Some people are sending spoofed mails, from our mail users to our users, through Postfix/local; it is listed in the maillog like below:
Apr 29 16:57:02 ns1 postfix/local[3075]: EC2153565E3: to=<user-mydomain.com@ns1.mydns.com>, orig_to=<user@mydomain.com>, relay=local, delay=486, status=sent (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)
But I do not know how to prevent these people from using my Postfix/local delivery part. How can I prevent this attack?
When I connect to my mail server to send or receive my mail it looks like:
Apr 29 17:25:28 ns1 dovecot: pop3-login: Login: user=<user@mydomain.com>, method=PLAIN, rip=***.***.***.***, lip=***.***.***.***
....
Apr 29 17:25:55 ns1 dovecot: POP3(user@mydomain.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0....
We set up a Plesk 12 server for web hosting purposes only.
All mail-related services, except for "smtp server" and "Plesk milter", are disabled or uninstalled.
For specific domains, we want to prevent the usage of the php mail function with "localhost" to avoid problems with outgoing spam by unsecured scripts. Instead, we want to force webmasters to use external smtp servers.
Is there any directive or setting on domain level that allows for this limitation?
My issue started since a couple of months and seemed to increase with the update to Plesk 12.0 (though I can't guarantee it). I am using Centos 6.5, all updated. What happens is that postfix usage starts to increase without any apparent reason (during week-ends for example). Then postfix is not responding anymore.
I got an email "failure delivery notification" but I did not send that email. It had my email address though.
So I contacted host and got a very quick reply:
Quote:
This is caused by email spoofing. Someone was spoofing your email account and sending mails by adding the mail header so that it appears to have originated from the actual source. By setting the SPF record correctly in the DNS zone of the domain, we can almost prevent this.
Here the SPF record was not set up correctly. Now we have made some changes in the SPF record in the DNS zone file "/var/named/domainname.com.db".
------------ v=spf1 a mx ip4:67.21.1.226 ?all -----> v=spf1 a mx ip4:67.21.1.226 ~all ------------
Now I can understand that they have quickly fixed the problem. BUT I need to learn more on what is going on here.
I can understand that email spoofing is that a spammer is sending email with a header that shows it is my email address (which it is not).
But I don't understand the second part, that a DNS record fixes it.
What does that DNS line mean?
DNS stuff is really complicated and I am lost when it comes to it.
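To make the SPF line concrete, here is an added example (not part of the post or the host's reply) that evaluates the record before and after the change for a given sending IP. DNS answers come from a constructed in-memory table so it runs offline; only 67.21.1.226 is from the post, the A and MX addresses for domainname.com are assumptions.

```python
import ipaddress

# Constructed DNS data (assumed): the domain's A record and its MX host's address.
FAKE_DNS = {
    "A": {"domainname.com": ["67.21.1.226"], "mail.domainname.com": ["67.21.1.230"]},
    "MX": {"domainname.com": ["mail.domainname.com"]},
}
# Qualifier prefixes an SPF mechanism may carry; "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, sender_ip, dns=FAKE_DNS):
    """Evaluate record mechanisms left to right for sender_ip and return
    'pass', 'fail', 'softfail', 'neutral' or 'none' (not an SPF record)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True                      # "all" matches every sender
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(str(ip) in dns["A"].get(h, []) for h in hosts)
        else:
            continue  # include/exists/ptr are not handled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all" term


def compare_policies(sender_ip):
    """Return (old_result, new_result) for the record before and after the
    host changed '?all' to '~all'."""
    old = "v=spf1 a mx ip4:67.21.1.226 ?all"
    new = "v=spf1 a mx ip4:67.21.1.226 ~all"
    return (check_spf(old, "domainname.com", sender_ip),
            check_spf(new, "domainname.com", sender_ip))


if __name__ == "__main__":
    for ip in ("67.21.1.226", "67.21.1.230", "198.51.100.7"):
        print(ip, compare_policies(ip))
```

The legitimate server passes under both records; a host that is not in the record gets "neutral" with `?all` (receivers treat it as no information) but "softfail" with `~all`, which is what lets a receiving mail server start distrusting the forged mail.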
I got a bounced back message that I never sent. I was profoundly shocked to discover (through the header info) that the message originated from dotworlds.net; a site that ostensibly is a spoof email service provider.
As explained here: w w w. securesphere(dot)net/download/papers/dnsspoof.htm I note the recommendations:
- To limit the cache and check that it's not keeping additional records.
- Not to make security systems use/rely on DNS.
- Use cryptography like SSL; even if the problem remains the same, it increases the difficulty level for the attacker (see article on Man in the Middle).
I did note on another site that the latest version of BIND for DNS should be installed. I'm quite sure I'm being attacked in this way by a guy on the same network as my numerous commercial websites. I'm setting up a new server. I'm getting my own name server.
What steps should I take to best protect myself and my business against these attacks please?
(firewall? tips etc. beside the above?) Please let me know, as I want to set up and have a better than even bet I have shaken the guy.
Is there any way to stop spammers from spoofing my address? I've had issues ever since I started this server with getting bounced spam where the "From:" field was (gibberish)@mydomain.com, which was annoying but not that constant.
I came online this morning to check my mail and had over 1200 e-mails and all of them have "online@wellsfargo.com" as the "From:" address, but the message-ID has my domain name in it.
Quote:
------ This is a copy of the message, including all the headers. ------
Return-path: <nobody@host.mydomain.com>
Received: from nobody by host.mydomain.com with local (Exim 4.63) (envelope-from <nobody@host.mydomain.com>) id 1Hju9b-0002y3-TH for lwilder1999@yahoo.com; Fri, 04 May 2007 05:32:43 -0400
To: lwilder1999@yahoo.com
Subject: Update Your Account Records
From: Wells Fargo Online <online@wellsfargo.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1Hju9b-0002y3-TH@host.mydomain.com>
Date: Fri, 04 May 2007 05:32:43 -0400
There's gotta be some way (make that 1204.. just got 4 more bounces) to block spammers from doing this. Could someone help a newbie out?
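An added triage script (not from the post) that reads the bounced message's headers and shows why this is not inbound spoofing: the Received line says the mail was injected locally by the `nobody` user with Exim's local transport, the envelope sender is on the host, and only the From: header carries the bank domain. The sample headers are re-typed from the quoted bounce; the set of web server account names is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the quoted bounce headers, with the Received line folded.
SAMPLE = """\
Return-path: <nobody@host.mydomain.com>
Received: from nobody by host.mydomain.com with local (Exim 4.63)
    (envelope-from <nobody@host.mydomain.com>)
    id 1Hju9b-0002y3-TH
    for lwilder1999@yahoo.com; Fri, 04 May 2007 05:32:43 -0400
To: lwilder1999@yahoo.com
Subject: Update Your Account Records
From: Wells Fargo Online <online@wellsfargo.com>
Message-Id: <E1Hju9b-0002y3-TH@host.mydomain.com>

body
"""

# Exim's local transport: "from <unix user> by <host> with local"
LOCAL_INJECT = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local\b")
# Accounts web servers and CGI commonly run as (assumption, adjust per host).
WEB_USERS = {"nobody", "apache", "www-data"}


def triage(raw):
    """Return a dict of findings explaining where the message really came from."""
    msg = message_from_string(raw)
    findings = {}
    for hop in msg.get_all("Received", []):
        m = LOCAL_INJECT.search(hop)
        if m:
            findings["local_sender"] = m.group(1)   # Unix user that injected it
            findings["local_host"] = m.group(2)
    env = parseaddr(msg.get("Return-path", ""))[1]
    hdr_from = parseaddr(msg.get("From", ""))[1]
    mid = msg.get("Message-Id", "").strip("<> ")
    findings["envelope_from"] = env
    findings["header_from"] = hdr_from
    findings["message_id_domain"] = mid.rsplit("@", 1)[-1].lower()
    # The displayed From: domain differs from the envelope sender's domain.
    findings["from_domain_mismatch"] = (
        env.rsplit("@", 1)[-1].lower() != hdr_from.rsplit("@", 1)[-1].lower())
    local_web = findings.get("local_sender") in WEB_USERS
    findings["verdict"] = ("script_injected_spoof"
                           if local_web and findings["from_domain_mismatch"]
                           else "other")
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A "script_injected_spoof" verdict means the sending script runs on the host itself, so the place to look is the web account's scripts and the MTA's own logs for that message id, not the DNS records of the forged domain.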
I have a website that can be seen in one part of the world but not in the other. How can I troubleshoot this issue? Is there a web utility that can help me figure out what the problem is?
Is security really that critical? If so, why are some of the largest software companies providing such a bad example for the rest of the industry? Why would someone want to target my website? Why is security often overlooked?
These are all common questions that arise on a daily basis within the online industry.
The rest of this article will provide some detailed answers, along with practical examples and true scenarios.
I've spoken with numerous hackers over the past short while. I can't count the number of times I've heard the line "Ignorant site owners deserve to be hacked". In my opinion, that's like claiming that cars without alarms deserve to be stolen, or homes without alarm systems deserve to be burglarized. It's not just wrong - it's illegal.
Security risks and vulnerabilities affect the entire online industry. When a single website is hacked, there are usually multiple other victims. This is most commonly seen with widely distributed software. A potential attacker has the ability to install the software on a test environment, locate the vulnerabilities, then attack random victims even before anyone else is aware of the potential exploits. Once a vulnerability is located, the attacker simply needs to search for other environments using the same software, and within minutes there are hundreds, often thousands of potential victims.
Typically, in the race to market, software providers are encouraged to release their products as soon as the applications are usable. Critical development procedures are often overlooked or intentionally bypassed. One such miss is an application vulnerability assessment. Although the product may be usable, the effects of a vulnerable application could be severe.
Sadly, nobody is "off limits" when it comes to hacking. Most hackers feel safe committing online crime, since the online industry has evolved much faster than the security industry. Many applications are not created with the intent to recognize hacking attempts. Some hackers view their actions as a competition - Who can attack the most valuable website? Who can exploit the most user databases? In many cases, these attacks are bragged about within the hacker's immediate network. The competitive nature of these hacking groups has become so severe, there have been reports of attacks between competing organizations.
You might ask, "If I use industry standards, won't my environment be secure?". The short answer: no, but it helps. Hackers are not restricted by industry standards. Most security companies only implement new standards once at least one victim is reported. This often gives hackers plenty of time to locate other vulnerable environments, and before long, the number of victims can increase rapidly. Hackers are some of the most innovative individuals within the online industry. The most logical way to combat them is to use similar methodology for security purposes.
I am having trouble finding a good sysadmin for my needs. Has anyone else been in a similar situation? Does anyone have any advice on how to find somebody like this?
SITUATION: I am having trouble finding a reliable RH sysadmin. I have a handful of clustered HA setups for customers (6+ servers & load-balancers) and a number of single-server dedicated hosting customers. I do a lot of the work myself. The additional sysadmin usually only has a small amount of actual worked hours per month, dependent on new installs. But, they need to be reliable, available, and familiar with the complexities of the setups.
From what I have seen, some sort of server management company wouldn't be able to be familiar with the setups well enough to not regularly make errors or modify setups correctly due to the amount of clients they have.
I have a small DNS cluster with 4 servers. The problem is that when I want to update a DNS registry, one of them doesn't sync; I have to try like 6 or 8 times to get that server to sync with all the others, and I'm concerned because the one that has trouble syncing is my secondary DNS server.
Is bandwidth going to be my most expensive cost if I open up a video hosting site? Is there an inexpensive alternative? Is there an inexpensive web host with low cost bandwidth allocation?
A few people have asked me to give feedback on my experience with VolumeDrive so I decided I will be posting a 3 part review on them:
Part 1 - initial impressions
Part 2 - three month review
Part 3 - one year review (hopefully)
------------- When I first got in contact with VD, contact was slow: about an email a day. It was very annoying to say the least. However when VD realized that I was genuinely interested in purchasing a server, and not just a window shopper, contact was more frequent and acceptable.
After looking around and comparing, I ended up ordering the following server from VD for a whopping $105 per month:
Well just at face value, I don't think anyone will argue with me when I say you cannot beat the price. Where else will you find that kind of server w/ full management for $105 a month?
In the ordering process there were a few forgivable annoyances: 1) VD does not have any sort of automated, order online system for their "good" deals. I had to order via email and manually pay from PayPal. I was, however, emailed an invoice confirming my purchase after I paid.
2) It took VD 2 hours to send me my order request after I said "I am ready to purchase". Now it was late at night, so they probably only had a skeleton staff on hand, so this is understandable; however this point is sort of related to the lack of an automated system point mentioned above.
So after I paid and all, I was told they were building me a new server and it would take 3 business days to arrive. I was bummed out upon hearing this but this was understandable and justifiable - if they don't have the parts on hand, they don't have the parts, no big deal. I did appreciate the fact that they were honest with me upfront instead of trying to con me into giving me a different server (like I have been hearing stories about with other hosts).
So I waited. I was told my server would be setup on Tuesday afternoon and it was. The actual time between order and setup was about 5 and a half days: 3 days for the parts to arrive + Saturday + Sunday + time to build the server.
On Tuesday I was informed that my server has a Q8200 instead of a Q6600. To me this was not a big deal so I didn't object but if you are going to order from VD and you want one specific CPU I would be very clear with them that you won't accept any alternative. What did make me chuckle, however, is the fact that I was told "I received a free upgrade" to Q8200. It made me chuckle because I don't consider it a "free upgrade" when I was offered a choice between the Q6600 and a Q8200 for the same price during the ordering process. However, as I already said, a Q6600 or Q8200 - it does not matter to me: both are very similar in performance anyway.
So since I got my server I have been busy setting it up so VD can secure it after I am finished migrating my website (which by the way they just did - I just got an email ).
During that time I have emailed VD a fair amount of times, sometimes asking for clarification and sometimes asking for assistance with a problem, and they have responded back in a more than acceptable time frame and manner.
The only major problem I have had so far is that initially, and by initially I mean the first ~12 hours, it seems the connection to my server was not all the best. Randomly pages would take a while to load; I was curious as to why this was happening so I did some pinging and saw packets were being lost sometimes. This problem seems to have corrected itself now and I did email VD about it; hopefully if it happens again we can get it perma-fixed.
Final verdict: people say "you get what you pay for". I say "I got more than I paid for". Hope it continues this way.
Today I'm back to encourage you to stay away from Crissic: I know the prices are tempting, but know that you will have no one on your side when a problem comes up. I finally closed my account with them after numerous major issues with my VPS.
I've had a simultaneous account with Slicehost for the past few months, just to see if paying the extra buck is worth while. Now I know it absolutely is. I'm paying double the price for half the resources with Slicehost, but their service is amazing and reliable, their support is stellar, and peace of mind that the server will stay up and running without load issues, memory or drive failures is worth every penny. The point of this post is not Slicehost though, back to Crissic.
When I signed up for Crissic, I knew that it was a relatively new web hosting startup, but I had no idea it was a one-man show. Yes it's probably possible for a single guy to run a small web hosting company--the problem, particularly in the case of Skylar, is that when something is beyond him, it isn't getting fixed.
A recent support incident occurred where I was suddenly unable to access my VPS via SSH or the console. I contacted support, here are some of his responses to my status inquiries: ....
Are there any web designers/developers who offer hosting to their clients as part of their website creation package. I am toying with the idea of only creating websites for people who host with me. I currently have a colo server, but only use it for personal things. So I have no experience with the needs and demands of clients in regards to hosting. What are some of your experiences with hosting for clients? Is it worth it?
Does anyone know any way that "rm -rf /" can be disabled? Or any selinux rule or something to prevent this?
Or if I wanted to prevent a certain directory, like backups, from being deleted, but with something unlike chattr that someone can figure out quickly.
I'm sure LOTS of people would like to know about this. I've searched around and the only somewhat useful thing I have found is an rm wrapper that sends everything to a trash file in the root of the mount point.
I'm not that techy. I'd like to ask why this person downloaded the file below before uploading some phishing webpages on my account? I've changed my password numerous times from different computers and even from a mobile phone just to check if the person can still get in. But again it is no use; the person was able to upload phishing pages.
Right now I deleted all other scripts on the account and only some HTMLs remain. Folders were also set to 644, not 777, while waiting to see if the person can still upload his phishing pages. Please help me understand why he downloaded the file above. I've checked the file on my account and I cannot see Login.php. By the way I have a root login and only two accounts were constant phishing victims.
I am giving a few tips on securing your server against hack attempts. You must check these in spite of other securities like firewall, rootkit detectors etc.
1. Most important, do not disable safe_mode under php.ini. If any customer asks to disable it, turn it off on his account only, not on the whole server.
Most of the time the attack is done using the shellc99 (phpshell) script. In case safe_mode is off on the server and there are public dirs with 777 permission, he can easily hack through.
2. Compile apache with safe mode as well.
3. In cpanel under tweak settings, turn on base_dir; if someone requests to turn it off, turn it off on his/her account only. Using phpshell one can easily move to main server dirs like /etc, /home.
4. Do not allow anonymous FTP on your server. You can turn it off from the ftp config under WHM Service Configuration. If it's allowed, one can easily bind a port using the nc tool with your server and gain root access. Always keep it disabled.
5. Make sure /tmp is secured. You can easily do that by running the command /scripts/securetmp using ssh. But do make sure /tmp is secured. Else one can upload some kind of perl script in the /tmp dir and can deface or damage all data on a few/all accounts on your server.
Does anyone know how to prevent someone from changing the file name of a shell/PHP script from file.php to file.jpg or file.gif, uploading it to the server and running it to attack the server?
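One server-side layer against a script renamed to .jpg/.gif, as an added example in Python (not from the thread): the upload handler checks that the file's leading bytes match the declared image type, refuses a script extension anywhere in a double extension such as `x.php.jpg`, and scans for PHP open tags so an image with code appended is also refused. Sample inputs are constructed.

```python
import os

# Leading bytes ("magic") each accepted image extension must start with.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
}
# Extensions some web servers hand to a script interpreter even when not last.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
               ".pl", ".cgi", ".sh"}
# PHP open tags; a valid image header followed by these is a polyglot, not a photo.
PHP_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def validate_upload(filename, data):
    """Return (accepted, reason) for a would-be image upload."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    for seg in parts[1:]:                       # every segment, not just the last
        if "." + seg in SCRIPT_EXTS:
            return False, "script extension present: ." + seg
    ext = "." + parts[-1]
    if ext not in MAGIC:
        return False, "extension not allowed: " + ext
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match " + ext
    if any(tag in data.lower() for tag in PHP_TAGS):
        return False, "embedded PHP tag"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a real JPEG header and a renamed script.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("renamed.jpg", b"<?php echo 'x'; ?>"))
```

This check belongs together with storing uploads outside the document root (or with script execution disabled for that directory), since a validator alone cannot see how the web server will later interpret the file.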
We have been using our L2 switches' functionality to only allow IPs that are assigned to a particular server to be accessed, for some time. However, the latest version of this particular switch no longer includes this feature. Moreover, it is quite a labor-intensive task which is not good for "budget" servers.
I am considering moving the rules to the main router, but am afraid of the scalability of this. Will it hold up with a few 1000 servers?
How are other hosties going about this? I have heard that some just don't bother at all, which leaves their clients open to having their IPs duplicated by others on the same subnet. This can't be good....
I'm currently having trouble with Postfix. I recently installed some new web hosting software (ispCP) and so some new configs were written for all my software. Postfix was one of them and I can't figure out what's wrong with it.
Whenever I send e-mails to my server, Postfix denies it saying "Unknown address error 554: Relay access denied". The logs say NOTHING about it and I've been trying the old configs on Postfix and still nothing works.
Here are my configs: main.cf
Code:
#
# Postfix MTA Manager Main Configuration File;
#
# Please do NOT edit this file manually;
#
#
# Postfix directory settings; These are critical for normal Postfix MTA functionallity;
#