Saturday, April 24, 2010

Debian Linux Server Security Checklist

SkyHi @ Saturday, April 24, 2010

File
system Security


There are certain files whose presence in the Linux
file system can
present a security risk and should be remedied as soon as possible.


When the SUID (set user ID) or SGID (set group ID) bits are set
on an executable, that program executes with the UID or GID of owner
of the file, as opposed to the user executing it. This means that
all
executables with SUID bit set and are owned by root are executed
with the UID of root. This situation is a security risk and should
be minimized
unless the program is designed for this risk.


To find all files on your file system that have the SUID or SGID
bit set, execute:


    # find / -path /proc –prune –o –type
    f –perm
    +6000 -ls

It is good practice to generate a list of SUID or SGID
files on your server as soon as possible, and re-run the above
command on
a regular
basis to ensure new
binaries with unsafe permissions are not being added to your server.


World-writable
files are a security risk as well. World-writable files and directories
are dangerous since it allows anyone to modify them. World-writable
directories
allow anyone to add or delete files.


To find all world-writable files and
directories, execute:


    # find / -path /proc –prune –o –perm
    -2 ! –type 1 –ls

Another file permission issue are files
not owned by any user or group. While this is not technically a
security vulnerability,
an audited system
should
not contain any unowned files. This is to prevent the situation where
a new user
is assigned a previous user’s UID, so now the previous owner’s
files, if any, are all owned by the new user.


To find all files that
are not owned by any user or group, execute:


    # find / -path /proc –prune –o –nouser –o –nogroup

Network
Security


To get a list of listening network ports, run the following:


    # netstat –tulp

Disable any ports that are not necessary. To
do so, kill the PID shown by netstat. The only port that your server
must be listening
on is
SSH (22/tcp).
Other
ports that will need to be listening depend upon the specific
purpose of your dedicated
server. Note that by killing the PID of the process you are
not preventing your server from starting the same service again on
bootup. To disable
services, see
below.


In order to see what programs your server is launching on startup,
execute the following:


    # chkconfig –list |grep on (Red hat systems)

    # ls –l /etc/rc2.d/S*
    | cut –d/ -f6 (Debian systems)

This command will show you which programs
are to be executed in which run levels. In Red hat, full multiuser mode
is 3. To disable a service permanently,
issue
the following:


    # chkconfig <service_name> off

To disable any service in Debian,
simply execute the following:


    # rm –f /etc/rc2.d/S*<service_name>

Please note that
the above commands do not actually disable the service, they simply
prevent the service from being executed
on startup.


User Security


The first thing you should take stock of are the users
with unlocked accounts. Users with unlocked accounts are allowed
to login if assigned
a valid shell,
and should be kept to a minimum.


To get a list of unlocked users,
execute the following:


    # egrep –v ‘.*:\*|:!' /etc/shadow|awk
    -F: '{print $1}'

If you do not recognize any user returned by the
above command, check to see if that user owns any files by executing:


    #
    find / -path /proc -prune -o -user <user_name> -ls

If the
user does not own any files, or files that will not hinder the
stability of your server, delete the user
by executing:


    # userdel –r <user_name>

TCP/IP Hardening


All of the following lines and values should be
added to the file /etc/sysctl.conf if you want to enable or
disable the
feature mentioned.
You will need
to restart your system for these changes to take
effect.



























TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1
Disable IP Source Routing net.ipv4.conf.all.accept_source_route = 0
Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0
IP Spoofing Protection net.ipv4.conf.all.rp_filter = 1
Ignoring Broadcasts Request net.ipv4.icmp_echo_ignore_broadcasts=1
Bad Error Message Protection net.ipv4.icmp_ignore_bogus_error_responses = 1

System Security


One of the most important
things you can do to protect your server is implementing very
basic
access control.
Access
control can
eliminate a majority of the
risk involved in running out of date services
on the Internet.


In order to implement an
effective access control policy on your dedicated server,
you will need
the following
pieces of
information:


- The IP address or addresses
of your Internet connection. For some, this may be one static
address, while for
others it is
a pool of
addresses. If you have
more than one Internet connection, please
be sure to get ALL the IP addresses you
could be assigned
at any
time.
You may
need to
contact your Internet
Service Provider for this information.


SSH


While we do not recommend anybody running
outdated software, especially something
as crucial as
SSH, a not insignificant
portion of the
risks involved in running
an outdated SSH server can be mitigated
by only allowing certain IP networks
to access
your SSH
server.


    # $IPTABLES –A INPUT –p
    tcp –dport 22 –s X.X.X.X/NN –j
    ACCEPT

The above line will allow TCP
packets destined for port 22 to be
accepted
if and only
if the source of the packets
are
within
the
network denoted
in X.X.X.X/NN.
If you have more than one Internet
connection, or
have multiple networks, simply add
another line, replacing
X.X.X.X/NN with
the proper values.


Control Panel Software


If your server is running a control
panel, you can also improve your
security by
implementing an access
control
policy on
the control panel administrative
port.















Plesk: $IPTABLES –A INPUT –p tcp –dport
8443 –s X.X.X.X/NN –j ACCEPT
Ensim: $IPTABLES –A INPUT –p tcp –dport
19638 –s X.X.X.X/NN –j ACCEPT
Cpanel: $IPTABLES –A INPUT –p tcp –dport
2082 –s X.X.X.X/NN –j ACCEPT

FTP Server


Another service you may want to implement
an access control policy on is
FTP. If you, or
a small handful
of people
are the only
allowed users
to
FTP into
your dedicated server, then you
will certainly benefit.


    $IPTABLES –A INPUT –p tcp –s
    X.X.X.X/NN –dport 20 –syn –j
    ACCEPT

    $IPTABLES –A INPUT –p
    tcp –s X.X.X.X/NN –dport
    21 –syn –j
    ACCEPT

Note that both of the above
lines must be executed for each
source
network.


