Linux Tomorrow

Easy essay with Standoutessay.com

2008-09-28T11:37:00.001-07:00

Sometimes converting your ideas to paper can be really hard, ideas is very important but you will never get excellent essay if you not doing any deep research on it and beside that you need good writing instinct to make your essay more interesting to read, what the point you have great essay if there is no one read. So the point is if you have more time or you are experience writer you can make good essay, but if you not have two things above, just try professional custom writing.

Why must use professional custom writing? Off course for better result, you don’t want to get bad grade on essay don’t you ? They have better experience on writing and would be doing research for essay or paper to get better result. Manny custom writing company this day but there is some company that has good reputation and one of them Is standoutessay.com, you can order essay online at this website. Why I like this company more than other is because they can make their essay writing similar like yours, not too over quality, but a bit better. They also give essay editing service, if you have writing essay and feel it need more improvement you can use their services.

Their custom writing also free essay plagiarism 100%, this mean you don’t need to worry there is any copy of your essay in the world, except you and off course standoutessay.com. Well what are you waiting for ? Just bring your ideas to standoutessay.com and get your excellent essay.

Custom-essay.org make your essay easier

2008-09-27T10:33:00.000-07:00

Writing essay always difficult task, even for professional, you need to doing some research before you can write good and excellent essay and that can wasting your time especially when your time is limited and there is another top priority task or activity you need to finish and also if your essay is term paper, its little difficult to finish, you need to know the topic very well and it’s also usually has short deadline. So you need some professional essay writing, yup you need hire a professional essay writer to make excellent essay. Well if you try to find the best one, I recommend you custom-essay.org

Custom-essay.org is one of many places where you can buy an essay online, but what make them different from another company? Because they begin their custom essay writing from school until universities, so they has many experience as custom essay writers, you don’t need to worry about the quality of their essay.

Their job is excellent you don’t need to worry that you would find another copy of your essay out there except you give them because they don’t resold your essay and your essay are original because they has zero tolerance policy for plagiarized paper and you can check by yourself. So if you want the best place to buy essays just visiting Custom-essay.org for the first step and find how excellent their work .

Zenni Optical Review

2008-07-25T02:09:00.000-07:00

If you’re looking for new stylish glasses not like common old glasses , maybe bit difficult. Because not many shop even online shop that sell that kind of glasses. If you search trough internet you will find the resuly but to find the best and suite to your taste, you must to surf their website one by one until you find one. Well, if you want the fastest way just visit zennioptical.com.

Zennioptical.com offers many and great design of glasses like Incredible Stylish New Frames From Zenni. The price at zennioptical also competitive like this one, Zenni Optical $ 8 Rx Eyeglasses, how do you think ? Zenni Optical was on FOX news! This prove that zenni optical is famous and well known among glasses shop around the world

Quick Payday Loans

2008-07-16T04:59:00.000-07:00

One day my brother Joe called to me and said that he needs some time to talk to me in private. So I tell him to come over and tell me what’s wrong. So after he arrived he said that he needs my help and asked me to lend him some money to pay his car fines from impound. He barely has any cash at all till the end of the month, and he needs his car for his daily job. He promised me that he would pay me back first thing after he received his paycheck next month. I soon see his problem, but not that don’t want to help my brother Joe, but right now I’m in some short of myself so I can’t help him by my own hand.

But however, I might be able to help him in other way. I tell him about cash advanced and payday loans. Cash advance or payday loans is a short terms loans backed by your paycheck. It’s so easy to get it. No faxes and no hassles. It usually only requires that you’re 18 years of age, have a regular source of income, receive at least $1000/month, and have direct deposit in your bank account. They money will be transferred right in your checking or saving bank accounts once you’re approved. It’s so easy to get a quick quick payday loans. So after he hears my explanation he rushed back to his house to apply his first payday loans.

Insurance Portal Online

2008-07-16T04:50:00.003-07:00

To find any insurance policies that can cover you is not so difficult to find. Today’s there are so many insurance offers comes right in our front doors or mails. You should never find any difficulties to find insurance policies, whether it’s life insurance, auto insurance, education insurance, even disability insurance. You can find it anywhere. And along came the internet era there goes also the insurance industry. Many of the insurance providers are aware by the power of this new media and take advantage on it. You can find so many insurance policies offers online almost everyday.

But perhaps finding any insurance policies is not an issue anymore, since you can easily finds it anywhere, but the essential issues right now maybe, among so many offers that comes to our mails everyday, how can we find the right insurance policies that suits us the best? With so many different offers and different terms that come to our mail, sometimes we find it difficult for us to decide which one that would suit us the best. But I would like to recommend you with a great insurance online portal that can help you decide which insurance policies that suit you the best, if you should ever need one. You get your free quote in any insurance types that you would like to know for free. With their help, I hope; that you shouldn’t find any difficulties in finding one.

Farsi Translation Online

2008-07-05T05:35:00.000-07:00

You want to Farsi translation ? Farsi language is pretty complex language, if you try to find people to translate that will be difficult, even if you try to find it trough internet, there is not many translation online for the language, the other reason is about the grammar and vocabulary, pronounce and letters, even if you studied this language it's will be difficult.

Now if you find direct to search engine you may found people who offers for this service, but how about their work, how good their translation ? There is one company you can trusted, my friend use to doing Hindi translation, and the result is amazing they give their best, the best India translation my friend ever get he said that, even Hindi is one of difficult language in the world, they can made it perfectly, and also they offers a Farsi translation the best one at translation business online in the world, just go to iaflindia.com beside that language above they also the best one in Arabic translation. So what you waiting for just go to their website and give them your article that want to translate to Farsi language. They will respond you very quick and also they give it without quote, this is may be the best offers you can get on the net.

Upgrade Your Desktop From Mandriva One 2008.0 To Mandriva One 2008.1 (Spring)

2008-05-02T00:55:00.001-07:00

Author : Author: Oliver Meyer

This document describes how to upgrade your desktop from Mandriva One 2008.0 to Mandriva One 2008.1 via online upgrade.

This howto is a practical guide without any warranty - it doesn't cover the theoretical backgrounds. There are many ways to set up such a system - this is the way I chose.

1 Preparation

Install the latest updates on the 2008.0 system to prevent problems related to the upgrade that we'll accomplish in a few moments. Please note, that the Mandriva One 2008.1 Spring install/live media has no upgrade mechanism - so we have to run an online upgrade which is not riskless. You should back up all important data before you proceed. Please close all running applications, open a terminal and switch to the root account.

su -
%root_password%

2 Old Repositories

First delete all existing repositories.

urpmi.removemedia -a

3 New Repositories

Now we add the repositories for the 2008.1 system.

urpmi.addmedia --distrib ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official/2008.1/i586
urpmi.addmedia --distrib ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/plf/mandriva/cfg/2008.1/i586

4 Upgrade

Next we start the upgrade process.

urpmi --auto-update -v

At the beginning there'll be only a few packages upgraded (urpmi, rpm...) - later, when the needed upgrades for the rest of the upgrade have been installed, the system will upgrade about 1220 packages. During the upgrade you'll be asked a few questions, for example which icon set you want to use for OpenOffice or which Java version you want to use - choose your preferred settings/packages and proceed. The upgrade will take a while - so be patient. Sometimes it can happen that the upgrade process stops (while downloading packages) - simply abort it via "CTRL+C" ("STRG+C" for german users) and start it again (urpmi --auto-update -v), it'll resume where it stopped before. When the upgrade is finished reboot into your new 2008.1 system.

Please note that the grub entry still says "2008.0" - edit it if you want.

5 Links

Mandriva: http://www.mandriva.com/

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 06

2008-05-01T12:37:00.000-07:00

Author : Rocky

10 Install and Configure SPF

The postfix-policyd-spf-perl package depends on the Mail::SPF and the NetAddr::IP Perl modules.

We need to download postfix-policyd-spf-perl from http://www.openspf.org/Software to the /usr/src/ directory and install it to the /usr/lib/postfix/ directory like this:

cd /usr/src
wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.005.tar.gz
tar xvfz postfix-policyd-spf-perl-2.005.tar.gz
cd postfix-policyd-spf-perl-2.005
cp postfix-policyd-spf-perl /usr/lib/postfix/policyd-spf-perl

Then we edit /etc/postfix/master.cf and add the following stanza at the end:

vi /etc/postfix/master.cf

policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

(The leading spaces before user=nobody are important so that Postfix knows that this line belongs to the previous one!)

Then open /etc/postfix/main.cf and search for the smtpd_recipient_restrictions directive. You should have reject_unauth_destination in that directive, and right after reject_unauth_destination you add check_policy_service unix:private/policy like this:

vi /etc/postfix/main.cf

[...]
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service unix:private/policy
[...]

or like this:

[...]
smtpd_recipient_restrictions =
[...]
reject_unauth_destination
check_policy_service unix:private/policy
[...]

It is important that you specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay!

Then restart Postfix:

/etc/init.d/postfix restart

That's it already.

11 Install and Configure FuzzyOcr

apt-get install netpbm gifsicle libungif-bin gocr ocrad libstring-approx-perl libmldbm-sync-perl imagemagick tesseract-ocr

Download and install the latest FuzzyOCR devel version from http://fuzzyocr.own-hero.net/wiki/Downloads:

cd /usr/src/
wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-3.5.1-devel.tar.gz

Unpack FuzzyOCR and move all FuzzyOcr* files and the FuzzyOcr directory (they are all in the FuzzyOcr-3.5.1/ directory) to /etc/mail/spamassassin:

tar xvfz fuzzyocr-3.5.1-devel.tar.gz
cd FuzzyOcr-3.5.1/
mv FuzzyOcr* /etc/mail/spamassassin/
wget http://www.gbnetwork.co.uk/mailscanner/FuzzyOcr.words -O /etc/mail/spamassassin/FuzzyOcr.words

We will be storing the image hashes in a mysql database to improve on performance such that images that we have already scanned do not get scanned again as OCR is a resource intense activity.

11.1 Create MySQL Database

The sql script creates the database and tables and adds a user fuzzyocr with the password fuzzyocr:

mysql -p < /etc/mail/spamassassin/FuzzyOcr.mysql

Change the password:

mysqladmin -u fuzzyocr -p fuzzyocr newpassword

11.2 MailWatch Fix

Do the following to prevent an error in MailWatch:

vi /etc/mail/spamassassin/FuzzyOcr.pm

Change 'use POSIX;' to 'use POSIX qw(SIGTERM);'

11.3 FuzzyOcr Configuration

FuzzyOCR's configuration file is /etc/mail/spamassassin/FuzzyOcr.cf. In that file almost everything is commented out. We open that file now and make some modifications:

vi /etc/mail/spamassassin/FuzzyOcr.cf

Put the following line into it to define the location of FuzzyOCR's spam words file:

focr_global_wordlist /etc/mail/spamassassin/FuzzyOcr.words

/etc/mail/spamassassin/FuzzyOcr.words is a predefined word list that comes with FuzzyOCR. You can adjust it to your needs.

Next change:

# Include additional scanner/preprocessor commands here:
#
focr_bin_helper pnmnorm, pnminvert, pamthreshold, ppmtopgm, pamtopnm
focr_bin_helper tesseract

# Include additional scanner/preprocessor commands here:
#
focr_bin_helper pnmnorm, pnminvert, convert, ppmtopgm, tesseract

Finally add/enable the following lines:

# Search path for locating helper applications
focr_path_bin /usr/local/netpbm/bin:/usr/local/bin:/usr/bin

focr_preprocessor_file /etc/mail/spamassassin/FuzzyOcr.preps
focr_scanset_file /etc/mail/spamassassin/FuzzyOcr.scansets

focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db
focr_minimal_scanset 1
focr_autosort_scanset 1
focr_enable_image_hashing 3
focr_logfile /var/log/FuzzyOcr.log

#Mysql Connection#
focr_mysql_db FuzzyOcr
focr_mysql_hash Hash
focr_mysql_safe Safe
focr_mysql_user fuzzyocr
focr_mysql_pass password
focr_mysql_host localhost
focr_mysql_port 3306
focr_mysql_socket /var/run/mysqld/mysqld.sock

This is what the FuzzyOCR developers say about image hashing:

"The Image hashing database feature allows the plugin to store a vector of image features to a database, so it knows this image when it arrives a second time (and therefore does not need to scan it again). The special thing about this function is that it also recognizes the image again if it was changed slightly (which is done by spammers). "

11.4 Test FuzzyOCR

cd /usr/src/FuzzyOcr-3.5.1/samples
spamassassin --debug FuzzyOcr <> /dev/null

You see the following:

[14808] info: FuzzyOcr: Found Score <9.000> for Exact Image Hash
[14808] info: FuzzyOcr: Matched [1] time(s). Prev match: 16 sec. ago
[14808] info: FuzzyOcr: Message is SPAM. Words found:
[14808] info: FuzzyOcr: "price" in 1 lines
[14808] info: FuzzyOcr: "company" in 1 lines
[14808] info: FuzzyOcr: "alert" in 1 lines
[14808] info: FuzzyOcr: "news" in 1 lines
[14808] info: FuzzyOcr: (6 word occurrences found)
[14808] dbg: FuzzyOcr: Remove DIR: /tmp/.spamassassin14808JZSvHBtmp
[14808] dbg: FuzzyOcr: Processed in 0.104555 sec.

12 Apply Relay Recipients

The following directions are meant for people using Microsoft Exchange 2000 or Microsoft Exchange 2003.

This page describes how to configure your mail gateway to periodically get a list of valid recipient email addresses from your Exchange system. By doing this, you can configure your server to automatically reject any email addressed to invalid addresses. This will reduce the load on your exchange server, since it no longer has to process non-delivery reports, and it will reduce the load on your postfix server since it won't have to perform spam and virus scanning on the message.

12.1 Install Dependencies

Install the perl module Net::LDAP:

perl -MCPAN -e shell
install Net::LDAP

12.2 Create the Get Email Address Script

Create and edit the script:

vi /usr/bin/getadsmtp.pl

Copy and paste the code below into this new file.

#!/usr/bin/perl -T -w

# This script will pull all users' SMTP addresses from your Active Directory
# (including primary and secondary email addresses) and list them in the
# format "user@example.com OK" which Postfix uses with relay_recipient_maps.
# Be sure to double-check the path to perl above.

