Archive for the Security Category
Posted by mike Filed Under Security with Comments Off
There are network subnets that have been taken over by spammers and are run by bots. These networks are recorded and documented by Spamhaus, which gives you a quick way to modify your firewall to eliminate these known blocks of spam. You will need an iptables firewall; add the section below to it, and it will use the information in the list to drop those subnets, taking the load off your Postfix mail server.
The DROP list is maintained by Spamhaus and is found here:
http://www.spamhaus.org/DROP/
Here is a quote from the site:
“DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list, consisting of stolen ‘zombie’ netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.
DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.
The DROP list will NEVER include any IP space “owned” by any legitimate network and reassigned – even if reassigned to the “spammers from hell”. It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are “direct allocations” from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of “hijacked zombie” IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.”
To implement this, add this section close to the top of your firewall and create a text file in /etc/rc.d called banned. Add one subnet per line, as you see in the actual code below. Please use this information at your own risk: the subnets could change over time.
#####################################################
# BLOCK ZOMBIE NETBLOCKS #
#####################################################
# The banned file holds one CIDR netblock per line; lines starting with # are comments.
BADIP="/etc/rc.d/banned"
BANNED=$( grep -v -E "^#" "$BADIP" )
for ip in $BANNED
do
# FORWARD only matches traffic routed through this box. If Postfix runs on
# the firewall host itself, the same rule is needed in the INPUT chain.
iptables -A FORWARD -p tcp -s $ip -j DROP
done
# This is what the banned file needs to look like: one CIDR subnet per line, taken from the DROP list.
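Because the DROP list changes over time and the banned file will be refreshed from it, a loader should validate every line before it becomes a firewall rule. The following is an added example, not the post's own script: it assumes the DROP text format (one IPv4 CIDR per line, comments after "#" or ";") and uses a dedicated chain named SPAMHAUS_DROP; the sample file is constructed from documentation netblocks.

```shell
#!/bin/sh
# Added example: load a DROP-style netblock file into its own iptables chain,
# validating every line so a corrupted or truncated download cannot turn into
# malformed rules. Assumes the DROP text format (one IPv4 CIDR per line,
# comments after "#" or ";"). Chain name is an assumption.
CHAIN=SPAMHAUS_DROP

# Constructed sample in that format (documentation netblocks, not real listings).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
; constructed sample, not a real DROP snapshot
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
198.51.100.0/24
300.1.1.0/24 ; invalid first octet, must be rejected
not a netblock at all
203.0.113.0/24
EOF

# Strip comments and whitespace, keep only well-formed IPv4 CIDRs, deduplicate.
extract_netblocks() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32' |
    sort -u
}

# Emit (rather than run) the iptables commands so the result can be reviewed,
# then applied with:  render_rules /etc/rc.d/banned | sh
# Hook the chain from INPUT and/or FORWARD depending on whether Postfix runs
# on this host or behind it, e.g.  iptables -I INPUT -j SPAMHAUS_DROP
# DROP is a "drop all traffic" list, so no -p tcp restriction is applied.
render_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    extract_netblocks "$1" | while read -r net; do
        echo "iptables -A $CHAIN -s $net -j DROP"
    done
    echo "iptables -A $CHAIN -j RETURN"
}

render_rules "$SAMPLE"
```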
Posted by mike Filed Under Security with Comments Off
When you set up Postfix, it becomes a critical service for your organization, so it is important to have a way to verify that the mail server is up and running. Nagios 3 provides an easy setup for monitoring your mail server. This tutorial will help you add mail service checks for your Postfix mail server. If you need help setting up Nagios 3, please check THIS ARTICLE.
Step #1: Add a Host
An easy way to start setting up hosts is to choose a web server to monitor.
You will need to edit /etc/nagios3/. Define your host, give it a host name and an alias, and be sure to use the correct IP address. The check_http command will monitor your web server on port 80/tcp. This is a much easier way to monitor a web server than using ICMP, because you would have to modify so many firewalls to allow ICMP.
define host{
        use                     generic-host
        host_name               mail
        alias                   mail
        address                 192.168.5.12
        check_command           check_smtp
        max_check_attempts      10
        notification_interval   120
        notification_period     24x7
        notification_options    d,u,r
        contact_groups          admins
}
Step #2: Add Host to a Service
Edit /etc/nagios3/conf.d/generic-service_nagios2.cfg. If you are using the same service, you can just add the second host to the host_name line, which makes it very easy to add a number of hosts. Note the two host names listed.
define service{
        use                     generic-service
        host_name               mail
        service_description     SMTP
        check_command           check_smtp
}
Step #3: Check Configuration and Restart
Run this pre-flight check to verify that you do not have typos or other errors.
nagios -v /etc/nagios3/nagios.cfg
This should result in no errors and no warnings before you proceed.
Now restart Nagios and the web server that serves Nagios.
/etc/init.d/nagios3 restart
/etc/init.d/apache2 restart
Now access the web interface of Nagios at:
http://your_ip_address/nagios3
You should see that the service is being monitored.

Posted by mike Filed Under Security with 3 Comments
I recently checked mail stats on a server and discovered that 71% of the mail that the server handled was rejected. That means the server lost 71% of its total resources to connections that were either malicious in nature or intended to solicit resources from individuals. As a result I have gone on a campaign to begin dropping all subnets that I really do not need to allow connections from.
Selecting Countries to Drop
The criteria that I developed may not work for you, so keep that in mind. However, I am giving you some idea of my reasoning to help in your decision making.
1. Countries that are frequent attackers
One of the things I have done is watch logs so that I can drop those who are constantly stealing my resources.
2. Countries I cannot read the mail
I have limited language skills. If I cannot speak Chinese, why allow Chinese mail to arrive at my mail server?
3. Countries I do not do business with
There are a lot of countries that I do not do business with. Some countries, like Indonesia, have been constant sources of fraud; I have never had a legitimate order from Indonesia.
It is important to recognize that many of these subnets overlap and are used by other countries, so you will need to be careful and do your own research.
USE THIS ONLY AS AN EXAMPLE…VERIFY YOUR CHOICES.
#####################################################
# BLOCK COUNTRY ATTACKS                             #
#####################################################
# Note: -A INPUT with no -p/--dport match drops ALL traffic from these
# ranges, not just SMTP, and many of these /8 blocks span several countries.
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 61.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 124.0.0.0/8 -j DROP
iptables -A INPUT -s 126.0.0.0/8 -j DROP
iptables -A INPUT -s 168.208.0.0/16 -j DROP
iptables -A INPUT -s 196.192.0.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -j DROP
# (218.0.0.0/8 is already dropped above)
iptables -A INPUT -s 222.0.0.0/8 -j DROP
# Africa
iptables -A INPUT -s 41.0.0.0/8 -j DROP
# Brazil and Argentina
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/8 -j DROP
iptables -A INPUT -s 201.0.0.0/8 -j DROP
# China
iptables -A INPUT -s 62.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/8 -j DROP
iptables -A INPUT -s 79.0.0.0/8 -j DROP
iptables -A INPUT -s 130.0.0.0/8 -j DROP
iptables -A INPUT -s 131.0.0.0/8 -j DROP
iptables -A INPUT -s 137.0.0.0/8 -j DROP
iptables -A INPUT -s 146.0.0.0/8 -j DROP
iptables -A INPUT -s 147.0.0.0/8 -j DROP
iptables -A INPUT -s 150.0.0.0/8 -j DROP
# Indonesia
# (58.0.0.0/8 is already dropped above)
iptables -A INPUT -s 60.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP
iptables -A INPUT -s 114.0.0.0/8 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 118.0.0.0/8 -j DROP
iptables -A INPUT -s 119.0.0.0/8 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/8 -j DROP
iptables -A INPUT -s 123.0.0.0/8 -j DROP
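One way to "verify your choices" before committing to a /8 DROP is to log matches first and see who would have been cut off. This is an added example, not the post's own rules: it assumes a dedicated chain named COUNTRY_SMTP hooked from INPUT (iptables -N COUNTRY_SMTP; iptables -A INPUT -j COUNTRY_SMTP), restricts the rules to tcp/25 so only mail is affected, and parses constructed kernel log lines in the field layout netfilter's LOG target writes.

```shell
#!/bin/sh
# Added example: log before you drop. Each netblock gets a rate-limited LOG
# rule ahead of its DROP rule, both limited to SMTP, and the resulting kernel
# log is summarised per /8 to show who the block would have affected.
# Chain name COUNTRY_SMTP is an assumption; log lines are constructed samples.

LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Jan  1 10:00:01 mx kernel: COUNTRY_SMTP IN=eth0 OUT= SRC=58.10.20.30 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Jan  1 10:00:05 mx kernel: COUNTRY_SMTP IN=eth0 OUT= SRC=58.77.1.2 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN
Jan  1 10:01:00 mx kernel: COUNTRY_SMTP IN=eth0 OUT= SRC=200.5.6.7 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
Jan  1 10:02:00 mx kernel: COUNTRY_SMTP IN=eth0 OUT= SRC=58.10.20.31 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40002 DPT=25 SYN
Jan  1 10:03:00 mx sshd[99]: Accepted publickey for admin from 203.0.113.9
EOF

# Rule pair for one netblock. Unlike "-A INPUT -s X -j DROP", matching only
# tcp/25 keeps the block from affecting anything but inbound mail.
render_smtp_block() {
    net="$1"
    echo "iptables -A COUNTRY_SMTP -s $net -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix \"COUNTRY_SMTP \""
    echo "iptables -A COUNTRY_SMTP -s $net -p tcp --dport 25 -j DROP"
}

# Count logged connection attempts per /8: "<hits> <a.0.0.0/8>", busiest first.
# Only lines carrying our log prefix are counted; other kernel/syslog noise is ignored.
summarise_log() {
    awk '/COUNTRY_SMTP/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) {
            split(substr($i, 5), o, ".")
            hits[o[1] ".0.0.0/8"]++
        }
    }
    END { for (n in hits) print hits[n], n }' "$1" | sort -rn
}

render_smtp_block 58.0.0.0/8
summarise_log "$LOG"
```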
Posted by mike Filed Under Security with Comments Off
Using Pre-Built Templates
Add the pre-built templates for Postfix.
sudo apt-get install apparmor-profiles
This will load many pre-built templates that you can use.
cd /usr/share/doc/apparmor-profiles/extras
Now copy all of the Postfix-related profiles into /etc/apparmor.d/.
sudo cp usr.sbin.post* /etc/apparmor.d/
sudo cp usr.lib.post* /etc/apparmor.d/
Restart the AppArmor daemon.
sudo /etc/init.d/apparmor restart
Now check the number of active profiles.
sudo aa-status
32 profiles are in enforce mode.
/usr/lib/postfix/spawn
/usr/lib/postfix/tlsmgr
/usr/sbin/saslauthd
/usr/lib/postfix/pipe
/usr/lib/postfix/proxymap
/usr/lib/postfix/bounce
/usr/sbin/postalias
/usr/lib/postfix/pickup
/usr/lib/postfix/qmqpd
/usr/lib/postfix/showq
/usr/sbin/avahi-daemon
/usr/lib/postfix/local
/usr/lib/postfix/nqmgr
/usr/sbin/postdrop
/usr/lib/postfix/scache
/usr/lib/postfix/virtual
/usr/lib/postfix/lmtp
/usr/lib/postfix/discard
/usr/lib/postfix/error
/usr/lib/postfix/smtpd
/usr/lib/postfix/smtp
/usr/lib/postfix/cleanup
/usr/sbin/postfix
/usr/sbin/postmap
/usr/sbin/postqueue
/usr/lib/postfix/anvil
/usr/lib/postfix/qmgr
/usr/lib/postfix/master
/usr/lib/postfix/verify
/usr/lib/postfix/flush
/usr/lib/postfix/trivial-rewrite
/usr/lib/postfix/oqmgr
You may not need all of these profiles, depending on what you are running, so remove those you do not need. You can switch them to complain mode for testing. Whatever you do, update the profiles by running Postfix and then making any adjustments necessary with the aa-logprof command. This will make sure your system keeps running effectively.
aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:
Profile: /usr/sbin/postfix
Capability: sys_tty_config
Severity: 8
(A)llow / [(D)eny] / Abo(r)t / (F)inish
Adding capability sys_tty_config to profile.
Profile: /usr/sbin/postfix
Path: /etc/postfix/main.cf
Mode: r
Severity: 3
[1 - /etc/postfix/main.cf]
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/postfix/main.cf r to profile.
Profile: /usr/sbin/saslauthd
Path: /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock
Mode: w
Severity: unknown
[1 - /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock]
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock w to profile.
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 - /usr/sbin/postfix]
2 - /usr/sbin/saslauthd
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/postfix.
Writing updated profile for /usr/sbin/saslauthd.
Posted by mike Filed Under Security with Comments Off
If you are using Postfix on a server that supports AppArmor, like SUSE, Debian, Ubuntu, etc., you can use AppArmor to protect Postfix. AppArmor attempts to protect processes on the server or desktop from security threats by enforcing limits on what each process can access on the system, restricting it to only those resources it requires to function. AppArmor not only defines the system resources a program can access, it also determines the privileges with which the program can access those resources. To protect applications you will need to set up a security profile for each application you want to protect.
When you have many software applications on a system, you run the risk of hosting software flaws you are not aware of. These flaws provide avenues for attackers to compromise your system. Exploits that are used to crack a system on the same day the flaw is discovered are called zero-day exploits. AppArmor provides protection against these kinds of attacks because the confinement applies whether the vulnerability is known or unknown.
Install AppArmor
There is no need to install AppArmor on a distro like Ubuntu, as it is installed by default. The real issue is that the default install protects so little that it is not very helpful, so you will need to change that. Even in the new Ibex version, cups, bind, mysql and slapd are the only processes protected by AppArmor. The Ibex desktop also includes the Xsession for gdm.
Check the status of AppArmor
When you check the status as root you will see the active profiles. There are several modes that you may notice. Complain mode lets you learn what would happen if there were violations, without hindering activity; it is a warning-only mode. Enforce mode means that the kernel will enforce the AppArmor protection for that process.
sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
/usr/sbin/mysqld
/usr/sbin/slapd
/usr/sbin/cupsd
/usr/sbin/named
/usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode :
3 processes are in complain mode.
/usr/sbin/cupsd (4613)
/usr/sbin/named (4398)
/usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.
Create a New Profile
To provide the protection you need, you will be required to create a profile for each application you want to protect. For Postfix this means creating profiles for each program that Postfix needs to function correctly.
The aa-genprof command is used to create a new profile. From a terminal, as root, use the command aa-genprof:
sudo aa-genprof executable
The first question you will be asked when you begin creating a profile is whether you want to connect to the repository. This repository, which was hosted by SUSE, saves profiles created by many different users and distros, so it is probably not a good idea to enable it; create your own profile.
The second question will look like this:
[(S)can system log for SubDomain events] / (F)inish
At this point you need to have a working Postfix, including your spam protection and anti-virus protection. AppArmor will scan the system log for Postfix activity so you can create the profile. Run Postfix by sending mail through it so AppArmor can detect all of the programs needed for the profile. Then select "S" to scan for changes. Do this several times, and note that you may be asked to accept additions to the profile as it is created. Once you have answered all of the questions, choose Finish to complete the profile.
sudo aa-genprof /usr/sbin/postfix
Repository: http://apparmor.test.opensuse.org/backend/api
Would you like to enable access to the
profile repository?
(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Writing updated profile for /usr/sbin/postfix.
Setting /usr/sbin/postfix to complain mode.
Please start the application to be profiled in
another window and exercise its functionality now.
Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.
For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.
Profiling: /usr/sbin/postfix
[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Profiling: /usr/sbin/postfix
[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Profiling: /usr/sbin/postfix
[(S)can system log for SubDomain events] / (F)inish
Here is an example of the basic Postfix profile (found in /etc/apparmor.d); note that this is just the start.
# Last Modified: Wed Oct 8 17:42:02 2008
#include <tunables/global>
/usr/sbin/postfix {
  #include <abstractions/base>
  /usr/sbin/postfix mr,
}
Create the profile in complain mode so that you can test. It can be changed once you are sure it works correctly.
sudo aa-complain /usr/sbin/postfix
You can change the mode to enforce with this command:
sudo aa-enforce /usr/sbin/postfix
Basic Commands
Each of these commands must be run as root.
aa-autodep     create a minimal profile
aa-enforce     enforce the profile created
aa-complain    violations are logged but not enforced
aa-audit       check the profile
aa-logprof     look for error messages, provide a severity level, and then give you the option to accept a correction or not
aa-unconfined  list all the network applications that are not protected
Profiles are saved in /etc/apparmor.d.
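Each aa-logprof prompt shown earlier comes from one AppArmor log event, and in complain mode the would-be denials are recorded as apparmor="ALLOWED" rather than "DENIED". The following is an added example, not the post's own code or an AppArmor tool: it assumes the kernel audit line format (apparmor="...", profile="...", name="...", requested_mask="...") and summarises constructed log lines into the candidate profile rules you would be asked to accept, in the same "<path> <mask>," syntax as the profile above.

```shell
#!/bin/sh
# Added example: turn AppArmor log events for a profile into the candidate
# rules aa-logprof would prompt for, so they can be reviewed in bulk first.
# Assumes the audit format apparmor="DENIED|ALLOWED" ... profile="..."
# name="..." requested_mask="..."; complain mode logs would-be denials as
# ALLOWED, so both are candidates. Log lines below are constructed samples.

LOG=$(mktemp)
cat >"$LOG" <<'EOF'
kernel: audit: type=1400 audit(1223480522.101:45): apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4120 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1223480522.204:46): apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=4121 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1223480523.007:47): apparmor="DENIED" operation="open" profile="/usr/sbin/saslauthd" name="/var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock" pid=4200 comm="saslauthd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1223480523.500:48): apparmor="ALLOWED" operation="open" profile="/usr/sbin/postfix" name="/etc/aliases.db" pid=4122 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1223480524.000:49): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/postfix" pid=4000 comm="apparmor_parser"
EOF

# One candidate profile line ("<path> <mask>,") per distinct event for the
# given profile. STATUS events (profile loads) are not access requests and
# are skipped; repeated identical accesses collapse to one line.
candidate_rules() {
    profile="$1"; log="$2"
    grep -E 'apparmor="(DENIED|ALLOWED)"' "$log" |
    grep "profile=\"$profile\"" |
    sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2,/p' |
    sort -u
}

# Access events per profile ("<profile> <count>"), noisiest first, to decide
# which profile to work on first.
events_per_profile() {
    grep -oE 'apparmor="(DENIED|ALLOWED)".*profile="[^"]*"' "$1" |
    sed 's/.*profile="\([^"]*\)"/\1/' | sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

candidate_rules /usr/sbin/postfix "$LOG"
events_per_profile "$LOG"
```

The output for /usr/sbin/postfix is what you would paste into the profile (or accept in aa-logprof) before switching it from complain to enforce mode.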
This is only a start and is an incomplete process until you protect each application that is related to Postfix. Be sure to check out the post on using pre-built profiles.