Install Prewikka

Prewikka is the graphical frontend to Prelude, using a web server.

Installation

Prewikka requires two databases: one to get the Prelude alerts (which is the same as configured before), and one to store its own data (prewikka). Actually, the Ubuntu packages does only create the prewikka database, and does not configure access to Prelude alerts, so alert installation needs to be done manually.

Install Prewikka

apt-get install prewikka

The package will install required dependencies (python, for ex), and will ask for the database configuration. As for Prelude,
we choose to use dbconfig-common, give the administrator password and
press enter for the DB password to let dbconfig-common generate one for
us.

Configure Prelude-Manager Access

Get the password from prelude-manager configuration file /etc/prelude-manager/prelude-manager.conf and edit prewikka configuration file /etc/prewikka/prewikka.conf:

vi /etc/prewikka/prewikka.conf

[idmef_database]
type: mysql
host: localhost
user: prelude
pass: **********
name: prelude

The [database] section is automatically configured by dbconfig-common, so do not modify it.

Web Server Configuration:

The configuration is explained in file /usr/share/doc/prewikka/README.Debian. You can choose between 3 configurations:

• Apache / CGI setup with VirtualHost
• Apache / mod_python setup with VirtualHost
• Prewikka from the command line tool

As an example I’ll use the mod_python setup.

apt-get install libapache2-mod-python

 Add a VirtualServer to your apache configuration with the following content:

NameVirtualHost *<VirtualHost *>        ServerAdmin admin@domain.com        <Location />                SetHandler mod_python                PythonHandler prewikka.ModPythonHandler                PythonOption PrewikkaConfig /etc/prewikka/prewikka.conf        </Location>

        <Location /prewikka>                SetHandler None        </Location>

        Alias /prewikka /usr/share/prewikka/htdocs        Alias /htdocs /usr/share/prewikka/htdocs</VirtualHost>

Restart you apache webserver and you can login to the prewikka interface.

Note: you can of course always us a setting for apache like:

NameVirtualHost xxx.xxx.xxx.xxx:80
<VirtualHost prewikka.yourdomain.tld:80>

This is usefull when you have other services running on your apache server.

Part 2: Installing And Configuring Snort

I will not write the complete howto for this since there is a hwto for snort: Intrusion Detection: Snort, Base, MySQL, and Apache2 On Ubuntu 7.10 (Gutsy Gibbon) (Updated).

I’ll describe here the steps necessary to have snort logging to prelude. In this setup you also don’t need to install a mysql database and the base webinterface since snort will log to prelude and you can use the prewikka interface to see the snort alerts. 

Follow all of the steps described in the howto above and replace the entry below with the new one:

Replace 

./configure -enable-dynamicplugin –with-mysql
make
make install

With

./configure -enable-dynamicplugin –eanble-prelude
make
make install

Instead of doing:

Scroll down the list to the section with “# output database: log, mysql, user=“, remove the “#” from in front of this line.
Change the “user=root” to “user=snort”, change the “password=password” to “password=snort_password“, “dbname=snort“
Make note of the username, password, and dbname. You will need this information when we set up the Mysql db.
Save and quit.

Do:

Scroll down the list to the section with “# output alert_prelude: profile=snort“, remove the “#é in front of this line and that’s it.

From step 5 on (5. Set up the Mysql database.) everything can be skipped.

Now we have to register the snort agent to the prelude manager:

prelude-adduser register snort “idmef:w” <manager address> –uid snort –gid snort

On the prelude manager server:

prelude-adduser registration-server prelude-manager

This will register the snort agent to the prelude manager, as you did above for the prelude-lml.

Once the registration process is complete run:

snort -c /etc/snort/snort.conf

If everything goes right than you will see:

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
- Connecting to 127.0.0.1:4690 prelude Manager server.
- TLS authentication succeed with Prelude Manager.

The entry eth0 depends on the ethernet adapter you specified. Important is that you see that snort is connecting to the prelude manager server and tls authentication was successfull.

If the agent is connecting, and you see snort in the agent list of prewikka than you can stop the process with ctrl-c and issue:

snort -c /snort/snort.conf -D

 to start snort as a daemon. In the line above you can always add -i ethX if you don’t listen on all network interfaces and want to specify a specific interface.

Everybody knows the problem, you have a IDS tool(s) installed and every tool has his own interface. Prelude will allow to log all of the events to the prelude database
and be consulted using one interface (prewikka). This howto will
describe how to install and configure the different tools that will
make up the complete solution.

Intrusion Detection: Snort (IDS), OSSEC (HbIDS) And Prelude (HIDS) On Ubuntu Gutsy Gibbon

Everybody knows the problem, you have a IDS tool(s) installed and every tool has his own interface.

Prelude will allow to log all of the events to the prelude database and be consulted using one interface (prewikka). This howto will describe how to install and configure the different tools that will make up the complete solution.

This howto is based on bits and scraps I found in order to resolve some issues, parts from the manuals and my own experiance with installing the complete solution.

For more information on snort visit: www.snort.org

For more information on ossec visit: www.ossec.net

For more information on prelude visit: www.prelude-ids.org

Prerequisites:

Let’s just assume you followed the The Perfect Server – Ubuntu Gutsy Gibbon (Ubuntu 7.10). If not follow that howto and only install / add those part’s you havent got installed on your system.

The following packages are useful, so please check that they are installed correctly:

apt-get install ntpdate
apt-get install dbconfig-common

Installing And Configuring Prelude

Normally, we would have to compile and install libprelude, libpreludedb, and then create the databases. Luckely enough the packages are provide by the Ubuntu repositories.

Prelude Manager

apt-get install prelude-manager

- Using default TLS settings from /etc/prelude/default/tls.conf:
– Generated key size: 1024 bits.
– Authority certificate lifetime: unlimited.
– Generated certificate lifetime: unlimited.

– Creating analyzer prelude-manager.
– Creating /etc/prelude/profile/prelude-manager…
– Allocated ident for prelude-manager: 4232957740008155.
– Generating RSA private key… This might take a very long time.
[Increasing system activity will speed-up the process.]