# This requires Net::LDAP to be installed.  To install Net::LDAP, at a shell
# type "perl -MCPAN -e shell" and then "install Net::LDAP"

use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant ( "LDAP_CONTROL_PAGED" );

# Enter the path/file for the output
$VALID = "/etc/postfix/relay_recipients";
open VALID, ">$VALID" or die "CANNOT OPEN $VALID $!";

# Enter the FQDN of your Active Directory domain controllers below
$dc1="domaincontroller1.example.com";
$dc2="domaincontroller2.example.com";

# Enter the LDAP container for your userbase.
# The syntax is CN=Users,dc=example,dc=com
# This can be found by installing the Windows 2000 Support Tools
# then running ADSI Edit.
# In ADSI Edit, expand the "Domain NC [domaincontroller1.example.com]" &
# you will see, for example, DC=example,DC=com (this is your base).
# The Users Container will be specified in the right pane as
# CN=Users depending on your schema (this is your container).
# You can double-check this by clicking "Properties" of your user
# folder in ADSI Edit and examining the "Path" value, such as:
# LDAP://domaincontroller1.example.com/CN=Users,DC=example,DC=com
# which would be $hqbase="cn=Users,dc=example,dc=com"
# Note:  You can also use just $hqbase="dc=example,dc=com"
$hqbase="cn=Users,dc=example,dc=com";

# Enter the username & password for a valid user in your Active Directory
# with username in the form cn=username,cn=Users,dc=example,dc=com
# Make sure the user's password does not expire.  Note that this user
# does not require any special privileges.
# You can double-check this by clicking "Properties" of your user in
# ADSI Edit and examining the "Path" value, such as:
# LDAP://domaincontroller1.example.com/CN=user,CN=Users,DC=example,DC=com
# which would be $user="cn=user,cn=Users,dc=example,dc=com"
# Note: You can also use the UPN login: "user\@example.com"
$user="cn=user,cn=Users,dc=example,dc=com";
$passwd="password";

# Connecting to Active Directory domain controllers
$noldapserver=0;
$ldap = Net::LDAP->new($dc1) or
$noldapserver=1;
if ($noldapserver == 1)  {
$ldap = Net::LDAP->new($dc2) or
   die "Error connecting to specified domain controllers $@ \n";
}

$mesg = $ldap->bind ( dn => $user,
                   password =>$passwd);
if ( $mesg->code()) {
 die ("error:", $mesg->error_text((),"\n"));
}

# How many LDAP query results to grab for each paged round
# Set to under 1000 for Active Directory
$page = Net::LDAP::Control::Paged->new( size => 990 );

@args = ( base     => $hqbase,
# Play around with this to grab objects such as Contacts, Public Folders, etc.
# A minimal filter for just users with email would be:
# filter => "(&(sAMAccountName=*)(mail=*))"
      filter => "(& (mailnickname=*) (| (&(objectCategory=person)
                 (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                 (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                 (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                 (objectCategory=group)(objectCategory=publicFolder) ))",
       control  => [ $page ],
       attrs  => "proxyAddresses",
);

my $cookie;
while(1) {
# Perform search
my $mesg = $ldap->search( @args );

# Filtering results for proxyAddresses attributes
foreach my $entry ( $mesg->entries ) {
 my $name = $entry->get_value( "cn" );
 # LDAP Attributes are multi-valued, so we have to print each one.
 foreach my $mail ( $entry->get_value( "proxyAddresses" ) ) {
  # Test if the Line starts with one of the following lines:
  # proxyAddresses: [smtp|SMTP]:
  # and also discard this starting string, so that $mail is only the
  # address without any other characters...
  if ( $mail =~ s/^(smtp|SMTP)://gs ) {
    print VALID $mail." OK\n";
  }
 }
}

# Only continue on LDAP_SUCCESS
$mesg->code and last;

# Get cookie from paged control
my($resp)  = $mesg->control( LDAP_CONTROL_PAGED ) or last;
$cookie    = $resp->cookie or last;

# Set cookie in paged control
$page->cookie($cookie);
}

if ($cookie) {
# We had an abnormal exit, so let the server know we do not want any more
$page->cookie($cookie);
$page->size(0);
$ldap->search( @args );
# Also would be a good idea to die unhappily and inform OP at this point
  die("LDAP query unsuccessful");
}
# Add additional restrictions, users, etc. to the output file below.
#print VALID "user\@domain1.com OK\n";
#print VALID "user\@domain2.com 550 User unknown.\n";
#print VALID "domain3.com 550 User does not exist.\n";

close VALID;

Next set the permissions on the file to allow it to be executed:

chmod 500 /usr/bin/getadsmtp.pl

Edit the file to customize it for your specific domain. Since the file is read only, you will need to use :w! to save the file in vi.

1. Set $dc1 and $dc2 to the fully qualified domain names or IP addresses of 2 of your domain controllers.

2. Set $hqbase equal to the LDAP path to the container or organizational unit which holds the email accounts for which you wish to get the email addresses.

3. Set $user and $passwd to indicate which user account should be used to access this information. This account only needs to be a member of the domain, so it would be a good idea to setup an account specifically for this.

12.3 Run the Script

Try running the script. If it works correctly, it will create /etc/postfix/relay_recipients Note that if your postfix server is separated from your active directory controllers by a firewall, you will need to open TCP port 389 from the postfix server to the ADCs. At this point, you can update your /etc/postfix/main.cf to relay_recipient_maps. You will also have to postmap the file to create the database.

getadsmtp.pl

At this point, you may want to edit /etc/postfix/relay_recipients and edit out any unwanted email addresses as this script imports everything.

12.4 Create the Table

postmap /etc/postfix/relay_recipients

Finally, you may want to set up a cron job to periodically update and build the /etc/postfix/relay_recipients.db file. You can set up a script called /usr/bin/update-relay-recipients.sh: (Optional)

vi /usr/bin/update-relay-recipients.sh

#!/bin/sh

/usr/bin/getadsmtp.pl
cd /etc/postfix
postmap relay_recipients

Don't forget to make sure the following is in your /etc/postfix/main.cf file:

relay_recipient_maps = hash:/etc/postfix/relay_recipients

Run crontab to add this script to the scheduled jobs:

crontab -e

Now add the following lines to the bottom of the file. Note that this cron job will run every day at 2:30 AM to update the database file. You may want to run yours more frequently or not depending on how often you add new email users to your system.

# syncronize relay_recipients with Active Directory addresses
30 2 * * * /usr/bin/update-relay-recipients.sh

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 01
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 03
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 04

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 05

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 07

2008-05-01T00:48:00.002-07:00

13 Filtering PDF, XLS and Phishing Spam with ClamAV (Sanesecurity Signatures)

There is currently a lot of spam where the spam "information" is attached as .pdf or .xls files, sometimes also hidden inside a .zip file. While these spam mails are not easy to catch with e.g. SpamAssassin or a Bayes filter, the ClamAV virus scanner can catch them easily when it is fed with the correct signatures as ClamAV is built to scan mail attachments.

13.1 Create a Folder and Download the Script

Create a folder for sanesecurity and download and give the script the proper permission.

apt-get install curl

mkdir /usr/src/sanesecurity
cd /usr/src/sanesecurity
wget http://www.sanesecurity.co.uk/clamav/ss-msrbl.txt
mv ss-msrbl.txt /usr/bin/ss_update.sh
chmod +x /usr/bin/ss_update.sh

Edit ss_update.sh and change the following variables to match your installation:

clam_sigs="/var/lib/clamav"

The variable clamav_sigs contains the path to the directory where your ClamAV signatures are stored.

clam_user="clamav"

Now we run the update script to check if the download works:

./ss_update.sh

The result should look similar to this:

=================================
SaneSecurity SCAM Database Update
=================================
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 116k 100 116k 0 0 65448 0 0:00:01 0:00:01 --:--:-- 139k

==================================
SaneSecurity PHISH Database Update
==================================
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 179k 100 179k 0 0 216k 0 --:--:-- --:--:-- --:--:-- 216k

==========================
MSRBL SPAM Database Update
==========================
Number of files: 1
Number of files transferred: 1
Total file size: 228436 bytes
Total transferred file size: 228436 bytes
Literal data: 228436 bytes
Matched data: 0 bytes
File list size: 33
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 101
Total bytes received: 228579
sent 101 bytes received 228579 bytes 26903.53 bytes/sec
total size is 228436 speedup is 1.00

===========================
MSRBL IMAGE Database Update
===========================
Number of files: 1
Number of files transferred: 1
Total file size: 550503 bytes
Total transferred file size: 550503 bytes
Literal data: 550503 bytes
Matched data: 0 bytes
File list size: 35
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 103
Total bytes received: 550688
sent 103 bytes received 550688 bytes 157368.86 bytes/sec
total size is 550503 speedup is 1.00

Now we a add the script to the root crontab to be run once a day:

crontab -e

Add the following line at the end of the root crontab:

00 04 * * * /usr/bin/ss_update.sh &> /dev/null

14 GreyListing with Postfix-gld

14.1 Installing Postfix-gld

apt-get install postfix-gld

cd /usr/src
wget http://www.gasmi.net/down/gld-1.7.tgz
tar xvfx gld-1.7.tgz
cd gld-1.7

Create MySQL Database:

mysql –u root –p

mysql> create database gld_db
mysql> GRANT ALL ON gld_db.* TO gld_user@localhost IDENTIFIED BY ‘gld_password’;
mysql> flush privileges;

Import tables.mysql:

mysql –u gld_user –p gld_db < /path/to/tables.mysql

Import table-whitelist.sql:

mysql –u gld_user –p gld_db < /path/to/table-whitelist.sql

You will have to enable it by configuring that in the /etc/default/gld:

vi /etc/default/gld

#/etc/default/gld
ENABLED=1

14.2 Configuration

Edit /etc/gld.conf according to your needs. I'm using the following settings:

vi /etc/gld.conf

# Config file for gld
# TCP Port gld should listen to (default is 2525)
#
PORT=2525
# Shall we bind only to loopback ? (0=No,1=Yes) (default is 1)
LOOPBACKONLY=1
# The list of networks allowed to connect to us (default is everybody)
CLIENTS=127.0.0.1/32
# The user used to run gld (default value is no user change)
USER=postfix-gld
# The group used to run gld (default value is no group change)
GROUP=postfix-gld
# Maximum simultaneous connexions (default is 100)
MAXCON=100
# How many seconds we should wait before accepting a mail that is in greylist (default is 60)
MINTIME=60
# Shall we use lightgrey option ? (0=No,1=Yes) (default is 0)
# The lightgrey option, mask the last octet of IP addresses
# and thus we greylist only C classes (/24) instead of individual IPs.
LIGHTGREY=0
# Shall we use the mxgrey algorithm ? (0=No,>0=Yes) (default is 0)
# the mxgrey algorithm is a variation of the greylist algorithm.
# When this is enabled, we allow all incoming mails from an IP address
# whatever source/destination email as long as this IP has been greylisted
# at least X time and succeded the mail resend .
#
# Example:
# The IP 1.2.3.4 sends an email from src@domain.com to user@yourdomain.com
# We greylist this mail as this IP is not yet in database and send a 450 SMTP code
# After some time, the IP re-send the mail from src@domain.com to user@yourdomain.com
# We update the db.
# Some time after the ip 1.2.3.4 sends an email from john@domain.com to fred@yourdomain.com
# We will accept this mail without any greylisting, as this ip already succeded a greylist test
# and thus seems to be a valid smtp server and not a spammer .
#
# The advantage of this method, is that it reduce the re-send time due to greylisting to
# x mail per server instead of one mail per destination .
#
# The value you provide in MXGREY is the minimum number of succesful greylists
# before accepting all mails from this MX. higher the number is, harder is to get in.
#
# This algortihm replace the old LIGHTGREYDOMAIN which was available prior version 1.6
#
MXGREY=1
# Shall we use the whitelist table ?  (0=No,1=Yes) (default is 1)
# If set to yes, then the table 'whitelist' is looked up
# each time postfix request the server
# if the email/domain/ip is in the whitelist, then the response
# will be 'dunno' .
# In the whitelist table, you can set the following values:
# an email: ie john@foo.tld
# a domain: ie @bar.tld
# an IP   : ie 1.2.3.4
# a subnet: ie 1.2.3
#
WHITELIST=1
# Shall we use a DNS based whitelist ? (default is no)
# To activate it, the line must be uncommented
# and the value set to the domain of the DNS whitelist.
# for example, if DNSWL is set to toto.com and we get a mail from ip a.b.c.d
# then gld will DNS lookup d.c.b.a.toto.com
# and if found allow the ip without greylisting it.
#DNSWL=toto.com
# Shall we send a 'dunno' in case of error (mysql down,....) (0=No,1=Yes) (default is 1)
# Normaly, if an error occur, the server is supposed to close the connection
# and thus postfix will return a 450 Server configuration error
# if this parameter is set to 1, then the server will return 'dunno'
# and thus let postfix decide the fate of the mail.
ERRACCEPT=1
# Shall we log to the syslog (0=No,1=Yes) (default is 1)
SYSLOG=1
# If we use syslog, which facility shall we use (default is mail)
# it can only be one of the following facilities:
# daemon mail local0 local1 local2 local3 local4 local5 local6 local7
FACILITY=mail
# The Message that we display in case of reject (default is "Greylisted")
# If you want another SMTP return code than the default 450, just put it at
# the beginning of the message, ie: 451 You have been greylisted by gld ...
# If you don't provide any SMTP code, the default 450 will be used by postfix
# WARNING: if you set a custom smtp code make sure it's a 4XX code.
# if you don't provide a 4XX code, gld will ignore it and send the default 450.
# Be also warned that if you set a custom code, gld will not use defer_if_permit anymore
# but direct supplied code to postfix .
MESSAGE=Service temporarily unavailable, please try later
# Training mode activated ? (0=No,1=Yes) (default is 0)
# If activated, gld will do all the work but will always reply dunno to postfix
# and thus, will never greylist any mail.
# This feature is useful for testing gld performances without greylisting any mail
TRAINING=0
# SQL INFOS (defaults are localhost,myuser,mypasswd,mydb)
#
SQLHOST=localhost
SQLUSER=gld_user
SQLPASSWD=gld_password
SQLDB-gld_db

Edit /etc/postfix/main.cf and add the following to smtpd_recipient_restrictions:

vi /etc/postfix/main.cf

check_policy_service inet:127.0.0.1:2525

Do a

tail –f /var/log/mail.log

and check your log for the following:

Apr 28 09:07:03 server1 gld: Greylist activated for recipient= sender= ip=

You can set up a cron job to keep your database clean. Below is the gld command usage.

Usage: gld [-c n|-C n|-k n|-K n|-h|-v]
gld -c n : clean the database for ALL entries not updated since n days
gld -C n : show what the -c option would do, without doing it
gld -k n : clean the database for entries not updated since n days with only one hit
gld -K n : show what the -k option would do, without doing it
gld -i : show some database informations
gld -d : enable debug mode
gld -v : display version
gld -h : display Usage

15 Logwatch Statistical Reporting (Optional)

Logwatch is a customizable log analysis system. Logwatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require.

We will be using Logwatch to give us daily reports for mailscanner. This is a way for us to see how effective mailscanner really is.

Install Logwatch:

apt-get install logwatch

Edit the /usr/share/logwatch/default.conf/logwatch.conf and set the options:

vi /usr/share/logwatch/default.conf/logwatch

Mail To = youremailaddress
Service = mailscanner

Test Logwatch:

logwatch

It should generate a log file and email it to the email you specified.

16 Automatically Add A Disclaimer To Outgoing Emails With alterMIME (Optional)

This tutorial shows how to install and use alterMIME. alterMIME is a tool that can automatically add a disclaimer to emails. In this article I will explain how to install it as a Postfix filter on Ubuntu.

16.1 Installing alterMIME

alterMIME can be installed as follows:

apt-get install altermime

Next we create the user filter with the home directory /var/spool/filter filter - alterMIME will be run as that user:

useradd -r -c "Postfix Filters" -d /var/spool/filter filter
mkdir /var/spool/filter
chown filter:filter /var/spool/filter
chmod 750 /var/spool/filter

Afterwards we create the script /etc/postfix/disclaimer which executes alterMIME. Ubuntu's alterMIME package comes with a sample script that we can simply copy to /etc/postfix/disclaimer:

cp /usr/share/doc/altermime/examples/postfix_filter.sh /etc/postfix/disclaimer
chgrp filter /etc/postfix/disclaimer
chmod 750 /etc/postfix/disclaimer

Now the problem with this script is that it doesn't distinguish between incoming and outgoing emails - it simply adds a disclaimer to all mails. Typically you want disclaimers only for outgoing emails, and even then not for all sender addresses. Therefore I've modified the /etc/postfix/disclaimer script a little bit - we'll come to that in a minute.

Right now, we create the file /etc/postfix/disclaimer_addresses which holds all sender email addresses (one per line) for which alterMIME should add a disclaimer:

vi /etc/postfix/disclaimer_addresses

user1@example.com
user2@example.org
user3@example.net

Now we open /etc/postfix/disclaimer and modify it as follows (I have marked the parts that I've changed):

vi /etc/postfix/disclaimer

#!/bin/sh
# Localize these.
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail

####### Changed From Original Script #######
DISCLAIMER_ADDRESSES=/etc/postfix/disclaimer_addresses
####### Changed From Original Script END #######

# Exit codes from 
EX_TEMPFAIL=75
EX_UNAVAILABLE=69

# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15

# Start processing.
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit
$EX_TEMPFAIL; }

cat >in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }

####### Changed From Original Script #######
# obtain From address
from_address=`grep -m 1 "From:" in.$$ | cut -d "<" -f 2 | cut -d ">" -f 1`

if [ `grep -wi ^${from_address}$ ${DISCLAIMER_ADDRESSES}` ]; then
/usr/bin/altermime --input=in.$$ \
               --disclaimer=/etc/postfix/disclaimer.txt \
               --disclaimer-html=/etc/postfix/disclaimer.txt \
               --xheader="X-Copyrighted-Material: Please visit http://www.company.com/privacy.htm" || \
                { echo Message content rejected; exit $EX_UNAVAILABLE; }
fi
####### Changed From Original Script END #######

$SENDMAIL "$@"

Next we need the text file /etc/postfix/disclaimer.txt which holds our disclaimer text. Ubuntu's alterMIME package comes with a sample text that we can use for now (of course, you can modify it if you like):

cp /usr/share/doc/altermime/examples/disclaimer.txt /etc/postfix/disclaimer.txt

Finally we have to tell Postfix that it should use the /etc/postfix/disclaimer script to add disclaimers to outgoing emails. Open /etc/postfix/master.cf and add -o content_filter=dfilt: to the smtp line:

vi /etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
-o content_filter=dfilt:
[...]