For more information regarding the use of iptables on your
Linux based dedicated server, please look
over our iptables tutorial
.


REFERENCE
http://www.servepath.com/support/debian-security-checklist.php

Debian Linux apt-get package management cheat sheet

SkyHi @ Saturday, April 24, 2010

Both Debian and Ubuntu Linux provides a number of package management tools. This article summaries package management command along with it usage and examples for you.


(1) apt-get : APT is acronym for Advanced Package Tool. It supports installing packages over internet (ftp or http). You can also upgrade all packages in single operations, which makes it even more attractive.


(2) dpkg : Debian packaging tool which can be use to install, query, uninstall packages.


(3) Gui tools:

You can also try GUI based or high level interface to the Debian GNU/Linux package system. Following list summaries them:

(1) aptitude: It is a text-based interface to the Debian GNU/Linux package system.

(2) synaptic: GUI front end for APT


Red hat Linux package names generally end in .rpml similarly Debian package names end in .deb, for example:

apache_1.3.31-6_i386.deb


apache : Package name

1.3.31-6 : Version number

i386 : Hardware Platform on which this package will run (i386 == intel x86 based system)

.deb : Extension that suggest it is a Debian package


Remember whenever I refer .deb file it signifies complete file name, and whenever I refer package name it must be first part of .deb file. For example when I refer to package sudo it means sudo only and not the .deb file i.e. sudo_1.6.7p5-2_i386.deb. However do not worry you can find out complete debian package list with the following command:

apt-cache search {package-name}


apt-get add a new package


Add a new package called samba

Syntax: apt-get install {package-name}


# apt-get install samba

apt-get remove the package called samba but keep the configuration files


Syntax: apt-get remove {package-name}


# apt-get remove samba

apt-get remove (erase) package and configuration file


Syntax: apt-get --purge remove {package-name}


# apt-get --purge remove samba

apt-get Update (upgrade) package


Syntax: apt-get upgrade


To upgrade individual package called sudo, enter:

# apt-get install sudo


apt-get display available software updates


Following command will display the list of all available upgrades (updates) using -u option, if you decided to upgrade all of the shown packages just hit 'y'


# apt-get upgrade samba

However if you just wish to upgrade individual package then use apt-get command and it will take care of rest of your worries:

Syntax: apt-get install {package-name}


dpkg command to get package information such as description of package, version etc.


Syntax: dpkg --info {.deb-package-name}


# dpkg --info sudo_1.6.7p5-2_i386.deb | less

List all installed packages


Syntax: dpkg -l


# dpkg -l

To list individual package try such as apache


# dpkg -l apache

You can also use this command to see (verify) if package sudo is install or not (note that if package is installed then it displays package name along with small description):


# dpkg -l | grep -i 'sudo'

To list packages related to the apache:


# dpkg -l '*apache*'

List files provided (or owned) by the installed package (for example what files are provided by the installed samba package)

Syntax: dpkg -L {package-name}


# dpkg -L samba

(H) List files provided (or owned) by the package (for example what files are provided by the uninstalled sudo package)

Syntax: dpkg --contents {.deb-package-name}


# dpkg --contents sudo_1.6.7p5-2_i386.deb

Find, what package owns the file /bin/netstat?


Syntax: dpkg -S {/path/to/file}


# dpkg -S /bin/netstat

Search for package or package description


Some times you don’t know package name but aware of some keywords to search the package. Once you got package name you can install it using apt-get -i {package-name} command:

Syntax: apt-cache search "Text-to-search"


Find out all the Debian package which can be used for Intrusion Detection


# apt-cache search "Intrusion Detection"

Find out all sniffer packages


# apt-cache search sniffer

Find out if Debian package is installed or not (status)


Syntax: dpkg -s {package-name} | grep Status


# dpkg -s samba| grep Status

List ach dependency a package has...


Display a listing of each dependency a package has and all the possible other packages that can fulfill that dependency. You hardly use this command as apt-get does decent job fulfill all package dependencies.

Syntax: apt-cache depends package


Display dependencies for lsof and mysql-server packages:


# apt-cache depends lsof<br /># apt-cache depends mysql-server<br />

Further reading


REFERENCES
http://www.cyberciti.biz/tips/linux-debian-package-management-cheat-sheet.html

Ubuntu / Debian Linux: Services Configuration Tool to Start / Stop System Services

SkyHi @ Saturday, April 24, 2010

Your Debian / Ubuntu Linux box security depends upon access to system services (one of many aspects). For example, you may need to provide a web server (Apache service) to serve web pages. However, if you do not need use a service, you should always turn off all unused services to avoid exploits.


Traditionally, Debian provided various tools to manage services. There are various methods for managing access to system services:

a) /etc/init.d/service

b) rcconf

c) update-rc.d etc


Under Red hat and Centos Linux you can use chkconfig command (ntsysv command) to configure Sys V style init script links. There is also service command to stop / start / restart services.


So if you are addicted to the service command under RHEL / CentOS / Mandriva Linux and have wondered what to do in Debian / Ubuntu, Linux try sysvconfig package.


sysvconfig - Services Startup Configuration Tool


Debian and Ubuntu Linux also offers service command. It can be used to execute System V style init script stored at /etc/init.d/service-name { start|stop|restart|action }. This is good if you grown up with Red hat. This tool is equivalent to update-rc.d and invoke-rc.d (rcconf and others).


sysvconfig package


First, install sysvconfig package:

$ sudo apt-get install sysvconfig


To start / restart / stop service, use the following syntax:

$ sudo service {service-name} restart <-- Restart service

$ sudo service {service-name} stop <-- Stop service

$ sudo service {service-name} start <-- Start service


For example to stop apache service, enter:

$ sudo service apache stop


sysvconfig command


This is a text-based application that allows you to configure which services are started at boot time for each runlevel. It is simple interface for configuring runlevels. sysvconfig is just like ntsysv under Red hat Linux. It has dialog based interactive, menus to help automate setting up Sys V style init script links:


  • Enable or disable services.
  • Edit individual links.
  • Restore from backup file if you make a mistake.
  • Menu or command line interface.
  • View all services, each with its status and a brief description.

