Tuesday, 28 May 2013

Fail2ban for Qmail Server

Installation:

# rpm -Uvh fail2ban-0.8.7.1-1.el6.rf.noarch.rpm

Setup:
To make fail2ban work with Qmail/vpopmail, a filter (the regex that recognises a failure in the log) and a jail (which log to watch and what to do on a match) must be defined.

Configure Filter:
Create a filter file in /etc/fail2ban/filter.d/ or edit an existing one. The filename without the .conf extension is the filter name that the jail refers to.
  • password-fail filter:
     # vi /etc/fail2ban/filter.d/password-fail.conf
     [Definition]
     #Looks for failed password logins to SMTP
     failregex = vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     ignoreregex =
  • username-notfound filter:
     # vi /etc/fail2ban/filter.d/username-notfound.conf
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
     failregex = vchkpw-smtp: vpopmail user not found .*:<HOST>
    
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
     ignoreregex =
  • dos-hosts filter:
     # vi /etc/fail2ban/filter.d/dos-hosts.conf
     [Definition]
     failregex = rblsmtpd: <HOST> .*: 451 Blocked
                 CHKUSER rejected relaying: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : client not allowed to relay
                 CHKUSER rejected rcpt: from <.*:> remote <.*:.*:<HOST>> rcpt <.*> : not existing recipient
                 .* rblsmtpd: <HOST>
  • vpopmail filter:
     # vi /etc/fail2ban/filter.d/vpopmail.conf
     # Fail2Ban configuration file
     # Author: Christoph Haas
     # Modified by: Ole Johansen - CDS
     # $Revision: 510 $
    
     [Definition]
     # Option: failregex
     # Notes.: regex to match the password failures messages in the logfile.
     # The host must be matched by a group named "host". The tag "<HOST>" can
     # be used for standard IP/hostname matching and is only an alias for
     # (?:::f{4,6}:)?(?P<host>\S+)
     # Values: TEXT
    
     failregex = vchkpw-pop3: vpopmail user not found .*@.*:<HOST>
    
     # Option: ignoreregex
     # Notes.: regex to ignore. If this regex matches, the line is ignored.
     # Values: TEXT
    
     ignoreregex =
  • squirrelmail filter:
     # vi /etc/fail2ban/filter.d/squirrelmail.conf
     # squirrelmail's Fail2Ban configuration file
     # you must install the squirrel_logger plugin into Squirrelmail
     # to use this filter/jail
    
     [Definition]
     # the failregex value must match the line written in squirrelmail.log
     # the example below is using Italian
     failregex = \[LOGIN_ERROR\].*from <HOST>: Utente sconosciuto o password errata
     ignoreregex =

Configure Jail:
Create the jails by adding or editing these sections in /etc/fail2ban/jail.conf. Each jail names the filter to use, the action taken on a match, the log file to watch, and the thresholds: maxretry failures within findtime seconds trigger a ban that lasts bantime seconds (-1 means permanent).

     # vi /etc/fail2ban/jail.conf 
    
     # password-fail
     [password-fail]
     enabled  = true
     filter   = password-fail
     action   = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath  = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
    
     # username-notfound
     [username-notfound]
     enabled = true
     filter = username-notfound
     action = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath = /var/log/maillog
     maxretry = 3
     bantime  = 86400
     findtime = 3600
    
     # dos-hosts - Hosts insisting on delivering spam
     [dos-hosts]
     enabled = true
     filter = dos-hosts
     action = iptables[name=SMTP, port=smtp, protocol=tcp]
     logpath = /var/log/qmail/smtp/current
     maxretry = 5
     bantime  = 86400
     findtime = 3600
      
     # vpopmail
     [vpopmail]
     enabled = true
     port = pop3
     filter = vpopmail
     action = iptables[name=pop3, port=pop3, protocol=tcp]
              sendmail-whois[name=pop3, dest=y...@email.domain, sender=em...@adr]
     logpath = /var/log/maillog
     maxretry = 3
     bantime = -1
    
     # squirrelmail
     [squirrelmail-iptables]
     enabled  = true
     filter   = squirrelmail
     action   = iptables[name=SquirrelMail, port=http, protocol=tcp]
                sendmail-whois[name=SquirrelMail, dest=root, sender=fail2ban@example.it]
     # adjust logpath with Squirrelmail's squirrel_logger plugin log
     logpath  = /var/log/squirrelmail.log
     maxretry = 5

Test Filter
Test the filter against the log file. The output lists each regular expression and the number of log lines it matched (0 if none):

     # fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/password-fail.conf

     Failregex
     |- Regular expressions:
     |  [1] vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>
     |
     `- Number of matches:
        [1] 123 match(es)
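As an added example (not part of the original post and not fail2ban's own code), the following Python script replays what the filter and the jail do: it expands <HOST> into the alias quoted in the filter comments above, runs the page's three vchkpw failregex patterns over a few constructed maillog lines (TEST-NET addresses, not real traffic), counts matches the way fail2ban-regex reports them, and applies the jail's maxretry/findtime rule to show which hosts would be banned. The timestamp handling and the sliding-window logic are simplifications of what fail2ban does internally.

```python
import re
from datetime import datetime, timedelta

# The page's failregex values; <HOST> is expanded below exactly as the filter
# comments describe it: (?:::f{4,6}:)?(?P<host>\S+)
FILTERS = {
    "password-fail": r"vchkpw-smtp: password fail ([^)]*) [^@]*@[^:]*:<HOST>",
    "username-notfound": r"vchkpw-smtp: vpopmail user not found .*:<HOST>",
    "vpopmail": r"vchkpw-pop3: vpopmail user not found .*@.*:<HOST>",
}
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Constructed sample of /var/log/maillog (not real traffic; TEST-NET-3 addresses).
SAMPLE_MAILLOG = """\
May 28 06:00:00 mail vpopmail[2101]: vchkpw-smtp: password fail (pass: 'a') dave@example.com:203.0.113.7
May 28 08:30:00 mail vpopmail[2102]: vchkpw-smtp: password fail (pass: 'b') dave@example.com:203.0.113.7
May 28 10:00:01 mail vpopmail[2103]: vchkpw-smtp: password fail (pass: 'x') alice@example.com:203.0.113.5
May 28 10:05:10 mail vpopmail[2104]: vchkpw-smtp: password fail (pass: 'y') alice@example.com:203.0.113.5
May 28 10:09:30 mail vpopmail[2105]: vchkpw-smtp: password fail (pass: 'z') alice@example.com:203.0.113.5
May 28 10:10:00 mail vpopmail[2106]: vchkpw-smtp: vpopmail user not found bob@example.com:203.0.113.9
May 28 10:11:00 mail vpopmail[2107]: vchkpw-smtp: vpopmail user not found carol@example.com:203.0.113.9
May 28 10:12:00 mail vpopmail[2108]: vchkpw-smtp: (PLAIN) login success alice@example.com:203.0.113.5
May 28 10:15:00 mail vpopmail[2109]: vchkpw-pop3: vpopmail user not found erin@example.com:203.0.113.11
May 28 11:00:00 mail vpopmail[2110]: vchkpw-smtp: password fail (pass: 'c') dave@example.com:203.0.113.7
"""


def compile_failregex(failregex):
    """Expand the <HOST> tag the way fail2ban does and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_timestamp(line):
    """Syslog lines start with 'Mon DD HH:MM:SS' (15 chars, no year)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def count_matches(log_text, failregex):
    """Same number fail2ban-regex prints as 'N match(es)' for this regex."""
    rx = compile_failregex(failregex)
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def would_ban(log_text, failregex, maxretry, findtime):
    """Hosts that reach maxretry matches inside a findtime-second window."""
    rx = compile_failregex(failregex)
    recent = {}      # host -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        ts = parse_timestamp(line)
        host = m.group("host")
        window = [t for t in recent.get(host, [])
                  if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return sorted(banned)


if __name__ == "__main__":
    # Same thresholds as the password-fail / username-notfound jails above.
    for name, rx in FILTERS.items():
        print(f"{name}: {count_matches(SAMPLE_MAILLOG, rx)} match(es), "
              f"would ban {would_ban(SAMPLE_MAILLOG, rx, 3, 3600)}")
```

Run it against a real maillog by replacing SAMPLE_MAILLOG with the file contents. The host 203.0.113.7 fails three times but spread over hours, so with findtime = 3600 it is never banned; that is the behaviour the findtime setting buys you, and the reason to test a jail's thresholds against your own log before enabling it.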

Reload Config
     # fail2ban-client stop
     # fail2ban-client start

Check Jail Status
     # fail2ban-client status password-fail
     Status for the jail: password-fail
     |- filter
     |  |- File list:        /var/log/maillog
     |  |- Currently failed: 7
     |  `- Total failed:     225
     `- action
        |- Currently banned: 109
        |  `- IP list: 200.207.49.13 84.79.73.123 187.35.209.243 (...) 187.6.106.201 187.63.80.134 187.52.195.234 187.4.200.17
        `- Total banned:     109
Note
Once fail2ban is running and the log contains matching lines, it creates iptables rules dropping traffic from those IPs. But those rules exist only in the running kernel: a fail2ban reload, an iptables restart, a reboot or the weekly logrotate makes them vanish. Bye bye! So what to do?
  • Before making changes, save the existing iptables rules to file:
     # service iptables save
  • After any change, load the saved set of rules again:
     # service iptables restart
  • Tune fail2ban to also write the banned IPs to /etc/fail2ban/ip.deny, so they can be re-applied after the next reload.
Basic admin stuff
  • Check banned IPs:
    • from fail2ban:
        # fail2ban-client status vpopmail
    • from current iptables rules:
        # iptables -L -nv
    • To see IPs that fail2ban is saving for the next reload:
        # cat /etc/fail2ban/ip.deny
  • How to unblock an IP:
    • Delete it from the current iptables rules:
        # iptables -D fail2ban-SMTP -s 11.22.33.44 -j DROP
    • Remove it from /etc/fail2ban/ip.deny (it may be listed several times).
    • Remove it from /etc/sysconfig/iptables (it may be listed several times).


Tuesday, 14 May 2013

Difference between Swapping and Paging in linux

Swapping:
The whole process is moved from the swap device into main memory for execution, so the process size must be less than or equal to the available main memory. Swapping is easier to implement but adds overhead to the system, and swapping systems do not handle memory as flexibly as paging systems.
Let's say you start ten heavyweight processes (for example, five xterms, a couple of netscapes, a sendmail, and a couple of pines) on an old 486 box running Linux with 16MB of RAM. Basically, you *do not have* enough physical RAM to accommodate the text, data, and stack segments of all these processes at once. Since the kernel cannot find enough RAM to fit things in, it makes use of the available virtual memory by a process known as swapping. It selects the least busy process and moves it in its entirety (meaning the program's in-RAM text, stack, and data segments) to disk. As more RAM becomes available, it swaps the process back in from disk into RAM. While this use of the virtual memory system makes it possible for you to continue to use the machine, it comes at a very heavy price. Remember, disks are slower (by a factor of a million) than CPUs, and you can feel this disparity rather severely when the machine is swapping. Swapping is not considered a normal system activity. It is basically a sign that you need to buy more RAM.
In Unix SVR4, the process handling swapping is called sched (in other Unix variants it is sometimes called swapper). It always runs as process 0. When free memory falls so far below minfree that pageout is not able to recover memory by page stealing, sched invokes the syscall sched(). The syscall swapout is then called to free all the memory pages associated with the process chosen to be swapped out. On a later invocation of sched(), the process may be swapped back in from disk if there is enough memory.

Paging:
Only the required memory pages are moved from the swap device into main memory for execution, so the process size does not matter. This is the mechanism behind virtual memory.
When a process starts in Unix, not all its memory pages are read in from the disk at once. Instead, the kernel loads into RAM only a few pages at a time. After the CPU digests these, the next page is requested. If it is not found in RAM, a page fault occurs, signaling the kernel to load the next few pages from disk into RAM. This is called demand paging and is a perfectly normal system activity in Unix. (Just so you know, it is possible for you, as a programmer, to read in entire processes if there is enough memory available to do so.)
The Unix SVR4 daemon which performs the paging-out operation is called pageout. It is a long-running daemon created at boot time, and it cannot be killed. Three kernel variables control the paging operation (Unix SVR4):
  • minfree - the absolute minimum of free RAM needed. If free memory falls below this limit, the memory management system does its best to get back above it, by page stealing from other running processes if practical.
  • desfree - the amount of RAM the kernel wants to have free at all times. If free memory is less than desfree, the pageout syscall is called every clock cycle.
  • lotsfree - the amount of memory necessary before the kernel stops calling pageout. Between desfree and lotsfree, pageout is called 4 times a second.
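The post describes the SVR4 daemons; on Linux the same distinction can be observed from the cumulative counters in /proc/vmstat: pgfault and pgmajfault count page faults (normal demand paging), while pswpin and pswpout count pages moved to and from the swap device (the sign of RAM shortage the post warns about). The script below is an added example, not from the original post; it diffs two snapshots of that file and classifies the activity. The two snapshots embedded in it are constructed sample data, and the window length in the main block is an arbitrary choice.

```python
# Added example: tell normal demand paging from swapping on Linux by diffing
# two snapshots of /proc/vmstat. All four counters are cumulative since boot.

# Constructed snapshots of /proc/vmstat a few seconds apart (sample data,
# not from a real host). Only the lines this example needs are included.
VMSTAT_BEFORE = """\
nr_free_pages 40213
pgfault 1500000
pgmajfault 3000
pswpin 0
pswpout 0
"""
VMSTAT_AFTER = """\
nr_free_pages 512
pgfault 1600000
pgmajfault 9200
pswpin 4100
pswpout 27000
"""

COUNTERS = ("pgfault", "pgmajfault", "pswpin", "pswpout")


def parse_vmstat(text):
    """Turn 'name value' lines into a dict of ints; lines that don't fit are skipped."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            stats[parts[0]] = int(parts[1])
    return stats


def counter_delta(before_text, after_text, keys=COUNTERS):
    """How much each counter grew between the two snapshots."""
    before, after = parse_vmstat(before_text), parse_vmstat(after_text)
    return {k: after.get(k, 0) - before.get(k, 0) for k in keys}


def classify(delta):
    """'swapping' if any page went to/from the swap device, 'paging' if only
    page faults happened, 'idle' if nothing moved."""
    if delta["pswpin"] + delta["pswpout"] > 0:
        return "swapping"
    if delta["pgfault"] + delta["pgmajfault"] > 0:
        return "paging"
    return "idle"


def snapshot(path="/proc/vmstat"):
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    import time
    first = snapshot()
    time.sleep(5)          # arbitrary observation window
    delta = counter_delta(first, snapshot())
    print(delta, "->", classify(delta))
```

A steady stream of pswpout with free memory near zero is the Linux equivalent of the "buy more RAM" situation above; page faults alone, even major ones, are just demand paging doing its job.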

How to change mysql password?


If you have never set a root password for MySQL, the server does not require a password at all for connecting as root. To set up a root password for the first time, use the mysqladmin command at the shell prompt as follows:

$ mysqladmin -u root password 'newpassword'

To change an existing root password, use the following command. Note that there is no space between -p and the old password; with a space, mysqladmin would prompt for the password and treat 'oldpassword' as a command:

$ mysqladmin -u root -p'oldpassword' password 'newpassword'

Passing a password on the command line exposes it to other users through the process list and your shell history, so you may prefer to give -p without a value and type the old password at the prompt.

MySQL stores usernames and passwords in the user table inside the MySQL database. You can directly update a password using the following method to update or change passwords:

1) Login to the MySQL server, type the following command at the shell prompt:
$ mysql -u root -p

2) Use the mysql database (type commands at the mysql> prompt):
mysql> use mysql;

3) Change password for a user:

mysql> update user set password=PASSWORD('newpassword') where User='root';
mysql> flush privileges;
mysql> quit


Recover MySQL root password

You can recover a MySQL database server password with the following five easy steps:

Step # 1 : Stop the MySQL service:

# /etc/init.d/mysqld stop

Step # 2: Start the MySQL server without password checking:

# mysqld_safe --skip-grant-tables &

While the server runs this way, anyone who can connect to it is accepted without a password, so keep this window short (adding --skip-networking limits it to local socket connections).

Step # 3: Connect to the MySQL server using the MySQL client:

# mysql -u root
Output:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.15-Debian_1-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>

Step # 4: Set a new MySQL root user password:

mysql> use mysql;
mysql> update user set password=PASSWORD('NEW-ROOT-PASSWORD') where User='root';
mysql> flush privileges;
mysql> quit

Step # 5: Stop the MySQL server:

# /etc/init.d/mysqld stop

Start the MySQL server and test it:

# /etc/init.d/mysqld start
# mysql -u root -p

Adding Swap File under Linux


If you are adding more memory to your dedicated server, you will need to add more swap space. You have two choices: add or enlarge a swap partition, or create a swap file. Because resizing or creating a swap partition is not easy, the simplest solution is to create a new swap file. Since the 2.6 Linux kernel, swap files are just as fast as swap partitions.

RECOMMENDED SIZE OF LINUX SWAP.

The recommended swap file size on a Linux system is as follows:
  • 1 GB RAM -> 2 GB of swap file
  • 2 GB RAM -> 4 GB of swap file
  • 4 GB RAM -> 8 GB of swap file
  • 8 GB RAM -> 12 GB of swap file
  • 16 GB RAM -> 24 GB of swap file
  • 32 GB RAM -> 32 GB of swap file

Create a swap file

To create a swap file, use the dd command to create a file of the required size. Next, use the mkswap command to set up a Linux swap area on a device or in a file.

1) Log in as the root user.

2) Decide the size of the new swap file in megabytes and multiply by 1024 to get the number of 1024-byte blocks dd must write. For example, a 1 GB swap file is 1024 MB, and 1024 * 1024 = 1048576 blocks. Type the following commands to create a 1 GB swap file:
# touch /swapfile
# dd if=/dev/zero of=/swapfile bs=1024 count=1048576
Note: "swapfile" is the name of your swap file; you can choose any name you like. Make sure the file is readable only by root (chmod 600 /swapfile): swap space can hold memory contents such as passwords and keys, and mkswap warns about insecure permissions.

3) Setup the swap file with the command: mkswap. Type following command to setup your swap file:
# mkswap /swapfile

4) To enable the swap file immediately (this alone does not make it active at boot time), type:
# swapon /swapfile

5) To enable the new swap file automatically at the boot, you need to edit the file /etc/fstab and add the following line.
/swapfile swap swap defaults 0 0
The swap file will then be enabled each time the system boots.

6) Verify that the swap file is in use with either of these commands:
# cat /proc/swaps
or
# free
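As an added example (not from the original post), the script below turns step 6 into a check that can run from a script or a monitoring job: it computes the dd block count from step 2, parses the text of /proc/swaps to confirm the swap file is active and how large it is (sizes are in KB; the first page is taken by the mkswap header, so a 1 GB file shows as 1048572), and checks that /etc/fstab carries the entry from step 5. The /proc/swaps and fstab contents embedded in it are constructed sample data; the main block reads the real files.

```python
# Added example: verify a swap file is active now and will be at boot.

# Constructed sample contents (not from a real host).
PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/swapfile                               file\t\t1048572\t0\t-2
"""
FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1       /             ext4   defaults  1 1
/swapfile       swap          swap   defaults  0 0
"""


def dd_count(size_mb, bs=1024):
    """Number of bs-byte blocks dd must write for a swap file of size_mb megabytes."""
    return size_mb * 1024 * 1024 // bs


def parse_proc_swaps(text):
    """One dict per active swap area; the first line of /proc/swaps is a header."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            entries.append({"filename": parts[0], "type": parts[1],
                            "size_kb": int(parts[2]), "used_kb": int(parts[3]),
                            "priority": int(parts[4])})
    return entries


def fstab_has_swap(text, path):
    """True if a non-comment fstab line mounts `path` with type swap."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#") \
                and parts[0] == path and parts[2] == "swap":
            return True
    return False


def swap_file_status(proc_swaps_text, fstab_text, path="/swapfile"):
    """Combine both checks for one swap file."""
    active = [e for e in parse_proc_swaps(proc_swaps_text) if e["filename"] == path]
    return {
        "active": bool(active),
        "size_kb": active[0]["size_kb"] if active else 0,
        "in_fstab": fstab_has_swap(fstab_text, path),
    }


if __name__ == "__main__":
    with open("/proc/swaps") as swaps, open("/etc/fstab") as fstab:
        print(swap_file_status(swaps.read(), fstab.read()))
```

A file that is active but not in fstab is the typical result of stopping after step 4; it works until the next reboot and then silently disappears.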