– Generating 1024 bits RSA private key…

During the installation, the manager will create the profile for the prelude user. It can take a (very) long time, since GnuTLS tries to access /dev/random instead of /dev/urandom
(for security reasons). This may change in the future (maybe using an
option to have a faster generation, but crytographically less secure).

dbconfig will then ask you if you want it to configure the database
automatically. If you don’t want to, just say no, and configure
everything manually (the sql scripts are in directory /usr/share/libpreludedb/). Let’s suppose the answer is yes.

Note: the number of questions may change, depending on debconf verbosity (set using dpkg-reconfigure debconf), and dbconfig parameters, in file /etc/dbconfig-common/config.

configure database with dbconfig-common: yes
database type:

Set the type to the database you previously installed. In this case mysql.

Database admin password: ******

dbconfig-common will ask for a password for the ‘prelude’
user. If you don’t provide any (just pressing enter), it will generate
a random one. Don’t worry, the configuration file will be update
automatically.

dbconfig-common: writing config to /etc/dbconfig-common/prelude-manager.conf

Creating config file /etc/dbconfig-common/prelude-manager.conf with new version
granting access to database prelude for prelude@localhost: success.
verifying access for prelude@localhost: success.
creating database prelude: success.
verifying database prelude exists: success.
populating database via sql… done.
dbconfig-common: flushing administrative password
Starting Prelude Manager: prelude-manager.

The Ubunty package automatically
creates the user and the database for prelude. If you want to change the password, do so first in mysql and after in /etc/prelude-manager/prelude-manager.conf.

Prelude-Manager should now be running:

ps auxw | grep manager

prelude 28530 0.0 0.1 59384 4480 ? Ssl 13:49 0:00 /usr/sbin/prelude-manager

The first part is over, you now have a manager up and running.

Listen address:

The default listen address is localhost (127.0.0.1). This means that you have to change this to add sensors on different hosts in order for the agents to be able to reach the prelude-manager.

Edit  /etc/prelude-manager/prelude-manager.conf:

listen = xxx.xxx.xxx.xxx

Restart the server, and check the address (if you changed the address):

# /etc/init.d/prelude-manager stop

Stopping Prelude Manager: prelude-manager.

# /etc/init.d/prelude-manager start

Starting Prelude Manager: prelude-manager.

# netstat -pantu | grep prelude

tcp 0 0 192.168.66.1:4690 0.0.0.0:* LISTEN 30544/prelude-manager

Prelude-LML

You need to install prelude-lml on every host you want to monitor. Prelude-LML will analyze your logs and reports event to the managers.

# apt-get install prelude-lml

…
Starting Prelude LML: prelude-lml.

Before it can be used, two things needs to be done:

• The address of the manager must be configured on the lml
• The manager won’t trust sensors, until they are registered

Manager address

If you changed the address the manager is listening on, you need to change the address in the client config on every machine you install prelude-lml .

The adress of the manager is stored in file /etc/prelude/default/client.conf:

[prelude]server-addr = 127.0.0.1

Registering the sensor

Registering the sensor is a four-step process, which requires to run commands on both the sensor and the manager:

On the LML client, run the register command:

prelude-adduser register prelude-lml “idmef:w” <manager address> –uid 0 –gid 0

Tip: if you don’t remember the command, just run prelude-lml. Since it is not registered, it will fail, but is smart enough to display the help:

# prelude-lml
- Subscribing plugin pcre[default]
- pcre plugin loaded 394 rules.
- Monitoring /var/log/messages through pcre[default]
* WARNING: /var/log/everything/current does not exist.
prelude-client: error starting prelude-client: could not open ‘/etc/prelude/profile/prelude-lml/analyzerid’ for reading

Profile ‘prelude-lml’ does not exist. In order to create it, please run:
prelude-adduser register prelude-lml “idmef:w” <manager address> –uid 0 –gid 0.

LML must be registered with uid and gid 0, since the process will be executed as root (to be able to analyze logs).

LML will then one for the One-Time Password(OTP), which will be provided by the manager:

Enter the one-shot password provided by the “prelude-adduser” program:
- enter registration one-shot password:

On the manager, run the following:

prelude-adduser registration-server prelude-manager

…
– Starting registration server.
– generated one-shot password is “dummypass”.
…

Enter the password to the LML prompt:

– enter registration one-shot password:
- confirm registration one-shot password:
- connecting to registration server (127.0.0.1:5553)…
- Anonymous authentication to registration-server successful.
- Sending certificate request.

The LML is now waiting for the Manager to sign the certificate.

On the manager, validate the certificate signing request:

- Anonymous authentication one-shot password check successful.
- Waiting for client certificate request.
- Analyzer with ID=”3559090256170900″ ask for registration with permission=”idmef:w”.
Approve registration [y/n]: y
The certificate is generated and sent to the client:
- Registering analyzer “3559090256170900″ with permission “idmef:w”.
- Generating signed certificate for client.
- Sending server certificate to client.
- ::ffff:127.0.0.1:47054 successfully registered.

On the client you will see:

LML registration is successful
- Receiving signed certificate.
- Receiving CA certificate.
- prelude-lml registration to 127.0.0.1 successful.

Now, the manager and the sensor have a trust relation, and can send messages to each other.

This process takes some time, but it increases security and th communication between the sensor and the manager is encrypted.
Finally, the LML sensor should be up too:

/etc/init.d/prelude-lml start

Starting Prelude LML: prelude-lml.
ps auxw | grep lml
root 1946 0.3 0.0 20856 3424 ? Ss 14:35 0:00 /usr/bin/prelude-lml -d -q -P /var/run/prelude-lml.pid

This concludes the first part.

