Bird's Nest Kotori's Tech Blog

8Jun/120

Securing Plesk with Fail2Ban

As Plesk by default has quite a few services running, it is a natural target for bruteforce attacks. I've put together the following guide to assist you in securing your Plesk server with Fail2Ban rules.

Courier IMAP

Step 1.) Create the filter
Edit the following Fail2Ban filter...

/etc/fail2ban/filter.d/courierlogin.conf

Change:
LOGIN FAILED, .*, ip=\[< HOST >\]$
 
To:
LOGIN FAILED, ip=\[<HOST>\]$

Step 2.) Create the action rule
Insert the following into your /etc/fail2ban/jail.local

[courierimap-iptables]
 
enabled = true # yes, enable this jail
filter = courierlogin # name of filter we use
action = iptables-multiport[name=IMAP, port="110,995,143,993"] # this is a multiport jail as it handles; 110, 143, 993, 995
         sendmail-whois[name=IMAP, dest=you@your-server.domain.net, sender=fail2ban@your-server.domain.net] # where to send the alert email
logpath = /usr/local/psa/var/log/maillog # Plesk maillog standard location
maxretry = 5 # Only allow 5 attempts

Dovecot

Step 1.) Create the filter
Create the following Fail2Ban filter...

/etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Step 2.) Create the action rule
Insert the following into your /etc/fail2ban/jail.local

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
         sendmail-whois[name=dovecot-pop3imap, dest=you@your-server.domain.net, sender=fail2ban@your-server.domain.net] # where to send the alert email
logpath = /usr/local/psa/var/log/maillog # Plesk maillog standard location
maxretry = 5
findtime = 1200
bantime = 1200

Testing

Now you can restart Fail2Ban and test it with the following script. Replace the line "REPLACE.YOUR.SERVERS.IP" with your server's IP that is protected by Fail2Ban. Run the script several times, and on the 6th attempt, you should not be able to make additional connections. Run 'iptables -L -v -n' to ensure Fail2Ban properly blocked the IP.

echo -e "01 login test test\n02 logout\n" | telnet REPLACE.YOUR.SERVERS.IP 143

Have Fun!

7Apr/120

Report Qmail Queue Size

I recently had a unique request from a customer. "How do I have my Plesk system email me when my remote queue starts to fill up?". This is actually quite simple to script.

QmailQueueChecker.sh

#!/bin/bash
# QmailQueueChecker.sh
# Checks the size of the Qmail queue and sends an email if its too large
 
QUEUE_LIMIT="250"
NOTIFY_EMAIL="root@localhost"
 
QUEUE_COUNT=`/usr/sbin/qmHandle -s | grep "remote recipients" | awk -F ":" '{print $2}' | sed 's/ //g'`
 
if [ "$QUEUE_COUNT" -gt "$QUEUE_LIMIT" ]; then
    echo "The Qmail queue is currently over $QUEUE_LIMIT. Mail queue contains $QUEUE_COUNT messages." | mail -s "Mailqueue is Full" $NOTIFY_EMAIL
fi
 
exit 0

See quite easy! Simply alter QUEUE_LIMIT and NOTIFY_EMAIL to suit your needs. I would recommend adding this to a cronjob for automated notifications:
0 * * * * /root/bin/QmailQueueChecker.sh

20Mar/120

Compile latest XBMC with GIT

I've been running XBMC-Live for some time now, and I've found it great, however its quite a pain waiting for new features for the base XBMC install.. I love to run the latest versions of software. If your like this as well, or you simply want to compile XBMC yourself feel free to copy/paste this tutorial. For your own reference, most of this guide was pulled from
http://forum.xbmc.org/showthread.php?tid=89817

My Build is as follows:
Ubuntu 10.04.2 LTS lucid - XBMCLive Dharma

INITIAL SETUP

Step 1. (Stop XBMC, and install the stable PPA)

stop xbmc-live
 
apt-get install python-software-properties pkg-config -y
add-apt-repository ppa:team-iquik/xbmc-stable
apt-get update

