Booservers - All about dedicated servers

Install Mailscanner MRTG

This will install Mailscanner MRTG on your system. I have tested it on Ensim 3.1.10 and Ensim 3.5.17. Others have also done this on CPanel, but make sure you make the change noted...

Regular, I am not responsible for your box/you are doing this at YOUR OWN RISK... It should not screw anything up, but you are ultimately responsible if it does. I will help out as much as I can, but I am not a genius.

PREREQUISITES
1) MRTG *MUST* be installed (HOW-TO)
2) Mailscanner *MUST* be installed (I use gpans MS/SA/CM HOW-TO, but there is a MS Only HOW-TO too)

INSTRUCTIONS
cd ~
wget http://umn.dl.sourceforge.net/sourc...rtg-0.05.tar.gz
tar -xzvf mailscanner-mrtg-0.05.tar.gz
cd mailscanner-mrtg-0.05
cp mailscanner-mrtg.conf /etc/MailScanner/
cp mailscanner-mrtg.cfg /etc/mrtg/
cp mailscanner-mrtg /usr/sbin/
cp mailscanner-mrtg.include /etc/httpd/conf/
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bk

For CPanel Users
mkdir /usr/local/apache/htdocs/mailscanner-mrtg
cp web/* /usr/local/apache/htdocs/mailscanner-mrtg/
pico -w /etc/MailScanner/mailscanner-mrtg.conf
Find the two lines that start with:
Incoming Queue Dir =
Outgoing Queue Dir =
and change it to look like this:
Incoming Queue Dir = /var/spool/exim_incoming/input/
Outgoing Queue Dir = /var/spool/exim/input/

For Ensim/Red Hat/Fedora Users
mkdir /var/www/html/mailscanner-mrtg
cp web/* /var/www/html/mailscanner-mrtg/

Continued... FOR ALL USERS
pico -w /etc/httpd/conf/httpd.conf
Add this line to the very bottom
Include /etc/httpd/conf/mailscanner-mrtg.include
Ctrl + X to quit, y to save

Run this command 3 times. Ignore the errors and wait, it takes a few seconds each time.
mrtg /etc/mrtg/mailscanner-mrtg.cfg
-- IGNORE THE ERRORS (They are normal) --

service httpd restart
If this fails, check that you copied the file mailscanner-mrtg.include to the /etc/httpd/conf folder. Also recheck that you added the Include line above. If all else fails comment out the Include line and post your errors. DO NOT CONTINUE until httpd restarts successfully.

pico -w /etc/crontab
Add this line to the bottom of the file
0-59/5 * * * * root /usr/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg >> /dev/null
Ctrl + X to quit, y to save

Go to http://hostname.domain.com/mailscanner-mrtg

Email with attachments from command line

Sending emails from command line
I�ll describe possible ways to send emails from the command line. Of course there are much nicer ways to do it, but you may be in the situation (such as the one that drove me to do a deeper research and come out with this solution) and will need an easy and fast way to send mails from the prompt.

Simple text emails:
You can send simple emails by using the already installed sendmail program with the following command at the prompt:

echo "Simple, small body Text goes here" | mail -s "The Subject goes here" user@domain.com

If you have already typed a message in a text file, then import the text into the body of the email you are sending by using command:

mail -s "The Subject goes here" user@domain.com < text_file

Disadvantage: the email will be sent using header From: root@host.domain.com

Advanced emails with attachments:
If you need to send emails containing attachments, then I�ll recommend you to use an additional program not included on the standard Linux distributions, since there it were no way I could find a way to use the build in tools to do it.
This is a mature software, very well documented and with constant development to keep up to date and using most possible features we�ll need.
Program: Email
Version: 2.2.2
WebSite: http://email.cleancode.org/

As root:
Create a temp folder to download the source:
mkdir email
cd email
wget http://email.cleancode.org/download/email-2.2.2.tar.gz
tar �zxvf email-2.2.2.tar.gz
cd email-2.2.2

Run the following commands to have it installed:
./configure

Create the installation file:
make

Run the installation:
su -c 'make install'

At the end you�ll get the program installed with:
Binary directory: /usr/local/bin
Email Files /usr/local/etc/email

Edit the configuration file:
You can select to send email by SMTP or by sendmail.
I personally use sendmail for easiness.
pico -w /usr/local/etc/email/email.conf

For sendmail:
Comment out lines: (add # at the beginning of the line)
#SMTP_SERVER = '127.0.0.1'
#SMTP_PORT = '25'

Uncomment line: (remove # from the beginning of the line)
SENDMAIL_BIN = '/usr/lib/sendmail -t -i'

Set sender personal info with something like:
MY_NAME = 'System Administrator'
MY_EMAIL = 'info@domain.com'
REPLY_TO = 'info@domain.com'

Exit and save
Ctrl x
y

For SMTP:
You got the idea, just fill out SMTP variables with proper info.