Having a great defense involves proper detection and recognition of an
attack. In our security world we have great IDS tools to properly
recognize when we are being attacked as well as firewalls to prevent
such attacks from happening. However, certain attacks are not blindly
thrown at you – a good attacker knows that a certain amount of
reconnaissance and knowledge about your defenses greatly increases the
chances of a successful attack. How would you know if someone is
scanning your defenses? Is there any way to properly respond to such
scans? You bet there is…

Meet the Anti-Nmap: PSAD (EnGarde Secure Linux)

(by Eckie S. from Linuxsecurity.com)
The Port Scan Attack Detector (psad) is an excellent tool for detecting various types of suspicious traffic, including port scans from popular tools such as Nmap, DDoS attacks, and other efforts to brute force certain protocols on your system.  By analyzing firewall logs, psad can not only pick up on certain attack patterns, but even manipulate firewall rules to properly respond to suspicious activity.
This article will walk the reader through an EnGarde Secure Linux implementation of psad, from the initial iptables rules setup to the deployment of psad on the server side.  By the end of the article, the user will be able to detect certain Nmap scans and have psad respond to these scans by blocking the source.
 

Prerequisites

You will need:

  – A machine with EnGarde Secure Community 3.0.18 or above installed to do your development on.  These commands should NOT be run on a production server since psad will eventually deny any type of access from the remote scanning machine!
  – A separate machine on the same network with Nmap installed on it.  You will be running certain scans on the server from this machine.
Once you have all the above you may log in as root, transition over to sysadm_r, and disable SELinux:

newrole -r sysadm_r
  [psad_server]# newrole -r sysadm_r
  Authenticating root.
  Password:

  [psad_server]# setenforce 0

Throughout the HowTo, the server will be referred to as psad_server and the Nmap scanning machine as nmap_scanner.
 

Install psad

EnGarde Secure Linux makes the installation of psad a breeze due to its Guardian Digital Secure Network (GDSN).  You can install the package through the command line:

apt-get install psad
…or log in to WebTool and download the package from the package manager interface.
We shall get around to the setup of psad after we configure the firewalls on psad_server to log packets:
 

iptables Rules Setup

Since iptables is installed out of the box on EnGarde Secure Linux, you only have to run two simple commands to start logging packets with iptables:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
From here on out incoming packets (especially those of Nmap scans) will be logged.  Let’s see if we can start detecting such scans by setting up psad to do so.
 

psad Configuration

On psad_server, use your favorite editor to modify the /etc/psad/psad.conf file.  We’re interested in the following tunables:
 
   EMAIL_ADDRESSES
  HOSTNAME
  SYSLOG_DAEMON
  ETC_SYSLOGNG_CONF
 
The EMAIL_ADDRESSES should be whichever email addresses you wish to have psad send feedback to.  This feedback includes error messages and alerts of potential dangerous scans depending on danger levels which can be fine-tuned for your purposes.
 - The HOSTNAME tunable will be the hostname of the psad_server machine.
 - The SYSLOG_DAEMON refers to the logging daemon for the machine.  For EnGarde Secure Linux, this should be set to ’syslog-ng’.
 - The ETC_SYSLOGNG_CONF refers to the direct path of the syslog-ng daemon’s configuration file.  For EnGarde Secure Linux, this should be set to ‘/etc/syslog-ng.conf’.
 - Once you’ve properly configured those tunables, you can start the psad daemon:

/etc/init.d/psad start
  [psad_server]# /etc/init.d/psad start
  [ SUCCESSFUL ] psad Daemons
 

Note: 

As far as danger levels are concerned, these range from one to five<br /> and are assigned to the IP addresses from which an attack or scan is detected. They are assigned based on the number of packets sent, port range, thetime interval of the scan, whether or not the signatures of the packets match up with psad signature attacks, and the IP address where the packet originated from. Depending on the number of such packets, a level is assigned as per the configuration file.  For more information on danger levels and ideas for fine-tuning them, please refer to the resources at the end of the article.
 

psad  – Active Detection

We will now use psad to detect certain Nmap scans.  On the Nmap scanning machine, run a TCP connect() scan by executing the following:

nmap -sT 1.2.3.4
Replace 1.2.3.4 with the IP address of your psad_server.
If we check the /var/log/psad/fwdata file on the psad_server, you will find the following:
  Feb  2 11:58:11 psad_server kernel: IN=eth0 OUT=
  MAC=00:0c:29:78:22:73:00:0c:76:4b:f6:3e:08:00 SRC=5.6.7.8
  DST=1.2.3.4 LEN=60 TOS=0×00 PREC=0×00 TTL=64 ID=23609 DF PROTO=TCP
  SPT=49021 DPT=113 WINDOW=5840 RES=0×00 SYN URGP=0
We can see that SRC will have the IP address of the nmap_scanner machine, and DST will have the address of the psad_server.  Also note that PROTO=TCP, showing that the attack was a TCP connect() scan.
If you had previously configured psad to send email alerts, you will begin receiving emails concerning this scan showing lots more data than these log messages can ever produce.  There are configuration tunables in the /etc/psad/psad.conf file to limit and even disable email:
  EMAIL_LIMIT
  ALERTING_METHODS
  EMAIL_ALERT_DANGER_LEVEL
EMAIL_LIMIT defines the maximum number of emails a configured user will receive for a given IP address.
ALERTING_METHODS can be set to noemail, nosyslog, and ALL, depending on whether you want only syslog-ng messages, email alerts, or both.
EMAIL_ALERT_DANGER_LEVEL is the minimum danger level that must be hit in order for psad to send email alerts concerning a detection.  The default setting is one, so you can expect lots of emails for this tutorial’s purpose.
Here is an example email showing psad output of the previous Nmap scan:

Subject: [psad-alert] DL2 src: nmap_scanner.yournetwork.com dst:
    psad_server.yournetwork.com

         Danger level: [2] (out of 5)

    Scanned UDP ports: [32772: 1 packets, Nmap: -sU]
       iptables chain: INPUT, 1 packets

               Source: 5.6.7.8
                  DNS: nmap_scanner.yournetwork.com
             OS guess: Linux (2.4.x kernel)

          Destination: 1.2.3.4
                  DNS: psad_server.yournetwork.com

   Overall scan start: Mon Feb  2 11:57:19 2008
   Total email alerts: 2
   Complete TCP range: [64-49400]
   Complete UDP range: [32772]
      Syslog hostname: unknown