Step 2. (Install dependencies)

apt-get install libplist-dev python-support python-dev ccache libyajl-dev libvdpau-dev debhelper \
zip git-core make g++ gcc gawk pmount libtool yasm nasm automake cmake gperf gettext unzip \
bison libsdl-dev libsdl-image1.2-dev libsdl-gfx1.2-dev libsdl-mixer1.2-dev libfribidi-dev \
liblzo2-dev libfreetype6-dev libsqlite3-dev libogg-dev libasound-dev python-sqlite libglew-dev \
libcurl3 libcurl4-openssl-dev x11proto-xinerama-dev libxinerama-dev libxrandr-dev \
libxrender-dev libmad0-dev libogg-dev libvorbisenc2 libsmbclient-dev libmysqlclient-dev \
libpcre3-dev libdbus-1-dev libhal-dev libhal-storage-dev libjasper-dev libfontconfig-dev \
libbz2-dev libboost-dev libfaac-dev libenca-dev libxt-dev libxtst-dev libxmu-dev libpng-dev \
libjpeg-dev libpulse-dev mesa-utils libcdio-dev libsamplerate-dev libmms-dev libmpeg3-dev \
libfaad-dev libflac-dev libiso9660-dev libass-dev libssl-dev fp-compiler gdc \
libwavpack-dev libmpeg2-4-dev libmicrohttpd-dev libmodplug-dev libboost-thread-dev -y -q
 
apt-get build-dep xbmc -y

Step 3. (Clone XBMC from its GIT repo)

mkdir ~/setup
cd $HOME/setup
git clone git://github.com/xbmc/xbmc.git

Step 4. (Compile XBMC)

# Compile BluRay support
cd $HOME/setup/xbmc/lib/libbluray
make
make install
 
# Compile Airplay support
cd $HOME/setup/xbmc/lib/libshairport
make
make install
 
cd $HOME/setup/xbmc
make -C lib/libnfs && sudo make -C lib/libnfs install
./bootstrap ; ./configure --prefix=/usr --enable-vdpau --disable-pulse --disable-crystalhd --enable-libbluray --enable-libshairport ; make -j4
make -C lib/addons/script.module.pil

Step 5. (Install our newly compiled XBMC)

make install prefix=/usr

Step 6. (Start XBMC back up)

start xbmc-live

Once we have our initial repo setup, its quite easy to update from now on. Simply follow the steps below:

UPDATE STEPS

Step 1. (Stop XBMC)

stop xbmc-live

Step 2. (Cleanup existing XBMC code, and update it)

cd $HOME/setup/xbmc
make distclean
git reset --hard
git clean -xfd
git pull --rebase

Step 3. (Compile XBMC)

# Compile BluRay support
cd $HOME/setup/xbmc/lib/libbluray
make
make install
 
# Compile Airplay support
cd $HOME/setup/xbmc/lib/libshairport
make
make install
 
make -C lib/libnfs && sudo make -C lib/libnfs install
./bootstrap ; ./configure --prefix=/usr --enable-vdpau --disable-pulse --disable-crystalhd --enable-libbluray --enable-libshairport ; make -j4
make -C $HOME/setup/xbmc/lib/addons/script.module.pil

Step 4. (Install our newly compiled XBMC)

make install prefix=/usr

Step 5. (Start XBMC back up)

start xbmc-live
19Mar/128

Fail2Ban on RHEL 5/6

I've decided to put together this little howto on installing and configuring Fail2Ban on RedHat Enterprise Linux v5.x and v6.x.

The first step is to make to decide whether you want to install via repository or by source. I recommend installing by repository as you will receive packages that are guaranteed to work with the OS, and will receive updates along with your regular packages.

