows 2003 + Secure Remote Admin

May 3, 2007

I've just ordered my new Windows 2003 server with 49Pence.com and will be taking "delivery" of it once they have commissioned it.

Anyway, I would appreciate some advice on how to secure it. I have been used to the luxury of a hardware firewall, but budgetary constraints mean I will have to rely upon a software firewall (something that scares me a little). It will be running our company websites, MSSQL and MDaemon mailserver.

I am not sure exactly how the server will be delivered, but I assume it will arrive fully patched with Remote Desktop access, and Windows Firewall installed.

First question: Is Windows Firewall sufficient? I am more used to configuring firewalls with Ports/Protocols/IP's rather than "applications". I also understand that Windows Firewall cannot restrict access to specific IP's.

I read that IPSec / TCP Filtering should also be used. I've looked at various links and have an idea how to do this, but I do not want to make a mistake and get "locked out". I saw a post saying that during testing they set up a scheduled job to reset the IPSec policies every x minutes so that they can log back in if they do make a mistake. How would this be done (in terms of IPSec) .. or is this a matter of stopping a service?

If I go with another software firewall, is there an easy way to install remotely without getting locked out of the Remote Desktop? KVM over IP is charged by the hour.

Is it "safe" to leave Port 3389 open and rely upon passwords (and potentially IPSEC IP policies), or should I administer by VPN?

If so, it seems that in order to create a VPN connection on the server, it requires that the Windows Firewall is shut down (at least on my test server here). Obviously this is something I don't want to do!


Exim - How To Remove Rbl Lists From Exim.conf

May 2, 2007

I am having issues in receiving emails. For some reason, the rbl lists I had set up are causing the server to reject emails (retry - timeout). So, I need to take this rbl list out completely. How can I do that? exim.conf is locked and using the advanced editor is no fun even though I tried it, putting the dnslists without the rbl causing the problem.


Exim Using 100% CPU

Aug 7, 2008

This is often happening on my new servers, with FreeBSD and exim 4.69.
2 exim processes start using a lot of CPU (that's not 100%, but it's like 40% for one process and 35% for the other) for hours...

But as soon as I restart exim, that stops,
so it's not a high mail load on the server, nor anything like that.

I even checked logs to see if it was in some kind of infinite loop (auto-auto-auto-auto-reply), etc, but can't find anything out of the ordinary.

Anyone experiencing something similar?


Exim And WHM

Jun 11, 2008

I have a dedicated server with WHM installed on it, but recently I've been having problems with emails, specifically exim.

The main issue appears to be a huge number of exim processes all running at the same time. It pushes the server load higher and higher (and when I say high I mean over 100), and basically locks everything else up until I can get a command through to kill exim.

After a bit more investigation I found that the mail queue in WHM appears to be separate from the one I can find with the exim -bpc command, and gets full of email sent to nonexistent domains or accounts. So my first theory is that at some point exim tries to deliver all of these at once and that causes the massive load spikes. I don't know if that's possible, or probable, but there isn't enough legitimate email coming into the server that there ought to be any issues.

I've read about how to control the mail queue from exim, but that doesn't appear to make a difference to the queue shown in WHM. Currently the server is being held up by a cron running every half hour to restart exim automatically, but at peak times this doesn't appear to be doing enough, and at one point yesterday exim had 400 running processes.

Obviously this is causing a few problems. I don't have the technical knowledge to diagnose or fix the problem past the guesswork I've already done, so I'd appreciate any suggestions.


Exim Uses CPU 100%

Jun 19, 2008

I have some clients who own large forums, and during usage Mass Mail CPU goes up to 100%. Is there any way to re-configure exim so as not to disrupt the CPU that much?


Exim

Jan 11, 2008

I got a mail "spamd failed @ Fri Jan 11 04:34:53 2008. A restart was attempted automatically". And I checked the server. Then I found that spamd is not working. It's a cPanel server. I've tried to restart exim but spamd is not starting.


Exim

Oct 3, 2007

I'm trying to diagnose some server load spikes, and I've noticed that my exim log files are getting huge (5 gigs, plus 4 gzips at 1.7 gigs)...my server status shows the gzips and greps on these log files putting my CPU load at 99.9%...how do I keep these from getting so huge and/or keep them from maxing out my server?

I'm running CentOS and cPanel...


Exim

Feb 6, 2007

In WHM > Server Status, it shows exim as:

exim (exim-4.63-1_cpanel_maildir)

I remember it used to show more stuff inside the (). Can you tell me what it shows on your server?