         Global stats: chain:   interface:   TCP:   UDP:   ICMP: 
                       INPUT    eth0         40     1      0     

[+] TCP scan signatures:

   “P2P Napster Client Data communication attempt”
       dst port:  5555 (no server bound to local port)
       flags:     SYN
       sid:       564
       chain:     INPUT
       packets:   1
       classtype: policy-violation
As you can see, psad does a wonderful job of taking packet data from logs, analyzing it and producing useful information on the type of scans used.
 

psad  – Active Defense

One of the more prominent features of psad is its active defense implementation – being able to detect Nmap scans is nice, but how do you respond?  Let’s configure psad to automatically block the source of such scans upon detection.
Before implementing this feature, it is obvious for certain security veterans who are reading this article that there is a definite tradeoff for enforcing an active response policy.  Although malicious traffic will be blocked, there is always the risk of blocking out valid traffic.  Certain attackers can exploit active defenses and turn it against the target by attempting to spoof valid addresses, thus blocking out otherwise harmless traffic.
This only happens in cases where the active response system has been configured to respond to nearly ALL types of potentially harmful traffic, including port scans or port sweeps.  This also applies to traffic which does not require bidirectional communication with the target.  A better strategy to employ is to only respond to traffic where bidirectional communication is required i.e. TCP connections.  Even then, one must take care to tailor their active response to certain types of TCP connections, such as attempted SQL injection attacks, etc.  Please be sure you are absolutely positive of how your detection scheme is working before deploying an active defense.
Using your favorite editor, modify the /etc/psad/psad.conf file.  We’re interested in the following tunables:
  ENABLE_AUTO_IDS
  AUTO_IDS_DANGER_LEVEL
  ENABLE_AUTO_IDS should be set to ‘Y’ to enable the automated IDS response.
  AUTO_IDS_DANGER_LEVEL, for this HowTo’s sake, will be set to ‘3′.  This danger  level is customizable and the setting we use in this HowTo is for demonstration  purposes only.
Restart the psad on the psad_server:

/etc/init.d/psad restart
  [psad_server]# /etc/init.d/psad restart
  [ SUCCESSFUL ] psadwatchd Daemon
  [ SUCCESSFUL ] psad Daemon
  [ SUCCESSFUL ] kmsgsd Daemon
  [ SUCCESSFUL ] psad Daemons
From the nmap_scanner machine, we’ll run an Nmap SYN scan along with the ‘-P0′ switch – this type of scan uses no ping and does not fully complete a TCP connection, resulting in fast scans.  This usually requires root privileges, and is considered more of a dangerous scan – just the type of scan that psad detects at a higher danger level.

nmap -sS -P0 -n 1.2.3.4
Replace the ‘1.2.3.4′ with the IP address of your psad_server machine.
psad will detect the SYN scans, and since the danger level of this scan is 3, it manipulates the iptables rules to block the source of the scans.  This can be verified on the psad_server by running the following command:

psad –fw-list
  [psad_server]# psad –fw-list
[+] Listing chains from IPT_AUTO_CHAIN keywords…

Chain PSAD_BLOCK_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  820 36080 DROP       all  –  *      *       5.6.7.8              0.0.0.0/0

Chain PSAD_BLOCK_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  –  *      *       0.0.0.0/0            5.6.7.8

Chain PSAD_BLOCK_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  –  *      *       0.0.0.0/0            5.6.7.8
    0     0 DROP       all  –  *      *       5.6.7.8              0.0.0.0/0
You will even receive an email alerts that inform you of the scan detection, as well as an email informing you that iptables rules have been added to auto-block the nmap_scanner!
 

Wrapping It All Up

Congratulations, you’ve successfully implemented psad to actively detect and respond to signature Nmap scans!
Keep in mind this is one of the more basic setups for psad.  You can go even further and adjust danger levels to suit degrees of paranoia, put psad into forensics mode, incorporate the software with DShield, and even manually use psad to manipulate iptables rules.  A great resource for psad research is ‘Linux Firewalls’ by Michael Rash.  Rash includes several chapters on psad covering not only theory but advanced implementation of psad from start to finish.  If you wish to gain suggestions for an advanced, finely-tuned active defense setup with psad, be sure to check this book out!
Have fun implementing an active defense against those who try to scan your system!
 

Resources

http://www.linuxsecurity.com
http://www.guardiandigital.com

“‘Linux Firewalls’ by Michael Rash”

‘Knock, Knock, Knockin’ on EnGarde’s Door’

Linux Rst-B is a backdoor that can be used to add your server to botnets (see http://www.heise.de/newsticker/meldung/103563 (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.

How To Check If Your Server Is Infected With The Linux/Rst-B Backdoor (Debian Etch)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 02/15/2008
Linux Rst-B is a backdoor that can be used to add your server to botnets (see http://www.heise.de/newsticker/meldung/103563 (in German)). This short guide explains how you can install and use the Sophos Linux/RST-B detection tool to check your Debian Etch server and find out if it is infected with Linux Rst-B.
I do not issue any guarantee that this will work for you!
 

1 Download And Install The Sophos Linux/RST-B Detection Tool

I want to install the Linux/RST-B detection tool in the /usr/local/sbin directory (so that the detection tool is in our PATH later on):

cd /usr/local/sbin
wget http://www.sophos.com/support/cleaners/detection_tool.tar.gz
tar xvfz detection_tool.tar.gz
You should then find the contents of the tar.gz file in the /usr/local/sbin/detection_tool directory.
There are two ways of installing the detection tool: you can either use the pre-compiled binary that you can find in the /usr/local/sbin/detection_tool/pre-compiled directory, or you compile it yourself. I’ll show both ways now.
 