At the end of the same file, add the following two lines:

[...]
dfilt     unix    -       n       n       -       -       pipe
flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}

Restart Postfix afterwards:

/etc/init.d/postfix restart

That's it! Now a disclaimer should be added to outgoing emails sent from the addresses listed in /etc/postfix/disclaimer_addresses.

Congratulations!

You should now have a complete working SpamSnake.

Here are some Mailwatch screenshots:

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 01
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 03
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 04

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 05

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 06

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 05

2008-05-01T00:28:00.001-07:00

9 MailWatch Installation Instructions

This setup assumes you are using Apache v2.x and not Apache v1.x.

9.1 Before Starting

Make sure that MailScanner is working before you continue with the MailWatch install!

Notes for Ubuntu:

You must have a working MailScanner set-up and running copies of MySQL, Apache, and PHP. You must also have the Perl DBD-MySQL package installed for the Perl portions of MailScanner to utilize the MySQL database.
The default php.ini set should have the following set correctly, you may want to check this:

short_open_tag = On
safe_mode = Off
register_globals = Off
magic_quotes_gpc = On
magic_quotes_runtime = Off
session.auto_start = 0

These will be commented out you must remove the "#" to activate them:

extension=mysql.so
extension=gd.so

9.2 Installation

All commands below should be run as root.

9.3 Download the latest MailWatch release

wget http://downloads.sourceforge.net/mailwatch/mailwatch-1.0.4.tar.gz?modtime=1178902008&big_mirror=0
tar xzvf mailwatch-1.0.4.tar.gz
cd mailwatch-1.0.4

9.4 Create the database

mysql -p <>

NOTE: you will need to modify the above as necessary for your system if you have a root password for your MySQL database (recommended!) - Debian will ask for one.

9.5 Create a MySQL user and password & Set-up MailScanner for SQL logging

mysql -p
mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'password';

Remember the password! You need the single quotes ' to surround your password.

9.6 Edit and copy MailWatch.pm

Edit MailWatch.pm and change the $db_user and $db_pass values accordingly and move MailWatch.pm.

mv MailWatch.pm /etc/MailScanner/CustomFunctions/

9.7 Create a MailWatch Web User

mysql mailscanner -u mailwatch -p

Enter password: ******

mysql> INSERT INTO users VALUES ('username',md5('password'),'mailscanner','A','0','0','0','0','0');

9.8 Install & Configure MailWatch

From within the unpacked mailwatch directory move the directory called 'mailscanner' to the web server's root.

mv mailscanner/ /var/www/
cd /var/www/mailscanner

Make a temp directory:

mkdir temp
chgrp www-data temp
chmod g+w temp

Check the permissions of /var/www/mailscanner/images and /var/www/images/cache - they should be ug+rwx and owned by root and in the same group as the web server user.

chown root:www-data images
chmod ug+rwx images
chown root:www-data images/cache
chmod ug+rwx images/cache

Create conf.php by copying conf.php.example and edit the values to suit, you will need to set DB_USER and DB_PASS to the MySQL user and password that you created earlier.

Change these values as shown below:

# define(DB_USER, 'mailwatch');
# define(DB_PASS, 'password');
# define(MAILWATCH_HOME, '/var/www/mailscanner');
# define(MS_LIB_DIR, '/usr/share/MailScanner/');
# define(QUARANTINE_USE_FLAG, true);

9.9 Set-up MailScanner

Next edit /etc/MailScanner/MailScanner.conf.

vi /etc/MailScanner/MailScanner.conf

You need to make sure that the following options are set:

Quarantine User = root
Quarantine Group = www-data
Quarantine Permissions = 0660
Quarantine Whole Message = yes
Always Looked Up Last = &MailWatchLogging

And check these as well:

Quarantine Whole Message As Queue Files = no
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes

Spam Actions, High Scoring Spam Actions and No Spam Actions should also have 'store' as one of the keywords if you want to quarantine those items for bayes learning or viewing from within MailWatch.

9.10 Integrate SQL Blacklist/Whitelist (optional)

If you would like to manage the MailScanner whitelist and blacklist from within the MailWatch web interface perform the following steps.

1. Edit the MySQL connection values within the CreateList subroutine of SQLBlackWhiteList.pm to match the values you entered previous into MailWatch.pm. Both files should contain the same values. (Look for the following lines in SQLBlackWhiteList.pm and enter your own data.)

my($db_user) = 'mailwatch';
my($db_pass) = 'password';

2. Copy SQLBlackWhiteList.pm to /etc/MailScanner/CustomFunctions/.

3. Edit MailScanner.conf and set:

Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist

9.11 Fix to allow MailWatch to work with Postfix Inbound/Outbound Queue

Download the patch from http://www.gbnetwork.co.uk/mailscanner/postfixmail.tar.gz

cd /usr/src
wget http://www.gbnetwork.co.uk/mailscanner/files/postfixmail.tar.gz
tar xvfz postfixmail.tar.gz
cd postfixmail
cp postfix* /var/www/mailscanner
patch /var/www/mailscanner/functions.php functions.php.diff

9.12 SpamAssassin

First we need to disable the default SpamAssassin configuration file:

mv /etc/spamassassin/local.cf /etc/spamassassin/local.cf.disabled

Now let's backup the SpamAssassin configuration file in MailScanner then edit:

cp /etc/MailScanner/spam.assassin.prefs.conf /etc/MailScanner/spam.assassin.prefs.conf.back

Add pyzor and razor paths:

vi /etc/MailScanner/spam.assassin.prefs.conf

Add these lines to the top of spam.assassin.prefs.conf:

pyzor_options --homedir /var/lib/MailScanner/
razor_config /var/lib/MailScanner/.razor/razor-agent.conf

9.13 Move the Bayesian Databases and set-up permissions (skip this if you don't use bayes)

Edit /etc/MailScanner/spam.assassin.prefs.conf and set:

vi /etc/MailScanner/spam.assassin.prefs.conf

bayes_path /etc/MailScanner/bayes/bayes
bayes_file_mode 0660

Look for these lines and change them accordingly:

bayes_ignore_header X-YOURDOMAIN-COM-MailScanner
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamCheck
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-SpamScore
bayes_ignore_header X-YOURDOMAIN-COM-MailScanner-Information

"YOURDOMAIN-COM" should be replaced with whatever you used for "%org-name%" in the MailScanner.conf file. Leave the "X-" in place.
This is the same orgname used in the MailScanner.conf above.

Create the 'new' bayes directory, make the directory owned by the same group as the web server user and make the directory setgid:

mkdir /etc/MailScanner/bayes
chown -R root:www-data /etc/MailScanner/bayes
chmod -R ug+rw /etc/MailScanner/bayes
chmod g+s /etc/MailScanner/bayes

Copy the existing bayes databases and set the permissions:

cp /var/lib/MailScanner/bayes_* /etc/MailScanner/bayes
chown root:www-data /etc/MailScanner/bayes/bayes_*
chmod g+rw /etc/MailScanner/bayes/bayes_*

Make sure that "bayes_auto_expire 0" is not commented out in spam.assassin.prefs.conf:

bayes_auto_expire 0

Edit the SpamAssassin v310.pre to enable Razor and DCC:

vi /etc/spamassassin/v310.pre

Uncomment the following lines:

loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Razor2

If you want then you can test SpamAssassin to make sure that it is using the new databases correctly:

spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

and you should see something like:

debug: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file
debug: bayes: 28821 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks
debug: bayes: 28821 tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen
debug: bayes: found bayes db version 2
debug: Score set 3 chosen.

9.13.1 SpamAssassin Bayes Database to SQL Conversion

Pre-requisities

a. You'll need the perl-DBI and perl-DBD-MySQL modules installed.

Assumptions and Variables:

SpamAssassin Bayes Database Name: sa_bayes
SpamAssassin Bayes Database UserName: sa_user
SpamAssassin Bayes Database Password: sa_password

Create the MySQL database:

First of all, create a database on the server where you intend on storing the bayesian information.

mysql -u root -p

mysql> create database sa_bayes;
mysql> GRANT ALL ON sa_bayes.* TO sa_user@localhost IDENTIFIED BY 'sa_password';
mysql> flush privileges;

Locate the bayes_mysql.sql file:

find / -name bayes_mysql.sql
mysql -u sa_user -p sa_bayes < /path/to/bayes_mysql.sql

Backup your current bayes database:

sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --backup > sa_bayes_backup.txt

Warning: The next command can completely wipe out your bayes database!

sa-learn -p /path/to/spam.assassin.prefs.conf --clear #(entirely optional, incase you want to rollback)

Make some changes to your spam.assassin.prefs.conf:

bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:sa_bayes:localhost
bayes_sql_username sa_user
bayes_sql_password sa_password
bayes_sql_override_username root

and comment out the following lines:

#bayes_path /etc/MailScanner/bayes/bayes
#bayes_file_mode 0660

Populate the Bayes SQL database.

Now for recovering the bayes_dbm to bayes_sql.

sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --restore sa_bayes_backup.txt

This process may take some time depending on the size of your bayes database.

Also add this to your crontab:

crontab -e

30 01 * * * /path/to/sa-learn --force-expire --sync -p /etc/MailScanner/spam.assassin.prefs.conf

9.14 Bring it all Together

Now that we have everything in there, set the correct permissions:

chown -R postfix:www-data /var/spool/MailScanner
chown -R postfix:www-data /var/lib/MailScanner
chown -R postfix:www-data /var/run/MailScanner
chown -R postfix:www-data /var/lock/subsys/MailScanner
chown -R postfix:www-data /var/spool/postfix/hold
chmod -R ug+rwx /var/spool/postfix/hold

Finally make sure you restart MailScanner.

/etc/init.d/mailscanner restart

Test out the setup:

spamassassin -x -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint

Check for lines like:

debug: bayes: Database connection established
debug: bayes: found bayes db version 3
debug: bayes: Using userid: 2

and some more like

debug: bayes: tok_get_all: Token Count: 20
debug: bayes token 'somewhat' ? 0.978
debug: bayes: score = 0.845189622547555

You should see lines come up with DCC, Pyzor and Razor that say loading plugin and hopefully no errors.

Finishing up this part we need to add cron jobs that will clean/update, you probably saw the message about this after the MailScanner install script finished.

First edit conf.php and set 'QUARANTINE_DAYS_TO_KEEP' in conf.php and change the following line in db_clean.

#!/usr/bin/php -qn

#!/usr/bin/php -q

Install quarantine clean up script:

cp /usr/src/mailwatch-1.0.4/tools/quarantine_maint.php /usr/bin/quarantine_maint.php
cp /usr/src/mailwatch-1.0.4/tools/db_clean.php /usr/bin/db_clean.php
chmod +x /usr/bin/quarantine_maint.php
chmod +x /usr/bin/db_clean.php

Run

crontab -e

and add the following:

15 10 * * 2 /usr/bin/quarantine_maint.php -clean &> /dev/null
58 23 * * * /usr/bin/db_clean.php &> /dev/null

Disable the mailscanner installed cron script /etc/cron.daily/clean.quarantine.

$disabled = 1;

9.15 Reboot

reboot

Check your mail.log again:

tail -f /var/log/mail.log

At this point you should have a functional spamfilter and should see something like:

Jun 13 12:18:23 hoshi MailScanner[26388]: MailScanner E-Mail Virus Scanner version 4.20-3 starting...
Jun 13 12:18:24 hoshi MailScanner[26388]: Config: calling custom init function MailWatchLogging
Jun 13 12:18:24 hoshi MailScanner[26388]: Initialising database connection
Jun 13 12:18:24 hoshi MailScanner[26388]: Finished initialising database connection

Congratulations - you now have MailScanner logging to MySQL.

9.16 Test the MailWatch interface

Point your browser to http:///mailscanner/ - you should be prompted for a username and password - enter the details of the MailWatch web user that you created earlier, and you should see a list of the last 50 messages processed by MailScanner.

If you're not able to see the mails, then you may have to set the following persmissions:

chgrp -R www-data /var/spool/MailScanner

You may have to create the following to prevent an error in a lint test:

mkdir /var/www/.spamassassin

9.17 Fix for Ubuntu 8.04 (kept removing directories upon reboot)

Edit /etc/rc.local and add the following before the exit line:

mkdir /var/run/MailScanner
mkdir /var/lock/subsys
mkdir /var/lock/subsys/MailScanner
chown -R postfix:www-data /var/run/MailScanner
chown -R postfix:www-data /var/lock/subsys/MailScanner
/etc/init.d/postfix restart
/etc/init.d/mailscanner restart

9.18 Update the SpamAssassin Rules table

MailWatch keeps a list of all the SpamAssassin rules and descriptions which are displayed on the 'Message Detail' page - to show the descriptions, you need to run the updater every time you add new rules or upgrade SpamAssassin. Click on the 'Tools/Links' menu and select 'Update SpamAssassin Rule Descriptions' and click 'Run Now'.

9.19 Update the GeoIP database

Change /var/www/mailscanner/geoip_update.php:

vi /var/www/mailscanner/geoip_update.php

dbquery("LOAD DATA INFILE

dbquery("LOAD DATA LOCAL INFILE

Make sure you have allow_url_fopen = On in your php.ini set.

Click on the 'Tools/Links' menu and select 'Update GeoIP database' and click 'Run Now'.

9.20 Setup the Mail Queue watcher (optional)

You can get MailWatch to watch and display your sendmail or exim queue directories - all you need to do is copy mailq.php (from the root of the mailwatch tarball - not from the mailscanner directory - they are different!) to /usr/local/bin and set-up a cron-job to run it.

Edit mailq.php first to change the require line to point to the location of functions.php, then:

cp mailq.php /usr/local/bin
crontab -e

0-59 * * * * /usr/local/bin/mailq.php

Note: mailq.php re-creates all entries on each run, so for busy sites you will probably want to change this to run every 5 minutes or greater.

9.21 Setup the Sendmail Relay Log watcher (optional)

You can get MailWatch to watch your sendmail logs and store all message relay information which is then displayed on the 'Message Detail' page which helps debugging and makes it easy for a Helpdesk to actually see where a message was delivered to by the MTA and what the response back was (e.g. the remote queue id etc.).

cp tools/sendmail_relay.php /usr/local/bin
nohup /usr/local/bin/sendmail_relay.php 2>&1 > /dev/null &

9.22 Fix to allow wildcards in Whitelist/Blacklist

Add the following to the bottom of the return 1 section in your SQLBlackWhiteList.pm:

return 1 if $BlackWhite->{$to}{'*@'.$fromdomain};
return 1 if $BlackWhite->{$to}{'*@*.'.$fromdomain};
return 1 if $BlackWhite->{$todomain}{'*@'.$fromdomain};
return 1 if $BlackWhite->{$todomain}{'*@*.'.$fromdomain};
return 1 if $BlackWhite->{'default'}{'*@'.$fromdomain};
return 1 if $BlackWhite->{'default'}{'*@*.'.$fromdomain};

9.23 Fix for the Reporting Function in Message Operations

Change the following in /var/www/mailscanner/do_message_ops.php file:

vi /var/www/mailscanner/do_message_ops.php

$id = $Regs[1];

$id = str_replace("_", ".",$Regs[1]);

9.24 Fix to Allow Quarantine Release of Messages

Change the following in /var/www/mailscanner/conf.php file:

vi /var/www/mailscanner/conf.php

define(QUARANTINE_USE_SENDMAIL, false);

define(QUARANTINE_USE_SENDMAIL, true);

9.25 Fix to Allow Correct ClamAV Status

Change the following in /var/www/mailscanner/clamav_status.php file:

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 01
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 03
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 04

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 06
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 07

Copyright © 2008 Rocky
All Rights Reserved.