Installing Via Repo

If you have not already done so you will want to install the epel repository, choose a repository according to your OS. I prefer to use the EPEL repository: http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/fail2ban.html

RHEL 5

32 BIT SYSTEMS:
sudo rpm -Uvh "http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-5-4.noarch.rpm"
64 BIT SYSTEMS:
sudo rpm -Uvh "http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-5-4.noarch.rpm"

RHEL 6

32 BIT SYSTEMS:
sudo rpm -Uvh "http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm"
64 BIT SYSTEMS:
sudo rpm -Uvh "http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm"

Now that we have the repository installed, we can install Fail2Ban.

sudo yum install fail2ban

First copy your jail.conf to jail.local. This protects your changes from getting wiped during package upgrades. Fail2Ban is setup to read jail.local after jail.conf automatically. From here on, when I say configuration file, I am referring to the jail.local file.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Next you can add any administrative IP addresses to Fail2Ban's white-list, space separated.

sudo vi /etc/fail2ban/jail.local
[DEFAULT]
 
ignoreip = 127.0.0.1 192.168.1.0/24 192.168.2.5 192.168.5.3

Now you will want to configure Fail2Ban to your liking, mainly white-lists and active jails.
I like to ban my attackers for a good long time, you can alter the default ban time of 10 minutes. This is done by modifying the bantime variable, this can also be overridden on a per-jail basis.

bantime  = 86400 # this is a much longer ban, 24 hours

SSH jail is active by default, so only small tweaks are needed. Simply make sure enabled is true, and logpath is pointing to /var/log/secure.

[ssh-iptables]
 
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@localhost]
logpath  = /var/log/secure
maxretry = 3

I find enabling an email jail is also a good idea as SMTP services are a common target.

[postfix]
 
enabled  = true
filter   = postfix
action   = iptables[name=Postfix, port=smtp, protocol=tcp]
           sendmail-whois[name=Postfix, dest=root@localhost, sender=fail2ban@localhost]
logpath  = /var/log/maillog
maxretry = 5

Now we can make sure Fail2Ban starts when our server reboots, do this by using chkconfig to enable.

chkconfig fail2ban on
sudo /etc/init.d/fail2ban start

Installing Via GitHub

This is my preferred method of installing Fail2Ban, as it gets the absolute latest copy, there are a couple of additional packages that you will need to install first.

Ensure Python is upto date. >=python-2.3

python -V
Python 2.6.5

Now if we don't already have the git package, go ahead and install that now

sudo yum -y install git

Now create a dev directory that will house the Fail2Ban git repo.

cd ~
mkdir fail2ban-dev
cd fail2ban-dev
git clone https://github.com/fail2ban/fail2ban.git

Now we can install Fail2Ban using root privileges.

cd fail2ban
sudo python setup.py install

Now we should have our Fail2Ban installation in /usr/share/fail2ban, the configuration in /etc/fail2ban/, and the binaries in /usr/bin.

We should now install the startup script for RHEL:

sudo cp ~/fail2ban-dev/fail2ban/files/redhat-initd /etc/init.d/fail2ban
sudo chmod 755 /etc/init.d/fail2ban

First copy your jail.conf to jail.local. This protects your changes from getting wiped during package upgrades. Fail2Ban is setup to read jail.local after jail.conf automatically.

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The configuration is going to be quite similar to above, simply ensure your logpath is correct and enabled is true.

To update our github installation, run git pull from the repo directory, keep in mind that the setup.py script will overwrite /etc/fail2ban/jail.conf , so if you didn't create a jail.local, as I previously showed, I would now.

cd ~/fail2ban-dev/fail2ban
git pull -u
sudo python setup.py install
17Dec/110

Plesk and Dr. Web

I'm going to cover two issues here with Dr. Web and Plesk. They are both "fixes" of sorts, the first fixes an annoyance the second fixes a bug in a recent update to Dr. Web.

How do I configure Dr. Web on Plesk not to send notifications about infected messages?
This is quite easy. Simply create/edit the following file:

/etc/drweb/drweb_qmail.conf

Insert into the drweb_qmail.conf file:

[VirusNotifications]
    SenderNotify = no
    AdminNotify = no
    RcptsNotify = no

Restart Dr. Web, and the annoying emails should cease.