To start Sys V editor, enter:

$ sudo sysvconfig &



(Fig 01: sysvconfig in action - startup screen with menus)


You can enable or disable any system services:



(Fig 02: sysvconfig in action - Enable or Disable system services)


Please note that when you configure a new service using these tools, you may need to reconfigure firewall as well to open required ports.


REFERENCES

http://www.cyberciti.biz/tips/how-to-controlling-access-to-linux-services.html


Q. Under Red Hat or Cent OS chkconfig command provides a simple command-line tool for maintaining the /etc/rc[0-6].d directory hierarchy by relieving system administrators of the task of directly manipulating the numerous symbolic links in those directories. How do I control (or maintain Ubuntu runlevel) startup service under Debian or Ubuntu Linux with command line tool?


A. chkconfig is Redhat and friends only command. Debian or Ubuntu Linux offers different tools or command for same task.


Task: Command line tool to manage services / Ubuntu runlevel


update-rc.d automatically updates the System V style init script links /etc/rcrunlevel.d/NNname to scripts /etc/init.d/name. These are run by init when changing runlevels and are generally used to start and stop. For example turn on ssh service type the command:

# update-rc.d ssh defaultsOR$ sudo update-rc.d ssh defaults


Task: Remove service


Again use update-rc.d command:

# update-rc.d SERVICE-NAME removeOR$ sudo update-rc.d SERVICE-NAME remove


Task: Use Text based GUI Runlevel configuration tool to add or remove services


rcconf is Debian runlevel configuration tool. Rcconf allows you to control which services are started when the system boots up or reboots. It displays a menu of all the services which could be started at boot. The ones that are configured to do so are marked and you can toggle individual services on and off. If rcconf is not installed use apt-get command:

# apt-get install rcconfOR$ sudo apt-get install rcconf Now run rcconf and just follow on screen instructions:

# rcconf


REFERENCES

http://www.cyberciti.biz/faq/howto-runlevel-configuration-tool-to-start-service/

Debian Removing Unwanted Startup Files or Services

SkyHi @ Saturday, April 24, 2010
Under Debian Linux ( and most other distros) startup files are stored in /etc/init.d/ directory and symbolic linked between /etc/rcX.d/ directory exists. Debian Linux (Red Hat/ Fedora) uses System V initialization scripts to start services at boot time from /etc/rcX.d/ directory. Debian Linux comes with different utilities to remove unwanted startup file:

(A) rcconf

It is a console based interactive utility that allows you to control which services are started when the system boots up or reboots. It displays a menu of all the services which could be started at boot. The ones that are configured to do so are marked and you can toggle individual services on and off. To start rconf, login as root user and type rcconf

# rcconf  or sysvconfig





Debian rcconf - a console based utility to control startup services


Select the service you would like to enable or disable.

(B) sysv-rc-conf is yet another tool for for SysV like init script links under Debian Linux. To start sysv-rc-conf, login as root user and type sysv-rc-conf:

# sysv-rc-conf





Debian sysv-rc-conf - a console based advanced utility to control startup services


Select the service you would like to enable or disable.

Both sysv-rc-conf and rcconf are best tools to use on Remote Debian Linux or when GUI is not available, they are just like ntsysv command under Red Hat Linux.

(C) You can also use update-rc.d script as follows (update-rc.d removes any links in the /etc/rcX.d directories to the script /etc/init.d/service):

# update-rc.d -f {SERVICE-NAME} remove

For example to stop xinetd service at boot time, type the command as follows:

# update-rc.d -f xinetd remove


REFERENCES
http://theos.in/desktop-linux/removing-unwanted-startup-debian-files-or-services/

Friday, April 23, 2010

Email troubleshoot howto

SkyHi @ Friday, April 23, 2010


Using Email
Table of Contents: Introduction to Email (gs) Grid-Service (dv) Dedicated-Virtual Server Third-Party Applications Introduction to Email Your (mt) Media Temple service is always ready to accept messages using an email client such as Microsoft Outlook or Apple Mail. POP and IMAP are the two mo ...
Applies To: All Service Types





Introduction to uControl

The uControl panel is a tool for individual email accounts. It provides email users with a central place to edit various settings for their specific email names. This feature allows the Administrator or Owner of the account to give their users more privacy by enabling them to manage their own p ...
Applies To: (gs)





Can I have a static IP Address on the (gs) Grid-Service?
To better answer this question we must first explain how IP Addresses work on the (gs) Grid-Service. Due to the architecture of the (gs) Grid-Service incoming and outgoing connections will function differently. Let's first discuss IP Addresses for incoming connections. By default your (gs) Grid ...
Applies To: (gs)





(gs) Sending Mail using Ruby On Rails
WARNING: (mt) Media Temple only supports the basic operation and up-time of our (gs) Application Container Technology. Please consult our Scope of Support for further details. Ruby on Rails resources Initial Setup HOWTO Ruby on Rails Troubleshooting Summary: While it is definitely poss ...
Applies To: (gs)






Enabling / Disabling local mail for (dv) & (dpv) Dedicated-Virtual Servers.
When a domain is added within Plesk and your AccountCenter a mail service is automatically created. At that point any messages sent between (mt) Media Temple hosted services will attempt to deliver locally if a mail service is active for the receiving domain. If the domain is not actually usin ...
Applies To: (dpv) Nitro, All (dv)


