nmap -sS -sV -O www.yourserver.com

Secure and hide version information:

• Apache, configuration file, usually at /etc/httpd/conf/httpd.conf
  ServerTokens ProductOnly
ServerSignature Off

• ProFTPD, in configuration file, usually at /etc/proftpd.conf
  ServerName "My FTP Server"
ServerIdent on "ProFTPD [version] Server (server name) [hostname]"

  This means, enough is to set, but in Global section:

  <global>
ServerIdent on "Generic FTP Server"
</global>And you can change the port, if you want.

• OpenSSH, tcp/22, not possible to change banner but yous should change the port, disable root login, etc.

• Telnet, tcp/23, I prefer to disable Telnet. If not, use this (change file /etc/issue.net)
  mv /etc/issue.net /etc/issue.net-original
echo "Windows Server 2008 (Microsoft)" > /etc/issue.net

• PHP, disable expose_php for security reasons in /etc/php.ini
  expose_php = 'off'

That’s about it. I believe there is more, and if someone wants to add something, just comment on this post.

dig @ns1.nameserver.com +short porttest.dns-oarc.net TXT

where ns1.nameserver.com is either IP or name of a DNS server. If the result is GOOD – it’s like that – anything else is a big problem.

cd /usr/local/
wget http://postfwd.org/postfwd-1.10pre7c.tar.gz
tar -xf postfwd-1.10pre7c.tar.gz
mv postfwd-1.10pre7c postfwd

Copy the configuration file at its place, and copy the startup script to its place

cp /usr/local/postfwd/etc/postfwd.cf /etc/postfix/
cp /usr/local/postfwd/bin/postfwd-script.sh /etc/init.d/postfwd

Then, if I try to set a daemon to be startet at boot time, with:

chkconfig --add postfwd

But I got an error saying: “service postfwd does not support chkconfig”? Ok. There is a statement in a init script that tells the chkconfig command how to add or delete this daemon to the boot process. This statement looks like this:

# chkconfig: 2345 78 32
# description: Postfwd Policy Server

This means that a script should be started in levels 2,3,4,5 and that its start priority should be 78, and stop pririty 32. Priorities present the order / sequence in which the services are either started and stopped. So if you for instance have Postfix starting and a postfwd application, it is essential that the postfwd is started before Postfix. Having Postfix start value of 80 you need a lower value for the Postfwd (78 for example).

After we added this line to /etc/init.d/postfwd file, lets repeat:

chkconfig –add postfwd

Ok. This worked. But, I had a lot of problems in a supplied default init script of policyfwd. I had to change a startup script a lot. After faunding out that init script is somehow strange, I had to rewrite a script based on postgrey’s init script. Here it is ready to download. So copy this one to /etc/init.d.

Now, start it with:

service postfwd start

It should work. Now to make Postfix aware of it. Open your postfix /etc/postfix/main.cf and insert or edit the following.

127.0.0.1:10040_time_limit	= 3600
smtpd_recipient_restrictions	= ...
				  ...
				  check_policy_service inet:127.0.0.1:10040,
				  permit

smtpd_end_of_data_restrictions =
				  check_policy_service inet:127.0.0.1:10040

The last one is needed because you have to call postfwd at end_of_data state for reliable size checks.

Testing it up

If you want to list the rules, just type:

/usr/local/postfwd/sbin/postfwd -f /etc/postfix/postfwd.cf -C

Finally, if you are satisfied, start postfwd and reload postfix. Then, monitor the log file for lines mentioning postfwd with:

tail -f /var/log/maillog | grep postfwd

There is an example policy request distributed with postfwd, called ‘request.sample’. Simply change it to meet your requirements:

nano /usr/local/postfwd/tools/request.sample
/usr/local/postfwd/sbin/postfwd -f /etc/postfix/postfwd.cf </usr/local/postfwd/tools/request.sample

Thats it.

No – it is not!

Really a bug not counted as one

I spent at least an hour just to find out the bug. No! It is not a bug. I just need to read very, very carefully:

From the Doc’s: “Multiple use of the same item is allowed and will compared as logical OR ”

So macro with this content:

&&LIMITEDS { sender=.*@onedomain.com ; sender~=user@seconddomain.com; };

will work, and the following one will not (only first rule will be accounted):

&&LIMITEDS { sender_domain=onedomain.com ; sender~=user@seconddomain.com; };

AllowOverwrite on
AllowStoreRestart on

The first one is probably already enabled in config file. Resumed upload is considered the same as a file overwrite (in ProFTPD). Therefore the file overwriting must be enabled.

The first that slips mind are Postfix’s bcc_maps directives (or similar). Alternative mechanism should be pretty straightforward – thru milter system. If someone reading this post finds some other useful utility (open source only), please post a comment about it.

And, my list f sound open-source solutions is:

• Postfix’s recipient_bcc_maps (mails send to some adresses) or sender_bcc_maps (for mails sent by some user addresses)
• Open Mail Archiver (I really like the straightforward idea)
• Scam-archiver
• MailArchiva (Open Source Edition)
• Or maybe some procmail recipes like here or Æmail

Service unavailable; Client host [x.x.x.x] blocked using zen.spamhaus.org; ...