/etc/init.d/drwebd restart

NOTE: If this solution does not work for you, try creating the following file with the above contents instead:

/etc/drweb/drweb_handler.conf

Email messages addressed to the mailboxes protected by Dr. Web on Plesk are bouncing back
If you are experiencing bouncebacks with the following error messages:

Antivirus filter report:
--- Antivirus report ---
Detailed report:
127.0.0.1 [1636] drweb.tmp.0Ugml7 - archive MAIL
127.0.0.1 [1636] drweb.tmp.0Ugml7/[text:plain] - Ok
127.0.0.1 [1636] drweb.tmp.0Ugml7/test.zip - archive ZIP
127.0.0.1 [1636] >drweb.tmp.0Ugml7/test.zip/test.txt - Ok
127.0.0.1 [1636] >drweb.tmp.0Ugml7/test.zip/ - read error!

This could be due to a recent (15 Dec 2011) upgrade for Dr. Web which broke some outgoing mail.
To resolve this issue, Plesk has released a patch PLESK 9, PLESK 10

If the Plesk patch does not resolve your issue, try the following:

cd /var/drweb/bases
sudo wget http://update.drweb.com/unix/500/update.drl
sudo –u drweb /opt/drweb/update.pl
 
vi /etc/drweb/drweb_handler.conf

In this file, find and replace the current values for ScanningErrors, and ProcessingErrors to say pass.

ScanningErrors = pass
ProcessingErrors = pass

Restart Dr. Web, and emails should start to flow again.

/etc/init.d/drwebd restart
21Nov/110

Remove OpenBaseDir Restrictions From Sub-Domains in Plesk

Its quite common to have subdomains setup in Plesk, its also more common to want to use scripts in the subdomain contained in the primary site's httpdocs directory. Below is a guide on howto perform this.

Create /var/www/vhosts/domain.com/subdomains/sub.domain/conf/vhost.conf
with the following content: (of course replace domain.com and sub.domain with your domain name and subdomain name)

1
2
3
4
5
6
7
8
9
10
11
12
<Directory /var/www/vhosts/domain.com/subdomains/sub.domain/httpdocs>
  <IfModule sapi_apache2.c>
    php_admin_flag engine on
    php_admin_flag safe_mode off
    php_admin_value open_basedir "/var/www/vhosts/domain.com/httpdocs:/var/www/vhosts/domain.com/subdomains/sub.domain/httpdocs:/tmp"
  </IfModule>
  <IfModule mod_php5.c>
    php_admin_flag engine on
    php_admin_flag safe_mode off
    php_admin_value open_basedir "/var/www/vhosts/domain.com/httpdocs:/var/www/vhosts/domain.com/subdomains/sub.domain/httpdocs:/tmp"
  </IfModule>
</Directory>

After you've created your vhost.conf file, you will want to force Plesk to re-read its configuration files, so run: (replace domain.tld with your chosen domain name)

/usr/local/psa/admin/sbin/websrvmng -u --vhost-name=domain.tld

Now you can restart Apache to have the changes take effect

/etc/init.d/httpd restart
17Nov/110

Disabling email service for a specific domain in Plesk

I have encountered several scenarios in which you want a site hosted via Plesk however without email services on the Plesk box. You can use the following to disable email for a specific domain in Plesk.

1. Correct the DNS entry for MX records in the DNS manager
Go to 'Websites & Domain' then click on 'DNS'

2. SSH login to the server and disable the mail service associated with that domain, replacing domain.tld with the domain in question.

/usr/local/psa/bin/domain -u domain.tld -mail_service false

You should see the following output:
SUCCESS: Update of domain ‘domain.tld’ complete.

That is the jist of it, you can verify that mail is being routed correctly by sending a test email via the commandline

echo "Test" | mail -s "route test" user@domain.tld

You should see it routed properly in Plesk's maillog (/usr/local/psa/var/log/maillog)

17Nov/110

Access horde webmail via IP instead of by domain

This is an interesting workaround that I recently discovered. Normally when you access horde webmail its done via domain name ex: https://domain.tld/webmail, however you may desire to access this via IP address instead, ex: https://192.168.1.101/horde (obviously you wouldn't use a 192 address as its private, but you get the idea).