Increasing qmail sending limits

WARNING: (mt) Media Temple only supports the basic operation and up-time of our (dv) & (dpv) Dedicated-Virtual Servers. Please consult our Scope of Support for further details. Customers should proceed with caution as this article is UNSUPPORTED by (mt) Media Temple and Plesk. The defa ...
Applies To: All (dv)





Enabling queuelifetime for Qmail
This guide will show you how to enable the queuelifetime option in Plesk. This file defines how long your server will attempt to process or deliver an email before bouncing it to the originating sender defined in the header of the email message. Login to your (dv) (dpv) Dedicated-Virtual Serv ...
Applies To: All (dv)





Disabling RBL spam protection
TIP: If you choose to use RBL's on your server please limit the number of lists you query. This will impact the performance of your mail server. To disable the RBL spam protection feature on your (dv) Dedicated-Virtual Server please do the following: Log into your Plesk Control Panel. Cho ...
Applies To: All (dv)



Launch



Changing Spamassassin to check emails larger than 250KB
Spamassassin by default will not check emails larger than 250 KB. This is limited to prevent spamassassin from generating a large load on the server. This article has been mirrored from the Parallels Knowledge Base as a courtesy to our (dv) Dedicated-Virtual Server customers. As they are the a ...
Applies To: All (dv)


How do I change the welcome message in Horde Webmail?
This article will explain how to change the name of Horde in the "welcome to Horde" message when logging into the webmail interface. This article has been mirrored from the Parallels Knowledge Base as a courtesy to our (dv) Dedicated-Virtual Server customers. As they are the authoritative sour ...
Applies To: All (dv)





When does Spamassassin begin to use the Spam filter database for filtering mails?
According to the Spamassassin documentation the Bayes system is not activated until a certain number of ham (non-spam) and spam has been learned. The default is 200 of each ham and spam messages. It means that Spamassassin begins to filter mails (according to your trainings) after 200 spam mail ...
Applies To: All Service Types






Managing Mail Groups in Plesk
This article will show you how to setup and manage mail groups using the Plesk Control Panel. A mail group simply allows you to create one email address, which can then be used to forward mail to multiple email users on the same domain. NOTE: We are using mt-example.com as an example. Please ...
Applies To: All (dv)





Horde webmail error: 'There was an error deleting messages from the folder "Inbox". [TRYCREATE] Mailbox does not exist.'

This article has been mirrored from the Parallels Knowledge Base as a courtesy to our (dv) Dedicated-Virtual Server customers. As they are the authoritative source of the information covered in this topic we encourage you to check their original article since this content is subject to change. ...
Applies To: All (dv)





How do I create email accounts on my (dv) Dedicated-Virtual Server?
This article will teach you how to create new email users on your (dv) Dedicated-Virtual server. Webmail access is also address at the bottom of this article. Setting up email is very simple. It consists of two basic steps: Adding one or more users on your hosting service. Configuring your c ...
Applies To: (dpv) Nitro, All (dv)


(dv) Add an Alternate SMTP Mail Port
Often Media Temple customers find themselves unable to send mail using the default SMTP port 25. Usually this happens because the customer's internet connection is being limited by the following: Restrictive firewalls are usually put in place where the public is provided access to the Interne ...
Applies To: All (dv)






HOWTO: SPF - All Purpose
NOTE: The authoritative source for this information can be found here: http://www.openspf.org/SPF_Record_Syntax . SUMMARY: Sender Policy Framework (SPF) is a relatively new method of fighting spam. As more time passes, this protocol will be used as one of the standard methods of fighting s ...
Applies To: All Service Types





How to View Email Headers
This is a simple resource on how to read the full email headers, also known as long headers or internet headers, from an email message in various email clients. Headers include such details as sender, recipient, subject, sending time stamp, receiving time stamps, and much more. They are very ...
Applies To: All Service Types





ISP Outgoing SMTP Server Listing.
Today many ISPs (Internet Service Providers) block the use of third-party SMTP servers, such as those for your (mt) Media Temple service. This is to prevent spamming on their networks, and many make this change without warning their customers. Please use the guide Checking your Outgoing Mail S ...
Applies To: All Service Types



Sending Email via an SMTP Server
SUMMARY: This is a general overview of guidelines for sending and troubleshooting outgoing / SMTP email on your domain. It is important to remember that (mt) Media Temple has secured your outbound mail server to only allow valid email users to send email through your server. This prevents Spamm ...
Applies To: All Service Types





Troubleshooting SMTP problems
SMTP or sending mail problems are common and usually easy to troubleshoot. This document will help customers troubleshoot SMTP problems on all (mt) Media Temple hosting platforms. The first step in any troubleshooting procedure is to try to identify and recreate the problem. Use your mail progr ...
Applies To: All Service Types





How do I move my emails from one address to another?
Email can be easily transferred from one IMAP email account to another using any modern email program. The information below is a simple guideline. These steps can vary depending on the email program used. NOTE: If your domain has not propagated to the new account, then you can set up your ...
Applies To: All Service Types






Understanding an Email Header.
The following guide is provided to learn how to read and understand an email header. To understand an email header we need to analyze the life of the email. Most of the time it appears that email is passed directly from the sender directly to the recipient. This isn't true: a typical email pas ...
Applies To: All Service Types


Sending or viewing emails using telnet
When troubleshooting email issues it may be useful to read or send emails from your server directly using the telnet application. This guide shows some basic steps to send an email from your server, and how to check your email using telnet. TIP: This article assumes that you know how to get ...
Applies To: All Service Types