Edit the signature file:
pico -w /usr/local/etc/email/email.sig

Set it as appropriate with relevant info.
I�d recommend removing line: (to keep system privacy)
On System: %h

Exit and save
Ctrl x
y

System installed and configured.

Some usage example:
Let say you are using Mailsacanner with ClamAV, and a valid attachment was removed, then a customer contacted you with the email MailScanner sent him, including the file name and info and the path were the attachment was quarantined:
It�ll read something like:

...
The original e-mail attachment "file_name.zip"
� �
Note to Help Desk: Look on the E-MailSystem MailScanner in /var/spool/MailScanner/quarantine/20040730 (message i6UKnWp02396)
�

With that info will do:
cd /var/spool/MailScanner/quarantine/20040730/i6UKnWp02396

Verify the mentioned file exists:
ls
decompressed_file_name.pdf file_name.zip

Execute the email command to send the attachment:
email -s "Attachment" -a file_name.zip user@domain.com

Info: -s = Subject -a = Attachment

For the email body, the system default editor will open up, usually vi
Type in whatever message you want to tell:
To start typing:
Shift a

Dear customer:
Find attached the removed file.

Regards,

To finish typing press:
[ESC]
To quit vi type:
:exit

As soon as vi exists, the email will be sent, and will give you a nice progress bar.

Read the README file for more usage options and tweaks.
pico /path/to/download/folder/email-2.2.2/README

Credits: http://www.integrese.com/

Easy Mailscanner + Clam Antivirus + SpamAssassin Updated 5/9/2003

We have put together the following package which will install Mailscanner, Clam Antivirus and SpamAssassin on your Ensim 3.1, or Ensim Pro 3.5 server.

This package installs:
Mailscanner 4.22
Clam Antivirus 0.60
SpamAssassin 2.55

We have tested it on upgrades from 4.11 + Mailscanner versions without issues. If you have an older Mailscanner install, we would recommend uninstalling it first and deleting the /etc/MailScanner folder before running this package.

This package does not use f-prot as you need a commercial license for use in a business environment.

Installation:

1) Make sure you are su root (or -)

2) Download the appropriate installer to a folder on your server, then install it

Ensim Pro 3.5.x

wget http://download.cheetaweb.com/mails...it-3.5.0.tar.gz
tar -zxvf mailscanner-kit-3.5.0.tar.gz
cd mailscanner-kit-3.5.0
./mailscanner-clamav-spamassassin-3.5.0.sh

Ensim 3.1.x
wget http://download.cheetaweb.com/mails...t-0.2.72.tar.gz
tar -zxvf mailscanner-kit-0.2.72.tar.gz
cd mailscanner-kit-0.2
./mailscanner-ensim-0.2.sh

3) You will need to configure MailScanner as described

service sendmail stop
chkconfig --del sendmail
chkconfig --level 2345 MailScanner on
service MailScanner start

*NOTE 1* For Ensim 3.1 installs, this package requires that you be running a perl 5.6.0 environment.

*NOTE 2 * If your /home partition is mounted separately from /, you will need to change the the Incoming Queue to the following after installation, or Mailscanner will not run:

Incoming Queue Dir = /var/spool/mqueue.in

You will also need to edit /etc/cron.d/mqueuecron to run more frequently, i.e.

*/10 * * * * root /usr/lib/opcenter/virtualhosting/MailQueueCleaner

*NOTE 3* SpamAssassin is configured to only tag emails by default. You will need to reconfigure the delivery preferences in MailScanner.conf if you wish it to delete, bounce or otherwise remove the messages that have been tagged as spam.

Credits: http://www.cheetaweb.com/

Set up Tripwire on RedHat

Install tripwire

It's installed by default, but if it isn't, grab your RedHat disks, and install it:

---------------------

# rpm -ihv /mnt/cdrom/RedHat/RPMS/tripwire-2.3.1-5.i386.rpm
# /etc/tripwire/twinstall.sh

---------------------

Clean the policy file
Go over to /etc/tripwire, and clean out the policy file with this handy script:

---------------------

# cat > ./cleantw.pl
#!/usr/bin/perl

while (<>){
#look at the line, and check for a line that can be
# Construed as a file name
CASE:{
( m|(^s*)(/[/w._-]+)(s+->.*)| ) and do {
print $1;
print "#" unless (-e $2);
print "$2$3n";
last;
};

print $_;
}
};
^D
#

---------------------

Now clean out the crap in the sample policy file they have.