1.1 Use The Pre-Compiled Binary

To use the pre-compiled binary, we can either simply create a symlink called rst_detection_tool from the /usr/local/sbin directory to detection_tool/pre-compiled/detection_tool:

cd /usr/local/sbin
ln -s detection_tool/pre-compiled/detection_tool rst_detection_tool
Or we move detection_tool/pre-compiled/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/pre-compiled/detection_tool rst_detection_tool
 

1.2 Build The Detection Tool From The Sources

To compile the detection tool from the sources, we first install the package build-essential:

apt-get install build-essential
Afterwards we build the detection tool as follows:

cd /usr/local/sbin/detection_tool
make
This creates the program /usr/local/sbin/detection_tool/detection_tool. I want to have it directly in the /usr/local/sbin directory and name it rst_detection_tool, so we can either create a symlink:

cd /usr/local/sbin
ln -s detection_tool/detection_tool rst_detection_tool
Or we move detection_tool/detection_tool to /usr/local/sbin and rename it to rst_detection_tool:

cd /usr/local/sbin
mv detection_tool/detection_tool rst_detection_tool
 

2 Use The Linux/RST-B Detection Tool

Now we can use the detection tool as follows:
Outside the /usr/local/sbin directory:

rst_detection_tool [-v] <path>
Inside the /usr/local/sbin directory we must prepend ./:

./rst_detection_tool [-v] <path>
So if you want to scan your whole file system, you’d simply use:

rst_detection_tool /
or

./rst_detection_tool /
if you are in /usr/local/sbin.
On a clean system the output looks as follows:

server2:/usr/local/sbin# ./rst_detection_tool /
Sophos Rst-B Detection Tool
—————————
Copyright (c) 2008 Sophos Plc. All rights reserved.

Scanned 43134 files, found 0 infections of Linux/Rst-B.
End of scan.
server2:/usr/local/sbin#
 

3 Links

• Sophos Linux/RST-B Detection Tool: http://www.sophos.com/rst-detection-tool
• Debian: http://www.debian.org

Configuring the Token Client

Download and install a WiKID Token client. You can manually validate yourself as a user from the WiKIDAdmin web interface. Once validated, select the Domain associated with the PPTP VPN:

Enter the PIN:

And you will get back the one-time passcode. The OTP is time-bounded, but the time can be set on the WiKID server to whatever you want:

Now, bring up the PPTP connection we created earlier and enter the WiKID one-time passcode into the password box along with the appropriate username:

You should see a “Connecting…” window followed by a notice that you are connected:

Congratulations!
If you are getting an error, check both /var/log/messages on the pptp server and the WiKID logs via the WiKIDAdmin web interface for potential problems.

Configure the Windows PPTP VPN Client

Start the New Connection Wizard: Start -> Settings -> Network and Dial-up Connections -> Make New Connection

Click Next to start the Wizard.

Select Connect to a private network through the Internet.

Select to not dial an initial connection (assuming you have broadband internet access).

Enter the hostname or IP address of the PPTP VPN server.

Select whether this connection should be just for you or for all users.

Do not enable Internet Connection Sharing.

Give the connection a name.

Click Finish.

PPTP does not have the best history in terms of security. The original Microsoft implementation for PPTP faired very poorly. MS-CHAPV2 solved these weaknesses – for wired networks. Unfortunately, back in 2004, Joshua Wright released a version of ASLEAP capable of brute-force attacking PPTP passwords
in a wireless environment. As a systems administrator for the VPN, you
can’t tell if a user is connecting via some public WiFi service where
someone might be running a tool like ASLEAP. Yet, the presense of PPTP
client software on Windows machines makes using PPTP very tempting. The
best answer to this problem is to utilize two-factor authentication. If
a one-time passcode is brute-forced, it won’t matter as it can’t be
used again.

Security Issues and Poptop

PPTP does not have the best history in terms of security. The original Microsoft implementation for PPTP faired very poorly. MS-CHAPV2 solved these weaknesses – for wired networks. Unfortunately, back in 2004, Joshua Wright released a version of ASLEAP capable of brute-force attacking PPTP passwords in a wireless environment. As a systems administrator for the VPN, you can’t tell if a user is connecting via some public WiFi service where someone might be running a tool like ASLEAP. Yet, the presense of PPTP client software on Windows machines makes using PPTP very tempting. The best answer to this problem is to utilize two-factor authentication. If a one-time passcode is brute-forced, it won’t matter as it can’t be used again.
This document describes how to install and configure the open source Poptop PPTP VPN server with two-factor authentication from WiKID Systems.
 

Install Poptop

Choose your appropriate repo, here is FC6:

# rpm -Uvh http://poptop.sourceforge.net/yum/stable/fc6/i386/pptp-release-4-2.fc6.noarch.rpm

yum –enablerepo=poptop-stable install pptpd

yum install pptp

http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_3.htm#pforward
For ppp to work, the packet forwarding must be enabled. Edit /etc/sysctl.conf with your favourite editor and change the line:

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1 

The change will be effective on the next reboot. To enable it immediately:

sudo sysctl -p

We also need radiusclient:

yum install radiusclient

I created a sym link to the microsoft dictionary in /etc/radiusclient:

ln -s /usr/share/freeradius/dictionary.microsoft dictionary.microsoft

Edit /etc/radiusclient/servers and add wikid server along with a s shared secret:

#Server Name or Client/Server pair              Key
#----------------                               ---------------
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
your.wikidserver.com                         wikidserver_secret

Please note that pptpd by default has a 100 connections limit. You can override it by the “connections” parameter in the pptp.conf file. Read the remarks in the file.

You need port 47 and 1723 open for pptp traffic:

iptables -A INPUT -p tcp –dport 1723 -j ACCEPT

iptables -A INPUT -p 47 -j ACCEPT

Edit /etc/pptpd.conf with your favorite editor:

option /etc/ppp/options.pptpd
logwtmp
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

Set your remote IP range using remoteip.

Edit /etc/ppp/options.pptp

lock
noauth
refuse-eap
refuse-chap
refuse-mschap
nobsdcomp
nodeflate
ms-dns 74.188.41.129
plugin radius.so

Obviously, plugin radius.so specifies that we will use Radius.

Edit /etc/radiusclient/radiusclient.conf

auth_order      radius,local
login_tries     4
login_timeout   60
nologin /etc/nologin
issue   /etc/radiusclient/issue
authserver      your.wikidserver.com 1812
acctserver      localhost
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

Edit /etc/radiusclient/servers and add server and secret:

<wikid_server_ip>                                        wikidserver_secret

Start the pptpd service:

service pptpd start
 

Configure the WiKID server

Log into the WiKID server using the WiKIDAdmin browser interface and click on the Domains Tab (If you already have a domain setup, you can skip this step.)