Troubleshooting common issues with email
The following information will help assist you in troubleshooting email-related issues. If further help is needed please open a Support Request in the AccountCenter with your exact details. Understanding Email Limits (ss) / (gs) Outgoing Email Limitations The (ss) and (gs) services allow y ...
Applies To: All Service Types






Outgoing Email Limitations
There are 2 limits you need to be aware of regarding our (ss) and (gs) server outgoing mail limits: 50 emails per minute 500 emails an hour Sending at a rate higher than this may result in account suspension. In addition to any emails you would send from your email accounts in your day-to-da ...
Applies To: (gs), (ss)





"Disk Quota Exceeded" errors in emails

This error occurs when you have a disk quota for an account exceeded, or an email user no longer has enough space for the message being sent to them. Symptoms: You can no longer recieve emails. Emails bounce with a Disk Quota Exceeded error. Webmail stops working. Can not upload using FTP, e ...
Applies To: (ss)





Maximum email message size
The mail server may impose limitations on the maximum size of a email message that can be sent through the server which may cause errors. DETAILS: The maximum message size of an email that can be sent and received through the server is 10MB (the total size of the message itself and any attachmen ...
Applies To: (gs), (ss)





Getting Started with SquirrelMail Webmail
SquirrelMail is a standards-based webmail package written in PHP. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation. Login Enter your username in the name field (if in doubt: <username>@< ...
Applies To: (gs), (ss)





Why do I get duplicate emails?
Once in a while customers may receive a single email message more than one time. The messages are identical, with matching content and "Sent" dates. This article explains one common reason for receiving duplicate messages. How Email Servers Deliver Mail Assume that we're talking about a messag ...
Applies To: All Service Types






How can I change email passwords?
This guide will show a Server Adminstrator how to change the password for their Email Users. NOTE: Email users can change their own password via uControl. Please remember to use strong passwords. You can find a strong password generator at https://www.grc.com/passwords.htm. Login to the ...
Applies To: (gs)





(gs) HOWTO: Import your Address Book to WebMail
Did you know you can import your address book in CSV format to your @mail webmail application. DETAILS: First thing you will need to do is export your address book in CSV format. Consult your email program's help files on how to do this. Login to your webmail Click on 'Tools' > 'Address ...
Applies To: (gs)


(gs) HOWTO: Override Default Webmail Application.
SUMMARY: The (gs) Grid-Service utilizes a webmail application called "@mail" that we have set up. By default, this can be reached by simply navigating to http://webmail.mt-example.com/ . Although this software is very flexible and easy to use, we understand that there are many other options a ...
Applies To: (gs)






How do I create email accounts on my (gs) Grid-service?
This article will teach you how to create new email users on your (gs) Grid-service. Webmail access is also address at the bottom of this article. Setting up email is very simple. It consists of two basic steps: Adding one or more users on your hosting service. Configuring your computer's em ...
Applies To: (gs)





How to Enable or Disable local mail for your (gs) Grid-Service?
Symptoms If you are unable to create an email alias because your domain is not available in the drop-down list of your domains. If you have recently added a domain to your service that did not have MX records resolving to (mt) Media Temple your email for that domain is disabled by default. If ...
Applies To: (gs)





I attempted to send an email and it was rejected. The message was "Possible email abuse detected".
Your message may have had characteristics matching those of a typical spam message. As per our Acceptable Usage Policy, our systems were not able to allow your message to be sent because it was determined to be a possible spamming attempt. Spam is a large problem on the Internet and can lead to ...
Applies To: (gs)





Setting up and troubleshooting formmail
Overview Official documentation for formmail.pl can be found at http://www.scriptarchive.com/formmail.html. "FormMail is a generic HTML form to e-mail gateway that parses the results of any form and sends them to the specified users. This script has many formatting and operational options, mos ...
Applies To: (gs), (ss)






(gs) Mail Protect setup and usage
The following guide will show you how to mange the spam filter settings for your (gs) Grid-Service. MailProtect (Global Settings) Login to your (ac) AccountCenter Click on your Primary Domain Click on MailProtect (Anti-Spam) Configure your settings: Delivery: Move spam into IMAP sub ...
Applies To: (gs)





(dv) 30 second email delay with Plesk
Things you will need: Root access and SSH access to your (dv) A basic understanding of the vim editor DETAILS: The SMTP mail service provided by the Plesk Control Panel system is configured by default to do a number of remote verification checks when clients connect to send mail. These ve ...
Applies To: All (dv)





(gs) Creating an email alias/forwarder
DETAILS: Email aliases are a powerful feature of your hosting service that allow you to have an unlimited number of email addresses that forward to multiple destinations. Email aliases are commonly used to receive email at a particular address that map to multiple email addresses. Often custome ...
Applies To: (gs)






Using Gmail to view your (mt) Media Temple email
NOTE: mt-example.com is used as an example. Please be sure to replace this text with the proper information for your site or server. The following tutorial is provided as a courtesy to our customers to help you configure your mail software to work with (mt) Media Temple's hosting solutions. T ...
Applies To: All Service Types





(dv) HOWTO: Raise Courier-IMAP Connections
By default, Plesk and the Courier-IMAP email server drastically limit the number of inbound connections to prevent users from opening up too many concurrent sessions. Unfortunately, this restriction can impact legitimate users who have multiple computers connecting to the Courier-IMAP server fr ...
Applies To: (dv) 3.0, (dv) 3.5





Why do emails disappear from my trash and spam folders?
Many of us have once deleted an email message to then later decide we actually need it. For this reason it is important to know how long messages will stay in your trash folder before they are permanently deleted. The fact is that these settings can change depending on what email clients you u ...
Applies To: (gs)