---------------------

# perl cleantw.pl < twpol.txt > cleanedpol.txt

---------------------

Edit the file. You'll need to change the hostname that is defined somewhere around the 65th line to match what comes out of the 'hostname' command. You'll also need to change some of the parameters for things that are monitored (Log rotating changes inodes for a given filename).

---------------------

/var/run -> $(SEC_INVARIANT)
/var/log -> $(SEC_INVARIANT)
/var/tty[1-8] -> $(SEC_INVARIANT)

---------------------

Finishing up

---------------------

# /usr/sbin/twadmin -m P cleanedpol.txt
# /usr/sbin/tripwire --init

---------------------

Credits: http://www.afonsoconsulting.com/

Chkrootkit

Installing CHKROOTKIT

(Version 0.42b Sep 20 2003)

SSH as admin to your server. DO NOT use telnet

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Credits: http://www.cheetaweb.com/

Use SFTP (Secure FTP via SSH2) instead of FTP

NOTE: If you have SSH set up on your server, your server is ready to be an SFTP server. SFTP uses SSH.

What does this How-To show you?

a. How to install, setup and use an SFTP client to connect to your box using SSH2 to download/ upload files rather than FTP.

b. How to block port 21 (the default FTP port) which you don't need anymore.

c. How to uninstall and remove the FTP server from your box (if you don't need it anymore).

Why you should NOT use normal FTP

Most people use normal unsecure FTP do upload and download files to their servers using an FTP client from home.

The problem with this is that YOUR USERNAME AND PASSWORD are sent in PLAIN TEXT - a hacker can easily get this information and use it to gain access to your server.

What is secure FTP or SFTP?

SFTP basically removes the need to use FTP, and instead uses SSH to connect to your server to upload or download files. Choose SSH2 to connect (as you should anyway with your SSH client) and your connection will be secure.

What are the advantages of SFTP?

a. Your username and passwords are secure.

b. You can disable the FTP server - ftpd (proftpd or pure-ftpd) - on your server which should reduce server overhead. SFTP uses SSH to transfer files, not FTP.

c. You can block port 21 with your firewall. One less port to worry about.

Let's begin...

1. Download and install an SFTP client on your home computer.

You can use WS-FTP Pro, or CuteFTP Pro, which has SFTP built-in. I prefer to use a free open-source one called Filezilla which you can download and install here:

http://sourceforge.net/project/show...lease_id=183014

NOTE: Filezilla uses part of PUTTY to work, so you may need to install PUTTY on your computer too.

2. Set up your SFTP client.

If you are using Filezilla:

a. Open the program.
b. Click on Edit.
c. Click on Settings.
d. Open Connection tree.
e. Click on SFTP settings.
f. Leave Use Compression as default.
g. Choose to Use SSH2 (a more secure SSH connection).
h. Click OK.

i. Click on File.
j. Click on File Manager.
k. Click on New Site.
l. Enter your server SSH IP address in Host.
m. Choose SSH2 for ServerType - the port number should be 22.
n. Change the port number if you have a custom one for SSH.
o. Choose Normal for LogonType.
p. Enter your SSH username and password.
q. Click on Save and Exit.

Done! Try connecting to your server now via SSH2 using your SFTP client by clicking on the connect icon on the toolbar (most left). It should work. If it doesn't, check your Host SSH IP address again, Port number, Username and Password. Remember, it's the same settings as your SSH client (e.g. PUTTY).

3. Block port 21 (the default FTP port) in your server using your favorite firewall.

If you are using APF 0.91:

pico -w /etc/apf/conf.apf

Find:

IG_TCP_CPORTS="

and remove 21 from the list.

Then find:

EG_TCP_CPORTS="

and remove 21 from the list.

Then find:

EG_UDP_CPORTS="

and remove 21 from the list as well.

This will prevent port 21 from ever being used.

Don't forget to restart apf after this by running this command:

service apf restart

4. Remove the FTP server from your box by uninstalling FTP.

Find out what FTP server software you are using by running either commands:

service proftpd status

service pure-ftpd status

Then find out which RPM version of the software you are using by running either commands:

If you're using ProFTP run this:

rpm -qa | grep proftpd

Cut and paste the rpm name into your Notepad - you'll need it.