Click on Create a New Domain,

Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click “Create”.

Click Network Clients tab and on “Create a new Network Client”.

Enter the information requested. For the IP Address, use the IP address of the PPTP server. Select Radius and the domain you just created. Click “Add” when you’re finished.

On the next page, enter the shared secret you entered in /etc/raddb/server. You do not have to enter any information under “Return Attributes”.

Important: From the WiKID server’s console or via SSH, you will need to run “wikidctl restart” to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run “stop” and “start”.)

This guide explains how to set up mod_chroot
with Apache2 on a Debian Etch system. With mod_chroot, you can run
Apache2 in a secure chroot environment and make your server less
vulnerable to break-in attempts that try to exploit vulnerabilities in
Apache2 or your installed web applications.

Chrooting Apache2 With mod_chroot On Debian Etch

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 02/11/2008
This guide explains how to set up mod_chroot with Apache2 on a Debian Etch system. With mod_chroot, you can run Apache2 in a secure chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications.
I do not issue any guarantee that this will work for you!
 

1 Preliminary Note

I’m assuming that you have a running Debian Etch system with a working Apache2, e.g. as shown in this tutorial: The Perfect Setup – Debian Etch (Debian 4.0). In addition to that I assume that you have one or more web sites set up within the /var/www directory (e.g. if you use ISPConfig).
 

2 Installing mod_chroot

To install mod_chroot, we simply run:

apt-get install libapache2-mod-chroot
Then we enable mod_chroot and restart Apache:

a2enmod mod_chroot
/etc/init.d/apache2 force-reload
 

3 Configuring Apache

I want to use the /var/www directory as the directory containing the chroot jail. Debian’s Apache uses the PID file /var/run/apache2.pid; when Apache is chrooted to /var/www, /var/run/apache2.pid translates to /var/www/var/run/apache2.pid. Therefore we create that directory now:

mkdir -p /var/www/var/run
chown -R root:root /var/www/var/run
Now we must tell Apache that we want to use /var/www as our chroot directory. We open /etc/apache2/apache2.conf, and right below the PidFile line, we add a ChrootDir line:

vi /etc/apache2/apache2.conf

[...]
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile /var/run/apache2.pid
ChrootDir /var/www
[...]

Next we must tell our vhosts that the document root has changed (for example, a DocumentRoot /var/www translates now to DocumentRoot /). We can do this either by changing the DocumentRoot directive of each vhost, or more easier, by creating a symlink in the file system.

3.1 First Method: Changing The DocumentRoot

Let’s assume we have a vhost with DocumentRoot /var/www. We must now open the vhost configuration of that vhost and change DocumentRoot /var/www to DocumentRoot /. Accordingly, DocumentRoot /var/www/web1/web would now translate to DocumentRoot /web1/web, and so on. If you want to use this method, you must change the DocumentRoot for every single vhost.
 

3.2 Second Method: Creating A Symlink In the File System

This method is easier, because you have to do it only once and don’t have to modify any vhost configuration. We create a symlink pointing from /var/www/var/www to /var/www:

mkdir -p /var/www/var
cd /var/www/var
ln -s ../../ www

/etc/init.d/apache2 stop

ln -s /var/www/var/run/apache2.pid /var/run/apache2.pid
/etc/init.d/apache2 start
That’s it. You can now call your web pages as before, and they should be served without problems, as long as they are static HTML files or using mod_php.

If you are using CGI, e.g. Perl, suPHP, Ruby, etc., then you must copy the interpreter (e.g. /usr/bin/perl, /usr/sbin/suphp, etc.) to the chroot jail together with all libraries needed by the interpreter. You can find out about the required libraries with the ldd command, e.g.

ldd /usr/sbin/suphp

server2:/var/www/web1/log# ldd /usr/sbin/suphp
        linux-gate.so.1 =>  (0xffffe000)
        libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0xb7e34000)
        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7e0f000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0xb7e03000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7cd2000)
        /lib/ld-linux.so.2 (0xb7f23000)
server2:/var/www/web1/log#
If you’ve copied all required files, but the page still isn’t working, you should take a look at the Apache error log. Usually it tells you where the problem is. Also read http://core.segfault.pl/~hobbit/mod_chroot/caveats.html for known problems and solutions.
 

4 Links

• mod_chroot: http://core.segfault.pl/~hobbit/mod_chroot
• Apache: http://httpd.apache.org
• Debian: http://www.debian.org

Configure Virtualmin

Introduction

Virtualmin is a powerful and flexible hosting control panel that integrates with webmin. We will be using it to provide the virtual hosting functions such as creation of domains, accounts and maintaining configurations on the system.

 

Start Services

You need to start up services that are required to be able to configure virtualmin. Start the following services:

service named start
service spamassassin start
service spamass-milter start
service clamav-milter start
service postfix start
service dovecot start
service imapproxy start
service httpd start
 

Initial Settings

MySQL

Webmin needs to be able to communicate with mysql since we have set a password for mysql we need to set that up in webmin, go to servers ? mysql and enter this information:

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Configure Features

You need to enable the features and plugins that we want to use. On login this is the screen that you will see.

• Enable the following features and save
  • Home directory
  • Administration user
  • Mail for domain
  • BIND DNS domain
  • Apache website
  • Webalizer reporting
  • Log file rotation
  • Mysql database
  • Webmin user

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Configure Server Templates

Server template are used to customize the services and to create packages for different hosting account types.
 

Apache Template

You can make changes to the way apache virtual hosts are created by editing this template, The defaults however will do for purposes of this howto.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Domain Owner Template

This template is used to configure various server limits such as number of mailboxes,aliases,databases,virtual servers and other options like bandwidth limits, admin abilities. For this howto we will use the default values.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Home Directory Template

This template allows you to set a skel directory to hold setting for new users for this howto we will use the defaults.
 