(dv) hotmail and yahoo mail spam flagging issue
An increase in emails from (dv) servers being flagged as spam by hotmail, yahoo and other major mail service providers. It seems that they are starting to perform PTR record checks on the server name. NOTE: We strongly recommend using SPF records or DomainKeys to fix this issue. The following ...
Applies To: All (dv)





Getting Started with Roundcube Webmail
(mt) Media Temple offers Roundcube as one of our Webmail choices on the (gs) Grid-Service. RoundCube is a web interface that can access your email through a web browser. It has all the functionality you would expect from a modern email client, including MIME support, address book, folder manip ...
Applies To: (gs)


Exporting your Address Book (contacts) from @Mail
The following guide will show you how to export your contacts from the @Mail webmail client. WARNING: In order to export your contacts you must login to the Advanced Mozilla or Advanced IE6+ versions of @Mail. Login to @mail (Advanced Versions Only). Click on Tools > Address Book. Clic ...
Applies To: All Service Types




Importing your Address Book (contacts) into Roundcube
Roundcube offers the ability to import your Address Book contacts. First you will need to export your contacts as a vCard from your current address book application. TIP: Here are some useful guides to exporting your contacts from other mail clients: Apple Mail Microsoft Outlook @Mail ...
Applies To: (gs)






Rejecting all emails for nonexistent users
This article will show you how to reject all emails from nonexistent users. This configuration is recommended as it will reduce the amount of junk mail you receive. Login to Plesk Click on Domains Click on your domain Click on Mail Click on Preferences Set Mail to nonexistent user to R ...
Applies To: (dpv) Nitro, (dv) 3.0, (dv) 3.5





Creating Email Accounts
The following links will show you how to add an email account to all of our current hosting platforms. After creating an email account you can use your newly created address in your email program of choice, or use our webmail service. How do I create email accounts on my (gs) Grid-Service? Ho ...
Applies To: All Service Types





(dv) 3.x: Proper usage of email login credentials in an external Email application.
If you are having problems connecting an external email program (such as Outlook, Apple Mail, or Mozilla Thunderbird) to your email account on your (dv) Dedicated-Virtual v3.x Server, please make sure that you are using the full email address as the user name. This applies to both sending and r ...
Applies To: (dpv) Nitro, (dv) 3.0, (dv) 3.5






Clear email queues using qmHandle
Details When the mail queue on a (dv) Dedicated-Virtual Server has messages stacked up you can use the tool qmHandle. Download qmHandle from SourceForge. You actually only need the script 'qmHandle' so use that if you have it handy. Upload it to the server and untar it if necessary. You may d ...
Applies To: All (dv)





(gs) Create a Email Catch
The following guide will show you how to create a catch-all on the (gs) Grid-Service. Warning: It is important to note that adding a catch-all has been known to produce more spam. It is also advisable that you do not forward a catch-all to a external email address. Create a Catch-All ...
Applies To: (gs)

REFERENCE
http://kb.mediatemple.net/categories/Browse+by+Category/Email/

Email Applications

SkyHi @ Friday, April 23, 2010


Setting up email in Windows Mail or Windows Live Mail

Things you will Need: Name of your Incoming/Outgoing Mail Server: Your incoming and outgoing mail server name can be found within your Sever Guide located in the (mt) AccountCenter. It will look similar to the following: s#####.gridserver.com (Be sure to replace ##### with your site number). T ...
Applies To: (gs), (ss)





How can I setup email in Outlook 2003?
Info you will need: Your domain name, e.g. mt-example.com Your email address (Creating Email Accounts - All purpose). Your email password. NOTE: Text in this color is used as an example. Please be sure to replace this text with the proper information for your server or domain. The following ...
Applies To: All Service Types




How can I setup email in Outlook Express and Outlook 2002?
undefinedundefinedInfo you will need: Your domain name, e.g. mt-example.com Your email address (Creating Email Accounts - All purpose). Your email password. NOTE: Text in this color is used as an example. Please be sure to replace this text with the proper information for your server or dom ...
Applies To: All Service Types






HOWTO: Set up email on the iPhone or the iPod Touch
Setting Up an Email Account on the iPhone or the iPod Touch You can configure any (mt) Media Temple email account directly on the iPhone or the iPod Touch. You will simply need the standard email account information: username, password, and the incoming and outgoing mail server host informati ...
Applies To: All Service Types


How can I setup email in Outlook 2007?
Things you will need: Your domain name. Your Email address (Creating Email Accounts - All purpose). Your email password. NOTE: Text in this color is used as an example. Please be sure to replace this text with the proper information for your site or server. Be sure to replace mt-example.com w ...
Applies To: All Service Types


Setting up email in Postbox
This article is designed to help you setup an IMAP email connection to your (mt) Media Temple service using the email application Postbox. Postbox, built on top of Thunderbird, is an email application which runs on Mac, Linux, and Windows. Download and install the latest version of Postbox. W ...
Applies To: All Service Types



HOWTO: Setup email in Entourage
Things you will need: Your domain name I.E. mt-example.com. Your Email address (You need to create one if you haven't already. Follow this link if you still need to create an email address: Creating Email Accounts - All purpose ) Your email password. NOTE: Text in this color is used as an e ...
Applies To: All Service Types


HOWTO: Set the default email account on the iPhone
NOTE: The following tutorial is provided as a courtesy to our customers to help you configure your iPhone software to work with (mt) Media Temple's hosting solutions. 3rd-party software can not be supported directly by (mt) Media Temple. If you have further questions about your iPhone please ...
Applies To: All Service Types


Creating an email account in Pegasus
Link to Pegasus's Help and Documentation. Revisions: 07-20-2009: Minor Fixes
Applies To: All Service Types



Setting up Email for Blackberry
Things you will need: Your
Applies To: All Service Types