Exim

Sep 25, 2007

I recently switched over from Virtuozzo to WHM (on a vps), and was going through some of the different pages there. I noticed one page that displays the exim stats, similar to running it through the command line. Anyway there is one section I'm not entirely sure what it's referring to.

Quote:

Top 50 mail rejection reasons by message count

Messages   Mail rejection reason
311        Rejected RCPT: No such person at this address
75         Rejected RCPT: Sender verify failed
25         "The mail server detected your message as spam and has prevented delivery (200)."

I'm not sure if this is referring to inbound addresses being blocked, or forged emails from my server being rejected by outside servers.


Exim

Jun 13, 2007

I use exim-4.67 as MTA. I have some trouble with some domains. This is what I receive in my log and debug when I try to send email. Where is the problem?

--------------------------------------------------------------------------------------------------------------------
2007-06-13 12:12:44 [70566] cwd=/usr/src 5 args: exim -v -d+all -M 1HyO9G-000FL3-CG
2007-06-13 12:12:45 [70567] 1HyO9G-000FL3-CG TLS error on connection to mail.impresstech.net [195.8.222.33] (SSL_connect): error:00000000:lib(0):func(0):reason(0)
2007-06-13 12:12:45 [70567] 1HyO9G-000FL3-CG TLS session failure: delivering unencrypted to mail.impresstech.net [195.8.222.33] (not in hosts_require_tls)
2007-06-13 12:12:45 [70567] 1HyO9G-000FL3-CG send() to mail.impresstech.net [195.8.222.33] failed: Operation not permitted: Operation not permitted
2007-06-13 12:12:45 [70566] 1HyO9G-000FL3-CG == petkov@impresstech.net R=dnslookup T=remote_smtp defer (1): Operation not permitted: send() to mail.impresstech.net [195.8.222.33] failed: Operation not permitted

----------------------------------------------------------------------------------------------------------------

12:12:44 70566 calling dnslookup router
12:12:44 70566 dnslookup router called for petkov@impresstech.net
12:12:44 70566 domain = impresstech.net
;; res_nquerydomain(impresstech.net, <Nil>, 1, 15)
;; res_query(impresstech.net, 1, 15)
;; res_nmkquery(QUERY, impresstech.net, IN, MX)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57989
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; impresstech.net, type = MX, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57989
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; impresstech.net, type = MX, class = IN
impresstech.net. 2h26m22s IN MX 0 mail.impresstech.net.
impresstech.net. 52m22s IN NS ns2.s801.sureserver.com.
impresstech.net. 52m22s IN NS ns1.s801.sureserver.com.
mail.impresstech.net. 2h26m22s IN A 195.8.222.33
12:12:44 70566 DNS lookup of impresstech.net (MX) succeeded
;; res_nquerydomain(mail.impresstech.net, <Nil>, 1, 1)
;; res_query(mail.impresstech.net, 1, 1)
;; res_nmkquery(QUERY, mail.impresstech.net, IN, A)
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57990
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; mail.impresstech.net, type = A, class = IN
;; Querying server (# 1) address = 127.0.0.1
;; new DG socket
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; mail.impresstech.net, type = A, class = IN
mail.impresstech.net. 2h26m22s IN A 195.8.222.33
impresstech.net. 52m22s IN NS ns1.s801.sureserver.com.
impresstech.net. 52m22s IN NS ns2.s801.sureserver.com.
12:12:44 70566 DNS lookup of mail.impresstech.net (A) succeeded
12:12:44 70566 195.8.222.33 in "0.0.0.0 : 127.0.0.0/8"? no (end of list)
12:12:44 70566 Actual local interface address is 212.95.164.58 (rl0)
12:12:44 70566 Actual local interface address is 212.95.164.59 (rl0)
12:12:44 70566 Actual local interface address is 192.168.3.1 (rl1)
12:12:44 70566 Actual local interface address is 127.0.0.1 (lo0)
12:12:44 70566 fully qualified name = impresstech.net
12:12:44 70566 host_find_bydns yield = HOST_FOUND (2); returned hosts:
12:12:44 70566 mail.impresstech.net 195.8.222.33 MX=0
12:12:44 70566 set transport remote_smtp
12:12:44 70566 queued for remote_smtp transport: local_part = petkov
12:12:44 70566 domain = impresstech.net
12:12:44 70566 errors_to=NULL
12:12:44 70566 domain_data=NULL localpart_data=NULL
12:12:44 70566 routed by dnslookup router
12:12:44 70566 envelope to: petkov@impresstech.net
12:12:44 70566 transport: remote_smtp
12:12:44 70566 host mail.impresstech.net [195.8.222.33] MX=0
12:12:44 70566 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
12:12:44 70566 After routing:
12:12:44 70566 Local deliveries:
12:12:44 70566 Remote deliveries:
12:12:44 70566 petkov@impresstech.net
12:12:44 70566 Failed addresses:
12:12:44 70566 Deferred addresses:
12:12:44 70566 search_tidyup called
12:12:44 70566 close MYSQL connection: localhost/mta_db/mtauser
12:12:44 70566 >>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>
12:12:44 70566 --------> petkov@impresstech.net <--------
12:12:44 70566 search_tidyup called
12:12:44 70566 set_process_info: 70566 delivering 1HyO9G-000FL3-CG: waiting for a remote delivery subprocess to finish