Administration User

This template lets you set the quota for the virtual server and the admin user for this howto we will use the default quota 1GB.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Mail For Domain Template

This template sets various mail related options, we will modify the email message sent on server creation to have the content below:

The following virtual server has been set up successfully :
Domain name:             ${DOM}
Hosting server:          ${HOSTNAME}
${IF-VIRT}
Virtual IP address:      ${IP}
${ENDIF-VIRT}
Administration login:    ${USER}
Administration password: ${PASS}
${IF-WEBMIN}
Administration URL:      ${WEBMIN_PROTO}://www.${DOM}:${WEBMIN_PORT}/
${ENDIF-WEBMIN}
${IF-WEB}
Website:                 http://www.${DOM}/
${IF-WEBALIZER}
Webalizer log reporting: Enabled
${ELSE-WEBALIZER}
Webalizer log reporting: Disabled
${ENDIF-WEBALIZER}
${ENDIF-WEB}
${IF-MAIL}
Email domain:            ${DOM}
SMTP server:             mail.${DOM}
POP3 server:             mail.${DOM}
Webmail:                 webmail.${DOM}
${ENDIF-MAIL}
${IF-DNS}
DNS domain:              ${DOM}
Nameserver:              ${HOSTNAME}
${ENDIF-DNS}
${IF-MYSQL}
MySQL database:          ${DB}
MySQL login:             ${MYSQL_USER}
MySQL password:          ${PASS}
${ENDIF-MYSQL}
${IF-POSTGRES}
PostgreSQL database:     ${DB}
PostgreSQL login:        ${USER}
PostgreSQL password:     ${PASS}
${ENDIF-POSTGRES}

We will leave the other options as the defaults.

 

BIND DNS Domain Template

This template is used to customize the zones that will be created by virtualmin. The changes to be made are adding a spf record, add the following records to auto generated text box (replace ns1.home.topdog-software.com. with your slave server):

@     IN NS ns1.home.topdog-software.com. ;slave
admin IN A 192.168.1.6 ;virtualmin
webmail IN A 192.168.1.5 ;webmail

In the directives text box add the following with the IP address of your slave server such that the slave is allowed to do zone transfers.

allow-transfer { 192.168.1.2; };

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

MySQL Database Template

Contains options on creation of databases by virtualmin, for the howto we will use the defaults.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Webmin Login Template

Contains option on creation of new users by virtualmin, for the howto we will use the defaults.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Create Virtual Server

Finally we have a working virtual server system, lets create our first virtual server. Go to servers ? virtualmin virtual servers and click add new virtual server, owned by new user.

Fill in the require fields and click create.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

(JavaScript must be enabled in your browser to view the large image as an image overlay.)

Add a mail user to the domain. click on the domain name, then click edit mail and FTP users, then add user and fill in the information.

(JavaScript must be enabled in your browser to view the large image as an image overlay.)
 

Testing

Postfix

Test SMTP

telnet 192.168.1.5 25
Connected to localhost.
Escape character is ‘^]’.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

From:address@yahoo.com
To:andrew@example.com
Subject:This is a test
Hi
This is a test
.
250 2.0.0 Ok: queued as 4ACCC7C5A6

telnet 192.168.1.5 25
Trying 192.168.1.5…
Connected to localhost.
Escape character is ‘^]’.
220 tds mail cluster
ehlo me
250-hosting1
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
 

Test dkim

Send a mail to autorespond+dkim@dk.elandsys.com.
 

Test domainkeys

Send a mail to autorespond+dk@dk.elandsys.com.
 

Dovecot

Test POP3

telnet 192.168.1.5 110
+OK Dovecot ready.
user andrew.example
+OK
pass password
+OK Logged in.
quit
+OK Logging out.
 

Test IMAP

telnet 192.168.1.5 143
* OK Dovecot ready.
01 login andrew.example password
01 OK User logged in
01 list “” “*”

* LIST (\HasNoChildren) “.” “Trash”
* LIST (\HasNoChildren) “.” “Drafts”
* LIST (\HasNoChildren) “.” “Junk”
* LIST (\HasNoChildren) “.” “Sent”

* LIST (\HasNoChildren) “.” “INBOX”
01 OK List completed.
01 logout
* BYE LOGOUT received
01 OK Completed
 

BIND

dig example.com @127.0.0.1
 

Clamav-milter

We are using the test virus from www.eicar.org.

telnet 192.168.1.5 25
Connected to localhost.
Escape character is ‘^]’.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
.
550 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net
quit
221 2.0.0 Bye

Take a lot at your /var/log/maillog you should see something like this:

73BC87C4E4: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]:
5.7.1 virus Eicar-Test-Signature detected by ClamAV – http://www.clamav.net;
from=<address@yahoo.com> to=<andrew@example.com> proto=SMTP helo=<me>

Spamass-milter

We are using the test message from http://spamassassin.apache.org/gtube/.

telnet 192.168.1.5 25
Connected to localhost.
Escape character is '^]'.
220 tds mail cluster
helo me
250 hosting1
mail from:address@yahoo.com
250 2.1.0 Ok
rcpt: andrew@example.com
250 2.1.0 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
.
550 5.7.1 Blocked by SpamAssassin
quit
221 2.0.0 Bye

You will see this in your log files:

spamd: result: Y 1002 - AWL,GTUBE,MISSING_SUBJECT,TVD_SPACE_RATIO,UNPARSEABLE_RELAY scantime=0.5,size=723,user=root,uid=99,required_score=5.0,

Clamav Milter Setup

• Edit /etc/sysconfig/clamav-milter:

CLAMAV_FLAGS="
        --config-file=/etc/clamd.conf
        --force-scan
        --local
        --max-children=5
        --sendmail-cf=
        --outgoing
        --quiet
"
SOCKET_ADDRESS="local:/var/clamav/clmilter.socket"

• Patch the init file to fix socket permissions:

wget http://www.topdog-software.com/files/clamav-milter.patch
patch /etc/init.d/clamav-milter < clamav-milter.patch

 