Setup Thunderbird using IMAP for the (gs) Grid-Service
The following article will show you how to setup the email application Thunderbird with your (gs) Grid-Service email accounts using the preferred IMAP protocol. Things you will Need: Name of your Incoming/Outgoing Mail Server: Your incoming and outgoing mail server name can be found within y ...
Applies To: (gs)


Settings for Checking Email on the iPhone
NOTE: The following tutorial is provided as a courtesy to our customers to help you configure your iPhone software to work with (mt) Media Temple's hosting solutions. Third-party software can not be supported directly by (mt) Media Temple. If you have further questions about your iPhone plea ...
Applies To: All Service Types



Syncing Email Accounts to iPhone
NOTE: The following tutorial is provided as a courtesy to our customers to help you configure your iPhone software to work with (mt) Media Temple's hosting solutions. Third-party software can not be supported directly by (mt) Media Temple. If you have further questions about your iPhone ple ...
Applies To: All Service Types


Apple Mail (Mail.app) not saving to Sent folder
Symptoms Items in Apple/Mac Mail do not save sent messages to the right folder when connecting via IMAP. The email will deliver normally but a copy is not kept on the server. Solution The Mac or Apple Mail client requires that you specify that an IMAP folder be used for Sent mail. This can be s ...
Applies To: (gs)

HOWTO: Set up email on the iPhone or the iPod Touch

SkyHi @ Friday, April 23, 2010

1. If this is the first account you're setting up on the iPhone or the iPod Touch, tap Mail. Otherwise, from the Home screen choose Settings > Mail, Contacts, Calendars > Accounts and choose Add Account....

OR IMG_0025 IMG_0026

2. Choose your email account type. For setting up email to work with your (mt) Media Temple service choose Other.

IMG_0027

3. Select Add Mail Account under the Mail section and enter account information.

IMG_0028

Fill in your name and email address. Then click Save.

IMG_0029

On the next screen enter your (gs) Grid-Service account details, including the following. We strongly suggest using your access domain which will work properly with SSL enabled. This is the default setting on the iPhone.

  • Incoming Mail Server

    Host Name: s#####.gridserver.com (Be sure to replace ##### with your site number)
    User Name: username@mt-example.com
    Password:
    If you do not know your password, you can reset it from the AccountCenter.

Tap Save to save the entered information. Your iPhone will then verify your account information.

5. Upon successful completion you will be taken back to the Mail Settings screen. You will still need to configure your folders since you are using IMAPThe Internet Message Access Protocol or IMAP is one of two of the most prevalent Internet standard protocols for e-mail retrieval, the other being POP3. Virtually all modern e-mail clients and servers support both protocols as a means of transferring e-mail messages from a server, (mt) Media Temple services are no exception.'); return false;">IMAP. Select your newly created account and enter the Advanced section:

IMG_0032

Change your IMAP Path Prefix from / to INBOX:

IMG_0033


6. Now you will be able to choose the Drafts, Sent, and Deleted folders on the server. This way your folders will be in sync no matter where or how you access your email. Just choose each Mailbox on the same Advanced screen and select the matching folder on the server:


IMG_0034 IMG_0035 IMG_0036



You should now have a fully configured account on your Apple iPhone. FAQs
How can I change the outging mail (SMTP) password?

In the iPhone mail client, there are two locations for passwords. The incoming mail password is on the main configuration screen, but the outgoing mail password may be considered somewhat hidden. Please follow these steps:

1. From the home screen, tap the "Settings" icon
2. Tap "Mail, Contacts, Calendars"
3. Select the account you wish to modify
4. Tap "SMTP" under "Outgoing Mail Server"
5. Tap the primary server
6. Enter your new password in the "Password" field.

fail2ban block failed login attempts

SkyHi @ Friday, April 23, 2010

Category:Configuration



From Fail2ban



Jump to: navigation, search

The subcategories below contain information about external software and their relation to Fail2ban. In particular, logging outputs and corresponding regular expressions are proposed and discussed in these pages. Feel free to contribute.

To add an application edit the URL to contain http://www.fail2ban.org/wiki/index.php/MyProgramName. Create a new page with the format:


MyProgramName is a program that does....

{{Logging_Outputs}}

MyProgramNamve version X.XX.XX.Y
<div style="padding: 1em;border: 1px dashed #2f6fab;color: black;background-color: #f9f9f9;line-height: 1.1em;">
* LogEntry
</div>

{{Failregex}}

<pre>
failregex =
< /pre>

[[Category:MyProgramCategory]]

MyProgramCategory can be a new category or an existing listed below. If you create a new category edit and add
[[Category:Configuration]]
to the bottom of it so it gets liked here.





Subcategories


This category has the following 7 subcategories, out of 7 total.




F



H




K



M




S



V



REFERENCE
http://www.fail2ban.org/wiki/index.php/Category:Configuration

Thursday, April 22, 2010

wget: Download entire websites easy

SkyHi @ Thursday, April 22, 2010


wget is a nice tool for downloading resources from the internet. The basic usage is
wget url:



wget http://linuxreviews.org/



Therefore,
wget (manual page) +
less (manual page)
is all you need to surf the internet. The power of wget is
that you may download sites recursive, meaning you also get all pages (and images and other data) linked on the front page:



wget -r http://linuxreviews.org/



But many sites do not want you to download their entire site. To prevent this, they check how browsers identify. Many sites refuses you to connect or sends a blank page if they detect you are not using a web-browser. You might get a message like:



Sorry, but the download manager you are using to view this site is not supported. We do not support use of such download managers as flashget, go!zilla, or getright



Wget has a very handy -U option for sites like this. Use -U My-browser to tell the site you are using some commonly accepted browser:


  wget  -r -p -U Mozilla http://www.stupidsite.com/restricedplace.html



The most important command line options are --limit-rate= and --wait=. You should add --wait=20 to pause 20 seconds between retrievals, this makes sure you are not manually added to a blacklist. --limit-rate defaults to bytes, add K to set KB/s. Example:



wget --wait=20 --limit-rate=20K -r -p -U Mozilla http://www.stupidsite.com/restricedplace.html



A web-site owner will probably get upset if you attempt to download his entire site using a simple wget http://foo.bar command. However, the web-site owner will not even notice you if you limit the download transfer rate and pause between fetching files.