Exim

Sep 29, 2007

Every time I send an email from my server to any @hotmail account it doesn't arrive @hotmail.

In my exim_mainlog, log says that operation is completed.

2007-09-29 07:00:32 1Iba3k-00043A-0z no host name found for IP address IP
2007-09-29 07:00:32 1Iba3k-00043A-0z <= webmaster@domain.name H=([192.168.1.100]) [IP] P=esmtpa A=fixed_plain:brm@dak$
2007-09-29 07:00:32 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Iba3k-00043A-0z
2007-09-29 07:00:32 1Iba3k-00043A-0z => account@hotmail.com R=lookuphost T=remote_smtp H=mx3.hotmail.com [65.54.245.72]
2007-09-29 07:00:32 1Iba3k-00043A-0z Completed

What makes it weird is that..

when I send email from hotmail to my server's account, I get the email from hotmail, and when I reply to that email to @hotmail, the email arrives @hotmail.


Exim ACL

Jan 23, 2007

I am not actually a hosting provider but a client. I do have some technical knowledge about Exim, Sendmail etc and my host also co-operates with me so I thought of asking this question myself. My problem is with the RBL checks that my host's server performs even on authenticated SMTP connections. My ISP provides an IP to me which is being shared by many subscribers and gets blocked often. This causes a problem for me to use my mail client to send outgoing e-mail through my host's SMTP.

Suppose my hosted domain is "mydomain.com". Now when I use my e-mail client and send an e-mail using my host's SMTP server (which requires due authentication) and give return-path (envelope sender) as "someone@mydomain.com", the e-mail passes through nicely. But when I use some other return path like "me@yahoo.com", I get an RBL block message after the RCPT command. This should not happen as I am a paying member and I am correctly authenticating myself using the username & password of my hosted account.

My host uses Exim 4.63 so I just wanted to know whether there is a way to modify Exim ACL so that it doesn't perform RBL checks for authenticating users.


Exim -q -M *

Aug 1, 2007

to run exim command line for delivery all emails in the queue

we need to use command as single:
exim -M xxxxxxx
BUT without <message id>
as
exim -q -M
but not work


Exim Forwarding ..

Sep 15, 2006

I've a question: how do I make a copy of every email that comes to my inbox go to another email? I mean, if I get a message on ss@ss.com, automatically a copy of this message goes to aa@aa.com.


Exim Or Qmail Better?

Dec 11, 2007

I've been asked to use exim because it's easier to use with SpamAssassin.

But is exim as safe as qmail?

I've heard qmail offers better safety.


Exim 4 Errors

Jun 22, 2009

Is there a way I can get more error messages with exim? I'm trying to log in using plaintext smtp authentication and all I get is this:

2009-06-21 06:51:23 Start queue run: pid=8021
2009-06-21 06:51:23 End queue run: pid=8021
2009-06-21 07:07:41 no host name found for IP address 220.80.173.17
2009-06-21 07:07:42 no host name found for IP address 220.80.173.17
2009-06-21 07:21:23 Start queue run: pid=8029
2009-06-21 07:21:23 End queue run: pid=8029
2009-06-21 07:41:18 no host name found for IP address 220.80.173.17
2009-06-21 07:51:23 Start queue run: pid=8074
2009-06-21 07:51:23 End queue run: pid=8074
2009-06-21 08:20:47 no host name found for IP address 220.80.173.17
2009-06-21 08:21:23 no host name found for IP address 220.80.173.17








Copyrights 2005-15 www.BigResource.com, All rights reserved