Archive for the ‘Linux/Hosting’ Category

14 Jun
Posted by: RobPatton in Linux/Hosting

In a recent trip down the rabbit hole, I started evaluating various site security products for some of the WordPress sites that I run or manage. Moral of the story: if you ask questions, you're going to sign up for more work when you hear the answers, but I guess that's OK.

I had recently switched everything to being served over SSL, after reading https://fourdots.com/blog/why-you-need-ssl-to-rank-better-in-2016-and-how-to-set-it-2169 , but failed to take note of the SSL settings on my server.

My default settings were "secure" but still allowed several technologies with known attacks against them. The largest issues were TLS 1.0 and TLS 1.1, and the RC4 cipher.

This host is a CentOS 7.x host with Apache vhosts. Try as I might to edit the SSL settings in the vhost, I still had less than stellar reports.

It seems that Apache loads /etc/httpd/conf.d/ssl.conf before the *.vhosts files, so whatever is set in that file ends up being the global setting everyone sticks to.

Go test yours! https://www.ssllabs.com/ssltest/index.html

I’m currently using:

SSLProtocol TLSv1.2

SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4

as the settings in that file, and the security scans now come back A/95%, which was my goal, I guess.
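To check a config file for the three problems named above before running an external scan, here is an added example (not code from this post, and not Apache's own): it parses the SSLProtocol and SSLCipherSuite directives out of config text, applies Apache's SSLProtocol token syntax (all, +name, -name, bare name), and expands the cipher string through whatever OpenSSL the local Python's ssl module is linked against. The BEFORE and AFTER configs are constructed to mirror the defaults described above and the settings just shown.

```python
"""Audit Apache SSLProtocol and SSLCipherSuite lines for TLS 1.0/1.1 and RC4.

Added example: not code from the original post or from Apache. The cipher
expansion reflects the OpenSSL build Python is linked against, which is why
the explicit !RC4 check exists alongside it.
"""
import re
import ssl

ALL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # what "all" expands to in httpd 2.4
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS + ["SSLv2"]}
DIRECTIVE = re.compile(r"^[ \t]*(SSLProtocol|SSLCipherSuite)[ \t]+(.+?)[ \t]*$", re.I | re.M)


def enabled_protocols(spec):
    """Apply Apache's SSLProtocol syntax and return the set of enabled versions."""
    enabled = set()
    for tok in spec.split():
        bare = tok.lstrip("+-")
        name = CANONICAL.get(bare.lower(), bare)
        if name.lower() == "all":
            enabled = enabled - set(ALL_PROTOCOLS) if tok.startswith("-") else enabled | set(ALL_PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def expand_ciphers(spec):
    """Return the cipher names the local OpenSSL actually enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def audit(config_text):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    for directive, value in DIRECTIVE.findall(config_text):
        if directive.lower() == "sslprotocol":
            weak = sorted(enabled_protocols(value) & WEAK_PROTOCOLS)
            if weak:
                findings.append("SSLProtocol enables " + ", ".join(weak))
        else:
            bad = sorted({n for n in expand_ciphers(value) if any(w in n for w in ("RC4", "MD5", "NULL"))})
            if bad:
                findings.append("SSLCipherSuite enables " + ", ".join(bad))
            # Newer OpenSSL builds drop RC4 entirely, so the expansion above can
            # look clean on the audit box yet not on the server: require the
            # explicit exclusion as well.
            if "!RC4" not in {t.upper() for t in value.split(":")}:
                findings.append("SSLCipherSuite does not explicitly exclude RC4")
    return findings


# Constructed: defaults of the kind described in the post, and the post's own settings.
BEFORE = "SSLProtocol all -SSLv2 -SSLv3\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5\n"
AFTER = "SSLProtocol TLSv1.2\nSSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4\n"

if __name__ == "__main__":
    # Audit the global file first: the post found that what is set in
    # /etc/httpd/conf.d/ssl.conf is what the server actually used.
    for label, text in (("ssl.conf (before)", BEFORE), ("ssl.conf (after)", AFTER)):
        print(label, "->", audit(text) or "OK")
```

Run it against the real files with `audit(open("/etc/httpd/conf.d/ssl.conf").read())` and the same for each vhost file; since the global file wins here, a clean vhost with a weak ssl.conf still scans badly.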


22 Apr
Posted by: RobPatton in Linux/Hosting

The Problem

In the past 30 days, I've seen over 140,000 entries from many unique IPs, which looks like either DoS or password-guessing bots. Annoying, especially since all my passwords are at least 12 random characters.


Top 10 source IPs   Count   % of entries
162.17.140.61       8,259   5.844%
212.237.47.114      4,583   3.243%
185.227.108.10      1,560   1.104%
192.154.213.123     1,434   1.015%
110.87.25.235       1,356   0.96%
120.35.102.81       1,356   0.96%
117.69.231.207      1,332   0.942%
183.164.244.109     1,327   0.939%
117.69.230.159      1,297   0.918%
117.69.230.216      1,288   0.911%


In /var/log/maillog

Apr 22 07:43:21 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:19 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:17 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:14 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:08 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:43:06 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]
Apr 22 07:04:24 webhost postfix/smtpd[29802]: lost connection after HELO from unknown[119.86.182.130]
Apr 22 06:35:16 webhost postfix/smtpd[18488]: lost connection after UNKNOWN from unknown[93.174.93.46]

The Fix

Add to /etc/fail2ban/jail.local:

[postfix-auth]
enabled = true
filter = postfix.auth
action = iptables-multiport[name=postfix, port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
# sendmail[name=Postfix, dest=you@mail.com]
logpath = /var/log/maillog
bantime = 21600
maxretry = 3

Create /etc/fail2ban/filter.d/postfix.auth.conf

[Definition]
# <HOST> is fail2ban's placeholder for the address to ban
failregex = lost connection after AUTH from (.*)\[<HOST>\]
ignoreregex =
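To see what this jail actually does with the log lines above, here is an added example (not code from this post and not fail2ban's own): it does the same work as fail2ban's filter engine, swapping the `<HOST>` tag for a capturing group, matching each line, and banning a host once it has matched maxretry times inside the findtime window (600 seconds is fail2ban's default when jail.local does not set one). The log lines are the ones shown above; the year is assumed, because syslog timestamps carry none, and the `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's own.

```python
"""Replay the postfix.auth fail2ban filter over the post's maillog lines.

Added example: not code from the original post and not fail2ban's own code.
"""
import re
from collections import defaultdict
from datetime import datetime

# The failregex as it must appear in filter.d/postfix.auth.conf. The host
# position is fail2ban's <HOST> tag; with empty brackets (\[\]) nothing matches.
FAILREGEX = r"lost connection after AUTH from (.*)\[<HOST>\]"

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# The lines shown in the post, newest first as they appeared there.
MAILLOG = [
    "Apr 22 07:43:21 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]",
    "Apr 22 07:43:19 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]",
    "Apr 22 07:43:17 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]",
    "Apr 22 07:43:14 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]",
    "Apr 22 07:43:08 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]",
    "Apr 22 07:43:06 webhost postfix/smtpd[12521]: lost connection after AUTH from unknown[114.237.43.12]",
    "Apr 22 07:04:24 webhost postfix/smtpd[29802]: lost connection after HELO from unknown[119.86.182.130]",
    "Apr 22 06:35:16 webhost postfix/smtpd[18488]: lost connection after UNKNOWN from unknown[93.174.93.46]",
]


def compile_failregex(pattern):
    """Turn a fail2ban-style pattern into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def parse_ts(line, year=2018):
    """Parse the syslog timestamp; the year is an assumption (syslog has none)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")


def count_matches(pattern, lines):
    """How many lines a failregex matches at all; 0 means the jail can never ban."""
    rx = compile_failregex(pattern)
    return sum(1 for line in lines if rx.search(line))


def bans(lines, pattern=FAILREGEX, maxretry=3, findtime=600):
    """Hosts with at least maxretry matches inside any findtime-second window."""
    rx = compile_failregex(pattern)
    hits = defaultdict(list)
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m["host"]].append(parse_ts(line))
    banned = set()
    for host, times in hits.items():
        times.sort()  # the post's excerpt is newest-first
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    print("lines matched:", count_matches(FAILREGEX, MAILLOG))
    print("would ban:", sorted(bans(MAILLOG)))
```

The HELO and UNKNOWN lines are left alone on purpose: the filter only counts failed AUTH attempts, so a host that never tries a password is never banned by this jail. The same check is what `fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.auth.conf` reports on the real file.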

Problem Solved!

6 Jan
Posted by: RobPatton in Linux/Hosting

I have been getting daily errors from certwatch, and I've just been ignoring them. Today I decided not to any more.


################# SSL Certificate Warning ################

Certificate for hostname 'webhost.robpatton.com', in file (or by nickname):
/etc/pki/tls/certs/localhost.crt

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
Generated by certwatch(1)


So my fix was this:

cd /etc/pki/tls/certs/
# drop the expired self-signed certificate
rm localhost.crt
# the Makefile in this directory generates a new passphrase-protected key and a self-signed cert
make localhost.crt
# keep the key with the others under private/
mv localhost.key ../private/localhost.key
cd ../private/
# keep the passphrase-protected original, then write a copy without the passphrase so httpd can start unattended
cp localhost.key localhost.key.orig
openssl rsa -in localhost.key.orig -out localhost.key

31 Aug
Posted by: RobPatton in Linux/Hosting

I switched my hosting servers to CentOS 7 a couple of years ago, and my Postfix instance has been a fun experiment for the past year or so.

Below is a graph of the occurrences of "Blocked using" in my maillog file. The dips are when I was not using any blacklist, and the peaks are when I was using one or many blacklist providers. I've heard good things about the Barracuda blacklist, so I'll add that eventually and watch for spikes.

Blocked Using 2017 Graph

Important parts of my main.cf

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
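The order of that list is what makes it safe, so here is an added example (not code from this post and not Postfix itself) that walks a client through it the way Postfix does: top to bottom, stopping at the first restriction that answers PERMIT or REJECT, with DUNNO falling through to the next. Only the restrictions modelled below decide anything; the hostname/FQDN/unknown-domain checks and the MySQL recipient lookup from the list fall through as DUNNO. MYNETWORKS, MYDESTINATION, the DNSBL table and the maillog lines are all constructed (the DNSBL names are looked up in an in-memory set, not in DNS), and the second function tallies the "blocked using" rejections that the graph above is built from.

```python
"""Walk a client through smtpd_recipient_restrictions in Postfix's order.

Added example: not code from the original post and not Postfix itself.
"""
import ipaddress
import re

RESTRICTIONS = [  # the post's list, in its order
    "permit_sasl_authenticated",
    "permit_mynetworks",
    "check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf",
    "reject_unauth_destination",
    "reject_invalid_hostname",
    "reject_non_fqdn_hostname",
    "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient",
    "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain",
    "reject_rbl_client bl.spamcop.net",
    "reject_rbl_client sbl.spamhaus.org",
    "reject_rbl_client cbl.abuseat.org",
    "reject_rbl_client dul.dnsbl.sorbs.net",
    "permit",
]
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]  # assumed
MYDESTINATION = {"robpatton.com"}  # assumed local domain
# Constructed DNSBL table: a name present here "resolves", i.e. the client is listed.
LISTED = {"4.113.0.203.bl.spamcop.net", "66.2.0.192.dul.dnsbl.sorbs.net"}


def dnsbl_query_name(ip, zone):
    """The name a DNSBL lookup resolves for an IPv4 client: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def evaluate(client, restrictions=RESTRICTIONS, listed=LISTED):
    """Return (decision, restriction that decided) for one RCPT TO from client."""
    addr = ipaddress.ip_address(client["ip"])
    for r in restrictions:
        name, _, arg = r.partition(" ")
        if name == "permit_sasl_authenticated" and client["sasl"]:
            return "PERMIT", r  # our own users are never subjected to the DNSBL checks
        if name == "permit_mynetworks" and any(addr in net for net in MYNETWORKS):
            return "PERMIT", r
        if name == "reject_unauth_destination":
            if client["rcpt"].rpartition("@")[2].lower() not in MYDESTINATION:
                return "REJECT", r  # relay attempt: rejected before any DNSBL is consulted
        if name == "reject_rbl_client" and dnsbl_query_name(client["ip"], arg) in listed:
            return "REJECT", r
        if name == "permit":
            return "PERMIT", r
    return "DUNNO", None  # end of list reached: Postfix permits by default


BLOCKED = re.compile(r"blocked using (?P<zone>[\w.-]+)")


def count_blocked_using(lines):
    """Tally 'blocked using <zone>' rejections per DNSBL, the number behind the post's graph."""
    counts = {}
    for line in lines:
        m = BLOCKED.search(line)
        if m:
            counts[m["zone"]] = counts.get(m["zone"], 0) + 1
    return counts


def _reject_line(ip, zone):
    """Build one constructed maillog line in Postfix's reject format."""
    return (f"Aug 30 10:01:02 webhost postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 554 5.7.1 Service unavailable; Client host [{ip}] blocked "
            f"using {zone}; from=<a@example.net> to=<rob@robpatton.com> proto=ESMTP helo=<x>")


MAILLOG = [  # constructed
    _reject_line("203.0.113.4", "bl.spamcop.net"),
    _reject_line("203.0.113.9", "sbl.spamhaus.org"),
    "Aug 30 10:02:17 webhost postfix/smtpd[4242]: lost connection after AUTH from unknown[203.0.113.9]",
    _reject_line("203.0.113.4", "bl.spamcop.net"),
]

if __name__ == "__main__":
    print(evaluate({"ip": "203.0.113.4", "sasl": False, "rcpt": "rob@robpatton.com"}))
    print(count_blocked_using(MAILLOG))
```

Two things the walk makes visible: a DNSBL outage or a false listing can never turn the server into an open relay, because reject_unauth_destination fires before any reject_rbl_client, and an authenticated user on a listed home IP still gets through, because permit_sasl_authenticated fires first. Running count_blocked_using over the real /var/log/maillog gives the per-provider breakdown the graph only shows in total.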