Archive for the Security Category

Blocking Zombie Spam Netblocks


There are network subnets that have been taken over by spammers and are run by bots. These networks are recorded and documented by Spamhaus, which gives you a quick way to modify your firewall to eliminate these known blocks of spam. You will need an iptables firewall; add the section below to it, and it will use the information in the list to drop the subnets, taking the load off your Postfix mail server.

The DROP list is maintained by Spamhaus and is found here:

http://www.spamhaus.org/DROP/

Here is a quote from the site:

“DROP (Don’t Route Or Peer) is an advisory “drop all traffic” list, consisting of stolen ‘zombie’ netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space “owned” by any legitimate network and reassigned – even if reassigned to the “spammers from hell”. It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are “direct allocations” from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of “hijacked zombie” IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.”

To implement this, add this section close to the top of your firewall script and create a text file in /etc/rc.d called banned. Put one subnet on each line, as shown in the example below. Use this information at your own risk: the subnets can change over time.
#####################################################
# BLOCK ZOMBIE NETBLOCKS                            #
#####################################################
# One CIDR per line in the banned file; lines starting with # are ignored.
BADIP="/etc/rc.d/banned"
BANNED=$( grep -v -E "^#" "$BADIP" )
for ip in $BANNED
do
    # FORWARD only affects traffic routed through this host; add the same
    # rule to INPUT if Postfix runs on the firewall machine itself.
    iptables -A FORWARD -p tcp -s "$ip" -j DROP
done

# This is what the banned file needs to look like.
116.199.128.0/19
116.50.8.0/21
128.199.0.0/16
129.47.0.0/16
132.232.0.0/16
132.240.0.0/16
134.175.0.0/16
134.33.0.0/16
138.252.0.0/16
138.43.0.0/16
139.167.0.0/16
141.193.0.0/16
143.49.0.0/16
147.203.0.0/16
148.51.0.0/16
148.7.0.0/16
149.47.0.0/16
152.147.0.0/16
167.97.0.0/16
170.26.0.0/16
170.67.0.0/16
192.115.68.0/22
192.160.44.0/24
192.43.153.0/24
192.43.154.0/23
192.43.156.0/22
192.43.160.0/24
192.67.16.0/24
192.86.85.0/24
193.110.136.0/24
193.142.244.0/24
193.16.100.0/24
193.19.120.0/23
193.200.29.0/24
193.200.50.0/23
193.238.36.0/22
193.93.236.0/22
194.1.152.0/24
194.110.160.0/22
194.116.146.0/23
194.126.193.0/24
194.145.235.0/24
194.146.204.0/22
194.189.44.0/22
195.114.8.0/23
195.225.176.0/22
195.234.159.0/24
195.238.242.0/24
195.74.88.0/23
195.95.161.0/24
196.32.216.0/21
198.151.152.0/22
198.186.16.0/20
198.186.25.0/24
198.204.0.0/21
199.120.163.0/24
199.166.200.0/22
199.245.138.0/24
199.60.102.0/24
200.108.160.0/20
200.124.64.0/20
201.158.96.0/21
201.71.0.0/20
203.19.101.0/24
203.202.236.0/22
203.31.88.0/23
203.33.120.0/24
203.34.205.0/24
203.34.70.0/23
203.34.71.0/24
204.13.32.0/21
204.14.24.0/21
204.153.248.0/21
204.18.0.0/16
204.236.0.0/19
204.52.255.0/24
204.79.220.0/22
204.89.224.0/24
205.210.137.0/24
205.235.64.0/20
205.236.189.0/24
206.197.175.0/24
206.197.176.0/24
206.197.177.0/24
206.197.28.0/24
206.197.29.0/24
208.38.192.0/18
208.64.44.0/22
208.66.192.0/22
208.72.168.0/21
208.76.160.0/21
208.76.48.0/21
208.77.224.0/21
208.81.136.0/21
208.82.136.0/21
208.84.28.0/22
208.87.152.0/21
208.93.152.0/22
209.145.192.0/18
209.165.224.0/20
209.205.192.0/19
209.205.224.0/20
209.213.48.0/20
216.188.128.0/19
216.243.240.0/20
216.255.176.0/20
216.37.96.0/20
58.65.232.0/21
58.83.12.0/22
58.83.8.0/22
62.176.16.0/22
64.255.128.0/19
64.28.176.0/20
66.206.32.0/22
66.231.64.0/20
66.54.91.0/24
66.55.160.0/19
67.210.0.0/20
67.213.128.0/20
69.42.160.0/20
69.50.160.0/19
69.8.176.0/20
69.80.0.0/17
72.2.176.0/20
78.108.176.0/20
78.157.128.0/19
79.110.160.0/20
79.135.160.0/19
81.29.240.0/20
81.95.144.0/20
85.255.112.0/20
86.105.230.0/24
89.35.0.0/23
91.196.232.0/22
91.200.144.0/22
91.203.92.0/22
91.208.0.0/24
91.208.162.0/24
91.208.228.0/24
91.209.14.0/24
92.53.104.0/22
93.188.160.0/21
94.154.0.0/18
94.154.128.0/18
94.176.96.0/20
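The loop above aborts or loads nothing useful if the banned file contains a typo, a blank line or a trailing comment, and it appends rules every time the script runs. The following script is an added example, not the original post's snippet: it validates every entry as an IPv4 CIDR before use, loads the survivors into a dedicated chain so that reloading after a DROP list update is idempotent, hooks that chain into both INPUT and FORWARD, and drops all protocols rather than tcp only. The chain name ZOMBIE_DROP, the DRY_RUN variable and taking the file path as an argument are choices made here and are not from the post.

```shell
#!/bin/sh
# Added example (not the original post's firewall snippet): load a banned
# netblock file into a dedicated iptables chain after validating every entry,
# so that a malformed line cannot abort the firewall script half way through
# and leave the host with a partial rule set.
# Assumptions (chosen here, not from the post): chain name ZOMBIE_DROP,
# the DRY_RUN variable, and the file path passed as the first argument.

# valid_cidr CIDR: return 0 if CIDR is a well-formed IPv4 "a.b.c.d/n"
# (every octet 0-255, prefix length 0-32), otherwise 1.
valid_cidr() {
    cidr=$1
    case $cidr in
        */*) ;;
        *)   return 1 ;;
    esac
    addr=${cidr%/*}
    plen=${cidr#*/}
    printf '%s\n' "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    printf '%s\n' "$plen" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$plen" -le 32 ] || return 1
    # The regex above already limited addr to digits and dots, so splitting
    # on "." is safe; each octet must still be <= 255.
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit_rules FILE [CHAIN]: print one iptables command per valid entry after
# stripping blank lines, "#" comments and whitespace. Malformed entries are
# reported on stderr and counted in the return value (0 = all accepted).
emit_rules() {
    file=$1
    chain=${2:-ZOMBIE_DROP}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            echo "iptables -A $chain -s $line -j DROP"
        else
            echo "banned: skipping malformed entry '$line'" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# load_banned FILE: (re)build the chain and hook it into INPUT and FORWARD.
# With DRY_RUN=1 the iptables commands are printed instead of executed, so
# the resulting rule set can be reviewed without root.
load_banned() {
    file=$1
    chain=ZOMBIE_DROP
    run() {
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
    }
    # Flushing a dedicated chain makes reloads idempotent: re-running the
    # script after updating the banned file never duplicates rules.
    run iptables -N "$chain" 2>/dev/null || true
    run iptables -F "$chain"
    emit_rules "$file" "$chain" | while IFS= read -r cmd; do
        run $cmd
    done
    # INPUT protects Postfix when it runs on this host; FORWARD covers hosts
    # behind this box when it is also the router (the post used FORWARD only).
    for parent in INPUT FORWARD; do
        if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C "$parent" -j "$chain" 2>/dev/null; then
            run iptables -I "$parent" 1 -j "$chain"
        fi
    done
}

# Typical use near the top of the firewall script:
#   load_banned /etc/rc.d/banned
# Review the generated rules first with:
#   DRY_RUN=1 load_banned /etc/rc.d/banned
```

Because the rules live in their own chain, `iptables -L ZOMBIE_DROP -n` shows exactly what the DROP list contributed, separately from the rest of the firewall, and a bad entry in the file produces a message on stderr instead of an iptables parse error part way through the load.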

Monitoring Postfix with Nagios 3


When you set up Postfix it is a critical service for your organization, so it is important to have a way to verify that the mail server is up and running. Nagios 3 provides an easy set up for monitoring your mail server. This tutorial will help you add mail service checks for your Postfix mail server. If you need help setting up Nagios 3, please check THIS ARTICLE.

Step #1: Add a Host
An easy way to start setting up hosts is to choose a web server to monitor.
You will need to edit /etc/nagios3/. Define your host, give it a host name and an alias, and be sure to use the correct IP address. Use the check_http command, which will monitor your web server on port 80 tcp. This is a much easier way to monitor a web server than using icmp, because you would have to modify so many firewalls to allow icmp.

define host{
use                             generic-host
host_name                       mail
alias                           mail
address                         192.168.5.12
check_command                   check_smtp
max_check_attempts              10
notification_interval           120
notification_period             24x7
notification_options            d,u,r
contact_groups                  admins
}

Step #2: Add Host to a Service

Edit /etc/nagios3/conf.d/generic-service_nagios2.cfg. If several hosts use the same service, you can just add the second host to the host_name line, which makes it very easy to add and modify a number of hosts. Note that two host names can be listed there.

define service{
use     generic-service
host_name       mail
service_description     SMTP
check_command   check_smtp
}

Step #3: Check Configuration and Restart
Run this pre-flight check to verify that you do not have typos or other errors.

nagios -v /etc/nagios3/nagios.cfg

This should result in no errors and no warnings before you proceed.

Now restart nagios and the web server for nagios.

/etc/init.d/nagios3 restart
/etc/init.d/apache2 restart

Now access the web interface of Nagios at:

http://your_ip_address/nagios3

You should see that the service is being monitored.
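The host and service definitions from Steps 1 and 2 together, as an added example that is not from the original post: a second, hypothetical host named mail2 at the placeholder address 192.168.5.13 is defined the same way as mail, and both are listed on the comma-separated host_name line of the single SMTP service definition, which is the "two host names" arrangement Step 2 describes.

```cfg
# Two mail hosts checked by one service definition (added example).
define host{
        use                     generic-host
        host_name               mail
        alias                   mail
        address                 192.168.5.12
        check_command           check_smtp
        max_check_attempts      10
        notification_interval   120
        notification_period     24x7
        notification_options    d,u,r
        contact_groups          admins
}

define host{
        use                     generic-host
        host_name               mail2
        alias                   mail2
        address                 192.168.5.13        ; placeholder address, not from the post
        check_command           check_smtp
        max_check_attempts      10
        notification_interval   120
        notification_period     24x7
        notification_options    d,u,r
        contact_groups          admins
}

# host_name accepts a comma-separated list, so one service covers both hosts.
define service{
        use                     generic-service
        host_name               mail,mail2
        service_description     SMTP
        check_command           check_smtp
}
```

After saving, run the same pre-flight check from Step 3 (`nagios -v /etc/nagios3/nagios.cfg`); a host named on the service line but not defined anywhere is reported there as an error before you restart anything.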

Blocking Country Attacks


I recently checked mail stats on a server and discovered that 71% of the mail that the server handled was rejected. That means the server lost 71% of its total resources to connections that were either malicious in nature or intended to solicit resources from individuals. As a result I have started a campaign to drop all subnets that I really do not need to allow connections from.

Selecting Countries to Drop
The criteria that I developed may not work for you so keep that in mind.  However, I am giving you some idea on my reasoning to help in your decision making.

1. Countries that are frequent attackers
One of the things I have done is watch logs so that I can drop those who are constantly stealing my resources.

2. Countries I cannot read the mail
I have limited language skills.  If I cannot speak Chinese why allow Chinese mail to arrive at my mail server?

3. Countries I do not do business with
There are a lot of countries that I do not do business with. Some countries, like Indonesia, have been constant sources of fraud; I have never had a legitimate order from Indonesia.

It is important to recognize that many of these subnets overlap and are used by other countries so you will need to be careful and do your own research.
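Criterion 1 above depends on reading the mail log, and the 71% figure at the top of the post is the kind of number that should drive a block decision. The script below is an added example, not the post's own tooling: it reads Postfix smtpd log lines, reports the share of connections that ended in a reject, and counts rejects per source prefix at a chosen width (/8, /16 or /24), so that a whole /8 is only blocked when the log actually shows it is the source. The log lines embedded in it are constructed for the example and are not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Postfix smtpd rejects
# by source netblock so a firewall block is based on measured log data.

# Constructed sample lines in the standard Postfix smtpd syslog format.
SAMPLE_LOG='Mar  3 10:00:01 mx postfix/smtpd[2001]: connect from unknown[58.12.34.56]
Mar  3 10:00:02 mx postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[58.12.34.56]: 554 5.7.1 Service unavailable; Client host [58.12.34.56] blocked using zen.spamhaus.org; from=<a@example.net> to=<b@example.com> proto=ESMTP helo=<host.example.net>
Mar  3 10:00:03 mx postfix/smtpd[2001]: disconnect from unknown[58.12.34.56]
Mar  3 10:00:05 mx postfix/smtpd[2002]: connect from mail.example.org[192.0.2.10]
Mar  3 10:00:06 mx postfix/smtpd[2002]: disconnect from mail.example.org[192.0.2.10]
Mar  3 10:00:09 mx postfix/smtpd[2003]: connect from unknown[58.99.1.2]
Mar  3 10:00:10 mx postfix/smtpd[2003]: NOQUEUE: reject: RCPT from unknown[58.99.1.2]: 450 4.7.1 Client host rejected: cannot find your hostname, [58.99.1.2]; from=<c@example.net> to=<b@example.com> proto=ESMTP helo=<h>
Mar  3 10:00:12 mx postfix/smtpd[2004]: connect from unknown[203.0.113.7]
Mar  3 10:00:13 mx postfix/smtpd[2004]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; from=<d@example.net> to=<b@example.com> proto=ESMTP helo=<h>'

# reject_ratio: read a mail log on stdin and print the percentage of smtpd
# connections that produced at least one reject (the post quotes 71% for its
# server). Connections are keyed by the smtpd pid, so several rejects within
# one session count once.
reject_ratio() {
    awk '
      $5 ~ /^postfix\/smtpd\[/ && $6 == "connect" { conns++ }
      $5 ~ /^postfix\/smtpd\[/ && $6 == "NOQUEUE:" && $7 == "reject:" { rejected[$5]++ }
      END {
          n = 0
          for (p in rejected) n++
          if (conns == 0) print 0; else printf "%d\n", 100 * n / conns
      }'
}

# rejects_by_prefix [OCTETS]: read a mail log on stdin and print
# "<prefix><TAB><count>" for each source prefix, most rejects first.
# OCTETS = 1 groups by /8, 2 by /16, 3 by /24 (default 1).
rejects_by_prefix() {
    octets=${1:-1}
    awk -v n="$octets" '
      $5 ~ /^postfix\/smtpd\[/ && $6 == "NOQUEUE:" && $7 == "reject:" {
          # the client appears as "name[ip]:" in the field after "from"
          c = ""
          for (i = 8; i <= NF; i++) if ($i == "from") { c = $(i + 1); break }
          sub(/^[^[]*\[/, "", c)
          sub(/\].*$/, "", c)
          split(c, o, ".")
          p = o[1]
          for (j = 2; j <= n; j++) p = p "." o[j]
          count[p]++
      }
      END { for (p in count) print p "\t" count[p] }' \
    | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Typical use on a live server:
#   reject_ratio     < /var/log/mail.log
#   rejects_by_prefix 2 < /var/log/mail.log | head -n 20
```

On the constructed sample the ratio is 75 and the /8 summary puts 58 at the top with two rejects; grouping with OCTETS=2 shows that those two rejects come from different /16s, which is the kind of detail that decides whether a /8 or a narrower prefix belongs in the firewall.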

USE THIS ONLY AS AN EXAMPLE…VERIFY YOUR CHOICES.

#####################################################
# BLOCK COUNTRY ATTACKS
#####################################################
# Asia
iptables -A INPUT -s 220.0.0.0/8 -j DROP
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 61.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 124.0.0.0/8 -j DROP
iptables -A INPUT -s 126.0.0.0/8 -j DROP
iptables -A INPUT -s 168.208.0.0/16 -j DROP
iptables -A INPUT -s 196.192.0.0/16 -j DROP
iptables -A INPUT -s 202.0.0.0/8 -j DROP
iptables -A INPUT -s 210.0.0.0/8 -j DROP
iptables -A INPUT -s 218.0.0.0/8 -j DROP
iptables -A INPUT -s 222.0.0.0/8 -j DROP
# Africa
iptables -A INPUT -s 41.0.0.0/8 -j DROP
# Brazil and Argentina
iptables -A INPUT -s 189.0.0.0/8 -j DROP
iptables -A INPUT -s 190.0.0.0/8 -j DROP
iptables -A INPUT -s 200.0.0.0/8 -j DROP
iptables -A INPUT -s 201.0.0.0/8 -j DROP
# China
iptables -A INPUT -s 62.0.0.0/8 -j DROP
iptables -A INPUT -s 77.0.0.0/8 -j DROP
iptables -A INPUT -s 78.0.0.0/8 -j DROP
iptables -A INPUT -s 79.0.0.0/8 -j DROP
iptables -A INPUT -s 130.0.0.0/8 -j DROP
iptables -A INPUT -s 131.0.0.0/8 -j DROP

iptables -A INPUT -s 137.0.0.0/8 -j DROP
iptables -A INPUT -s 146.0.0.0/8 -j DROP
iptables -A INPUT -s 147.0.0.0/8 -j DROP
iptables -A INPUT -s 150.0.0.0/8 -j DROP
# Indonesia
iptables -A INPUT -s 58.0.0.0/8 -j DROP
iptables -A INPUT -s 60.0.0.0/8 -j DROP
iptables -A INPUT -s 113.0.0.0/8 -j DROP
iptables -A INPUT -s 114.0.0.0/8 -j DROP
iptables -A INPUT -s 116.0.0.0/8 -j DROP
iptables -A INPUT -s 117.0.0.0/8 -j DROP
iptables -A INPUT -s 118.0.0.0/8 -j DROP
iptables -A INPUT -s 119.0.0.0/8 -j DROP
iptables -A INPUT -s 120.0.0.0/8 -j DROP
iptables -A INPUT -s 121.0.0.0/8 -j DROP
iptables -A INPUT -s 122.0.0.0/8 -j DROP
iptables -A INPUT -s 123.0.0.0/8 -j DROP

AppArmor Templates for Postfix


Using Pre-Built Templates
Add the pre-built templates for Postfix.

sudo apt-get install apparmor-profiles

This will load many pre-built templates that you can use.

cd /usr/share/doc/apparmor-profiles/extras

Now copy all of the Postfix related profiles into /etc/apparmor.d/.

sudo cp usr.sbin.post* /etc/apparmor.d/
sudo cp usr.lib.post* /etc/apparmor.d/

Restart the AppArmor daemon.

sudo /etc/init.d/apparmor restart

Now check the number of active profiles.

sudo aa-status

32 profiles are in enforce mode.
/usr/lib/postfix/spawn
/usr/lib/postfix/tlsmgr
/usr/sbin/saslauthd
/usr/lib/postfix/pipe
/usr/lib/postfix/proxymap
/usr/lib/postfix/bounce
/usr/sbin/postalias
/usr/lib/postfix/pickup
/usr/lib/postfix/qmqpd
/usr/lib/postfix/showq
/usr/sbin/avahi-daemon
/usr/lib/postfix/local
/usr/lib/postfix/nqmgr
/usr/sbin/postdrop
/usr/lib/postfix/scache
/usr/lib/postfix/virtual
/usr/lib/postfix/lmtp
/usr/lib/postfix/discard
/usr/lib/postfix/error
/usr/lib/postfix/smtpd
/usr/lib/postfix/smtp
/usr/lib/postfix/cleanup
/usr/sbin/postfix
/usr/sbin/postmap
/usr/sbin/postqueue
/usr/lib/postfix/anvil
/usr/lib/postfix/qmgr
/usr/lib/postfix/master
/usr/lib/postfix/verify
/usr/lib/postfix/flush
/usr/lib/postfix/trivial-rewrite
/usr/lib/postfix/oqmgr

You may not need all of these profiles depending upon what you are running, so remove those you do not need.  You can change these to complain mode so you can test.  Whatever you do, you should update the settings by running Postfix and then making any adjustments necessary by using the aa-logprof command.  This will make sure that your system is running effectively.

aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:    /usr/sbin/postfix
Capability: sys_tty_config
Severity:   8

(A)llow / [(D)eny] / Abo(r)t / (F)inish
Adding capability sys_tty_config to profile.

Profile:  /usr/sbin/postfix
Path:     /etc/postfix/main.cf
Mode:     r
Severity: 3

[1 - /etc/postfix/main.cf]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/postfix/main.cf r to profile.

Profile:  /usr/sbin/saslauthd
Path:     /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock
Mode:     w
Severity: unknown

[1 - /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock w to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

[1 - /usr/sbin/postfix]
2 - /usr/sbin/saslauthd

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/postfix.
Writing updated profile for /usr/sbin/saslauthd.

Protecting Postfix with AppArmor


If you are using Postfix on a server that supports AppArmor, such as Suse, Debian or Ubuntu, you can use AppArmor to protect Postfix. AppArmor attempts to protect processes on the server or desktop from security threats by enforcing limits on what each process can access on the system; it restricts a process to only those resources it requires to function. AppArmor not only defines the system resources a program can access, it also determines the privileges with which the program can access them. To protect applications you will need to set up a security profile for each application that you want to protect.

When you have many software applications on a system you run the risk of hosting software flaws that you are not aware of. These flaws provide avenues for attackers to compromise your system. Exploits that are used against a system on the same day the flaw is discovered, before a fix exists, are called zero-day exploits. AppArmor provides protection against these kinds of attacks because its confinement applies whether or not the vulnerability is known.

Install AppArmor
There is no need to install AppArmor on a distro like Ubuntu, as it is installed by default. The real issue is that the default install provides so little protection that it is not very helpful, so you will need to change that. Even in the new Ibex version, cups, bind, mysql and slapd are the only processes protected by AppArmor. The Ibex desktop adds the Xsession for gdm.

Check the status of AppArmor
When you check the status as root you will see the active profiles and the mode each is in. Complain mode lets you learn what would happen if there were violations without hindering activity; it is a warning-only mode. Enforce mode means that the kernel will enforce the AppArmor restrictions for that process.

sudo apparmor_status

# apparmor_status
apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
/usr/sbin/mysqld
/usr/sbin/slapd
/usr/sbin/cupsd
/usr/sbin/named
/usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode :
3 processes are in complain mode.
/usr/sbin/cupsd (4613)
/usr/sbin/named (4398)
/usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.
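Reading aa-status by eye works for five profiles, but once the Postfix helper profiles from the templates post are loaded (32 in the listing there) it is easy to miss one that was never loaded or was left in complain mode after testing. The script below is an added example, not from either post: it parses aa-status output and reports which of a given list of binaries have no profile in the mode you expect. The sample output embedded in it is constructed from the status listing above, and the list of Postfix binaries uses the /usr/lib/postfix/ paths shown in the templates post (an assumption; newer Debian and Ubuntu releases install the helpers under /usr/lib/postfix/sbin/ and the list would need adjusting).

```shell
#!/bin/sh
# Added example (not from the original posts): parse aa-status output and
# list binaries that still lack a profile in the expected mode.
# Assumption: Postfix helper paths as listed in the templates post.

# Constructed sample, shaped like the aa-status output shown in the post.
SAMPLE_STATUS='apparmor module is loaded.
5 profiles are loaded.
0 profiles are in enforce mode.
5 profiles are in complain mode.
/usr/sbin/mysqld
/usr/sbin/slapd
/usr/sbin/cupsd
/usr/sbin/named
/usr/lib/cups/backend/cups-pdf
3 processes have profiles defined.
0 processes are in enforce mode :
3 processes are in complain mode.
/usr/sbin/cupsd (4613)
/usr/sbin/named (4398)
/usr/sbin/mysqld (4518)
0 processes are unconfined but have a profile defined.'

# Binaries that must be confined for Postfix to be considered protected.
POSTFIX_BINARIES="/usr/sbin/postfix /usr/lib/postfix/master /usr/lib/postfix/smtpd /usr/lib/postfix/smtp /usr/lib/postfix/cleanup /usr/lib/postfix/qmgr"

# profiles_in_mode MODE: read aa-status output on stdin and print the profile
# paths listed under "N profiles are in MODE mode." (MODE = enforce|complain).
# Process entries such as "/usr/sbin/cupsd (4613)" are not profiles and are
# skipped because they follow a "processes" header.
profiles_in_mode() {
    awk -v want="$1" '
      /^[0-9]+ profiles are in [a-z]+ mode/ { cur = $5; next }
      /^[0-9]+ processes/                   { cur = "" }
      { line = $0; sub(/^[ \t]+/, "", line) }
      cur == want && line ~ /^\// { print line }
    '
}

# unconfined_binaries MODE BIN...: print each BIN that has no profile in MODE
# according to the aa-status output read on stdin.
unconfined_binaries() {
    mode=$1
    shift
    listed=$(profiles_in_mode "$mode")
    for bin in "$@"; do
        printf '%s\n' "$listed" | grep -qxF -- "$bin" || echo "$bin"
    done
}

# check_sample: run the check against the constructed status output.
check_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | unconfined_binaries enforce $POSTFIX_BINARIES
}

# Live use after restarting AppArmor (needs root for aa-status):
#   sudo aa-status | unconfined_binaries enforce $POSTFIX_BINARIES
```

Against the sample output every Postfix binary is reported, because none has a profile at all; after the templates post's copy-and-restart step the same command run with `complain` while testing, and with `enforce` once finished, tells you exactly which profiles still need attention.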

Create a New Profile
To get the protection you need, you will have to create a profile for each application you want to protect. For Postfix this means creating a profile for each program that Postfix needs in order to function correctly.

The aa-genprof command is used to create a new profile. From a terminal, as root, use the command aa-genprof:

sudo aa-genprof executable

The first question you will be asked when you begin creating a profile is whether you want to connect to the repository. This repository, which was hosted by Suse, saves profiles created by many different users and distros, so it is probably not a good idea to enable it; create your own profile.

The second question will look like this:

[(S)can system log for SubDomain events] / (F)inish

At this point you need a working Postfix, including your spam protection and anti-virus protection. AppArmor will scan the system log for events generated while Postfix ran so you can build the profile, so run Postfix by sending mail through it and let AppArmor detect all of the programs the profile needs. Then select "S" to scan for changes. Do this several times and note that you may be asked to accept additions to the profile as it is created. Once you have answered all of the questions, choose finish to complete the profile.

sudo aa-genprof /usr/sbin/postfix

Repository: http://apparmor.test.opensuse.org/backend/api

Would you like to enable access to the
profile repository?

(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Writing updated profile for /usr/sbin/postfix.
Setting /usr/sbin/postfix to complain mode.

Please start the application to be profiled in
another window and exercise its functionality now.

Once completed, select the “Scan” button below in
order to scan the system logs for AppArmor events.

For each AppArmor event, you will be given the
opportunity to choose whether the access should be
allowed or denied.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.

Profiling: /usr/sbin/postfix

[(S)can system log for SubDomain events] / (F)inish

Here is an example of the basic Postfix profile (found in /etc/apparmor.d), note this is just the start.

# Last Modified: Wed Oct  8 17:42:02 2008
#include <tunables/global>
/usr/sbin/postfix {
#include <abstractions/base>

/usr/sbin/postfix mr,
}

Create the profile in complain mode so that you can test.  It can be changed once you are sure it works correctly.

sudo aa-complain /usr/sbin/postfix

You can change the mode to enforce with this command:

sudo aa-enforce /usr/sbin/postfix

Basic Commands
Each of these commands must be run as root.

aa-autodep       create a minimal profile
aa-enforce       enforce the profile created
aa-complain      log violations but do not enforce the profile
aa-audit         check the profile
aa-logprof       look for error messages, give each a severity level and then offer the option to accept a correction or not
aa-unconfined    list all the network applications that are not protected

Profiles are saved in  /etc/apparmor.d.

This is only a start, and the process is incomplete until you protect each application that is related to Postfix. Be sure to check out the post on using the pre-built profiles.