Friday, November 23, 2012

Exim Hardening Practices

There isn't any way within cPanel to prevent the bounce back as it's an informative measure so the customer knows their emails are being rejected. 

As for recommended and effective measures to stop spammers, I have a guide I've written that isn't yet completed that details some steps you can take to make it easier to track down spammers. It isn't possible so long as you have email services running to prevent spamming entirely. I'll go ahead and post what I have currently for that guide in case it might be of help:

Exim Hardening Practices

The intention of this guide is to provide some steps to help tighten the email sending practices on a machine in order to facilitate both determining the legitimate sender of an email as well as preventing spoofing on the machine.

WHM Options to Enable

1. Preventing nobody from sending emails

WHM > Tweak Settings, select “On” for the following option:

Prevent “nobody” from sending mail
Prevent the user “nobody” from sending out mail to remote addresses
(PHP and CGI scripts generally run as “nobody” if you are using mod_php or have Suexec disabled.)

Then click the “Save” button to save the configuration change.

If you are using DSO as the PHP handler, this option is not advised. You can see which PHP handler the machine is using in the WHM > Apache Configuration > PHP and SuExec Configuration area.

The default handler for new cPanel installations is suPHP, which works with the above option. If you are using an older setup with DSO, it is recommended to change to suPHP anyway, since PHP processes then run as the account owner and it becomes possible to track which user's script sent an email.

2. Setting the Sender header when the email sender tries to spoof the sender

WHM > Exim Configuration, select the following:

Set the Sender: Header when the mail sender changes the sender (-f flag passed to sendmail).

Then click the “Save” button to save the configuration change.

3. Adding MailHeaders for PHP

WHM > EasyApache (Apache Update) > Step 6 Exhaustive Options List in the PHP section (PHP 4 and/or PHP 5), select the following:

MailHeaders
For more information on this option, please see CHOON.NET : Resources : Scripts & Patches : PHP Mail Header Patch 

Exim Configuration Changes

1. Enabling full logging in the Exim log file

WHM > Exim Configuration > Advanced Editor, add the following in the topmost box:

Code:
log_selector = +all

Then click the “Save” button to save this configuration change. This adds extra logging to /var/log/exim_mainlog on Linux (or /var/log/exim/mainlog on FreeBSD), such as the message subject and the path of the command that submitted the message.

2. Stopping spoofing from webmail and SMTP authenticated users

WHM > Exim Configuration > Advanced Editor, add the following in the second box (the one with begin acl directly above it):

Code:
acl_check_data:
  deny
    authenticated = *
    condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
                         { !eqi{$authenticated_id} {${address:$header_From:}} }\
                        }\
                 }
    message = Your FROM must match your authenticated email user.

This rejects any authenticated submission whose envelope sender or From: header address differs from the authenticated login, which prevents users from changing their identity in webmail or their email client, i.e. spoofing an email identity other than the logged in user. Note that it also blocks legitimate use of a different From: address by an authenticated user, such as sending as an alias, so check whether any of your users rely on that before enabling it.

Removing sendmail

Finally, since sendmail spoofing cannot be prevented easily, moving the sendmail binary out of the way is the most effective way to cut down on spoofing and spamming. You can simply run the following command:

Code:
mv /usr/sbin/sendmail /usr/sbin/sendmail.bak`date +"%Y%m%d%H%M%S"`
If your sendmail is not at /usr/sbin/sendmail, you could run whereis to locate it:

Code:
whereis sendmail
Please note that any forced cPanel updates (/scripts/upcp --force) or exim updates (/scripts/eximup) would replace the missing binary. You will need to manually move the file each time those scripts are executed or use /scripts/postupcp and /scripts/posteximup files to run the command to move the file again. The script could simply have the following content:

Code:
#!/bin/sh

mv /usr/sbin/sendmail /usr/sbin/sendmail.bak`date +"%Y%m%d%H%M%S"`
After creating the scripts, ensure they have execute permissions so they can run:

Code:
chmod +x /scripts/postupcp
chmod +x /scripts/posteximup
Please note that you cannot make the sendmail binary file immutable with blank contents as it is still replaced during eximup regardless, so the only viable option to keep it from being replaced would be to create the previously mentioned scripts.

Cautionary Note: Once sendmail is no longer working on the machine, your users will no longer be able to use it for scripts. They must use SMTP authentication in scripts rather than functions that call the sendmail binary. Most major applications such as Joomla do have an option to use SMTP authentication instead, but you are going to have many customers who relied on scripts that used PHP mail() function calling sendmail or who called sendmail directly, and those users will be impacted by this change. Please ensure that your users are well aware this is going to happen before removing sendmail functionality. It is best to test the repercussions it will have on services on your machine before making such a change permanent.

Tuesday, November 20, 2012

Moving /home Data From Old System To a New Linux System


Copy all files and directories using scp

The easiest way to copy all files (including hidden dot files) is as follows using the scp command:
$ scp -r /home/you/. you@new-system:/home/you

OR

$ scp -r /home/you/. you@192.168.1.100:/home/you

Recommended Tool

I recommend using the rsync command, a fast and extraordinarily versatile file copying tool, as follows. Log in to your old laptop and type:

$ cd /home/you
$ rsync -avz ./ user@newsystem:/home/user/

OR

$ rsync -avz ./ user@192.168.1.10:/home/user/

(Using ./ rather than * as the source makes rsync include hidden dot files such as .bashrc and .ssh, which a shell glob would skip.)

Increase /tmp Partition Size in cPanel and secure it


cPanel’s new securetmp script is handy to prevent users from executing malicious code in /tmp or /var/tmp, but if your software is like a lot out there and doesn’t have any garbage collection, you’ll find your /tmp partition filling up quickly. By default, cPanel’s script uses a limit of 512MB, and for those with large session data files (storing image data, for instance) this amount is fairly small. I played around with the script and although the 512MB value is easily changed, a good amount of the code would have to be tweaked in order to re-do an existing secured /tmp.

I have included below the sequence of commands I used to expand the “partition” to 1GB. I quote it because it’s not really a partition in the normal sense, but a 1GB file mounted as a loop block device. Note that in the instructions below I only stop MySQL, which is due to the mysql.sock file it keeps in /tmp; however, you will want to stop any other processes using /tmp as well. You can find these by running lsof | grep /tmp and using the output PID/process name to stop them accordingly (commonly you will also need to stop the cpanel and apache services).

Here are the steps:
# /etc/init.d/mysql stop
# cp -af /var/tmp /var/tmp.bak
# umount /var/tmp
# umount /tmp
# rm -f /usr/tmpDSK
# dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1048576
# mkfs /usr/tmpDSK
# tune2fs -j /usr/tmpDSK
# mount -t ext3 -o nosuid,noexec,loop /usr/tmpDSK /tmp
# mount -o bind,noexec,nosuid /tmp /var/tmp
# cp -a /var/tmp.bak/* /tmp/
# rm -rf /var/tmp.bak/
# chmod 1777 /tmp
# /etc/init.d/mysql start

You should now see the increased /tmp partition size:

root@server [~]# df -h|grep tmp
/usr/tmpDSK           1006M   13M  993M   1% /tmp

Alternatively, follow these steps:

1. Stop cpanel, apache (litespeed), mysql services:
/etc/init.d/cpanel stop
/etc/init.d/httpd stop
/etc/init.d/lsws stop
/etc/init.d/mysql stop
2. Umount /tmp and /var/tmp:
umount -l /tmp
umount -l /var/tmp
3. Move /usr/tmpDSK file to another location (just in case you’ll need to mount it somewhere else to preserve data):
mv /usr/tmpDSK /usr/tmpDSK_back
4. Modify /scripts/securetmp to set tmpdsksize to desired size:
vi /scripts/securetmp
$tmpdsksize = 2048000
5. Run:
/scripts/securetmp
6. Start cpanel, apache (litespeed), mysql services:
/etc/init.d/cpanel start
/etc/init.d/httpd start
/etc/init.d/lsws start
/etc/init.d/mysql start

How to check whether email accounts have been compromised

When you see suspicious behavior from exim, check whether any email account has been compromised. For example, see the following log entry:
2011-11-01 15:01:13 [22561] 1RLMON-0005rt-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47384
I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="\252k\260\352\263\261\262\364\274W\244j\263n\273I
\260t\244\321\250\317\251\312\274\244\257\273 \244k\251\312\274\351\247j\252\272\257\265\304_cxgwe"
from <test@domain.com> for linpr84@yahoo.com.tw sandyhung212@yahoo.com.tw eric_shieh0225@yahoo.com.tw
k1672x2@yahoo.com.tw blue12820@yahoo.com.tw briste00@yahoo.com.tw lisa34052@yahoo.com.tw ekke9889@yahoo.com.tw
ca438383@yahoo.com.tw rose-7945@yahoo.com.tw kenny559855@yahoo.com.tw z0913437700@yahoo.com.tw andre1528@yahoo.com.tw
jintinw@yahoo.com.tw m5200529@yahoo.com.tw 0930851353@yahoo.com.tw s58223315@yahoo.com.tw cherry80829@yahoo.com.tw
yanshu1234@yahoo.com.tw

You can use the following command to count dovecot logins to the email accounts on the server (authentication attempts via an email client):

egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1
For eg:
root@ [~]# egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1
--------
 294 dovecot_login:support+domain1.com
 309199 dovecot_login:test@domain.com
-------
The email account test@domain.com was logged in 309199 times. So it is definitely compromised.
To see the details of logins to that account via webmail, use the following command. For example:
root@ [~]# grep "/webmail/x3/?login=1" /usr/local/cpanel/logs/access_log | grep test@domain.com | grep -Ev
 'cPanel_magic_revision|squirrelmail|roundcube|horde'

 30.40.50.60 proxy test@domain.com [11/01/2011:22:33:30 -0000] "GET /webmail/x3/?login=1 
HTTP/1.1" 200 0 "http://webmail.domain.com/webmaillogout.cgi" "Mozilla/4.0 (compatible; 
MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1)"30.40.50.60 proxy 
test@domain.com [11/01/2011:22:33:34 -0000] "GET /webmail/x3/mail/passwdpop.html?redirectdomain
=&email=larry&domain=domain.com HTTP/1.1" 200 0 "http://webmail.domain.com/webmail/x3/?login=1"
 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.1)"
Malware on a user's PC can harvest the email account password from the email client and then send spam from that PC in the background. It can also send the email address and password to a remote server, from which spammers then send bulk emails using the stolen credentials.
To get the dovecot login count for the previous clock hour on the server, use the command below (GNU date is assumed, as it is on cPanel's CentOS base):
lasthour=$(date -d '1 hour ago' +"%Y-%m-%d %H"); grep "^$lasthour" /var/log/exim_mainlog | egrep -o 'dovecot_login[^ ]+' | sort | uniq -c | sort -nk 1
For example:
root@ [~]# lasthour=$(date -d '1 hour ago' +"%Y-%m-%d %H"); grep "^$lasthour" /var/log/exim_mainlog | egrep -o 'dovecot_login[^ ]+' | sort | uniq -c | sort -nk 1

   1585 dovecot_login:test@domain.com

Mail IP Blacklist And Spamming

Top 5 users sending maximum emails on the server:

 grep "<=.*P=local" /var/log/exim_mainlog | awk '{print $6}' | sort | uniq -c | sort -nr | head -5

 eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local senders by message count" | tail -5 | awk '{print $1,$NF}'

Top 5 mail receivers:

egrep "(=>.*T=virtual_userdelivery|=>.*T=local_delivery)" /var/log/exim_mainlog | awk '{print $7}' | sort | uniq -c | sort -nr | head -5

eximstats /var/log/exim_mainlog | grep -A7 "Top 50 local destinations by message count" | tail -5 | awk '{print $1,$NF}'
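As an added example (not part of the original posts), the following Python script applies the same checks as the egrep/awk one-liners in this post and in the "How to check whether email accounts have been compromised" post above to a constructed sample of exim_mainlog "<=" lines: it tallies authenticated logins per account, tallies local (P=local) senders, and flags any account that submitted more than a chosen number of messages in a single clock hour. The sample log, the limit and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of /var/log/exim_mainlog "<=" (message received) lines, not real log data.
SAMPLE_LOG = """\
2011-11-01 15:01:13 [22561] 1RLMON-0005rt-OR <= test@domain.com H=(uuoulhgwf) [50.50.50.50]:47384 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2291 T="offer"
2011-11-01 15:02:05 [22570] 1RLMOP-0005ru-AB <= test@domain.com H=(xkqzp) [50.50.50.51]:40012 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2300 T="offer"
2011-11-01 15:03:44 [22580] 1RLMOQ-0005rv-CD <= support@domain1.com H=(mail) [10.0.0.5]:51234 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:support@domain1.com S=900 T="ticket"
2011-11-01 15:04:10 [22590] 1RLMOR-0005rw-EF <= user1@domain.com U=user1 P=local S=500 T="report"
2011-11-01 15:04:12 [22591] 1RLMOS-0005rx-GH <= user1@domain.com U=user1 P=local S=510 T="report"
2011-11-01 16:10:00 [22600] 1RLMOT-0005ry-IJ <= test@domain.com H=(abc) [50.50.50.52]:50001 I=[100.100.100.100]:25 P=esmtpa A=dovecot_login:test@domain.com S=2000 T="offer"
"""

# Hour, sender, protocol (P=) and optional authenticator id (A=) of one "<=" line.
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2} \d{2}):\d{2}:\d{2} .*? <= (?P<sender>\S+) "
    r".*?\sP=(?P<proto>\S+)(?: A=(?P<auth>\S+))?")

def parse_received(log_text):
    """Yield (hour, sender, proto, auth_id) per received message; auth_id is None when unauthenticated."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("hour"), m.group("sender"), m.group("proto"), m.group("auth")

def auth_login_counts(log_text):
    """Same tally as: egrep -o 'dovecot_login[^ ]+' exim_mainlog | sort | uniq -c"""
    return Counter(auth for _, _, _, auth in parse_received(log_text) if auth)

def local_sender_counts(log_text):
    """Same tally as: grep '<=.*P=local' exim_mainlog | awk '{print $6}' | sort | uniq -c"""
    return Counter(sender for _, sender, proto, _ in parse_received(log_text) if proto == "local")

def flag_busy_accounts(log_text, per_hour_limit):
    """Authenticated ids that submitted more than per_hour_limit messages in any single clock hour."""
    per_hour = Counter((hour, auth) for hour, _, _, auth in parse_received(log_text) if auth)
    return sorted({auth for (_, auth), n in per_hour.items() if n > per_hour_limit})

if __name__ == "__main__":
    for auth, n in auth_login_counts(SAMPLE_LOG).most_common():
        print(n, auth)
    print("over limit:", flag_busy_accounts(SAMPLE_LOG, 1))
```

On a live server, read /var/log/exim_mainlog into log_text instead of SAMPLE_LOG and pick a per-hour limit that fits your users' normal sending volume.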

Script to check path for the script used for spamming

Wordpress 404 page error + The requested URL /about-us/ was not found on this server.


This issue can be fixed by creating a .htaccess file in the site's document root with the following content (the RewriteEngine directive belongs inside the IfModule block so the file does not error when mod_rewrite is absent):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>