
Category 'server'

Exim4 on Ubuntu 9.04

I’ve been working throughout the whole week to solve the mail-sending problem on the new box. The thing is that I have created an online form and the completed form should be sent to an appointed email address. I have been using Sendmail as the MTA (Mail Transport Agent) but it fails to function properly. The log file shows that it failed to send the email to the appointed email hosts, and whenever it spots the same domain name (local), it won’t send the email although I have continuously changed the settings, rebooted the box, edited php.ini, etc. I tried to find solutions in the Ubuntu Forums and some of them suggest replacing the MTA, Sendmail, with Exim. I have been a Sendmail user since my first cup of Ubuntu, as it is used with the default PHP configuration, and I had never tried Exim, but since Sendmail is not working as it is supposed to, I’m giving Exim a try. My first couple of trials with Exim still didn’t solve the matter and I had to reinstall it a couple of times since I had messed with the configuration file. Thankfully apt-get saves most of my time. (just run apt-get install exim4 <- current version)

The configuration of Exim is more user friendly than Sendmail’s and it’s easier to understand the settings, as the configuration’s user interface takes you step by step with details and explanation. To configure Exim through the user interface, issue the following command:

dpkg-reconfigure exim4-config

Manual configuration can be done by editing the /etc/exim4/update-exim4.conf file, but then we have to run:

update-exim4.conf

and restart the exim4 process for the configuration to take effect. The process should be running and listening on port 25 (smtp).

Exim4 process running and listening on port 25

To check the installation, run the mail command (install mailutils first), try sending mail and refer to the log file for the status. The mail may arrive late in your inbox the first time, sometimes delayed up to 7 hours, as it may be queued for a spam check by the recipient server, but it should be OK after that.

Send mail and tail the log

There seems to be no error whatsoever in the log, but I can’t receive the mail on my Yahoo account. In the previous log, it says that Yahoo gives a “421 message deferred” error. It seems that Yahoo is filtering the message and considering it as spam, etc. No luck on Yahoo I guess..whatever..I won’t be using Yahoo for the apps (and I don’t want to waste my time contacting them). I tried to figure out why the message could not be received by Yahoo Mail and I think it must be something related to the mail header. So I opened the received mail in my Gmail account and inspected the message header:

email header shows SPF: Neutral

The SPF (Sender Policy Framework) check, an extension of RFC2822, shows that the query was neutral. Maybe Yahoo Mail is being strict on this…maybe. As you can see in the above image, inspecting email headers is very interesting too, as you can trace the sender’s IP, location, mail client, etc. These are some of the tricks used to bust spammers, anonymous mailers, etc. hehe~. In the end, Exim works as my box’s new MTA.
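A neutral SPF result means the sending domain publishes nothing that either authorizes or forbids the box’s IP, which is what a receiver sees when no record (or only ?all) exists. The following is an added example, not code from the post: a minimal POSIX sh evaluator for the ip4: and all mechanisms that shows how a published record turns the result into pass or fail (the record, IPs and function names are constructed for illustration).

```shell
#!/bin/sh
# Minimal SPF evaluator for the ip4: and all mechanisms (RFC 4408 semantics).
# Added example; not code from the post. Qualifiers: + pass, - fail, ~ softfail, ? neutral.

# ip4_to_int 203.0.113.7  ->  3405803783
ip4_to_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# cidr_match <ip> <network>[/<prefix>]  ->  exit status 0 when ip lies inside the network
cidr_match() {
    cm_ip=$(ip4_to_int "$1")
    cm_net=$(ip4_to_int "${2%%/*}")
    case "$2" in */*) cm_bits="${2#*/}" ;; *) cm_bits=32 ;; esac
    # POSIX awk has no bitwise AND; clearing the low (32-bits) bits via modulo is equivalent.
    awk -v ip="$cm_ip" -v net="$cm_net" -v bits="$cm_bits" 'BEGIN {
        low = 2 ^ (32 - bits)
        exit (((ip - ip % low) == (net - net % low)) ? 0 : 1)
    }'
}

# spf_check "<spf txt record>" <sending ip>  ->  pass | fail | softfail | neutral | none
# Mechanisms that need DNS (a, mx, include) are skipped, since this is an offline check.
spf_check() {
    case "$1" in v=spf1*) ;; *) echo none; return 0 ;; esac   # no record published: "none"
    for sp_term in $1; do
        sp_q="+"; sp_mech="$sp_term"
        case "$sp_mech" in [+~?-]*) sp_q=$(printf '%.1s' "$sp_mech"); sp_mech="${sp_mech#?}" ;; esac
        sp_hit=1
        case "$sp_mech" in
            all)   sp_hit=0 ;;
            ip4:*) if cidr_match "$2" "${sp_mech#ip4:}"; then sp_hit=0; fi ;;
            *)     continue ;;
        esac
        if [ "$sp_hit" -eq 0 ]; then
            case "$sp_q" in
                "+") echo pass ;;      "-") echo fail ;;
                "~") echo softfail ;;  "?") echo neutral ;;
            esac
            return 0
        fi
    done
    echo neutral   # no mechanism matched: the default result is neutral
}
```

Publishing a record such as `v=spf1 ip4:<the box’s public IP> -all` for the sending domain is what moves a receiver’s verdict from neutral to pass.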

References:
Ubuntu documentation to install Exim4
OpenSPF

rootkit

Problems..they never stop!

(9-12/6)
I have set up a file server running on a Dell PowerVault 725N using Win2k3 as the OS (Windows..makes life easier..). The box was set to join the domain on PKK’s network so that every authorized user may access the box. Working with the access rules, domain configuration, etc. is something new to me. After spending about 2 hours trying to understand and experiment with the configs, the box was successfully accessible throughout the network. I have also set a pointer record in the domain controller to resolve the box’s IP address. Everything went fine and I even ran a few tests to make sure it is 100% ready for deployment. The only thing left that I have to do is to see the box’s user tomorrow morning and teach her the steps to insert the data.

The next day, when I was about to give a step-by-step tutorial to the user, I tried to connect to the box from the user’s PC but it was inaccessible. It gave me error messages that the target path was not found and that I had no authorization to log in to the target machine. Then I checked the DNS settings on the domain controller: no problems found; checked the shared folder permission settings: no problems found. Strange. I went back to the server and reset the access permissions, but it was still inaccessible. The ACL was intact, no changes whatsoever. Then I figured it must be viruses messing with the box configuration. But after running a few manual checks (still no AV installed), I couldn’t find any modification to the system/registry. Then I installed Symantec AV, but the AV sucks so much that I had to remove it half an hour after installation. It uses too much memory and it couldn’t detect any problem (I am SURE there must be something hidden inside the system). Then I installed Kaspersky but it could not get the latest updates. It gave an “Unable to resolve DNS” error. Something had overridden the DNS table and even flushdns wouldn’t work. This is not some ordinary virus, it must be some kind of worm/rootkit. So, I installed GMER, a rootkit detector/remover. After running a scan, it detected that a “service” was hooking into the svchost process and had made changes in the registry. Positive rootkit activity!..fuck!..I disabled the service and the Kaspersky updates were successful, but the AV also failed to detect the rootkit source. Manual removal of the registry strings was unsuccessful. I could not delete/modify any of the modified settings. I deleted one of the hooked svchosts and restarted the box, but Windows gave a startup error and after running another rootkit scan, the “service” was started AGAIN! damn!
It’s impossible to delete the “service” as it is hooked into a Windows file, and even after I disable the service, the modified registry settings will override my changes!

What the rootkit does:

  • modifies registry settings and includes itself as a legit system process
  • blocks all DNS lookups pointing to EVERY anti virus/anti rootkit site (EVERY site: Nod32, AVG, Symantec, etc.)
  • modifies security policy settings, blocking all network connections

This is the cause of my problem. It overrides the security policy, removes EVERYONE’s access from the network and added 2 fake users with random strings as the usernames.

So, how did I remove the rootkit?
- I formatted the box again. As simple as that, since I cannot remove it manually.

After a fresh installation of Win2k3, the settings that took almost 2 hours the first time only take about 10 minutes now.

The question that still bothers me: where did the rootkit come from?
I left the box untouched for not more than 20 hours after the OS installation, I didn’t access the internet, etc. Where is the source?

Finally, Ubuntu 9.04 on PE4600

Last week was my battle with OS installation on the Dell PowerEdge 4600 and after several failures of Fedora installation on the box, I finally managed to get Ubuntu 9.04 running as the system! A big relief for a n0ob like me. So, the OS problem was settled and it took me the whole day (last Tuesday) to finish the installation on a couple of servers. Application installation and updates went smoothly. Among the installed components were OpenSSL for additional cryptography on the box for web app deployment, Apache2 as the web server, MySQL as the database engine with phpMyAdmin for database management, and VSFTPD for FTP server deployment. Another box (intended as an application server) was left untouched after the OS installation as we were running out of DMZ ports on the router.

The server will be used for PKK’s new web server and the next day, the web development began. The old site is using Joomla 1.0 with about 14000+ user profiles that have to be transferred to the Joomla 1.5 database. The migration was a bit difficult and confusing, not only because of the massive amount of data that I had to handle, but also because of the differences between the two versions’ database structures. However, the migration was successful and all of the user profiles remain intact.

Fedora 10 on PowerEdge 4600

I’ve installed Fedora Core 6 on a Dell PowerEdge 4600 before and this whole week I’ve been trying to upgrade the previous installation to Fedora 10. However, I can’t get it running on the box. The installation went smoothly without any error, but whenever I have to reboot the system to complete the installation, it cannot load the newly installed OS. I kept getting many types of errors, SCSI…PS/2…boot…dev/sda…fail…bla..bla..and bla…I have no idea how to eliminate all of those stupid warnings. I’ve tried fixing the BIOS, boot, RAID config, etc. but it seems that everything I’ve done was not working. The errors are still there! damn!…I’m getting tired of those stupid servers! I’ve got 3 boxes to be set up by next week: one for a web server, another for an application server and the last one for a proxy server. Previously all of them were running Windows Server 2k/2k3 and my job is to eliminate those Wins from the boxes.

I will be trying Ubuntu 9.04 on those boxes next week. I want to test Fedora 11 on those boxes, but the launch date of Fedora 11 Leonidas has been pushed back from 2nd to 9th June 2009.

brute force on ssh

I was doing a bit of maintenance on my server when I discovered a brute force attempt on port 22 (SSH). The brute force activity came from several IP addresses and it seems that the crackers were targeting the root account and, in some cases, they were using dictionary attacks on the username.

The IP addresses involved in the cracking activities were 61.132.120.221 / 190.2.37.65 / 85.25.144.136 / 85.14.221.75 / 69.80.235.135 / 202.129.29.133 (brute forcing the root account) and 61.136.145.5 / 85.14.221.75 / 202.129.29.133 / 190.65.162.154 / 74.63.192.11 (brute forcing user accounts). The most fucking culprit in the cracking activities is 85.25.144.136, which has kept attacking since 3 days ago. Geez! What a fucking auto-bot. The IPs were traced back to some boxes, probably zombies, and some were coming from various locations throughout China, USA, etc.

To prevent the fuckers / future fuckers from flooding my log files with shitz, I could easily change the SSH port (/etc/ssh/sshd_config) to something other than the default (port 22), but I’m afraid this might affect some configs on the HyperVM control panel, and if they’re doing port scanning on my box, they can still find the SSH port and continue their attack. Instead, I’ll use iptables as a firewall to block any unauthorized attempt to reach the SSH console.

Since my box is not equipped with iptables, I need to install the package first. A simple installation using apt-get:

root@vps:~# apt-get install iptables

Then I reconfigured my box to drop any ICMP request so that my box will not respond to any ping request. This is useful to prevent host discovery and target scanning.

root@vps:~# iptables -A INPUT -p icmp -j DROP

And then, to prevent attacks on the ssh port, I install SSHGuard:

root@vps:~# apt-get install sshguard

Following the documentation page, I reconfigured SSHGuard to suit my system using syslog and iptables.

Create a new blocking chain for sshguard:
root@vps:~# iptables -N sshguard

Protect port 22 using sshguard:
root@vps:~# iptables -A INPUT -p tcp --dport 22 -j sshguard

**To install the killall command (as in the instructions), run:

apt-get install psmisc

The new iptables list is as below:

root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       icmp --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination

Finally, I rebooted my box for the new configuration to take effect. Now, die Noobs!

**Update:

After a few hours of setting up the firewall, I got my first victim! Kill sKiddies! Die Noobs!

The victim’s IP is now blocked from accessing my server for a certain time:

root@vps:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       icmp --  anywhere             anywhere


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  89-97-241-4.ip19.fastwebnet.it  anywhere

All requests from every protocol (tcp, udp, etc.) on every port from the attacker’s hostname are dropped. The auth.log file shows the process that sshguard performed on the attacker’s IP:

root@vps:~# cat /var/log/auth.log
Jan 20 17:27:58 vps sshguard[3511]: Releasing 89.97.241.4 after 521 seconds.
Jan 20 17:27:58 vps sshguard[3511]: Setting environment: SSHG_ADDR=89.97.241.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Jan 20 17:27:58 vps sshguard[3511]: Run command "case $SSHG_ADDRKIND in 4) exec /sbin/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /sbin/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.

The IP is blocked for 521 seconds (about 9 minutes) and after that the IP is automatically removed from iptables. Although the ban is not permanent, this can stop automatic bots from continuing to waste my bandwidth and flooding my log file with crapz.
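sshguard does this triage automatically from the syslog feed; to see what it is reacting to, here is an added example (not code from the post or from sshguard) that runs the same counting over auth.log lines by hand, separating root-focused attempts from dictionary attacks on usernames as the post distinguishes them. The log lines, IPs and function names are constructed for illustration.

```shell
#!/bin/sh
# Triage of SSH brute-force sources in auth.log. Added example; not code from the post.
# Constructed sample lines in OpenSSH auth.log format (not the post's real log):
SAMPLE_AUTH_LOG='Jan 20 17:20:01 vps sshd[2201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 20 17:20:03 vps sshd[2203]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 20 17:20:04 vps sshd[2204]: Failed password for invalid user admin from 203.0.113.45 port 51244 ssh2
Jan 20 17:20:05 vps sshd[2205]: Invalid user oracle from 198.51.100.7
Jan 20 17:20:06 vps sshd[2206]: Failed password for invalid user oracle from 198.51.100.7 port 40110 ssh2
Jan 20 17:20:09 vps sshd[2207]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Jan 20 17:20:12 vps sshd[2208]: Failed password for deploy from 192.0.2.10 port 40030 ssh2'

# ssh_offenders <threshold>
# Reads auth.log lines on stdin and prints, for each source IP with at least <threshold>
# failed password attempts: "<ip> <failures> <root_attempts> <invalid_user_attempts>",
# busiest source first. Only "Failed password" lines are counted, so the bare
# "Invalid user ... from" line is not double-counted.
ssh_offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            fails[ip]++
            if ($0 ~ / for root from /) root[ip]++        # hammering the root account
            if ($0 ~ / for invalid user /) inv[ip]++      # dictionary attack on usernames
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit)
                    printf "%s %d %d %d\n", ip, fails[ip], root[ip] + 0, inv[ip] + 0
        }
    ' | sort -k2,2nr
}

# Stand-alone run over the constructed sample: flags every source with 2 or more failures.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_offenders 2
```

Rules added with iptables -A live only in kernel memory, so a reboot discards them unless they are first saved with iptables-save and restored at boot. Against a real log, replace the sample with `ssh_offenders 5 < /var/log/auth.log`.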

New VPS again

I bought a new box a few weeks ago but hadn’t used it until today. I have just set up a simple HTTP server with PHP support using Lighttpd with PHP CGI. A step-by-step installation procedure is as below, starting from adding the repositories until getting the web server running. Btw, I’m using Ubuntu Linux as my distro (I like it very much!).

The first and most basic thing to do is to install a text editor, since a new box will only have the server core without any software installed. I choose nano as it’s the most basic and easiest text editor to use.

root@vps:~# apt-get install nano

Then, proceed with adding extra repositories.

root@vps:~# nano /etc/apt/sources.list

and add the Universe and Multiverse repositories.

deb http://us.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy universe
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates universe

deb http://us.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ hardy-updates multiverse

Then run an update to fetch the latest package lists.

root@vps:~# apt-get update

Install new applications on the box. In my case, I’ll install zip, unzip, rar, unrar and wget, since these will be handy should I download something to my box and need to extract the contents.

root@vps:~# apt-get install {zip,unzip,rar,unrar,wget}

I’m using { } (curly brackets) to install multiple packages at once.

The next step is to install Lighttpd with all of the required components.

root@vps:~# apt-get install lighttpd
# this will install the lighttpd web server

root@vps:~# apt-get install php5-cgi
# this will install php5-cgi (compatible with lighttpd)

root@vps:~# lighty-enable-mod fastcgi
# this will enable FastCGI support in lighttpd

root@vps:~# apt-get install php5-curl
# this will install the curl extension for PHP

After that, reload the web server.

/etc/init.d/lighttpd force-reload

You can also edit the lighttpd server settings in /etc/lighttpd/lighttpd.conf and reload the server once more after making changes.

A new web server is now running and ready to serve!