Use --no-parent



--no-parent is a very handy option that guarantees wget will not download anything from the folders beneath the folder you want to acquire. Use this to make sure wget does not fetch more than it needs to if just just want to download the files in a folder.


REFERENCE
http://linuxreviews.org/quicktips/wget/

Wednesday, April 21, 2010

Gratuitous ARP

SkyHi @ Wednesday, April 21, 2010

Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases. A gratuitous ARP request is an AddressResolutionProtocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.

Gratuitous ARPs are useful for four reasons:

  • They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.
  • They assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC.

  • They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.
  • Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces.


Examples


  • The networking stack in many operating systems will issue a gratuitous ARP if the IP or MAC address of a network interface changes, to inform other machines on the network of the change so they can report IP address conflicts, to let other machines update their ARP tables, and to inform switches of the MAC address of the machine. The networking stack in many operating systems will also issue a gratuitous ARP on an interface every time the link to that interface has been brought to the up state. The gratuitous ARP then is used to preload the ARP table on all local hosts of the possibly new mapping between MAC and IP address (for failover clusters that do not take over the MAC address) or to let the switch relearn behind which port a certain MAC address resides (for failover clusters where you do pull the MAC address over as well or when you simply just move the network cable from one port to another on a normal nonclustered host)
  • The High-Availability Linux Project utilizes a command-line tool called send_arp to perform the gratuitous ARP needed in their failover process. A typical clustering scenario might play out like the following:

    • Two nodes in a cluster are configured to share a common IP address 192.168.1.1. Node A has a hardware address of 01:01:01:01:01:01 and node B has a hardware address of 02:02:02:02:02:02.

    • Assume that node A currently has IP address 192.168.1.1 already configured on its NIC. At this point, neighboring devices know to contact 192.168.1.1 using the MAC 01:01:01:01:01:01.

    • Using the heartbeat protocol, node B determines that node A has died.
    • Node B configures a secondary IP on an interface with ifconfig eth0:1 192.168.1.1.

    • Node B issues a gratuitous ARP with send_arp eth0 192.168.1.1 02:02:02:02:02:02 192.168.1.255. All devices receiving this ARP update their table to point to 02:02:02:02:02:02 for the IP address 192.168.1.1.


Example Traffic


Ethernet II, Src: 02:02:02:02:02:02, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff (Broadcast)
Source: 02:02:02:02:02:02 (02:02:02:02:02:02)
Type: ARP (0x0806)
Trailer: 000000000000000000000000000000000000
Address Resolution Protocol (request/gratuitous ARP)
Hardware type: Ethernet (0x0001)
Protocol type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 02:02:02:02:02:02 (02:02:02:02:02:02)
Sender IP address: 192.168.1.1 (192.168.1.1)
Target MAC address: ff:ff:ff:ff:ff:ff (Broadcast)
Target IP address: 192.168.1.1 (192.168.1.1)
0000 ff ff ff ff ff ff 02 02 02 02 02 02 08 06 00 01 ................
0010 08 00 06 04 00 01 02 02 02 02 02 02 c0 a8 01 01 ................
0020 ff ff ff ff ff ff c0 a8 01 01 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............


Discussion


What's a good choice for example MACs? I picked 02:02:02:02:02:02. Is there a better one? -- RandyMcEoin

-The '02' byte at the start of the MAC indicates that this is a 'locally administered address' which has been set by the local user or system. Most normal ethernet devices are allocated a MAC with 00 as the most significant byte.

I updated the article to differentiate between gratuitous ARP request and reply.

Note that some devices will respond to the gratuitous request and some will respond to the gratuitous reply. If one is trying to write software for moving IP addresses around that works with all routers, switches and IP stacks, it is best to send both the request and the reply. These are documented by RFC 2002 and RFC 826. Software implementing the gratuitious ARP function can be found in the Linux-HA source tree. A request may be preceded by a probe to avoid polluting the address space. For an ARP Probe the Sender IP address field is 0.0.0.0. ARP probes were not considered by the original ARP RFC.

-Does the target MAC address ever matter in requests? I gather Solaris uses ff:ff:ff:ff:ff:ff in its standard ARP requests and most other OSes use 00:00:00:00:00:00 instead. Is the use of the ff:ff:ff:ff:ff:ff MAC in the target address above significant in any way? Obviously having a destination address of ff:ff:ff:ff:ff:ff is critical.yes

RFC 3927, which is based on Gratuitous ARP, specifies 00:00:00:00:00:00 for the target MAC. However many simple TCP/IP stacks have an API which permits the specification of only one MAC value, and when the Ethernet Destination field is set to 'broadcast', the ARP target is also set 'broadcast'. Note: Normal ARP requests have the same value in the ARP Packet Target MAC address as in the Ethernet Destination field.

- How can we explain if the source Ethernet MAC address is different from sender's MAC address in a GARP packet? The ARP packet value is for the ARP machine, the Ethernet value is for the Ethernet machine. Originally, they were intended to be redundant information, targeted at different layers. It is possible to consider a hypothetical network appliance that routes ARP packets, where the source Ethernet MAC address changes as the packet is routed, but normally ARP packets are not routed.

REFERENCE
http://wiki.wireshark.org/Gratuitous_ARP