MySQL Setup

Basic Config

• Listen only to the localhost, edit /etc/my.cnf under the mysqld section:

bind-address = 127.0.0.1

Set Root Password

• Set the root password:

service mysqld start
mysqladmin -u root password NEWPASSWORD

 

SpamAssassin Setup

Basic Config

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]

Create MySQL Database

• Create the database:

mysqladmin -p create bayes

• Populate the database:

mysql -p bayes < /usr/share/doc/spamassassin-$(rpm –qf %{VERSION} -q spamassassin)/sql/bayes_mysql.sql

• Create the user:

mysql -p
mysql> GRANT ALL ON bayes.* TO bayes@localhost IDENTIFIED BY ‘password’;
 

Configure To Use DB

• Edit the file /etc/mail/spamassassin/local.cf and add:

bayes_store_module  Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn       DBI:mysql:bayes:localhost
bayes_sql_override_username bayes
bayes_sql_username  bayes
bayes_sql_password  password

Configure FuzzyOCR

We will be storing the image hashes in a mysql database to improve on performance such that images that we have already scanned do not get scanned again as OCR is a resource intense activity.
 

Create MySQL Database

• The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:

mysql -p < /usr/local/src/devel/FuzzyOcr.mysql

• Change the password:

mysqladmin -u fuzzyocr -p fuzzyocr password
 

Basic Settings

• Edit /etc/mail/spamassassin/FuzzyOCR.cf and set the basic options:

focr_path_bin /usr/bin:/usr/local/bin
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /tmp/FuzzyOcr.log

Make FuzzyOCR Use The Database

• Edit the file /etc/mail/spamassassin/FuzzyOcr.cf and add:

focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/lib/mysql/mysql.sock

SARE Rule Updates

• Import the GPG key used to sign the rules:

mkdir /etc/mail/spamassassin/sa-update-keys/
chmod 700 /etc/mail/spamassassin/sa-update-keys/
wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
sa-update –import GPG.KEY

• Create the channels file /etc/mail/spamassassin/sare-sa-update-channels.txt:

updates.spamassassin.org
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_html_eng.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_header_eng.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj_eng.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net

• Create an update script /usr/local/bin/update-sa:

#!/bin/bash
#
#
sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A &>/var/log/sa-updates.log

• Make it executable and add to cron:

chmod +x /usr/local/bin/update-sa
ln -s /usr/local/bin/update-sa /etc/cron.daily/
ln -s /usr/local/bin/update-sa /etc/cron.hourly/

 

Spamass-milter Setup

Basic Configuration

• Edit /etc/sysconfig/spamass-milter:

SOCKET=/var/run/spamass.sock
EXTRA_FLAGS="-m -r 8"

Patch

We need to patch the init file to fix the permissions of the socket created such that postfix is able to use the socket.

wget http://www.topdog-software.com/files/spamass-milter.patch
patch /etc/rc.d/init.d/spamass-milter < spamass-milter.patch

Apache Setup

Disable Modules

We will disable some modules that we are not using thus freeing up memory and also improving security.

• Edit /etc/httpd/conf/httpd.conf and comment out the modules as below.

#LoadModule ldap_module modules/mod_ldap.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule mem_cache_module modules/mod_mem_cache.so

• Edit /etc/httpd/conf.d/proxy_ajp.conf and comment out as below:

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

Listen To One IP For HTTPS

Apache has to be configured to listed to one address for port 443 as webmin will be using the same port. Edit /etc/httpd/conf.d/ssl:

Listen 192,168.1.6:443

Enable Gzip Compression

We setup gzip compression via the mod_deflate module to improve web server performance and to cut down on bandwidth usage by compressing responses to the client.

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \
\.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Set up logging for the deflate module:

DeflateFilterNote deflate_ratio
LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
CustomLog logs/deflate_access_log vhost_with_deflate_info

Increase PHP Max Memory

Edit the file /etc/php.ini and set the following:

memory_limit = 64M

Enable Virtual Hosting

NameVirtualHost *:80

Create Default Virtual Host

This needs to be the first virtual host, it will be the default on the server the equivalent of the server with out virtual hosting.

<VirtualHost *:80>
        Servername localhost.localdomain
        Serveradmin root@localhost.localdomain
</Virtualhost>

Roundcube Webmail Setup

Create Database

• Create the database and add the roundcube user.

mysqladmin -p create roundcube
mysql -p
mysql> GRANT ALL ON roundcube.* TO roundcube@localhost IDENTIFIED BY ‘password’;

• Initialize the database:

mysql -u roundcube -p roundcube < /usr/share/doc/roundcube-0.1/SQL/mysql5.initial.sql
 

Basic Config

• Configure database DSN in /var/www/roundcube/config/db.inc.php:

$rcmail_config['db_dsnw'] = 'mysql://roundcube:password@localhost/roundcube';

• Configure roundcube in /var/www/roundcube/config/main.inc.php:

$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['virtuser_file'] = '/etc/postfix/virtual';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_helo_host'] = 'localhost';

Set Up Catch All Virtualhost

As we will be providing webmail for all domains that are created on the system we need to setup a catch all virtualhost that can display roundcube when ever a user accesses http://webmail.domainname. Edit /etc/httpd/conf/httpd.conf and append:

<VirtualHost *:80>
ServerName webmail.example.com
ServerAlias webmail.*
DocumentRoot /var/www/roundcube
<Directory /var/www/roundcube>
Options -Indexes IncludesNOEXEC FollowSymLinks
allow from all
</Directory>
</VirtualHost>

Firewall Setup

Introduction

This is a basic firewall it may not suit your needs, firewalling is an art so i recommend to read into it to improve on this basic one.

 

Basic Config

Add these rules in your configuration file /etc/sysconfig/iptables:

*raw  REROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat  REROUTING ACCEPT [0:0]  OSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle  REROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]  OSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport -j ACCEPT --dports 80,443,25,110,143,53
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp -m limit --icmp-type 8 --limit 5/min -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.1.5 -j ACCEPT
-A OUTPUT -s 192.168.1.6 -j ACCEPT
COMMIT

Activate Config

service iptables restart