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 04

2008-05-01T00:24:00.003-07:00

Author : Rocky

6.3 Postfix Anti-Spam Settings

6.3.1 smtpd_helo_required

Make any connecting mail server do a proper smtp "handshake" and announce its name. Internet RFCs require this, so we do too.

postconf -e "smtpd_helo_required = yes"

I also changed the smtpd_banner to "$myhostname ESMTP $mail_name SpamSnake".

Preface: Postfix' restriction stages are as follows, and are processed in the following order:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_data_restrictions

We are only going to place entries in the last three restriction stages. Restriction stages are processed in this order regardless of the order listed in main.cf.

6.3.2 smtpd_sender_restrictions

This restriction stage restricts what sender addresses this system accepts in MAIL FROM: commands (the envelope sender). We will place three tests (restrictions) in this restriction stage.

6.3.4 check_sender_access (Optional)

Here we ask Postfix to compare the envelope sender to entries in an /etc/postfix/sender_access database and act upon those entries if a match is found. We also define what action is taken there (OK, DUNNO, REJECT etc.) on a sender by sender basis. If the sender is not listed in the file, the test evaluates to DUNNO, and the next test is performed.

6.3.5 reject_non_fqdn_sender

Reject when the envelope sender mail address is not in the proper format.

6.3.6 reject_unknown_sender_domain

Reject when the envelope sender's domain part of the mail address has no DNS "A" or "MX" record at all. On occasion, you will see in a report that someone you wish to receive mail from has been rejected by this setting. One possible cause of this is when legitimate senders deliberately use bogus domain names so you will not reply to them. This is where the sender access list comes in handy. You can give them an OK there, and this test will be bypassed.

Now to implement these three restrictions:

postconf -e "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain"

6.3.7 smtpd_recipient_restrictions

The access restrictions that the Postfix SMTP server applies in the context of the RCPT TO: command. This refers to the "envelope recipient" which is what the client gave in the "RCPT TO:" line during the SMTP session, not the header "To:" line. Let's look at those specific restrictions (tests) we place in smtpd_recipient_restrictions:

6.3.8 permit_mynetworks

Allows machines listed in "mynetworks" to skip the rest of the tests in this restriction stage (permit = OK). In other words, it exits this stage and is tested in the next stage (smtpd_data_restrictions). Because permit_mynetworks is placed in front of reject_unauth_destination, this means machines in $mynetworks are allowed to relay mail to any domain. Without this, we would only be able to send mail to our own domain(s). If the IP address of the sender is not listed in $mynetworks, the test evaluates to "DUNNO" and continues on to the next test (reject_unauth_destination).

6.3.9 reject_unauth_destination & reject_unknown_recipient_domain

This, along with permit_mynetworks is used for relay control. This setting, in essence, means that mail bound for any domain that we have not configured our machine to accept mail for will be rejected. In our case Postfix will use the relay_domains setting (or table) that we configured earlier to determine what domains those are. If the domain is listed in relay_domains, this test evaluates to "DUNNO" and the session is allowed to go on to the next test (if any).

6.3.10 reject_unauth_pipelining

Rejects bulk mailers that attempt to use pipelining to speed delivery, without checking if it is supported first (non-RFC, common among spammers).

Now to implement these three restrictions:

postconf -e "smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_rbl_client zen.spamhaus.org"

6.3.11 smtpd_data_restrictions

Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA: command. Like smtpd_recipient_restrictions, this is a restriction stage.

6.3.12 reject_unauth_pipelining

I repeat this setting in smtpd_data_restrictions as it is not always effective when placed in smtpd_recipient_restrictions. I include it in smtpd_recipient_restrictions as I like to place it prior to any policy servers. Note that there are only a couple of restrictions that make good use of smtpd_data_restrictions.

postconf -e "smtpd_data_restrictions = reject_unauth_pipelining"

6.3.13 /etc/postfix/sender_access

We referenced this file in smtpd_sender_restrictions. We use this file to check the sender right at the front door. In this file, we'll list certain senders/domains/IPaddress ranges for special handling. Below are bogus examples, create your own as you see fit. Please read /etc/postfix/sender_access for more information. Although you could use this file for various purposes, considering the way we have set this up in smtpd_sender_restrictions, I suggest using it to either blacklist senders, or allow certain senders to bypass the remaining tests in smtpd_sender_restrictions.

vi /etc/postfix/sender_access

#Example sender access map file
makeabuck@mlm.tld 550 No MLM thanks
allspam.tld 550 Spam is not accepted here
badguy.net REJECT
justaspamminfool@allspamallthetime.com REJECT
newsletter-favorite-lug.org OK
my-really-l337-test-domain.com OK

Since this is a hash table, you need to postmap it as usual:

postmap /etc/postfix/sender_access

6.3.14 Final Look at the Postfix Install

Review changes:

less /etc/postfix/main.cf

Check the contents of the file for errors and repair if needed. Fire up Postfix:

postfix start

Check that Postfix responds:

telnet 127.0.0.1 25

You should see:

220 [yourFQDNhere] ESMTP Postfix (Ubuntu)

Hit [enter] a few times; then type quit to exit.

If it does not reply in this manner, open another terminal window and stop Postfix:

postfix stop

Make sure you ran newaliases and all the postmap commands above. Check all the settings in main.cf and master.cf. Any time you make changes to master.cf or main.cf or to data tables, most (not all) of the time, it is required that you to reload Postfix with:

postfix reload

7 Pyzor, Razor, DCC, SpamAssassin and MailScanner Configuration

7.1 Install MailScanner

Install MailScanner Dependencies by doing the following:

apt-get install libconvert-tnef-perl libdbd-sqlite3-perl libfilesys-df-perl libmailtools-perl libmime-tools-perl libmime-perl libnet-cidr-perl libsys-syslog-perl libio-stringy-perl libfile-temp-perl

Install MailScanner from the Debian .deb Source:

wget http://debian.intergenia.de/debian/pool/main/m/mailscanner/mailscanner_4.68.8-1_all.deb
dpkg -i mailscanner_4.68.8-1_all.deb

7.2 Pyzor Configuration

We need to change some permissions on pyzor first:

chmod -R a+rX /usr/share/doc/pyzor /usr/bin/pyzor /usr/bin/pyzord
chmod -R a+rxX /usr/share/python-support/pyzor

Here we supply the IP address of the Pyzor server to Pyzor. This will create the server's IP address in a servers file therein. Then it will test the connection. If you are behind a firewall, open port 24441/udp in and out to your server. While you're at it also open up 6277/udp for DCC, 2703/tcp for Razor and 783/tcp for SpamAssassin:

pyzor --homedir /var/lib/MailScanner discover
pyzor ping

7.3 Razor Configuration

Create the .razor configuration:

cd
rm /etc/razor/razor-agent.conf
mkdir /var/lib/MailScanner/.razor
razor-admin -home=/var/lib/MailScanner/.razor -create
razor-admin -home=/var/lib/MailScanner/.razor -discover
razor-admin -home=/var/lib/MailScanner/.razor -register
chown -R postfix:www-data /var/lib/MailScanner
chmod -R ug+rwx /var/lib/MailScanner

Make the following changes to /var/lib/MailScanner/.razor/razor-agent.conf:

vi /var/lib/MailScanner/.razor/razor-agent.conf

Change debuglevel = 3 to debuglevel = 0 (yes zero not "o"). This will prevent Razor from filling up your drive with debug information. Those two lines should look like this when done:

debuglevel = 0
razorhome = /var/lib/MailScanner/.razor/

7.4 DCC Setup and Configuration

Install DCC from .deb source:

wget http://launchpadlibrarian.net/11564361/dcc-server_1.3.42-5_i386.deb
wget http://launchpadlibrarian.net/11564359/dcc-common_1.3.42-5_i386.deb
dpkg -i dcc-common_1.3.42-5_i386.deb
dpkg -i dcc-server_1.3.42-5_i386.deb

We are not running a DCC server, so we don't need to waste time checking ourselves.
Once the installation is done run:

cdcc "delete 127.0.0.1"
cdcc "delete 127.0.0.1 Greylist"

Test our installation with:

cdcc info

You should get 'requests ok' from the servers.

8 Configuring MailScanner and ClamAV

8.1 Stop Postfix:

postfix stop

Install the packages:

apt-get install clamav clamav-daemon

Update ClamAV virus defenitions:

freshclam

Once that is done, we need to make a directory for SpamAssassin in the spool and give postfix permissions to it, if you run sa-learn --force as root, bayes databese that is stored in these directories will change to root:root and spamassassin will error looking at the db. Just keep an eye on the mail.log and you'll remember to change the permissions back. Also disable the MailScanner default configs:

mkdir /var/spool/MailScanner/spamassassin

Backup your MailScanner.conf file:

cp /etc/MailScanner/MailScanner.conf /etc/MailScanner/MailScanner.conf.back

Edit MailScanner.conf:

vi /etc/MailScanner/MailScanner.conf

Change the following parameters in MailScanner.conf:

%org-name% = ORGNAME
%org-long-name% = ORGFULLNAME
%web-site% = ORGWEBSITE
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
Virus Scanners = clamav
Spam Subject Text = ***SPAM***
Send Notices = no
Spam List = spamcop.net SBL+XBL
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
Spam Actions = deliver
High Scoring Spam Actions = delete
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

The first 9 lines are basically required in order for everything to work, the rest are recommended.

8.2 header_checks & body_checks

Let's go ahead and put this in main.cf. header_checks is required because it allows us to hold all incoming email in order for MailScanner to do its thing:

postconf -e "header_checks = regexp:/etc/postfix/header_checks"

Edit header_checks:

vi /etc/postfix/header_checks

Add this line to the header_checks file, without it MailScanner will not work:

/^Received:/ HOLD

8.3 Fix to Disable Permission Checks on MailScanner Directories

Comment out the lines that check directory permissions on /var/* in /etc/rc2.d/S20mailscanner.

In the file /etc/default/mailscanner, make sure this parameter is at 1:

vi /etc/default/mailscanner

run_mailscanner=1

8.4 MailScanner Webmin Plugin (Optional)

Login to Webmin, https://localhost:10000, and install the MailScanner module for webmin found at http://internap.dl.sourceforge.net/sourceforge/msfrontend/webmin-module-1.1-4.wbm. After this is done, you'll have to enter the following into your mailscanner module to get it to work:

Full path to MailScanner program /etc/init.d/mailscanner
Full path and filename of MailScanner config file /etc/MailScanner/MailScanner.conf
Full path to the MailScanner bin directory /usr/sbin
Full path and filename for the MailScanner pid file /var/run/MailScanner/MailScanner.pid
Command to start MailScanner /etc/init.d/mailscanner start
Command to stop MailScanner /etc/init.d/mailscanner stop

8.5 You can now start the system

/etc/init.d/mailscanner start
/etc/init.d/postfix start

Check your logs for errors:

tail -f /var/log/mail.log

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 01
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 03

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 05

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 06
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 07

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 03

2008-05-01T00:19:00.002-07:00

Author : Rocky

2 DNS Server

Run

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads SYSLOGD="-a /var/lib/named/dev/log":

vi /etc/default/syslogd

SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

3 MySQL

In order to install MySQL, we run

apt-get install mysql-server mysql-client libmysqlclient15-dev

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on (as was the case with previous Ubuntu versions):

New password for the MySQL "root" user: <-- yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

#bind-address =127.0.0.1

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

tcp 0 0 *:mysql *.* LISTEN 5286/mysqld

4 Apache with PHP5 and Ruby

Now we install Apache:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

Next we install PHP5 and Ruby (both as Apache modules):

apt-get install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-sqlite php5-tidy php5-xmlrpc php5-xsl

You will be asked the following question:

Continue installing libc-client without Maildir support? <-- Yes

Next we edit /etc/apache2/mods-available/dir.conf and change the following:

vi /etc/apache2/mods-available/dir.conf

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Reload the Apache configuration:

/etc/init.d/apache2 force-reload

4.1 Fix for Imagick

Because of a bug that causes the following error, the below must be done as a workaround:

PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20060613/imagick.so' - libWand.so.9: cannot open shared object file: No such file or directory in Unknown on line 0

apt-get remove php5-imagick

apt-get install libmagick9-dev

pecl install imagick

Edit /etc/php5/apache2/php.ini and add the following:

extension=imagick.so

/etc/init.d/apache2 restart

5 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

6 Setting up Postfix

apt-get install postfix postfix-pcre postfix-mysql postfix-ldap cabextract lha unrar razor pyzor spamassassin

You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Stop Postfix:

postfix stop

6.1 Edit master.cf

BTW watch for the two Postfix configuration files, both located in the /etc/postfix folder. More than one admin has gotten confused between master.cf and main.cf!

First back up the current master.cf:

cp /etc/postfix/master.cf /etc/postfix/master.cf-orig

Edit master.cf:

vi /etc/postfix/master.cf

We need to add two items below the pickup service type. The pickup service "picks up" local mail (local meaning "on this machine") and delivers it. This is a way to bypass content filtering for mail generated by this machine.

Add this just below the 'pickup' service type:

         -o content_filter=
    -o receive_override_options=no_header_body_checks

It should look like this when you are done:

pickup fifo n - - 60 1 pickup
-o content_filter=
-o receive_override_options=no_header_body_checks

6.2 Edit main.cf

First we need to backup the main.cf file.

cp /etc/postfix/main.cf /etc/postfix/main.cf-orig

6.2.1 alias_maps

We simply need to make a correction to the default setting here:

postconf -e "alias_maps = hash:/etc/aliases"

Create the aliases file:

newaliases

Since our system will be configured not to store any local mails, this will be ignored.

6.2.2 myorigin

The domain name that mail created on this machine appears to come from. For example, if cron sends mail to "mnight@secretgovagency.gov" it will appear to come from "root@example.com".

postconf -e "myorigin = example.com"

Obviously, in the above, and all the following commands, replace my example parameters, like "example.com", with your own specific values.

6.2.3 myhostname

The fully-qualified domain name (FQDN) of the machine running the Postfix system.

postconf -e "myhostname = server1.example.com"

6.2.4 mynetworks

These are the machines I trust, and will relay mail for, to any destination. If you will be dealing with multiple internal mail servers, and/or want to allow several machines and/or subnets to relay through this server (careful!), just add them to this parameter in CIDR format and seperate the networks like this:

postconf -e "mynetworks = 127.0.0.0/8, 192.168.0.0/24"

The 127.0.0.0/8 is there to allow the local server to send, you need to at least put this one in.

6.2.4.1 outbound trusted relay IP

If you'd like your SpamSnake to handle outgoing emails as well, be sure to add your local network to the list e.g. 192.168.0.0/24 172.16.0.0/16. If your mailserver is 172.16.5.20 and you only want to trust only that IP, add 172.16.5.20/32. You just have to setup your mailserver to relay (smarthost) to your SpamSnake.

6.2.5 message_size_limit

Maximum size email that Postfix will let in the "front door".

postconf -e "message_size_limit = 10485760"

The above allows email up to 10MB, the value is in bytes (10*1024*1024). Mail larger than this may possibly get bypassed by the anti-virus scanner (ClamAV). You could increase this if you also configure ClamAV to scan files larger than 10MB. If you allow messages larger than 10MB, keep an eye on RAM.

6.2.6 local_transport

Return an error message for local delivery attempts.

postconf -e "local_transport = error:No local mail delivery"

6.2.7 mydestination

An empty mydestination tells Postfix this machine is not the final destination.

postconf -e "mydestination = "

6.2.8 local_recipient_maps

An empty local_recipient_maps tells Postfix there are no local mailboxes.

postconf -e "local_recipient_maps = "

6.2.9 virtual_alias_maps

Our spamfilter must be able to receive mail for postmaster@yourIP. Reportedly, some things actually expect this ability to exist. We will also allow mail to abuse@yourIP. Since we do not allow local mail delivery, mail addressed to our spamfilter's IP address will get rejected with an error message. Setting up virtual_alias_maps allows email to these two accounts to be forwarded to an inside address. Make sure your Exchange server is set up to receive messages addressed to "root", "postmaster" and "abuse".

