Plesk clear qmail queue

Today I will describe how to clear the qmail queue on a server running Plesk. Use either of the methods below with caution: everything waiting in the queue is discarded, so if legitimate mail is stuck behind the spam it is lost as well. The second method is simply an automation of the first, which is why I include both. Nothing outside the queue directories is touched.

First of all check the number of messages from the queue using the qmail-qstat tool:

[root@test /]# /var/qmail/bin/qmail-qstat
messages in queue: 22463
messages in queue but not yet preprocessed: 22

Before removing anything, ALWAYS stop the qmail service first. qmail-send owns the queue and tracks each message across the subdirectories below by inode number; deleting files underneath it leaves the queue in an inconsistent state that would later have to be repaired:

service qmail stop

Once the service is stopped, execute the following commands one by one (depending on the number of files stuck in the queue this may take a while, since -exec rm spawns one process per file):

find /var/qmail/queue/mess -type f -exec rm {} \;
find /var/qmail/queue/info -type f -exec rm {} \;
find /var/qmail/queue/local -type f -exec rm {} \;
find /var/qmail/queue/intd -type f -exec rm {} \;
find /var/qmail/queue/todo -type f -exec rm {} \;
find /var/qmail/queue/remote -type f -exec rm {} \;

Finally start the mail service and recheck the queue with qmail-qstat to ensure that all the messages have been removed (both counters should read 0):

service qmail start

To automate this process I have two scripts available (they perform the same operations as above). If you receive oversized file truncating errors from the first one, please use the 2nd script; it takes a little longer but gets the job done. As with anything fetched with wget and run as root, read the script before executing it.

wget http://dragos.fedorovici.com/qmailclear.sh
wget http://dragos.fedorovici.com/qmailclean.sh
sh qmailclean.sh
sh qmailclear.sh
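Putting the whole procedure into one script, as an added example (my code, not the author's qmailclear.sh / qmailclean.sh and not Plesk's): it prints the queue counters, refuses to delete while qmail-send is still alive, purges the six queue subdirectories with find -delete (no fork per file, which is what makes -exec rm {} \; slow on tens of thousands of messages), restarts the service and verifies the queue is empty. The QMAIL_QUEUE / QMAIL_QSTAT overrides, the pgrep check and the script name qmail-purge.sh used by the run guard are my assumptions.

```shell
#!/bin/sh
# Added example: purge the qmail queue on a Plesk box. Not the author's
# qmailclear.sh/qmailclean.sh. Paths can be overridden for testing.
set -eu

QUEUE="${QMAIL_QUEUE:-/var/qmail/queue}"
QSTAT="${QMAIL_QSTAT:-/var/qmail/bin/qmail-qstat}"
# The subdirectories cleared by the manual procedure above.
QUEUE_DIRS="mess info local intd todo remote"

# Count the files sitting under the queue subdirectories of $1.
count_queue_files() {
    root="$1"
    total=0
    for d in $QUEUE_DIRS; do
        [ -d "$root/$d" ] || continue
        n=$(find "$root/$d" -type f | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# qmail-send owns the queue; deleting underneath it corrupts the queue state.
# Assumes pgrep (procps) is available.
qmail_send_running() {
    pgrep -x qmail-send >/dev/null 2>&1
}

# Delete queued messages from every subdirectory of $1, keeping the numbered
# split directories themselves intact so qmail can start again afterwards.
purge_queue() {
    root="$1"
    for d in $QUEUE_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -delete
    done
}

main() {
    echo "Queue before purge:"
    "$QSTAT"
    service qmail stop
    if qmail_send_running; then
        echo "qmail-send is still running; refusing to touch the queue" >&2
        exit 1
    fi
    purge_queue "$QUEUE"
    service qmail start
    echo "Queue after purge:"
    "$QSTAT"
    left=$(count_queue_files "$QUEUE")
    [ "$left" -eq 0 ] || { echo "$left files still in queue" >&2; exit 1; }
}

# Run main only when executed as this script, not when sourced for testing.
case "${0##*/}" in qmail-purge.sh) main "$@" ;; esac
```

Save it as qmail-purge.sh and run it as root; when sourced under another name only the functions are defined, which is how the purge logic can be exercised against a throwaway directory first.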

Check and hide BIND version

Nowadays the security of a Linux server starts with the security of each application. Running an outdated version of Apache, MySQL, Exim or BIND leaves your server exposed, as many old versions have known security issues. Keeping them patched is the real fix; on top of that, a good starting point is to hide the version strings your services advertise, since that information lets an attacker focus directly on the vulnerabilities of the exact version you are running.

BIND (or named) is the most widely used DNS server software on the Internet. Many BIND versions have been vulnerable to different types of attacks, and this is why this small tutorial focuses on how to hide the version that BIND reports in the Chaos class (CH), through the version.bind query:

[dragos@dragos-laptop ~]$ dig @domain.com -c CH -t txt version.bind

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> @auxell.ro -c CH -t txt version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65190
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.            CH    TXT

;; ANSWER SECTION:
version.bind.        0    CH    TXT    "9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2"

;; AUTHORITY SECTION:
version.bind.        0    CH    NS    version.bind.

;; Query time: 38 msec
;; SERVER: 85.204.103.34#53(85.204.103.34)
;; WHEN: Sun Nov 14 00:09:19 2010
;; MSG SIZE  rcvd: 91

As you can see in the output, the version running on one of my servers is 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2. This lets an attacker focus his 'work' on that version's vulnerabilities (if any), so I will hide the version, at least to make his job a bit harder. Keep in mind that this is obscurity only: the banner can be masked while the daemon stays exactly as vulnerable as before, and fingerprinting by behaviour is still possible, so it complements patching rather than replacing it.

For this, open the BIND configuration file (I run named in a chroot, so the path is /var/named/chroot/etc/named.conf) and find the options block. Add an entry of the form version "desired string"; there. Two related options live in the same block: hostname "..." controls the answer to hostname.bind, and server-id controls the answer to id.server (it defaults to none).

vi /var/named/chroot/etc/named.conf

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    version "Try again, fail again. Fail better.";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below.  Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

Finally, save the file, reload the DNS server and run the same query again:

[root@server ~]# service named reload
Reloading named:                                           [  OK  ]

[dragos@dragos-laptop ~]$ dig @domain.com -c CH -t txt version.bind +short
"Try again, fail again. Fail better."
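To verify the change across several servers at once, here is an added example (my script, not part of the original post): it queries version.bind and hostname.bind in the Chaos class with dig +short, flags answers that still look like a real BIND version string, and reports empty answers, which is what you get once CH queries are refused. The looks_like_bind_version pattern, the 2-second timeout and the assumption that dig from bind-utils is installed are mine.

```shell
#!/bin/sh
# Added example: audit nameservers for version.bind / hostname.bind leakage.
# Not the author's code. Usage: sh bind-leak-check.sh ns1.example.com ns2.example.com
set -eu

# Strip quotes and decide whether a CH TXT answer still looks like a real
# BIND version (anything starting with digits.digits, e.g. 9.3.6-P1-RedHat...).
# Returns 0 when a version leaks, 1 when the string is masked or empty.
looks_like_bind_version() {
    answer=$(printf '%s' "$1" | tr -d '"')
    case "$answer" in
        [0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Query one name in the Chaos class; prints the +short answer, empty on
# timeout or REFUSED (assumes dig is installed).
chaos_query() {
    server="$1"; name="$2"
    dig @"$server" +short +time=2 +tries=1 -c CH -t txt "$name" 2>/dev/null || true
}

# Print one line per probed name for a server.
audit_server() {
    server="$1"
    v=$(chaos_query "$server" version.bind)
    h=$(chaos_query "$server" hostname.bind)
    if [ -z "$v" ]; then
        echo "$server: version.bind not answered (CH queries refused or disabled)"
    elif looks_like_bind_version "$v"; then
        echo "$server: LEAKS BIND version $v"
    else
        echo "$server: version.bind masked as $v"
    fi
    if [ -z "$h" ]; then
        echo "$server: hostname.bind not answered"
    else
        echo "$server: hostname.bind = $h (set 'hostname' in options to mask it)"
    fi
}

for ns in "$@"; do
    audit_server "$ns"
done
```

The pattern is deliberately loose: anything starting with major.minor is treated as a leak, so a masked string such as the one configured above is reported as masked, while a real version of any vendor flavour is flagged.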

ProFTPD Telnet IAC processing stack overflow

If you are running a Linux server with the Plesk control panel, please be aware of a flaw discovered in the ProFTPD server that potentially allows unauthenticated attackers to compromise your server. The problem is a stack-based buffer overflow in the pr_netio_telnet_gets() function that processes TELNET IAC sequences (ProFTPD bug 3521, CVE-2010-4221, fixed upstream in 1.3.3c). Because the overflow is reachable before login, any ProFTPD instance exposed to the network is affected. The ProFTPD bug report is available here: http://bugs.proftpd.org/show_bug.cgi?id=3521

A ProFTPD update for Plesk has been provided by Atomic Rocket Turtle (Atomicorp). To apply the update, execute the commands below; the first one installs the Atomic yum repository, so read the installer before piping it into sh as root:

wget -O - http://www.atomicorp.com/installers/atomic | sh
yum upgrade psa-proftpd

Please review http://www.parallels.com/products/plesk/ProFTPD for updates to this security issue.
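Two checks worth running before and after the update, as an added example (my code, not Atomicorp's or Parallels'): the installed psa-proftpd package version, and the version ProFTPD announces in its 220 banner, compared against the upstream fix release 1.3.3c. The banner parser and version comparison are mine, and the nc invocation and script name proftpd-check.sh are assumptions. Note that vendor packages sometimes backport a fix without bumping the banner, so rpm -q --changelog psa-proftpd is the authoritative source when the two disagree.

```shell
#!/bin/sh
# Added example: check whether a ProFTPD instance is at or past the upstream
# fix for bug 3521 (1.3.3c). Not the author's or Atomicorp's code.
set -eu

FIXED_VERSION="1.3.3c"

# Extract "1.3.3a" from a banner like
# "220 ProFTPD 1.3.3a Server (ProFTPD Default Installation) [1.2.3.4]".
# Prints nothing if the banner carries no version.
proftpd_banner_version() {
    printf '%s\n' "$1" | sed -n 's/.*ProFTPD \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Compare two ProFTPD versions (x.y.z plus optional letter suffix).
# Prints "older", "equal" or "newer" for $1 relative to $2.
compare_proftpd_versions() {
    a="$1"; b="$2"
    anum=$(printf '%s' "$a" | sed 's/[a-z]*$//'); asuf=${a#"$anum"}
    bnum=$(printf '%s' "$b" | sed 's/[a-z]*$//'); bsuf=${b#"$bnum"}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$anum" | cut -s -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$bnum" | cut -s -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo older; return; fi
        if [ "$x" -gt "$y" ]; then echo newer; return; fi
        i=$((i + 1))
    done
    # Same numeric version: the letter suffix orders releases
    # (1.3.3 < 1.3.3a < 1.3.3c); an empty suffix sorts first.
    first=$(printf '%s\n%s\n' "$asuf" "$bsuf" | sort | head -n 1)
    if [ "$asuf" = "$bsuf" ]; then echo equal
    elif [ "$first" = "$asuf" ]; then echo older
    else echo newer; fi
}

# 0 if the banner version is at least FIXED_VERSION, 1 otherwise (or if unknown).
banner_is_fixed() {
    v=$(proftpd_banner_version "$1")
    [ -n "$v" ] || return 1
    [ "$(compare_proftpd_versions "$v" "$FIXED_VERSION")" != older ]
}

# Live checks, only when run as this script (not when sourced for testing).
case "${0##*/}" in
proftpd-check.sh)
    rpm -q psa-proftpd
    banner=$(printf 'QUIT\r\n' | nc -w 3 "${1:-127.0.0.1}" 21 | head -n 1)
    echo "$banner"
    banner_is_fixed "$banner" && echo "banner >= $FIXED_VERSION" \
        || echo "banner older than $FIXED_VERSION (or no version in banner)"
    ;;
esac
```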

[How To] Mount an additional drive

In this article I will describe how to mount an additional drive on a Linux machine. First of all, make sure the OS sees both drives correctly, using fdisk -l:

root@server [~]# fdisk -l
Disk /dev/sda: 160.0 GB, 160040803840 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          32      257008+  83  Linux
/dev/sda2              33       18948   151942770   83  Linux
/dev/sda3           18949       19457     4088542+  82  Linux swap / Solaris

Disk /dev/sdb: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Disk /dev/sdb doesn't contain a valid partition table

As you can see, the second drive (/dev/sdb) doesn't contain a valid partition table, so we first need to create a partition:

root@server [~]# /sbin/fdisk /dev/sdb
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel. Changes will remain in memory only,
until you decide to write them. After that, of course, the previous
content won't be recoverable.

The number of cylinders for this disk is set to 19457.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
e   extended
p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-19457, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-19457, default 19457):
Using default value 19457

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

To recap: run /sbin/fdisk on the second drive (/dev/sdb), type 'n' to create a new partition, 'p' to make it a primary partition, choose the partition number (1 in the example above) and accept the defaults for the first and last cylinder. The partition created is /dev/sdb1 (because I chose 1 as the partition number). Double-check the device name before the next step, since mkfs destroys whatever is on the partition. Once the partition exists, format it:

/sbin/mkfs -t ext3 /dev/sdb1

Create a mount point for the new partition and assign a label to the new filesystem, so that fstab can refer to it by label rather than by a device name that may change when disks are added or reordered:

mkdir /backup
/sbin/e2label /dev/sdb1 /backup

In order to have the new partition mounted automatically after a reboot, add a line to /etc/fstab with the label you assigned, the mount point, the filesystem type, the mount options and the dump/fsck fields:

vi /etc/fstab and add:
LABEL=/backup   /backup   ext3   defaults   1 2

Finally, mount the new created partition

mount /backup

and check the results (the df output below was taken on a different box than the fdisk listing above, which is why the sizes and the root partition do not match):

[root@server ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3             108G   54G   50G  53% /
/dev/sda1              99M   24M   70M  26% /boot
none                  498M     0  498M   0% /dev/shm
/usr/tmpDSK           485M   12M  449M   3% /tmp
/tmp                  485M   12M  449M   3% /var/tmp
/dev/sdb1              74G   85M   70G   1% /backup
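Before running fdisk and mkfs it pays to confirm that the device you are about to wipe is really the unused one. This added example (my code, not part of the original article) encodes that as a shell function that refuses a device if it, or any of its partitions, appears in the mount table or in fstab, and then wraps the article's own commands, feeding fdisk the same keystrokes through printf. The mount table and fstab paths are parameters so the check can be exercised against constructed copies; the script name prepare-backup-disk.sh is an assumption. The check does not see fstab entries that refer to the same disk by UUID or LABEL, so blkid on the device is still worth a look.

```shell
#!/bin/sh
# Added example: guard the partition/format/mount procedure above against
# pointing at the wrong disk. Not the author's code.
set -eu

# Return 0 if $1 (e.g. /dev/sdb) or one of its partitions is mounted or listed
# in fstab; the mount table ($2) and fstab ($3) default to the live files.
device_in_use() {
    dev="$1"
    mounts="${2:-/proc/mounts}"
    fstab="${3:-/etc/fstab}"
    if grep -q "^$dev[0-9]*[[:space:]]" "$mounts"; then
        return 0
    fi
    if grep -q "^$dev[0-9]*[[:space:]]" "$fstab"; then
        return 0
    fi
    return 1
}

# Return 0 if fstab ($2, default /etc/fstab) already has an entry for label $1.
fstab_has_label() {
    grep -q "^LABEL=$1[[:space:]]" "${2:-/etc/fstab}"
}

# The procedure from the article with the checks in front. The label equals
# the mount point, as in the article. Assumes a disk of 2 TB or less, since
# fdisk writes a DOS/MBR label here.
prepare_backup_disk() {
    dev="$1"; mountpoint="$2"; label="$2"
    if device_in_use "$dev"; then
        echo "$dev is mounted or referenced in fstab; not touching it" >&2
        return 1
    fi
    if fstab_has_label "$label"; then
        echo "fstab already has an entry for LABEL=$label" >&2
        return 1
    fi
    # Same keystrokes as the interactive session: n, p, 1, default, default, w.
    printf 'n\np\n1\n\n\nw\n' | /sbin/fdisk "$dev"
    /sbin/mkfs -t ext3 "${dev}1"
    /sbin/e2label "${dev}1" "$label"
    mkdir -p "$mountpoint"
    printf 'LABEL=%s\t%s\text3\tdefaults\t1 2\n' "$label" "$mountpoint" >> /etc/fstab
    mount "$mountpoint"
    df -h "$mountpoint"
}

# Only act when run as this script, not when sourced for testing.
case "${0##*/}" in
prepare-backup-disk.sh) prepare_backup_disk "${1:-/dev/sdb}" "${2:-/backup}" ;;
esac
```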

Set "Default email address" to fail automatically

Your default email address is listed under Default Email Account in cPanel. This mailbox is created automatically with the cPanel account (its username and password are the cPanel username and password), it cannot be deleted or renamed, and it has no quota. The default address can also act as a "catch all", receiving mail addressed to anything@mydomain.com. Using a catch-all can be a blessing and sometimes a curse.

If you are wondering what to set as the default email address, my suggestion is to always set it to :fail:, and not to :blackhole: or to a real mailbox (in which case you will notice a large amount of spam piling up in it). The reasons behind this choice are:

1. :blackhole: first accepts the email in full, then sends it to /dev/null. This is a big waste of your bandwidth, and from the sender's side the delivery looks successful.

2. :fail: stops the email from being received, because Exim's verify = recipient check runs at the RCPT stage of the SMTP exchange, before any message data has been transferred. Your server generates no bounce; the exchange simply ends with an SMTP error code and the sending side deals with it. This means far less processing on your SMTP server and far less bandwidth, since you never receive the message itself.

To set the default address to :fail: for every existing cPanel account, back up the alias files first and then run:

cp -r /etc/valiases /etc/valiases.back
sed “s/^\*:.*/\*: :fail: No such person at this address/g” -i /etc/valiases/*

For newly created cPanel accounts you can force this by default from WHM (WebHost Manager) -> Tweak Settings -> Mail, by setting "Default catch-all/default address behavior for new accounts" to fail.