My logwatch package is up to date. Problem is – the service and configuration for postfix in that package are not.

You need to update postfix filter portion of logwatch.
It can be updated either from: http://www.mikecappella.com/logwatch or from latest version of logwatch at: www.logwatch.org

For me, the first link was better because it had a fresher scripts. I downloaded the package, and only two files are needed for me (do not install or anything).

Just rename (remove -logwatch part of filename) files

postfix-logwatch
postfix-logwatch.conf

to

postfix
postfix.conf

and copy them to

       /etc/logwatch/scripts/services/postfix (The Logwatch postfix filter)
       /etc/logwatch/conf/services/postfix.conf (The Logwatch postfix filter configuration file)

Files at this location will override default values. And this should fix the problem.

But, there was a problem with  file services/postfix where I had to remove the first line for logwatch to work. Now, when I execute /etc/cron.daily/0logwatch, I do get an reasonable sized email with email statistics.

[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/ads
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/thisdoesnotexistahaha.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/drupal
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adserver
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/adxmlrpc.php
[error] [client xx.121.146.224] File does not exist: /var/www/sharedip/xmlrpc.php

These robots are constantly trying to exploit vunerabilities. I want to stop them.

There are couple of solutions, but after researching, I concluded that for me the best one is Fail2Ban (compared to DenyHosts or BlockHosts), specially because it can analyze log files for Apache, SSH, FTP and Postfix (and I have it in repository). BTW, there was some vulnerabilities with it, in the past.

All the configuration is done in /etc/fail2ban/jail.conf.

awk '{print $1}' access_log | sort | uniq -c | sort -n | tail -20 | awk '{print $2,$2,$1}' | logresolve | awk '{printf "%6d %s (%s)\n",$3,$1,$2}'

where access_log is filename for Apache  access log file, and -20 means that I want to see a first 20 addresses. Great resource of information can be found at the-art-of-web.com.

I setup AWStats package on my server using instructions on this DjTremors site.

And everything worked, besides the fact that I must disable suexec in ISPConfig (Management / Server – Settings / Web / suexec Checkbox).

At first, I tried adding this statistics inside a ISPConfig’s http server. Just to remember, whenever I need something to be an option in ISPConfig, under the Tools menu. This is done by creating a subdirectory in  /home/admispconfig/ispconfig/web/tools/tools, and creating a nav.inc.php file there

But the problem arises because Perl can not be enabled without larger modifications in a /root/ispconfig/httpd/conf/httpd.conf. I always got an error

mod_perl.so: undefined symbol: apr_bucket_shared_split

So I made a Tools link, but pointing to a main Apache server (where I have Perl enabled).

File: nav.inc.php

<? if($go_api->auth->check_admin(0,1)) {
/*
   Only Admin can see this
   Copyright (c) 2008, cvladan.com, Vladan Colovic - All rights reserved.
*/
?>
<!-- Mail AWStats for all domains //-->

menuDaten.neu(new LinkEintrag('root','<? echo $go_api->lng("Mail Server Statistics")?>','http://www.duplonucleo.com/ispcstats/awstats.pl?config=mail','_blank','email.gif','Ma
il Server Stats','n',''));

<? } ?>

Let me explain important files in AWStats for ISPConfig. There is /root/ispconfig/scripts/shell/awstats.php file that periodically recreates .conf files in /etc/awstats, based on virtual domains created in web home /var/www. There is no need to change this file. Another important file is/home/admispconfig/ispconfig/web/ispc.awstats/awstats_updateall.pl which is executed periodically too. This file launches update process for all AWStats config files, except awstats.model.conf found in a particular directory (in our case /etc/awstats), so you can easily setup.

As we see, there is no need to change anything. It will automaticly update our mail statistics. So, lets go there…

First, I needed to add a script  maillogconvert.pl  where it sould be in a first place – in: /home/admispconfig/ispconfig/web/ispc.awstats

Then edit the /etc/awstats/awstats.mail.conf and … Not so good link, and much better (original).

And do not be shooked with the amount of mails recieved by admispconfig@. Thats ok. The admispconfig mailbox is a script that generates your mail statistics. The emails that go to admispconfig contain the size of the original email sent to one of your users in bytes.

And, after everything, I just updated AWStats from 6.5 to version 6.8 (latest one)

Window > Translation >  Received data assumed to be in which character set: UTF-8
Window > Translation >  Handling of line drawing characters: Use Unicode line drawing code points
Connection > Data > Terminal details > Terminal-type string: linux
Terminal > Keyboard > The Function keys and keypad: Linux

The commander is now working as it was supposed to. Source of information.

Besides this, when we are already in PuTTY, to mention couple of configuration settings:

Connection > SSH > Enable compression: on
Connection > SSH > Preffered SSH protocol version: 2 only

If you want PuTTY to open some session when you start it, just create a shortcut and add a suffix

-load "Session-Name"

For example: C:\Program Files\Putty\putty.exe -load "MySession"