OR if you're using PureFTP run this:

rpm -qa | grep pure-ftpd

Cut and paste the rpm name somewhere.

Then run this command to uninstall FTP:

rpm -e (full rpm name)

Done!

Check to make sure if the FTP client has been uninstalled successfully by running this again:

service proftpd status

service pure-ftpd status

OpenSSH public key login (no password)

How to connect to your linux server using OpenSSH and public keys.

This is for OpenSSH2 protocol only !

Ok, here we go....

To generate keys on a linux desktop / workstation :

First, in a local shell (on your machine as your normal user) you must generate your keys.

------------------------

ssh-keygen -q -t rsa -f $HOME/.ssh/id_rsa -C your_key_name_here

------------------------

(replace your_key_name_here with your key name ;-) can be anything, just no spaces )
You will be prompted for a passphrase, enter a sentence at least 10 or 15 words long that you will remember !

You will be prompted again, re-enter the passphrase

You then go back to the shell prompt.

now you can go to ~/.ssh/ and see the files there :

id_rsa
id_rsa.pub
known_hosts

the id_rsa.pub is your public key.

There are agents that can enter your passphrase for you automatically
Check out http://www.gentoo.org/proj/en/keychain.xml
or read this Redhat document fully
http://www.redhat.com/docs/manuals/...ent-config.html

###########################################

To generate keys on a Windows desktop / workstation :

Get puTTY from http://www.chiark.greenend.org.uk/~...y/download.html
Make sure you get the .exe files for puTTY, puttygen and pageant and also get the puttydoc.zip Unzip puttydoc and read the howtos in there as to generating your keys and using pageant.
Then use the putty generated public key in the server side section of my howto.

###########################################

To install the public key on the server (either generated by puttygen or ssh-keygen)

Log in as admin on the server.

While still in /home/admin

------------------------

mkdir .ssh
chmod 700 .ssh
cd .ssh
vi authorized_keys2

------------------------

hit i then add

------------------------

ssh-rsa

------------------------

followed by a space, then paste in your public key

( tip: vi the id_rsa.pub on your local machine and copy the contents, including the name at the end that you gave it , but be careful not to get any line breaks when you copy, it should be just one line)

Now hit Esc, then hit :wq to save and exit

then

------------------------

chmod 600 authorized_keys2

------------------------

now su - to root
enter

------------------------

service sshd restart

------------------------

Then logout from the server.

Log back in in the usual way, but now you will be asked for the passphrase.

Seems silly, but bear in mind that you are not sending the passphrase out over the net, it all takes place on your machine.

If you want to limit the connection for this key to your own hostname / ip address (client machine or for server to server) just add

host=xxx.xxx.xxx.xxx

before the ssh-rsa in authorized_keys2 , remembering to leave a space before ssh-rsa

(the x's being your ip or just enter your hostname if its real !)

host=192.168.10.1 ssh-rsa pasteyourkeyhereexamplekeytextexamplekeytext your_key_name

It's done :-)

If you specify dsa in the keygen you will generate a DSA key, just remember to change rsa to dsa everywhere in this how to, except in the authorized_keys2 file where it should be ssh-dss

This howto should work for any linux servers with a reasonably current version of OpenSSH installed, and assuming that you haven't changed the authorization config to prevent key logins.

If the key login fails, you will still be able to use your password as normal ;-)

To disable password based logins :

Once you have the keys generated, set up on the server and you have tested the system, you can disable keyboard based logins.

This ensures that only the public key holders can ssh into the server.

ssh into the server as admin then,

------------------------

su -
vi /etc/ssh/sshd_config
/#PasswordAuthentication
i

------------------------

remove the # (uncomment the line) and change yes to no

hit Esc

------------------------

:wq

------------------------

then restart sshd

------------------------

service sshd restart

------------------------

Easy CURL 7.10.4 w/SSL

We've put together these RPM's for libcurl 7.10.2 with SSL support. They upgrade over the stock RH ones. Installation is via rpm -Uvh

Applicability (RH 7.2 / 7.3 required) :

Webppliance 3.1
Webppliance Pro 3.5
cPanel 6
Plesk 5.0

These are also Modernbill compatible on all above panel types.

Downloadables:

curl-7.10.4-1.i386.rpm
curl-devel-7.10.4-1.i386.rpm

MD5 Checksums

37a04f7db8c34fddbb309d067d16a453 curl-7.10.4-1.i386.rpm
e09253b7c227573f4e5b10d3987f433b curl-devel-7.10.4-1.i386.rpm

Credits: http://www.cheetaweb.com/

APF Firewall 0.9.4-7

Just thought I'd update the howto's for APF.