Set up a reference to the virtual file:

postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"

Then edit the virtual file:

vi /etc/postfix/virtual

Add these lines to the top of the virtual file:

postmaster postmaster@example.com
abuse abuse@example.com
root root@example.com

Save and exit the file, then create the binary file that Postfix will use:

postmap /etc/postfix/virtual

6.2.10 relay_recipient_maps

We are going to build a table of every single user in every single domain that we accept mail for.

Set up a reference to a file we will create to store the data:

postconf -e "relay_recipient_maps = hash:/etc/postfix/relay_recipients"

Then edit relay_recipients:

vi /etc/postfix/relay_recipients

For the moment, we are going to accept mail for all users in our domain(s) so enter each domain you accept mail for in the following format:

@example.com OK
@example2.com OK

Then create the binary file that Postfix will use:

postmap /etc/postfix/relay_recipients

The entries above are temporary. They are wildcards that allow mail to your domains. You MUST remove the entries above at some point in the near future and replace them with every single one of your valid recipients' email addresses. When you are ready to enter each user individually in the relay_recipients file, you would first remove (or comment out) the data above that allows mail to all users in the domain, and then list each user individually in the form:

admin@example.com OK
admin@example2.com OK

6.2.11 transport_maps

Tells Postfix where to look for a transport file. We use the transport file to tell Postfix where to forward valid mail for our domain(s). Setting up transport is similar to setting up relay_recipients.

Create a reference to it in main.cf:

postconf -e "transport_maps = hash:/etc/postfix/transport"

Then edit transport:

vi /etc/postfix/transport

Add 1 new line for each domain for which you will be handling mail, similar to the example below. The IP address is that of whatever server is the final destination of messages addressed to our domain(s) (our Exchange server). It does not matter where you place these items in the file, but I like to put them at the top.

example.com smtp:[192.168.0.x]
example2.com smtp:[192.168.0.x]

Include the brackets on these lines!. You can also use FQDN hostname instead of an IP address (i.e. smtp:[exchange1.example.com]).

Now to create the binary file Postfix will use:

postmap /etc/postfix/transport

6.2.12 relay_domains

What destination domains (and subdomains thereof) this system will relay mail for.

postconf -e "relay_domains = hash:/etc/postfix/relay_domains"

Edit relay_domains:

vi /etc/postfix/relay_domains

Add 1 new line for each domain for which you will be handling mail, similar to the example below:

example.com OK
example2.com OK

This file currently has a very similar format to relay_recipients do not mistake the two. This file cannot have '@' in front of the domain name. Just thought I'd mention it, some very smart people have been known to have done this...

Then create the binary file Postfix will use:

postmap /etc/postfix/relay_domains

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 01
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 04

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 05

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 06
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 07

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02

2008-05-01T00:13:00.000-07:00

1.3 Enable The root Account

After the reboot you can log in with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial as root user, we must enable the root account now. Run

sudo passwd root

and give root a password. Afterwards we become root by running

1.4 Install vim-full (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-full:

apt-get install vim-full

(You don't have to do this if you use a different text editor such as joe or nano.)

1.5 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
      address 192.168.0.100
      netmask 255.255.255.0
      network 192.168.0.0
      broadcast 192.168.0.255
      gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards, run

hostname
hostname -f

Both should show server1.example.com now.

1.6 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:

vi /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted

#deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

deb http://de.archive.ubuntu.com/ubuntu/ hardy main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu hardy partner
# deb-src http://archive.canonical.com/ubuntu hardy partner

deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

1.7 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

ln -sf /bin/bash /bin/sh

1.8 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem).

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove

1.9 Install Some Software

Now we install a few packages that are needed later on. Run

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential dpkg-dev db4.3-util vim bzip2 perl-doc libwww-perl libdbi-perl libconvert-binhex-perl libmail-spf-query-perl rblcheck libnet-ident-perl tnef pax libberkeleydb-perl unzoo arj lzop nomarch arc zoo libdb-file-lock-perl

(This command must go into one line!)

1.10 Install Unarj

cd /usr/src
wget http://http.us.debian.org/debian/pool/main/a/arj/unarj_3.10.21-2_all.deb
dpkg -i unarj_3.10.21-2_all.deb

1.11 Install Perl Modules(Pre-requisites)

Can be installed via perl -MCPAN or Webmin. I find that doing this through Webmin is better.

perl -MCPAN -e shell
install Module::Build
install Mail::SPF (Needed for SPF Checking)
install NetAddr::IP (Needed for SPF Checking)
install MLDBM::Sync this should also install MLDBM (Needed for MailWatch)

apt-get install libdbd-mysql-perl libapache-dbi-perl (Needed for MailWatch)

1.12 Webmin

apt-get install libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl

Download latest webmin using the following command:

wget http://internap.dl.sourceforge.net/sourceforge/webadmin/webmin_1.410_all.deb

Now we have webmin_1.410_all.deb package; you need to install it using the following command:

sudo dpkg -i webmin_1.410_all.deb

If your server complains that there is some library it does not find, just run the following command

sudo apt-get install -f

You should now be able to login to Webmin at the URL https://localhost:10000/

1.13 Remove Programs

Now we also need to remove some programs, hopefully you don't need PCMCIA or printer support. This server will not need dial-up support either. You will not necessarily have all of these programs installed.

Uninstall the following software (all one line):

apt-get remove pcmciautils ubuntu-minimal pppoeconf ppp pppconfig

1.14 Cleaning up services

Some services might still linger even after uninstalling the daemons. First we need to backup inet.d:

cp -R /etc/init.d /etc/init.d.backup

Now we can stop all of the services that might be running which we don't need:

/etc/init.d/pcmciautils stop
update-rc.d -f pcmciautils remove

Disable all of the services we stopped:

update-inetd --disable time

update-inetd --disable daytime

update-inetd --disable echo

update-inetd --disable chargen

update-inetd --disable ident

update-inetd --disable discard

The last one may ask you a question regarding "multiple entries", answer yes (y).

Check that we got everything:

lsof -i | grep LISTEN

The only daemon you should see at this point is *:ssh and miniserv. You may have to run this again:

update-inetd --disable discard

If there are other programs shown, try rebooting and test again.

The Perfect SpamSnake - Ubuntu 8.04 LTS

2008-05-01T00:00:00.002-07:00

Postfix w/Bayesian Filtering and Anti-Backscatter (Relay Recipients), Apache, Mysql, Bind, MailScanner (Spamassassin, ClamAV, Pyzor, Razor, DCC-Client), MailWatch, SPF Checks, FuzzyOcr, PDF/XLS/Phishing Sanesecurity Signatures, Postfix-GLD (Greylisting Optional), Logwatch Statistical Reporting (Optional), Outgoing Disclaimer with alterMIME (Optional)

Version 2.0
Author: Mohammed Alli

This tutorial shows how to set up an Ubuntu Hardy Heron (8.04 LTS) based server as a spamfilter in Gateway mode. In the end, you will have a SpamSnake Gateway which will relay clean emails to your MTA. You will also be able to view your incoming queue, train your SpamSnake and carry out a few more advanced operations via MailWatch.

I cannot offer any guarantees that this will work for you, the same way it’s working for me.

I will use the following software:

Web Server: Apache 2.2 with PHP 5.2.4 and Ruby
Database Server: MySQL 5.0
Mail Server: Postfix
DNS Server: BIND9
PHP: PHP5
MailScanner: MailScanner v4.68.8
MailWatch: MailWatch v1.0.4

Credit goes to the guys at HowToForge and the developers of MailScanner and MailWatch.

1 Requirements

To install such a system you will need the following:

The Ubuntu 8.04 LTS server CD, available here: ftp://releases.ubuntu.com/releases/hardy/ubuntu-8.04-server-i386.iso
A fast internet connection.

1.1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

1.2 The Base System

1. Insert your Ubuntu install CD into your system and boot from it. Select your language:

2. Select Install to the hard disk:

3. The installation starts, choose your language again:

4. Then select your location:

Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):

5. The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:

Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:

6. Now you have to partition your hard disk. For simplicity's sake I will create one big partition (with the mount point /) and a little swap partition so I select Guided - use entire disk (of course, the partitioning is totally up to you - if you like, you can create more than just one big partition, and you can also use LVM):

Select the disk that you want to partition:

When you're finished, hit Yes when you're asked Write the changes to disks?:

Afterwards, your new partitions are being created and formatted.

7. Create a user, for example the user Administrator with the user name administrator (don't use the user name admin as it is a reserved name on Ubuntu 8.04):

8. The only item I select here is OpenSSH server so that I can immediately connect to the system with an SSH client such as PuTTY after the installation has finished:

9. The GRUB boot loader gets installed:

10. The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system:

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 02
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 03

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 04
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 05

The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 06
The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 07

VMware Server On Ubuntu 8.04 Mini-Howto

2008-04-29T22:46:00.004-07:00

Author : alex.revetchi

When upgrading from Ubuntu 7.10 to 8.04 my VMware server stopped working, this what I had to do to get it up and running:

Needed if upgrading VMware installation:

sudo ./vmware-install.pl

VMware wont compile with the new kernel, use this patch:

wget http://vmkernelnewbies.googlegroups.com/web/vmware-any-any-update-116.tgz

tar -zxf vmware-any-any-update-116.tgz
cd vmware-any-any-update-116

Apply the patch:

sudo ./runme.pl
sudo vmware-config.pl

VMware console wont run without this:

cp /lib/libgcc_s.so.1 /usr/lib/vmware/lib/libgcc_s.so.1/libgcc_s.so.1

You might need gcc3.4 as well.

Enjoy!

Web Based Project Management With Collabtive On Ubuntu 7.10 Server

2008-04-29T02:25:00.004-07:00

Author : Shakey

Project management is becoming an increasingly important part of the Sys Admin's life. While Microsoft Project seems to be the standard project management tool used in most environments that I have worked in, it can sometimes be nice to have such tools web based so that multiple users can share information. This is where tools such as Collabtive come in. Collabtive is a web based project management tool that supports everything that you need to plan out and complete your projects.

These tools include milestones, time tracking, tasks and task lists, all presented in a multi language environment. Currently German, English and French are all supported. The web interface itself is intuitive, functional and attractive all at the same time. You can see for yourself though at their online demo - Collabtive online demo

If after having tried the demo, you decide that this is the right tool for you, then this guide should help you to implement Collabtive on your own Ubuntu 7.10 server. This guide is based on the base LAMP install that comes packaged with Ubuntu 7.10 server, but should work equally as well on any Ubuntu LAMP server. The installation is fairly straight forward, so let's begin.

The base Ubuntu installation

As I mentioned earlier, this guide is based on the base LAMP installation included with Ubuntu. The only things that I did during the installation was to assign a static IP address and choose the LAMP and OpenSSH Server options when prompted. Once you have the base system installed along with the LAMP and OpenSSH server, you are ready to move on. I will assume from this point that you are either working at the command line on your server or using an SSH client such as PuTTY.

Update your server

The first step we need to take is to make sure that your server is up to date. Issue the following command to edit your sources.list file:

sudo nano /etc/apt/sources.list

Now that your sources.list file is open, you will need to edit out the cdrom from your updates list. Find the following line in your sources.list file:

deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted

Now comment it out as shown below:

# deb cdrom:[Ubuntu-Server 7.10 _Gutsy Gibbon_ - Release i386 (20071016)]/ gutsy main restricted

Once you have made the necessary change, you can save the file by pressing "CTRL-O" on your keyboard and can exit the editor by pressing "CTRL-X".

With that done, you can now proceed to update your system. We will also be installing unzip for use later in the guide. Issue these commands:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install unzip

Obtain Collabtive and prepare for the installation

In this step, you will be creating the directory in which Collabtive will be installed, obtaining the Collabtive code itself and setting up permissions. Issue the following commands:

cd /var/www/
sudo mkdir collabtive
cd collabtive/
sudo wget http://superb-west.dl.sourceforge.net/sourceforge/collabtive/collabtive0-4-5.zip
sudo unzip collabtive0-4-5.zip
sudo rm collabtive0-4-5.zip
sudo chmod -R 757 templates_c/
sudo chmod -R 757 files/
sudo chmod 757 config.php

Create the Collabtive database and database user

This step will help you to create a database for Collabtive in MySQL, as well as the user under which access will be granted. To enter the MySQL environment, issue the root login request with this command:

mysql -uroot -p

You will now be prompted for your root MySQL password. After entering it, issue the following commands to create your database and the database user. Please note that you can change the username and password to meet your needs.

create database collabtive;
grant all on collabtive.* to collabuser;
grant all on collabtive.* to collabuser@localhost;
set password for collabuser=password('collabPW');
set password for collabuser@localhost=password('collabPW');
exit

The web setup phase

It is now time to begin the web setup phase of the installation process (almost done). Point your web browser to the URL shown below (adjusting of course, for the local IP address of your server):

http://Server IP address/collabtive/install.php

You should now be greeted with the first page of the web setup. On this page, you can change your language to German, English or French. You can also check to ensure that conditions for the installation are ready to proceed (see the screen shot below) and enter your database information. If you followed the guide above, then the information that you will need is as follows:

Database host: localhost
Database name: collabtive
Database user: collabuser
Database password: collabPW

If everything appears alright here, then you can click on "continue" to move forward to step number 2. In this step, you will be creating your admin user. It is fairly straight forward, simply enter the username and password that you wish to use and click on continue. See the image below for reference.

You should now be greeted with a screen letting you know that the installation was successful, as shown in this image.

If you see anything other than message, then you may want to retrace your steps and make sure that you did not miss something. If you do see the above image though, you can now safely remove the install.php file for security purposes by using the following command:

sudo rm /var/www/collabtive/install.php

Now, you may click on the "Login" link shown above to be taken to the admin login. If all has gone well, then you should now be prompted with a login request (see the image below). This will the admin user that you created in step #2 of the web installation.

Enter your credentials and click on the "Login" button. You should now be presented with the web interface for Collabtive and ready to begin your first project. While I couldn't find any documentation on the usage of Collabtive, it is fairly straight forward, if you are familiar with project management. If you should run into problems though, they do have a forum that has a lot of good information in it. The forums are located at - Collabtive Forums.

Using vi key bindings in bash and zsh

2008-04-28T13:52:00.000-07:00

Author : Vincent Danen, ZDNet Asia

When making command-line changes, you can choose a style that makes sense and makes the use of the command line faster and more efficient.

By default, most shells use emacs-style key bindings for command-line editing and modification.

For users of vi or vim, however, you can instead configure shells to use vi key bindings instead.

This is done by editing ~/.bashrc in the case of bash, or ~/.zshrc in zsh and adding:

set -o vi

in bash, and the following for zsh:

bindkey -v

Once you have saved either ~/.bashrc or ~/.zshrc, exit the shell and open a new terminal.

By default, you will be in insert mode, which means that you type as you normally would.

Commands like [Ctrl]A or [Ctrl]E no longer work, however.

To get into command mode, press [ESC] (as you would in vim) and use vi key commands to navigate the command line, such as $ to go the end of the line or 0 to go to the beginning of the line.

From that point, you can use other vi commands:

b to go back one word
2b to go back two words
dw to delete a word
dd to delete the entire line
d$ to delete from the current cursor position to the end of the line
d0 to delete from the current cursor position to the beginning of the line
w to go forward one word, and so forth

To return to insert mode, simply type i, as you would in vi, and you can edit the command line as you normally would.

If you are more familiar with vim than emacs, using vi key bindings in your shell makes a lot of sense and will make working in the shell much easier as you will be using edit commands that you are already familiar with.

If you use emacs more often, leave the defaults as they are to use the various commands you would normally use in emacs.

On the other hand, if you use neither, choose a style that makes the most sense and makes using the command line faster and more efficient.

How To Install mod_security/mod_security2 On SuSE Linux Enterprise Server 10 (SLES10)

2008-04-18T01:17:00.002-07:00

Author : elconas
Introduction

The Apache module mod_security is a very powerful security module. Combined with predefined rules, you can close many security wholes on your server, opened by bad written php or perl apps.

