Exim Spamming

1. Check the number of emails present in the queue:
# exim -bpc

2. Check the emails present in the queue with the mail id and sender ID:
# exim -bp

3. View the header of a particular email using mail ID:
# exim -Mvh mail_id

4. View the body of a particular email using mail ID:
# exim -Mvb mail_id

5. View a message’s logs:
# exim -Mvl mail_id

6. To trace how Exim would route an address (with debugging output):
# exim -d -bt user@domain.com

7. To get a list of senders in the Exim queue, sorted by number of queued messages:
# exim -bpr | grep "<" | awk '{print $4}' | cut -d "<" -f 2 | cut -d ">" -f 1 | sort | uniq -c | sort -n

8. To find the directories (and so the scripts) from which mail is being injected; the cwd= entries are written when Exim logs its command-line arguments:
# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

9. To find the exact spamming script, list the user's processes whose environment points at the suspect directory (replace user and the path with those found in step 8):
# ps auxwwwe | grep user | grep --color=always "/home/user/public_html/templates/" | head

10. To delete the emails of a specific user (the first form scans the spool files directly, the second the queue listing):
# grep -lr 'user@domain.com' /var/spool/exim/input/ | sed -e 's/^.*\/\([a-zA-Z0-9-]*\)-[DH]$/\1/g' | sort -u | xargs exim -Mrm
# exim -bp | grep "user@domain.com" | awk '{print $3}' | xargs exim -Mrm

11. To delete Frozen emails from the email queue:
# grep -R -l -F '*** Frozen' /var/spool/exim/msglog/* | sed 's#.*/##' | xargs exim -Mrm
# exim -bp | grep frozen | awk '{print $3}' | xargs exim -Mrm
# exiqgrep -z -i | xargs exim -Mrm

12. To delete Spam emails from the email queue:
# grep -R -l -F '[SPAM]' /var/spool/exim/msglog/* | sed 's#.*/##' | xargs exim -Mrm

13. To check the number of frozen mails:
# exiqgrep -z -c
# exiqgrep -z | wc -l
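The queue and log pipelines from items 7, 8, 11 and 13, rewritten as shell functions that run offline over constructed sample data (an added example, not part of the original page). The `exim -bp` listing and the exim_mainlog lines below are made up for the demonstration; the frozen-message check scans the queue listing text instead of calling exiqgrep.

```shell
#!/bin/sh
# Added example, not from the original page: offline versions of the queue
# and log pipelines from items 7, 8, 11 and 13, run over constructed data.

# Constructed sample of `exim -bp` output: two queued messages from one
# sender (one of them frozen) and one ordinary message.
QUEUE_SAMPLE=$(cat <<'EOF'
 2h  1.3K 1abcde-000001-AB <bad@example.test>
          victim1@example.org

10m   800 1abcde-000002-AC <bad@example.test> *** frozen ***
          victim2@example.org

 5m  2.1K 1abcde-000003-AD <good@example.net>
          friend@example.org
EOF
)

# Constructed sample of exim_mainlog "cwd=" lines, the form Exim writes when
# it logs its command-line arguments (log_selector +arguments).
LOG_SAMPLE=$(cat <<'EOF'
2023-01-01 10:00:01 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:02 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:03 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:04 cwd=/home/user/public_html/templates 3 args: /usr/sbin/sendmail -t -i
EOF
)

# stdin: `exim -bp` output. Prints "<count> <sender>", busiest sender last.
queue_sender_summary() {
  grep '<' | awk '{print $4}' | tr -d '<>' | sort | uniq -c | sort -n
}

# stdin: `exim -bp` output. Prints the sender with the most queued messages.
top_queue_sender() {
  queue_sender_summary | tail -n 1 | awk '{print $2}'
}

# stdin: `exim -bp` output. Prints frozen message IDs, one per line,
# in the form `xargs exim -Mrm` expects.
frozen_message_ids() {
  grep 'frozen' | awk '{print $3}'
}

# $1: path to an Exim main log. Prints "<count> cwd=<dir>", busiest last.
cwd_summary() {
  grep -o 'cwd=[^ ]*' "$1" | sort | uniq -c | sort -n
}

# $1: path to an Exim main log. Prints the directory that invoked sendmail most.
top_cwd() {
  cwd_summary "$1" | tail -n 1 | awk '{print $2}' | cut -d= -f2
}

LOG_FILE="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$LOG_FILE"' EXIT
printf '%s\n' "$LOG_SAMPLE" > "$LOG_FILE"

echo "Queued messages per sender:"
printf '%s\n' "$QUEUE_SAMPLE" | queue_sender_summary
echo "Frozen message IDs:"
printf '%s\n' "$QUEUE_SAMPLE" | frozen_message_ids
echo "Directories injecting mail:"
cwd_summary "$LOG_FILE"
```

On a live server, replace the sample variables with `exim -bp` and `/var/log/exim_mainlog`; the functions read the same format.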

14. To check exim logs:
# tail -f /var/log/exim_mainlog

15. Force delivery of one message:
# exim -M mail_id

16. Force another queue run:
# exim -qf

17. Force another queue run and attempt to flush frozen messages:
# exim -qff

18. To check if there are frozen emails:
# exiqgrep -z

19. To clear just one email:
# exim -Mrm mail_id

20. Check the subjects of the queued emails:
# exiqgrep -i | awk '{ print "exim -Mvh " $1 }' | sh | grep -i Subject

21. This shows the IPs connected to the server on port 25. If one particular IP has more than 10 connections, you can block it in the server firewall.
# netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
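The port-25 connection count from item 21 as a function over `netstat -plan` text, with the 10-connection threshold applied automatically (an added example, not part of the original page). The socket table below is constructed; the port is stripped with a regex rather than `cut -d:` so IPv6-mapped remote addresses are not truncated at their first colon.

```shell
#!/bin/sh
# Added example, not from the original page: count connections to local port
# 25 per remote address and flag those above a threshold, on constructed data.

NETSTAT_SAMPLE=$(
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/exim
tcp        0      0 10.0.0.5:25             198.51.100.4:40001      ESTABLISHED 1240/exim
tcp        0      0 10.0.0.5:443            203.0.113.7:40002       ESTABLISHED 2000/httpd
tcp6       0      0 ::ffff:10.0.0.5:25      ::ffff:192.0.2.9:40003  ESTABLISHED 1241/exim
EOF
# twelve connections to port 25 from one constructed address
awk 'BEGIN { for (i = 0; i < 12; i++)
  printf "tcp        0      0 10.0.0.5:25             203.0.113.7:%d      ESTABLISHED 125%d/exim\n", 50000 + i, i }'
)

# stdin: `netstat -plan` output. Prints "<count> <remote-ip>" for every remote
# address with a non-listening TCP connection to local port 25, busiest last.
smtp_conn_summary() {
  awk '$1 ~ /^tcp/ && $6 != "LISTEN" && $4 ~ /:25$/ {
         ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++
       }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -n
}

# $1 = connection threshold; stdin as above. Prints remote IPs with more
# connections than the threshold (the text uses 10).
heavy_smtp_clients() {
  smtp_conn_summary | awk -v max="$1" '$1 > max { print $2 }'
}

echo "Connections to port 25 per remote address:"
printf '%s\n' "$NETSTAT_SAMPLE" | smtp_conn_summary
echo "Addresses over the limit of 10:"
printf '%s\n' "$NETSTAT_SAMPLE" | heavy_smtp_clients 10
```

Live use is `netstat -plan | heavy_smtp_clients 10`; review the listed addresses before adding any firewall rule, since a legitimate relay or monitoring host can also hold many connections.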

22. The following command gives a summary of the mail queue, grouped by domain:
# exim -bpr | exiqsumm -c | head

Hardening a cPanel server

Please go through the below steps to harden a cPanel server for better security

==========================

Hardening of a cPanel server

This assumes CSF (ConfigServer Security & Firewall) is installed on the server; if it is not, install it first.

Go to WHM >> Plugins >> ConfigServer Security & Firewall >> Check Server Security

Do the following Tweaks on the server end as per the CSF security checks:

RESTRICT_SYSLOG option check (3 restricts access to the syslog/rsyslog socket to members of the group named in RESTRICT_SYSLOG_GROUP)

vi /etc/csf/csf.conf

Change RESTRICT_SYSLOG = "0" to RESTRICT_SYSLOG = "3"

LF_SCRIPT_ALERT option check (1 makes lfd alert when a directory sends more than LF_SCRIPT_LIMIT emails per hour, using the cwd= entries in the Exim log)

vi /etc/csf/csf.conf

Change LF_SCRIPT_ALERT = "0" to LF_SCRIPT_ALERT = "1"

SYSLOG_CHECK option check (300 makes lfd verify every 300 seconds that syslog is still logging)

Change SYSLOG_CHECK = "0" to SYSLOG_CHECK = "300"

PT_ALL_USERS option check (1 makes Process Tracking cover all Linux users, not only cPanel accounts)

Change PT_ALL_USERS = "0" to PT_ALL_USERS = "1"

Check SSH on non-standard port

vi /etc/ssh/sshd_config

Uncomment the line 'Port'

Give a custom port

example:

Port 666

Restart ssh service

/etc/init.d/sshd restart

edit csf config file

vi /etc/csf/csf.conf

Add the new port to the following parameters so csf allows it (666 here matches the example above); keep your existing SSH session open until you have confirmed you can connect on the new port:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,666"

TCP_OUT = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,666"
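The csf.conf edits above (the four option changes and adding the SSH port to TCP_IN/TCP_OUT) as idempotent shell helpers with a verification step, an added example that is not part of the original page or of CSF itself. It works on a constructed sample file rather than /etc/csf/csf.conf and does not run `csf -r`; point CSF_SAMPLE at the real file to use it on a server.

```shell
#!/bin/sh
# Added example, not from the original page or from CSF: apply the csf.conf
# tweaks from the checklist idempotently and verify them, on a sample file.

CSF_SAMPLE="${TMPDIR:-/tmp}/csf.conf.sample.$$"
trap 'rm -f "$CSF_SAMPLE" "$CSF_SAMPLE.tmp"' EXIT

# Constructed sample with the defaults the checklist tells you to change.
cat > "$CSF_SAMPLE" <<'EOF'
# constructed sample resembling /etc/csf/csf.conf
TESTING = "0"
RESTRICT_SYSLOG = "0"
LF_SCRIPT_ALERT = "0"
SYSLOG_CHECK = "0"
PT_ALL_USERS = "0"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
TCP_OUT = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
EOF

# $1 = csf.conf path, $2 = option name. Prints the value between the quotes.
get_csf_option() {
  sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"
}

# $1 = csf.conf path, $2 = option name, $3 = new value. Rewrites the line
# (or appends it if missing), so re-running is harmless.
set_csf_option() {
  if grep -q "^$2 = " "$1"; then
    sed "s|^$2 = \"[^\"]*\"|$2 = \"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s = "%s"\n' "$2" "$3" >> "$1"
  fi
}

# $1 = csf.conf path, $2 = TCP_IN or TCP_OUT, $3 = port. Appends the port
# to the comma-separated list unless it is already present.
add_csf_port() {
  cur=$(get_csf_option "$1" "$2")
  case ",$cur," in
    *",$3,"*) ;;
    *) set_csf_option "$1" "$2" "$cur,$3" ;;
  esac
}

# $1 = csf.conf path. Checks the four values from the checklist, prints each
# mismatch and returns 1 if any is found, 0 otherwise.
csf_audit() {
  rc=0
  for pair in RESTRICT_SYSLOG=3 LF_SCRIPT_ALERT=1 SYSLOG_CHECK=300 PT_ALL_USERS=1; do
    key=${pair%%=*}
    want=${pair#*=}
    have=$(get_csf_option "$1" "$key")
    if [ "$have" != "$want" ]; then
      echo "MISMATCH: $key = \"$have\" (expected \"$want\")"
      rc=1
    fi
  done
  return $rc
}

echo "Before:"
csf_audit "$CSF_SAMPLE" || true

set_csf_option "$CSF_SAMPLE" RESTRICT_SYSLOG 3
set_csf_option "$CSF_SAMPLE" LF_SCRIPT_ALERT 1
set_csf_option "$CSF_SAMPLE" SYSLOG_CHECK 300
set_csf_option "$CSF_SAMPLE" PT_ALL_USERS 1
# 666 is the example SSH port from the checklist; use the port you chose.
add_csf_port "$CSF_SAMPLE" TCP_IN 666
add_csf_port "$CSF_SAMPLE" TCP_OUT 666

echo "After:"
csf_audit "$CSF_SAMPLE" && echo "csf.conf matches the checklist"
```

Running `csf_audit` on its own is a quick way to confirm a server still matches the baseline after a CSF upgrade or a manual edit; remember that real changes only take effect after `csf -r`.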

Check SSH UseDNS

vi /etc/ssh/sshd_config

Uncomment the line 'UseDNS' and change it to the following

UseDNS no

Restart ssh service

/etc/init.d/sshd restart

Check Background Process Killer

Go to Home » System Health » Background Process Killer

Tick all the processes and click save button

Check root forwarder

vi /root/.forward

Add an email address to this file to receive all alerts about the cPanel server at that address

Eg: sd1@ideaminetech.com

Check apache for TraceEnable

Go to WHM > Apache Configuration > Global Configuration > TraceEnable and change the value to 'Off'.

Check apache for ServerTokens

Go to WHM > Apache Configuration > Global Configuration > ServerTokens and change the value to 'ProductOnly'.

Check apache for FileETag

Go to WHM > Apache Configuration > Global Configuration > FileETag and change the value to 'None'.

Check mod_userdir protection

Go to WHM > Security Center > mod_userdir Tweak, tick the 'Enable mod_userdir Protection' box.

Click the Restart Apache button after saving the above configurations

Check php for disable_functions

Add the functions below to the disable_functions directive in the php.ini file

vi /usr/local/lib/php.ini

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Check php open_basedir protection

Go to WHM > Security Center > php open_basedir Tweak

Tick ‘Enable php open_basedir protection’ and click save

Check cPanel login is SSL only

Go to WHM > Tweak Settings, select the 'Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.' option and click 'Save'

Check BoxTrapper is disabled

Go to WHM > Tweak Settings > BoxTrapper Spam Trap, select 'Off' and click 'Save'

Check max emails per hour is set

Go to WHM > Tweak Settings > The maximum each domain can send out per hour, set the limit to your desired value and click 'Save'

Example: 150

Check compilers

Go to WHM > Security Center > Compilers Tweak, Click Disable compilers

Check FTP Logins with Root Password

Go to  WHM > FTP Server Configuration > Allow Logins with Root Password and select ‘No’

Click save

Check proxy subdomains

Go to WHM > Tweak Settings > Proxy subdomains and select ‘No’

Select ‘Save’

Check Cookie IP Validation

Go to WHM > Tweak Settings > Cookie IP validation, select 'Strict' and click 'Save'

Check Referrer Blank Security

Go to WHM > Tweak Settings > Blank referrer safety check, select 'On' and click 'Save'

Go to WHM > Tweak Settings > Referrer safety check, select 'On' and click 'Save'

Go to WHM > Tweak Settings > Hide login password from cgi scripts, select 'On' and click 'Save'

Check SMTP Restrictions

Go to  WHM > Security Center > SMTP Restrictions  and select ‘Disable’ button

Disable shell access for all accounts (except root)

You can disable shell access for all accounts via Home >> Account Functions >> Manage Shell Access

Select the 'Disable shell' radio button and click 'Apply to all'

Restart csf once all the above steps have been completed.

Restart csf via the command 'csf -r'
============================