Type ifconfig

Find out if it�s using eth0 or eth1.

Usually its eth0 but if its not, change it in conf.apf or you�ll be completely blocking the server from access

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvzf apf-current.tar.gz
cd apf*
./install.sh
pico -w /etc/apf/conf.apf

RESV_DNS="1"

All SYSCTL options should be set to 1 EXCEPT for
SYSCTL_OVERFLOW="0"
SYSCTL_SYNCOOKIES="0"

USE_DS="1"
USE_AD="1"

FOR PLESK:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="37,53,873"

EGF="1"
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873"
EG_UDP_CPORTS="53,873"

For CPANEL:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,993,995,2082,2083,20 86,2087,2095,2096"
IG_UDP_CPORTS="37,53,873"

EGF="1"
EG_TCP_CPORTS="20,21,22,25,37,53,43,80,113,443,465,873,2087,2089"
EG_UDP_CPORTS="53,873"

apf �s to start firewall.

If you are not kicked out of SSH and you can type commands after it loads, that means it�s installed correctly.

pico -w /etc/apf/ad/conf.antidos

LP_KLOG="1"

USR_ALERT="1"
USER = �root�
ARIN_ALERT="1"

pico -w /etc/apf/conf.apf

change DEVM to 0

apf -r

Antidos via APF Firewall

Antidos is a really nice feature of the APF firewall, but it's not automatically turned on when you install and run APF.

First you probably want to make sure APF is running nicely for a few days and you have your own IP listed in the "allow_hosts.rules" file so you can't lock yourself out. You also want to understand how to access the EV1 remote console (from your EV1 account manager), just in case you do lock yourself out.

And to be even more safe, lets set DEVEL_MODE to "1" (on) and we need to setup USE_AD to enable the use of antidos, so find and edit these:

pico -w /etc/apf/conf.apf

DEVEL_MODE="1"

USE_AD="1"

apf -r

Now APF will quit in 5 minutes. Don't forget to put DEVEL_MODE back when everything is OK!

Your server will not be firewalled after 5 minutes! If you are under attack right now this might not be such a good thing to disable.

If you installed APF with the normal installer most of the settings for antidos should be OK. We only need to change a few things, find and change these:

pico -w /etc/apf/ad/conf.antidos

LP_KLOG="1"
IPT_BL="1"

USR_ALERT="1"
USER = �root�
ARIN_ALERT="1"

You can test run it manually (it's just a shell script):

/etc/apf/ad/antidos -a

It doesn't say anything if it liked the config file and your system, and if you ran it for the first time, you will find it created a blank log file at:

/var/log/apfados_log

You need to have antidos set to run via cron. If you have "crontab -e" all set up you can use that to set it up. Some panels let you edit the root cron job file from the panel.

This is a critical setup point, if not done, antidos will simply not operate.

Here's an example line, I added this to my root crontab:

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

This will run antidos every two minutes. The author of antidos doesn't recommend running it once a minute as it may cause a bottleneck for itself and the CPU. Likewise running it beyond a period of once every 5 minutes is not recommended either, for obvious reasons.

You can check to see if it's being run with something like this:

tail -30 /var/log/cron

Now restart apf again:

apf -r

Try to access a few of your sites and if you are not locked out and happy with everything you can set DEVEL_MODE to "0" (off) :

pico -w /etc/apf/conf.apf

DEVEL_MODE="0"

apf -r

At this point it would be nice to test to see if it actually works, I leave that up to you to figure out how or maybe someone else can post some ideas. I would be very careful, you don't want to DOS the wrong server.

If for some reason you find out it's locking the wrong people out and want to turn it off, take this line out of root cron:

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

And blank out this file:

/etc/apf/ad/ad.rules

You can look in the log file to see what went wrong:

/etc/apf/ad/apfados_log

And don't forget to restart apf:

apf -r

For more info on the settings, see the doc files at:
http://rfxnetworks.com/apf.php

Booservers - All about dedicated servers

Install Mailscanner MRTG

Email with attachments from command line

Easy Mailscanner + Clam Antivirus + SpamAssassin *Updated 5/9/2003*

Set up Tripwire on RedHat

Chkrootkit

Use SFTP (Secure FTP via SSH2) instead of FTP

OpenSSH public key login (no password)

Easy CURL 7.10.4 w/SSL

APF Firewall 0.9.4-7

Antidos via APF Firewall

Easy Mailscanner + Clam Antivirus + SpamAssassin Updated 5/9/2003