Unfortunately mod_security is not part of the SLES10 distribution. To install mod_security to have to install some 3rd party modules. This guide helps you to install mod_security on SLES10. It also helps you to remove the module, by building RPM packages you can easily uninstall.

Install Apache2

First of all you have to install apache2. This is very simple with the following command.

yast2 -i apache2

Install requried build packages

Some modules are required to build the mod_security module. Install the following packages:

yast2 -i libxml2-devel pcre-devel apache2-devel curl-devel gcc gcc-c++

Apache2-devel is required for apxs2. curl-devel is optional.

Get and Install checkinstall (for packaging)

To keep track of installed software and enable the user to uninstall and update software, checkinstall can build RPM, DEBIAN (DEB) and Slackware packages. Instead of executing "make install" just run "checkinstall" and checkinstall catches all files, that would be installed by "make install".

Get checkinstall from http://www.asic-linux.com.mx/~izto/checkinstall/download.php.

wget http://www.asic-linux.com.mx/~izto/checkinstall/files/source/checkinstall-1.6.1.tgz
make
make install
checkinstall
cp /usr/src/packages/RPMS/i386/checkinstall-1.6.1-1.i386.rpm .
rpm -ivh checkinstall-1.6.1-1.i386.rpm

Get and Install liblua

The LUA programming language is used by mod_security for configuration. You must compile LUA as shared module.

Get LUA from http://www.lua.org/ftp/lua-5.1.3.tar.gz.

wget http://www.lua.org/ftp/lua-5.1.3.tar.gz
tar -zxvf lua-5.1.3.tar.gz
cd lua-5.1.3
make linux
checkinstall

[...]
1 - Summary: [ The LUA programming language ]
2 - Name: [ lua ]
3 - Version: [ 5.1.3 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ Development/Languages/Lua ]
7 - Architecture: [ i386 ]
8 - Source location: [ http://www.lua.org/ftp/lua-5.1.3.tar.gz ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ lua ]
[...]

cp /usr/src/packages/RPMS/i386/lua-5.1.3-1.i386.rpm ..
rpm -ivh ../lua-5.1.3-1.i386.rpm

Now you have to build a shared library from the liblua archive.

cd /usr/local/lib
gcc -shared -o liblua.5.1.3.so /usr/local/lib/liblua.a
ln -s liblua.5.1.3.so liblua.so

Get and Install mod_security

Get mod_security from http://www.modsecurity.org/download/direct.html.

Documentation about the installation can be found here: http://www.modsecurity.org/documentation/index.html.

cd modsecurity-apache_2.5.2
cd apache2
./configure
make
checkinstall

...
1 - Summary: [ mod_security application level firewall ]
2 - Name: [ apache2-mod_security ]
3 - Version: [ 2.5.2 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ Productivity/Networking/Web/Servers ]
7 - Architecture: [ i386 ]
8 - Source location: [ http://www.modsecurity.org/download/ ]
9 - Alternate source location: [ ]
10 - Requires: [ apache2 libxml2 ]
11 - Provides: [ mod_security ]

cp /usr/src/packages/RPMS/i386/apache2-mod_security-2.5.2-1.i386.rpm ../../
rpm -ivh ../../apache2-mod_security-2.5.2-1.i386.rpm

Configure Apache2 for mod_security

# /etc/apache2/conf.d/mod_security.conf
LoadFile /usr/lib/libxml2.so
LoadFile /usr/local/lib/liblua.so
LoadModule security2_module /usr/lib/apache2/mod_security2.so
Include modsecurity/*.conf
LoadModule unique_id_module /usr/lib/apache2/mod_unique_id.so

Extract and Configure Core Rules

Get the core rules from http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.0.tar.gz.

cd /etc/apache2
mkdir modsecurity
cd modsecurity
tar -zxvf ../modsecurity-core-rules_2.5-1.6.0.tar.gz

Modify modsecurity_crs_10_config.conf to meet the location of your config files:

vi modsecurity_crs_10_config.conf
SecAuditLog=...
SecDebugLog=...

Restart Apache and Test your Webpage

First restart apache to get the current configuration:

rcapache restart

To test the installation, write a simple (insecure) PHP script like this:

file $text=$_GET['file'];
echo "Content of File $text";
echo `cat $text`;
?>

Then access it to try opening insecure files:

http://ip.of.your.server.de/index.php?file=/etc/passwd

You should get ERROR 501 in your browser and the SecAuditLog file should show:

[...]
GET /index.php?file=/etc/passwd HTTP/1.1 ...
[...]
Message: Access denied with code 501 (phase 2). Pattern match "(?:\b(?:\.(?:ht(?:access|passwd|group
)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" at ARGS:file. [file "/etc/apache2/modsecu
rity/modsecurity_crs_40_generic_attacks.conf"] [line "114"] [id "950005"] [msg "Remote File Access A
ttempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"]

Caveats

When accessing your server via IP, a rule in modsecurity_crs_21_protocol_anomalies.conf denies this. Edit the file and look for "Check that the host header is not an IP address".

Links and References

mod_security home page: http://www.modsecurity.org/
LUA home page: http://www.lua.org/
Checkinstall home page: http://www.asic-linux.com.mx/~izto/checkinstall/
Author's home page: http://www.elconas.de

Securely delete files with shred

2008-04-16T23:07:00.000-07:00

Author : Vincent Danen, ZDNet Asia

Scrub your data using the shred command for files that contain sensitive information, so that they cannot be recovered later with data retrieval tools.

There are two utilities on a typical Linux box that can be used to delete files. Most users are familiar with the rm command. Most of the time, this command is sufficient for routine deletion, but for files that contain sensitive data, you might need to scrub them so that they cannot be recovered later with other data retrieval tools.

To delete files with sensitive content, rm is not sufficient. Instead, consider using the shred command, which not only deletes a file, but deletes it in such a way that it cannot be recovered. Shred overwrites the file multiple times with garbage prior to deleting it, ensuring that if anything does get retrieved, it isn't your top-secret data.

For instance:

$ echo "this is private data" >private.txt

$ cat private.txt

this is private data

$ ls -l private.txt

-rw-r--r-- 1 vdanen vdanen 21 Mar  4 09:36 private.txt

To illustrate how shred works, call it without any command-line options so that the garbage in the file can be viewed:

$ shred private.txt

$ cat private.txt

?9?-?w?K?=???l;b8SƉ?b???????@,?18!??DM??P?

...

$ ls -l private.txt

-rw-r--r-- 1 vdanen vdanen 4096 Mar  4 09:36
private.txt

The rest of the output is removed as it is binary gibberish. You can also see the file size has changed.

To delete the file after overwriting it with garbage, use the -u option. To see what shred is actually doing, give it the verbose -v option:

$ shred -u -v private.txt

shred: private.txt: pass 1/25 (random)...

shred: private.txt: pass 2/25 (cccccc)...

shred: private.txt: pass 3/25 (111111)...

shred: private.txt: pass 4/25 (000000)...

shred: private.txt: pass 5/25 (999999)...

shred: private.txt: pass 6/25 (aaaaaa)...

shred: private.txt: pass 7/25 (924924)...

shred: private.txt: pass 8/25 (b6db6d)...

shred: private.txt: pass 9/25 (6db6db)...

shred: private.txt: pass 10/25 (888888)...

shred: private.txt: pass 11/25 (492492)...

shred: private.txt: pass 12/25 (db6db6)...

shred: private.txt: pass 13/25 (random)...

shred: private.txt: pass 14/25 (ffffff)...

shred: private.txt: pass 15/25 (bbbbbb)...

shred: private.txt: pass 16/25 (777777)...

shred: private.txt: pass 18/25 (dddddd)...

shred: private.txt: pass 19/25 (333333)...

shred: private.txt: pass 20/25 (555555)...

shred: private.txt: pass 21/25 (222222)...

shred: private.txt: pass 22/25 (eeeeee)...

shred: private.txt: pass 23/25 (666666)...

shred: private.txt: pass 24/25 (249249)...

shred: private.txt: pass 25/25 (random)...

shred: private.txt: removing

shred: private.txt: renamed to 00000000000

shred: 00000000000: renamed to 0000000000

shred: 0000000000: renamed to 000000000

shred: 000000000: renamed to 00000000

shred: 00000000: renamed to 0000000

shred: 0000000: renamed to 000000

shred: 000000: renamed to 00000

shred: 00000: renamed to 0000

shred: 0000: renamed to 000

shred: 000: renamed to 00

shred: 00: renamed to 0

shred: private.txt: removed

As you can see, shred overwrites the file 25 times with garbage. After this, it renames the file 11 times before deleting it.

Shred can also be used to overwrite entire disks instead of just files. If you wished to overwrite the contents of an entire hard drive, a process which would definitely take a fair amount of time, use:

# shred -u -n 30 /dev/hda

This will overwrite the data on the drive with garbage using 30 passes. The drive will need to be re-formatted after this as even the filesystem structure will be destroyed.

Monitoring UPS Power Status Using Network UPS Tools (NUT) 2.2.0 on Multiple OpenSuSE 10.3 Servers

2008-04-14T01:04:00.001-07:00

Author : kian

Network UPS Tools is a collection of programs which provide a common interface for monitoring and administering UPS hardware.

The primary goal of the Network UPS Tools (NUT) project is to provide reliable monitoring of UPS hardware and ensure safe shutdowns of the systems which are connected.

This is a developing project to monitor a large assortment of UPS hardware. Many models have ports on the back to allow other devices to check the status. If it gives basic information about the power and battery status, it can probably be supported without too much difficulty. More advanced features on the higher-end models are also supported to allow tracking of values over time such as temperature and voltage.

Network communications are used so that multiple systems can monitor a single physical UPS and shut down together if necessary without any special "sharing hardware" on the UPS itself.

Pre-installation

Before you have everything up and running on the server, plug the UPS to a power outlet and connect the signal cable (serial or USB) to the server that will run upsd. Do not connect any server power cables to the outlet on the UPS until you feel that you are confident with the working of NUT and how it behaves with your hardware. It is often advised that you use a dummy load such as a lamp when testing the UPS. This will also show you when the UPS delivers power and when it is off, giving you the opportunity to experiment safely and gain confidence with the commands in a way you can't do once you hook up a production server to the UPS.

Installation

Install the nut RPM package. If you use YaST2, required packages will automatically be added. From the command line, you can use

yast2 -i nut

as root.

In OpenSuSE 10.3, you will get nut 2.2.0 installed.

This will place all the necessary binaries in your path and a set of skeleton configuration files. You will have to edit the files as root in order to define your UPS hardware

Configuration

Configuration of a locally connected UPS

Either open a root shell, or use e.g.

sudo vi

to edit the configuration files.

In the file /etc/ups/ups.conf you have a dummy section with default values that looks like this:

[myups]
     driver = undefined
     port = /dev/undefined
     desc = "Local UPS"

Edit the file and set the driver to point to the correct driver for your UPS, the port to where you connected the signal cable and add a description. See /usr/share/nut/driver.list for a list of supported brands and models.

Here is my entry for an APC SmartUPS 1400 connected to the serial port.

[apc_smartups_1400]
     driver = apcsmart
     port = /dev/ttyS0
     desc = "APC SmartUPS 1400"

You have to modify the /etc/ups/upsd.users file to configure users and permissions. The passwords are automatically generated during installation, so you can leave them set to these random values if you like. If you want to use a password that you can remember, edit the file. There are two entries in the default file, I also added an admin user so I can calibrate and test the UPS from the command line.

Note that these users can only connect from localhost, so for now security is not a big issue here. With remote slaves, you should use a more advanced password than what I have in these examples.

Here are the three users defined in the /etc/ups/upsd.users file.

[upsmaster]
      password = masterpass123
      allowfrom = localhost
      upsmon master
[upsslave]
      password = slavepass123
      allowfrom = localhost
      upsmon slave
[upsadmin]
      password = upspass
      allowfrom = localhost
      actions = SET
      instcmds = ALL

The upsd daemon only polls the UPS, you need other programs to check upsd for status. Edit their config files to reflect the new name of the UPS and the login and password.

/etc/ups/upsmon.conf

# MONITOR myups@localhost 1 upsmaster 67fc9377aa master
MONITOR apc_smartups_1400@localhost 1 upsmaster masterpass123 master

I also prefer to get a "wall" notice when power is restored in case I work remotely and there is a short power failure. Change the line:

NOTIFYFLAG ONLINE   SYSLOG

NOTIFYFLAG ONLINE   SYSLOG+WALL

in the /etc/ups/upsmon.conf file.

/etc/ups/hosts.conf is only for the included CGI programs, but you can add the correct information here as well

/etc/ups/hosts.conf

# MONITOR myups@localhost "Local UPS"
MONITOR apc_smartups_1400@localhost "APC SmartUPS 1400"

Now we can finally start all of these programs:

rcupsd start

linux:~ # rcupsd start
Starting NUT UPS drivers done
Starting NUT UPS server done
Starting NUT UPS monitor done

Check that you are up and running and that you can read the stored values from the UPS. First list available devices with

upsc -l

... then read all values with:

upsc

linux:~ # upsc -l
apc_smartups_1400
linux:~ # upsc apc_smartups_1400
battery.alarm.threshold: 0
battery.charge: 100.0
battery.charge.restart: 00
[...]

Testing

Before you connect your server to the power, test a realistic power failure unplugging the power cord to the UPS unit. It should fail over to battery and you get a warning message. If you are logged in and running KDE you get a popup from KWrited with a message such as:

Broadcast Message from upsd@linux
(somewhere) at 22:51
UPS apc_smartups_1400@localhost on battery

Plug the cable back in and observe the reassuring messages that power has been restored.

Broadcast Message from upsd@linux
(somewhere) at 22:51
UPS apc_smartups_1400@localhost on line power

If this works, you can shut your server down and connect the power cord to the UPS. In case of a power failure, you will get the messages you saw during testing. Once the battery charge is so low that the UPS sends a "low battery" signal, NUT will shut down the server. You may be able to set this threshold in the UPS registers, or you will have to script something that does a

shutdown -h -t

(system halt after ) as soon as the UPS is on battery, and then does a

shutdown -c

(cancel shutdown) when the UPS is back on line power. Not all UPS devices will send this "restored" message, though. This is where you just have to test and customize.

Running your equipment on UPS

So your server is now running on battery power until the batteries run out. You may want to once actually run the server until the batteries fail, just to have an idea of how much battery time you have. Most UPS devices can show you the load and a battery charge percentage. UPSes are great when you are working on something really important and there is a short power surge or brownout, and in case of a long lasting blackout you can get the machine to suspend, hibernate or shut down when batteries are low.

If you set your BIOS to start the machine automatically when it starts to received power, it will automatically boot when power is restored. In case of recurrent power failures, you don't want to keep a server running and drain the batteries. Just think of a UPS as a unit that protects you from power surges and spikes, and can provide you with a clean shutdown in case of power failure. Don't run a server on battery just because you can. Batteries in a UPS are not meant to be drained, and when power is restored they normally take a few hours to restore full charge. You don't want to run the servers without a safety net right after a blackout - shut servers down with plenty of battery power left and save it for the rough time period just after power restore when every appliance in the entire city starts up simultaneously and starts to guzzle power. For the same reason, limit what you keep on UPS to important servers. Don't forget to add necessary supporting hardware such as network equipment, KVMs and monitors needed to operate the servers during power failure. Avoid running printers and most workstations on UPS power. Keep emergency light in the server room so you can work there when the normal lights are out. If you keep servers running for a while with your own power source (such as a generator), you may even want to keep HVAC on the same power to avoid overheating the room.

Also remember that when all equipment starts to draw poewr at once - servers and workstations all simultaneously boot, all monitors and lights light up and laser printers start to warm up - you must expect to blow a fuse or two. Which then prolongs your blackout. Make sure all non-critical equipment is shut off during power failures and manually switched on again afterwards.

Remote clients

Allowing remote clients

Now that you know the local UPS is working as it should - keeping the server running on power and notifying the OS via serial port or USB - you may want to connect more servers to the rest of the power outlets. However, there is only one USB or serial cable. This is when you need the NUT upsd daemon on the machine with the serial cable to notify the other servers via the network.