cd /etc/httpd/conf.d
vi zz012_horde.conf

Paste the following into the zz012_horde.conf file:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<Directory /usr/share/psa-horde>
  <IfModule sapi_apache2.c>
    php_admin_flag engine on
    php_admin_flag safe_mode off
    php_admin_value open_basedir “/etc/psa:/usr/share/psa-horde:/usr/share/psa-horde/config:/tmp”
    php_admin_value include_path “/usr/share/psa-horde/lib:/usr/share/psa-horde/pear:.”
  </IfModule>
  <IfModule mod_php5.c>
    php_admin_flag engine on
    php_admin_flag safe_mode off
    php_admin_value open_basedir “/etc/psa:/usr/share/psa-horde:/usr/share/psa-horde/config:/tmp”
    php_admin_value include_path “/usr/share/psa-horde/lib:/usr/share/psa-horde/pear:.”
  </IfModule>
</Directory>
Alias /horde /usr/share/psa-horde

Then restart Apache to re-read the vhost configuration you just created.

/etc/init.d/httpd restart
17Nov/110

Handy Plesk One-liners

In my everyday work, I commonly log into as many as 20 Plesk boxes a day. Here are some of my more commonly used Plesk commands.

Retrieve FTP Passwords From PLESK's Database:

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e 'select sys_users.home,sys_users.login,accounts.password
FROM sys_users,accounts
WHERE sys_users.account_id=accounts.id
ORDER BY home;'


Retrieve Email Passwords From PLESK's Database:

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e 'select CONCAT(mail_name,"@",name)
AS email_address,accounts.password
FROM mail left
JOIN domains on domains.id=mail.dom_id left
JOIN accounts on accounts.id=mail.account_id;'

Retrieve Email Passwords that are made up of only letters:

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e 'SELECT CONCAT_WS('@',mail.mail_name,domains.name),accounts.password
FROM domains,mail,accounts
WHERE domains.id=mail.dom_id AND accounts.id=mail.account_id
AND accounts.password RLIKE BINARY '^[a-z]+$'
ORDER BY domains.name ASC,mail.mail_name ASC;'

Retrieve Email Passwords that are made up of only letters

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e 'SELECT CONCAT_WS('@',mail.mail_name,domains.name),accounts.password
FROM domains,mail,accounts
WHERE domains.id=mail.dom_id AND accounts.id=mail.account_id
AND accounts.password RLIKE '^[0-9]+$'
ORDER BY domains.name ASC,mail.mail_name ASC;'

Retrieve domains that are using catch-all accounts:

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e 'SELECT d.name
AS domains, p.value
AS catchall_address
FROM Parameters p, DomainServices ds, domains d
WHERE d.id = ds.dom_id AND ds.parameters_id = p.id
AND p.parameter = 'catch_addr'
ORDER BY d.name;'


Retrieve Database Passwords From PLESK's Database:

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e 'SELECT domains.name
AS domain_name, data_bases.name
AS database_name, db_users.login, accounts.password
FROM data_bases, db_users, domains, accounts
WHERE data_bases.dom_id = domains.id
AND db_users.db_id = data_bases.id
AND db_users.account_id = accounts.id
ORDER BY domain_name;'

Retrieve PLESK Admin Password (Plesk 9 and below)

cat /etc/psa/.psa.shadow

Retrieve PLESK Admin Password (Plesk 10)

/usr/local/psa/bin/admin --show-password

Retrieve Domain's exceeding Plesk's quotas

mysql psa -uadmin -p`cat /etc/psa/.psa.shadow` -e
"SELECT domains.name, domains.real_size, Limits.value
FROM domains, Limits
WHERE domains.limits_id = Limits.id
AND domains.real_size &gt; Limits.value
AND limit_name = 'disk_space'
AND Limits.value != -1
ORDER BY domains.name ASC;"
4Nov/110

SkyNet

I've been working, not very long, on a small c++ project I've titled SkyNet. The purpose of this application is to provide a turn based multiplayer game management server. It handles unit placement, scores, turn order, TCP connections. I've written a small SQLite3 wrapper that the application makes us of, and it relies on the boost ASIO library for network operations. You can check it out here: https://github.com/kotori/SkyNet

Tagged as: , , No Comments