Start by editing the /etc/ups/upsd.conf to allow clients. Here the entire subnet is allowed, you may want to make it more fine-grained and only include specific IPs.

ACL all 0.0.0.0/0
ACL localhost 127.0.0.1/32
ACL upsnet  192.168.1.0/24
ACCEPT localhost
ACCEPT upsnet
REJECT all

Now allow the slave to connect from this network in /etc/ups/upsd.users:

[upsslave]
      password = slavepass123
      allowfrom = localhost upsnet
      upsmon slave

Restart the upsd daemond again to pick up the changes.

rcupsd restart

linux:~ # rcupsd restart
Shutting down NUT UPS monitor done
Shutting down NUT UPS server done
Shutting down NUT UPS drivers. done
Starting NUT UPS drivers done
Starting NUT UPS server done
Starting NUT UPS monitor done

Or better, reload the configuration, this is much faster than restarting the daemons when you only need to reconfigure any setting except for the driver settings which demands a service restart as above.

rcupsd reload

linux:~ # rcupsd reload
Reload service NUT UPS (excluding upsdrvctl) done

And allow the clients through the firewall (OpenSuSE by default runs an iptables firewall called SuSEfirewall). upsd listens on TCP port 3493, and by default listens on all interfaces.

Create a SuSEfirewall2 service definition, since the RPM didn't include one. Make a new file named /etc/sysconfig/SuSEfirewall2.d/services/upsd . with this content:

# Service description for upsd, the UPS daemon from NUT
# (Network UPS Tools)
#
## Name: NUT upsd
## Description: Allows remote monitoring of UPS power status
# space separated list of allowed TCP ports
TCP="3493"
# space separated list of allowed UDP ports
UDP=""
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""

Now start

YaST

as root and choose "Security and Users" -> "Firewall". Select the correct network and choose NUT upsd in the drop-down list. Add the service and click the Next button. This adds upsd to the list of allowed services in the FW_CONFIGURATIONS_EXT variable in the /etc/sysconfig/SuSEfirewall2 configuration script. Port 3493 is now allowed through the iptables firewall.

Configuring remote clients

Install nut on a remote machine, this one is called linux64.

Comment out everything in /etc/ups/ups.conf since we don't have a local UPS attached:

#[myups]
#       driver = undefined
#       port = /dev/undefined
#       desc = "Local UPS"

Edit /etc/ups/upsmon.conf to monitor the server where the UPS is connected:

#MONITOR myups@localhost 1 upsmaster 04fb251a3f master
MONITOR apc_smartups_1400@linux 1 upsslave slavepass123 slave

Add the UPS server to /etc/ups/hosts.conf:

#MONITOR myups@localhost "Local UPS"
MONITOR apc_smartups_1400@linux "APC SmartUPS 1400"

Now start the upsd service, which will ignore the actual upsd and UPS driver since they are unconfigured, and only start upsmon.

rcupsd start

linux64:~ # rcupsd start
Starting NUT UPS monitor done

Check that the connection is working, and that you can read the status values of the remote UPS server.

upsc apc_smartups_1400@linux

linux64:~ # upsc apc_smartups_1400@linux
battery.alarm.threshold: 0
battery.charge: 094.0
battery.charge.restart: 00
[...]

Test the UPS again, and check that the new client also picks up the message

Broadcast Message from upsd@linux64
(somewhere) at 0:13 ...
UPS apc_smartups_1400@linux on battery

Connect the power cable for this server to the UPS, and you now have two servers protected from blackouts and they are both monitoring power status.

References

Tne Network UPS Tools (NUT) homepage

Copyright (c) 2008 Kian Spongsveen
Permission is granted to copy, distribute and/or modify the content of
this page under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is available at http://www.gnu.org/licenses/fdl.html

MySQL Backups Using ZRM For MySQL 2.0

2008-04-11T01:20:00.001-07:00

Author : Paddy Sreenivasan

Zmanda Recovery Manager (ZRM) for MySQL simplifies life of a database administrator who needs an easy to use yet flexible and robust backup and recovery solution for MySQL server. Significant features are:

* Schedule full and incremental logical or raw backups of your MySQL database
* Centralized backup management
* Perform backup that is the best match for your storage engine and your MySQL configuration
* Get e-mail notification about status of your backups
* Monitor and obtain reports about your backups (including RSS feeds)
* Verify your backup images
* Compress and encrypt your backup images
* Implement Site or Application specific backup policies
* Recover database easily to any point in time or to any particular database event
* Custom plugins to tailor MySQL backups to your environment
* MySQL backup using Linux LVM and Solaris ZFS snapshots

Release 2.0 of the community project was released last week. It can be downloaded from Zmanda downloads page. It supports all Linux and Solaris distributions. The documentation is available on ZRM wiki. ZRM forums can be used to get questions answered about the project.

This example assumes that the ZRM server and MySQL server are the same machine. We are backing up MySQL database

myisamnetflix

to the same machine running Ubuntu 7.04.

ZRM For MySQL Installation

* Installation has to be done as super user.

* ZRM for MySQL requires perl 5.8.7 or later. Ubuntu 7.04 already has perl 5.8.8 installed.

* Install perl-DBD and perl-XML-parser modules

# apt-get install libxml-parser-perl libdbd-mysql-perl

* Download ZRM for MySQL debian packages from Zmanda downloads page.

* Install ZRM for MySQL (ZRM server package is sufficient because MySQL server and ZRM server are the same machine).

# dpkg -i mysql-zrm_2.0_all.deb

Selecting previously deselected package mysql-zrm.
(Reading database ... 108342 files and directories currently installed.)
Unpacking mysql-zrm (from mysql-zrm_2.0_all.deb) ...
Setting up mysql-zrm (2.0) ...
Updating ownership of previously backedup data sets

MySQL Server Configuration

* Check to see if MySQL server is running. If MySQL server is not installed, please install "mysql-server" using "apt-get" command. Update the "root" MySQL server with a password using mysqladmin command (mysqladmin --user root password boot12). We are using "boot12" as the root password. This user will be used for doing MySQL backups and restores. It is better to user a specific user with minimal privileges to do MySQL backups instead of using "root" MySQL user.

* The MySQL server has to run as "mysql" user and "mysql" OS user should belong to "mysql" group. The default installation of ZRM for MySQL requires MySQL server to run as "mysql" user.

* "ps" output shows mysql server is running using the default MySQL port

mysql 22034 21995 0 14:38 pts/2 00:00:09 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock

* Enable binary logging on the MySQL server. Binary logging must be enabled to do incremental backups of the MySQL server.

* Edit /etc/mysql/my.cnf configuration file. Add "log-bin" in mysqld section.

 [mysqld]
log-bin

* We have mysql database "myisamnetflix" that contains two tables. We will be backing this database. This database uses MyISAM storage engine:

* MySQL client commands are installed in /usr/bin/ directory. If they are not, accordingly configure the client command location and binary log location in mysql-zrm.conf.

ZRM Configuration

* This should be done as mysql user:

$ id

uid=1002(mysql) gid=1001(mysql) groups=1001(mysql)

* Create the backup set directory. The backup set is called "netflix".

$ mkdir /etc/mysql-zrm/netflix

* Create mysql-zrm.conf configuration file. Backup compression is enabled and "myisamnetflix" database is being backed up. The location of MySQL binary logs are also specified ("mysql-binlog-path").

$ cat /etc/mysql-zrm/netflix/mysql-zrm.conf

 host="localhost"
databases="myisamnetflix"
password="boot12"
user="root"
compress=1
mysql-binlog-path="/var/log/mysql"

Perform ZRM Backups

* This should be done as "mysql" user.

* Perform full backup of the database immediately using "mysql-zrm-scheduler".

$ mysql-zrm-scheduler --now --backup-set netflix --backup-level 0

schedule:INFO: ZRM for MySQL Community Edition - version 2.0
Logging to /var/log/mysql-zrm/mysql-zrm-scheduler.log
backup:INFO: ZRM for MySQL Community Edition - version 2.0
netflix:backup:INFO: START OF BACKUP
netflix:backup:INFO: PHASE START: Initialization
netflix:backup:INFO: backup-set=netflix
netflix:backup:INFO: backup-date=20080326161652
netflix:backup:INFO: mysql-server-os=Linux/Unix
netflix:backup:INFO: host=localhost
netflix:backup:INFO: backup-date-epoch=1206573412
netflix:backup:INFO: mysql-zrm-version=ZRM for MySQL Community Edition - version 2.0
netflix:backup:INFO: mysql-version=5.0.38-Ubuntu_0ubuntu1.4-log
netflix:backup:INFO: backup-directory=/var/lib/mysql-zrm/netflix/20080326161652
netflix:backup:INFO: backup-level=0
netflix:backup:INFO: backup-mode=raw
netflix:backup:INFO: PHASE END: Initialization
netflix:backup:INFO: PHASE START: Running pre backup plugin
netflix:backup:INFO: PHASE END: Running pre backup plugin
netflix:backup:INFO: PHASE START: Flushing logs
netflix:backup:INFO: PHASE END: Flushing logs
netflix:backup:INFO: PHASE START: Find table type
netflix:backup:INFO: PHASE END: Find table type
netflix:backup:INFO: PHASE START: Creating raw backup
netflix:backup:INFO: raw-databases=myisamnetflix
netflix:backup:INFO: PHASE END: Creating raw backup
netflix:backup:INFO: PHASE START: Calculating backup size & checksums
netflix:backup:INFO: next-binlog=mysql-bin.000009
netflix:backup:INFO: backup-size=122.27 MB
netflix:backup:INFO: PHASE END: Calculating backup size & checksums
netflix:backup:INFO: PHASE START: Compression/Encryption
netflix:backup:INFO: compress=
netflix:backup:INFO: backup-size-compressed=37.65 MB
netflix:backup:INFO: PHASE END: Compression/Encryption
netflix:backup:INFO: read-locks-time=00:00:01
netflix:backup:INFO: flush-logs-time=00:00:00
netflix:backup:INFO: compress-encrypt-time=00:02:20
netflix:backup:INFO: backup-time=00:00:15
netflix:backup:INFO: backup-status=Backup succeeded
netflix:backup:INFO: Backup succeeded
netflix:backup:INFO: PHASE START: Running post backup plugin
netflix:backup:INFO: PHASE END: Running post backup plugin
netflix:backup:INFO: PHASE START: Mailing backup report
netflix:backup:INFO: PHASE END: Mailing backup report
netflix:backup:INFO: PHASE START: Cleanup
netflix:backup:INFO: PHASE END: Cleanup
netflix:backup:INFO: END OF BACKUP
/usr/bin/mysql-zrm started successfully

* Delete some entries from the "myisamnetflix" database (so that we can do incremental backup of the database)
mysql> use myisamnetflix;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> delete from MovieID where MovieTitle = "Alien Hunter";
Query OK, 1 rows affected (0.01 sec)

* Perform incremental backup of the backup set.

$ mysql-zrm-scheduler --now --backup-set netflix --backup-level 1

schedule:INFO: ZRM for MySQL Community Edition - version 2.0
Logging to /var/log/mysql-zrm/mysql-zrm-scheduler.log
backup:INFO: ZRM for MySQL Community Edition - version 2.0
netflix:backup:INFO: START OF BACKUP
netflix:backup:INFO: PHASE START: Initialization
netflix:backup:INFO: backup-set=netflix
netflix:backup:INFO: backup-date=20080326164433
netflix:backup:INFO: mysql-server-os=Linux/Unix
netflix:backup:INFO: host=localhost
netflix:backup:INFO: backup-date-epoch=1206575073
netflix:backup:INFO: mysql-zrm-version=ZRM for MySQL Community Edition - version 2.0
netflix:backup:INFO: mysql-version=5.0.38-Ubuntu_0ubuntu1.4-log
netflix:backup:INFO: backup-directory=/var/lib/mysql-zrm/netflix/20080326164433
netflix:backup:INFO: backup-level=1
netflix:backup:INFO: PHASE END: Initialization
netflix:backup:INFO: PHASE START: Running pre backup plugin
netflix:backup:INFO: PHASE END: Running pre backup plugin
netflix:backup:INFO: PHASE START: Flushing logs
netflix:backup:INFO: PHASE END: Flushing logs
netflix:backup:INFO: PHASE START: Creating incremental backup
netflix:backup:INFO: incremental=mysql-bin.[0-9]*
netflix:backup:INFO: PHASE END: Creating incremental backup
netflix:backup:INFO: PHASE START: Calculating backup size & checksums
netflix:backup:INFO: next-binlog=mysql-bin.000013
netflix:backup:INFO: last-backup=/var/lib/mysql-zrm/netflix/20080326162210
netflix:backup:INFO: backup-size=0.03 MB
netflix:backup:INFO: PHASE END: Calculating backup size & checksums
netflix:backup:INFO: PHASE START: Compression/Encryption
netflix:backup:INFO: compress=
netflix:backup:INFO: backup-size-compressed=0.00 MB
netflix:backup:INFO: PHASE END: Compression/Encryption
netflix:backup:INFO: read-locks-time=00:00:00
netflix:backup:INFO: flush-logs-time=00:00:00
netflix:backup:INFO: compress-encrypt-time=00:00:00
netflix:backup:INFO: backup-time=00:00:00
netflix:backup:INFO: backup-status=Backup succeeded
netflix:backup:INFO: Backup succeeded
netflix:backup:INFO: PHASE START: Running post backup plugin
netflix:backup:INFO: PHASE END: Running post backup plugin
netflix:backup:INFO: PHASE START: Mailing backup report
netflix:backup:INFO: PHASE END: Mailing backup report
netflix:backup:INFO: PHASE START: Cleanup
netflix:backup:INFO: PHASE END: Cleanup
netflix:backup:INFO: END OF BACKUP
/usr/bin/mysql-zrm started successfully

ZRM Backup Reports

* Use "mysql-zrm-reporter" to look at the status of backups available.

$ /usr/bin/mysql-zrm-reporter --where backup-set=netflix --show backup-status-info

REPORT TYPE : backup-status-info

backup_set backup_date backup_level backup_status comment
-----------------------------------------------------------------------------------------------------------
netflix Wed 26 Mar 2008 04:44:33 1 Backup succeeded ----
PM PDT
netflix Wed 26 Mar 2008 04:16:52 0 Backup succeeded ----
PM PDT

* ZRM reports can also provide information on impact on MySQL application.

$ /usr/bin/mysql-zrm-reporter --where backup-set=netflix --show backup-app-performance-info

REPORT TYPE : backup-app-performance-info

backup_set backup_date backup_level backup_size backup_time read_locks_time flush_logs_time
-------------------------------------------------------------------------------------------------------------------------------------
netflix Wed 26 Mar 2008 04:44:33 1 0.03 MB 00:00:00 00:00:00 00:00:00
PM PDT
netflix Wed 26 Mar 2008 04:16:52 0 122.27 MB 00:00:15 00:00:01 00:00:00
PM PDT

Database Recovery

* Use ZRM reporting tool to identify the location of MySQL backup images.

$ /usr/bin/mysql-zrm-reporter --where backup-set=netflix --show restore-info

REPORT TYPE : restore-info

backup_set backup_date backup_level backup_directory backup_status comment
-----------------------------------------------------------------------------------------------------------------------------------------------------
netflix Wed 26 Mar 2008 04:44:33 1 /var/lib/mysql-zrm/netflix/20080326164433 Backup succeeded ----
PM PDT
netflix Wed 26 Mar 2008 04:16:52 0 /var/lib/mysql-zrm/netflix/20080326161652 Backup succeeded ----
PM PDT

* You can parse incremental backups to identify database events of interest. In our example, we will look for the "DELETE" event.

$ /usr/bin/mysql-zrm-parse-binlogs --source-directory /var/lib/mysql-zrm/netflix/20080326164433 | grep delete

parse-binlogs:INFO: ZRM for MySQL Community Edition - version 2.0
/var/lib/mysql-zrm/netflix/20080326164433/mysql-bin.000011 | 13634 | 08-03-26 16:28:03 | Query | use myisamnetflix/*!*/; delete from MovieID where MovieTitle = "Alien Hunter"/*!*/;

* Restore the database from the full backup done at 16:16:52.

$ /usr/bin/mysql-zrm-restore --user=root --password=boot12 --source-directory=/var/lib/mysql-zrm/netflix/20080326161652

restore:INFO: ZRM for MySQL Community Edition - version 2.0
BackupSet1:restore:INFO: Restored database from raw backup: myisamnetflix
BackupSet1:restore:INFO: Restore done in 9 seconds.
MySQL server has been shutdown. Please restart after verification.

* Restart the MySQL server
# /etc/init.d/mysql restart
* Stopping MySQL database server mysqld [ OK ]
* Starting MySQL database server mysqld [ OK ]
* Checking for corrupt, not cleanly closed and upgrade needing tables.

* Check the database recovery.

mysql> use myisamnetflix;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from MovieID where MovieTitle = "Alien Hunter";
+---------+------+--------------+
| MovieID | Year | MovieTitle |
+---------+------+--------------+
| 17770 | 2003 | Alien Hunter |
+---------+------+--------------+
1 row in set (0.02 sec)

Scheduled Backups With Rsyncbackup On Debian Etch - Page 2

2008-04-10T01:37:00.005-07:00

4.3 Configuration

4.3.1 Main

This file contains the standard rsync options for all backups.

vi /etc/rsyncbackup/config.conf

The content could look like this:

--stats
--progress
--links
--hard-links
--times
--recursive
--perms
--owner
--group
--compress
--backup

Note: You can also use the short style - e.g.: "-p" instead of "--perms". I chose the long style for better understanding.

4.3.2 Sources

This file contains all files/folders that shall be available in the backup sets.

vi /etc/rsyncbackup/sources.conf

The content could look like this:

configs|local:/etc|true|
logs|local:/var/log|true|

The syntax: tag|source path|conditional shell code|optional rsync options

Note: "true" means that this source is enabled - "false" would disable it.

4.3.3 Destinations

This file contains all destinations that shall be available in the backup sets.

vi /etc/rsyncbackup/destinations.conf

The content could look like this:

store_configs|ssh[key=id_rsa,incremental=7,tag=increment]:root@192.168.0.102:/backups/configs/|/usr/bin/traceroute -m 2 192.168.0.102|--bwlimit=300 --delete
store_logs|ssh[key=id_rsa,incremental=7,tag=increment]root@192.168.0.102:/backups/logs/|/usr/bin/traceroute -m 2 192.168.0.102|--bwlimit=300 --delete
store_manual|ssh[key=id_rsa]:root@192.168.0.102:/backups/manual/|/usr/bin/traceroute -m 2 192.168.0.102|

The syntax: tag|destination path (optional with ssh & incremental settings)|conditional shell code|optional rsync options

In this example (first and second destination) we use our backup server as destination and authenticate against it with the private ssh key. We want to keep seven increments (incremental=7) whose names begin with "increment" (tag=increment). The optional shell code (/usr/bin/traceroute -m 2 192.168.0.102) will return true (and start the backup) if the backup server is running and at least two hops away. Also we use two optional rsync options (--bwlimit=300 and --delete) - so we have a bandwidth limit for this destination and deleted files on the main server will also be deleted on the backup server (for a new increment). Please note that you can only use ONE source for a backup set that has an incremental destination.

4.3.4 Backup Sets

This file joins the souces with the destinations.

vi /etc/rsyncbackup/backupset.conf

It could look like this:

[manual]
configs,logs|store_manual|true|

[daily]
logs|store_logs|true|

[weekly]
configs|store_configs|true|

As you can see, we've created three backup sets.

The syntax: source tags|destination tags|conditional shell code|optional rsync options

4.4 Test

Now let's test if our configuration is ok.

rsyncbackup -x /etc/rsyncbackup -vv -d -s manual

The output should look like this:

PATH DIR:/etc/rsyncbackup/
LOG DIR:/etc/rsyncbackup/logs
CONFIG_FILE:/etc/rsyncbackup/config.conf
SOURCE FILE:/etc/rsyncbackup/sources.conf
DESTS_FILE:/etc/rsyncbackup/destinations.conf
BACKUPSET_FILE:/etc/rsyncbackup/backupset.conf
BACKUPSET:manual

Backup set 1 configs to store_manual
Source : configs
Source dir : [local] /etc
Source opts :
Source cond : true
Destination : store_manual
Destination dir : [ssh] root@192.168.0.102:/backups/manual/ [key=id_rsa,sshport=22]
Destination opts:
Destination cond: /usr/bin/traceroute -m 2 192.168.0.102
Config options : --stats --progress --links --hard-links --times --recursive --perms --owner --group --compress --backup
Backupset opts : true
All options : --stats --progress --links --hard-links --times --recursive --perms --owner --group --compress --backup
All conditions : /usr/bin/traceroute -m 2 192.168.0.102 true true

Backup set 2 logs to store_manual
Source : logs
Source dir : [local] /var/log
Source opts :
Source cond : true
Destination : store_manual
Destination dir : [ssh] root@192.168.0.102:/backups/manual/ [key=id_rsa,sshport=22]
Destination opts:
Destination cond: /usr/bin/traceroute -m 2 192.168.0.102
Config options : --stats --progress --links --hard-links --times --recursive --perms --owner --group --compress --backup
Backupset opts : true
All options : --stats --progress --links --hard-links --times --recursive --perms --owner --group --compress --backup
All conditions : /usr/bin/traceroute -m 2 192.168.0.102 true true

If all looks ok, we'll do our first backup.

rsyncbackup -x /etc/rsyncbackup -b -s manual

After that the backup should be on the backup server - if not, have a look at the logs (/etc/rsyncbackup/logs/ or /var/log/rsyncbackup/).

4.5 Cronjob

Now we create cronjobs for the backups.

crontab -e

The content could look like this:

# m h  dom mon dow   command
# Backups
00 02 * * *     /usr/local/bin/rsyncbackup -x /etc/rsyncbackup -b -v -s daily >> /var/log/rsyncbackup/backup.daily.log
00 04 * * 0     /usr/local/bin/rsyncbackup -x /etc/rsyncbackup -b -v -s weekly >> /var/log/rsyncbackup/backup.weekly.log

The backup set "daily" will be backed up every day at 2:00am, the backup set "weekly" every sunday at 4:00am. Optional, if you want to get mails when errors occurs, you can add the option "-e email@domain" to the rsyncbackup command - it should look like this:

# m h  dom mon dow   command
# Backups
00 02 * * *     /usr/local/bin/rsyncbackup -x /etc/rsyncbackup -b -v -s daily -e email@domain >> /var/log/rsyncbackup/backup.daily.log
00 04 * * 0     /usr/local/bin/rsyncbackup -x /etc/rsyncbackup -b -v -s weekly -e email@domain >> /var/log/rsyncbackup/backup.weekly.log

4.6 Manual

Please have a look at the manual for further information. It is included in the package that you downloaded in step 4.1.

5 Links

Debian: http://www.debian.org/
Rsyncbackup: http://code.google.com/p/rsync-backup/

Scheduled Backups With Rsyncbackup On Debian Etch

Configure Snort to log packets to MySQL

2008-04-02T23:02:00.000-07:00

Author : Vincent Danen, ZDNet Asia

Administrators can take advantage of the Snort facility to to detect intrusions to the network.

Snort, a network intrusion detection system, can be configured to log packets to a remote MySQL server. A graphical Web interface can be used to view captured packets and statistics.

To begin on the MySQL server, the database must first be created.

In this scenario, the Snort server is “snort.host” and the MySQL server is "mysql.host".

Connect to the database as root:

# mysql -u root -p

mysql> create database snort;

mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on snort.*
to snort@snort.host;

mysql> set password for snort@snort.host=PASSWORD('snortpass');

mysql> flush privileges;

mysql> q

With the Snort documentation comes a file called create_mysql, which has the schema for the database.

On a typical Linux install, this file would be found in /usr/share/doc/snort-[version]/create_mysql.

Load this file as root:

# mysql -u root -p snort

Next, on the system where Snort will be running, edit the /etc/snort/snort.conf configuration file and tell it to log to the database:

output database: log, mysql, user=snort password=snortpass
dbname=snort host=mysql.host

Finally, make sure that /etc/snort/snort.conf is mode 0640 and owned root:snort:

# chown root:snort /etc/snort/snort.conf

# chmod 0640 /etc/snort/snort.conf

The next step is to start Snort; a supplied initscript will start Snort monitoring or you can launch it to the background:

# /usr/sbin/snort -c /etc/snort/snort.conf &

Starting Snort once without sending it to the background is a good idea to ensure the connection takes. You can also look on the MySQL server to ensure that logging is active:

# echo "SELECT hostname FROM sensor;" | mysql -u root -p snort

The IP address that Snort is listening on should be displayed.

Now that Snort is logging data to MySQL, using BASE (Basic Analysis and Security Engine) is a great way to view the data via a Web interface. BASE requires a Web server and PHP. Once you have unarchived it where it needs to be, copy the base_conf.php.dist file to base_conf.php and edit it, in particular, setting the $alert_dbname and related variables to point to the Snort log database.

You will also want to add a snort@localhost user with privileges to the MySQL database if you did not do so earlier (i.e., if your Snort and MySQL servers are physically separate).

Once that is done, navigate to the BASE install that you just set up and follow the instructions presented to set up the caching table for BASE. When that is complete, BASE is now available to view and graph the logged Snort data.

How To Install The Openbravo ERP On Debian Etch

2008-03-30T01:54:00.002-07:00

Author: Oliver Meyer
Last edited 03/07/2008

This document describes how to set up Openbravo ERP (enterprise management system) on Debian Etch. Taken from the Openbravo page: "Openbravo is an open source ERP solution designed specifically for the SME (small to midsize firm). Developed in a web based environment, it includes many robust functionalities which are considered part of the extended ERP: procurement and warehouse management, project and service management, production management, and financial management."

I can't list all the features here - please have a look at http://www.openbravo.com/product/product-features/.

This howto is a practical guide without any warranty - it doesn't cover the theoretical backgrounds. There are many ways to set up such a system - this is the way I chose.

1 Preparation

1.1 Debian Backports

This repository provides Sun's JDK that we need for this setup.

vi /etc/apt/sources.list

Add the following lines.

# Debian Backports
deb http://www.backports.org/debian etch-backports main contrib non-free

Afterwards refresh apt ...

apt-get update

... and import the gpg-key.

apt-get install debian-backports-keyring

1.2 Needed Packages

Now let's install and configure the needed packages.

1.2.1 PostgreSQL

Install it via:

apt-get install postgresql-8.2

Afterwards we have to set the PostgreSQL admin password.

sed -i 's/ident sameuser$/trust/' /etc/postgresql/8.2/main/pg_hba.conf
/etc/init.d/postgresql-8.2 restart

Open a PostgreSQL shell.

psql -U postgres
alter role postgres with password '%new_PostgreSQL_admin_passowrd%';
\q

sed -i 's/trust$/md5/' /etc/postgresql/8.2/main/pg_hba.conf
/etc/init.d/postgresql-8.2 reload

1.2.2 Java JDK

Install it via:

apt-get install sun-java6-jdk

Afterwards make it systemwide available.

update-java-alternatives -s java-6-sun
echo 'JAVA_HOME="/usr/lib/jvm/java-6-sun"' | tee -a /etc/environment

After that log out and in again to take the changes effect.

1.2.3 Apache Tomcat

Install it via:

apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps

Afterwards we have to configure it.

rm /var/log/tomcat5.5/catalina.out
vi /etc/init.d/tomcat5.5

Change:

TOMCAT5_SECURITY=yes

To:

TOMCAT5_SECURITY=no

Restart Tomcat.

/etc/init.d/tomcat5.5 restart

Now let's look if all went well.

netstat -tap | grep java

Tomcat should be listening on port 8180.

tcp6 0 0 *:8180 *:* LISTEN 3571/java

As a last resort make it systemwide available.

echo 'CATALINA_HOME="/usr/share/tomcat5.5"' | tee -a /etc/environment
echo 'CATALINA_BASE="/var/lib/tomcat5.5"' | tee -a /etc/environment
echo 'CATALINA_OPTS="-server -Xms384M -Xmx512M"' | tee -a /etc/environment

After that log out and in again to take the changes effect.

1.2.4 Apache Ant

Apache ant has already been installed as dependency at the step before - so only the configuration is left.

echo 'ANT_HOME="/usr/share/ant"' | tee -a /etc/environment

After that log out and in again to take the changes effect.

2 Openbravo

2.1 Get It

Please have a look at http://sourceforge.net/projects/openbravo/ to find out which is the latest version. When I was writing this howto it was version 2.35mp1.

cd /tmp/
wget http://mesh.dl.sourceforge.net/sourceforge/openbravo/OpenbravoERP-2.35-MP1-linux-installer.bin
chmod +x OpenbravoERP-2.35-MP1-linux-installer.bin

2.2 Installation

A text based installer will guide you through the installation.

./OpenbravoERP-2.35-MP1-linux-installer.bin

First press a few times "Enter" to read the single parts of the license agreement. Type in "yes" at the end if you agree with it.

Before the installation begins you'll be asked a few questions - answer them as follows.

Hit "Enter" to choose the default (/opt/OpenbravoERP) when you're asked for the installation directory.
Hit "Enter" to choose the default (/opt/OpenbravoERP/AppsOpenbravo/attach) when you're asked for the attachments directory.
Hit "Enter" to choose the default (Full (standard) installation) when you're asked for the installation type.
Hit "Enter" to choose the default (Full) when you're asked again for the installation type.
Choose PostgreSQL as database to use.
Hit "Enter" to choose the default (/usr/lib/jvm/java-6-sun) when you're asked for the java home directory.
Hit "Enter" to choose the default (/usr/share/ant) when you're asked for the Apache ant home directory.
Hit "Enter" to choose the default (/var/lib/tomcat5.5) when you're asked for the Tomcat installation directory.
Type in your web server's domain (e.g.: server1.example.com) when you're asked for it.
Enter "8180" when you're asked for the http port.
Hit "Enter" to choose the default (openbravo) when you're asked for the context name.
Enter "/usr/bin" when you're asked for the directory that contains the PostgreSQL binaries.
Hit "Enter" to choose the default (localhost) when you're asked for the database server parameters.
Hit "Enter" to choose the default (4532) when you're asked for PostgreSQL's listening port.
Hit "Enter" to choose the default (openbravo) when you're asked for the database name.
Next enter the PostgreSQL admin password (twice) that you created earlier at step 1.2.1.
Hit "Enter" to choose the default (tad) when you're asked for the openbravo database user.
Next type in a password (twice) for the new user.
Now type in "y" to start the installation - this will take a while...

2.3 Webinterface

Now you can access Openbravo via http://%servername%:8180/openbravo . Log in with the username "Openbravo" and the password "openbravo".

3 Links

Debian: http://www.debian.org/
Openbravo: http://www.openbravo.com/
Openbravo user manual: http://wiki.openbravo.com/wiki/User_Manual_2.3

VMware Server v1.04 On Fedora 8 With Kernel 2.6.24

2008-03-08T04:34:00.005-07:00

Version 1.0
Author: Oliver Meyer
Last edited 03/07/2008

This document describes how to set up VMware Server v1.04 on Fedora 8 with the brand-new kernel 2.6.24 (2.6.24.3-12.fc8).

This howto is a practical guide without any warranty - it doesn't cover the theoretical backgrounds. There are many ways to set up such a system - this is the way I chose.

1 VMware Server Is Not Installed Yet

Download and install the VMware Server as described at step 14.3.16, but DON'T apply the any-any patch. Afterwards proceed with step 2.

2 VMware Server Is Already Installed

Download this patch. After that open a terminal, become root and switch to the folder where you downloaded the patch. Unpack the patch and copy the included .tar-files to the VMware module-sources directory.

tar xvfj vmware.tar.bz2
cd vmware/
cp vm* /usr/lib/vmware/modules/source/

Now type in:

vmware-config.pl

Answer all the questions with "yes" and accept the license agreement (if you agree with it). After that you'll be asked a few questions about install paths etc. - simply hit enter for every question. As a last resort you have to insert your serial number. Afterwards the VMware Server is available in the gnome applications menu.

3 Links

Fedora: http://fedoraproject.org/
VMware Server: http://www.vmware.com/download/server/