linux
Danil Trubitsyn, 2017-03-21 09:54:26

How to find out what initiates postfix mail sending?

The server was infected with a virus (or several), apparently malware. E-mail spam is being sent from my server. It seems that all the rogue files and code have been deleted, but the outgoing queue is still being filled.


2 answer(s)
Victor Taran, 2017-03-21
@ali3412

I described it in detail here
https://klondike-studio.ru/blog/kak-opredelit-kako...
don't forget to mark it as solved.

younghacker, 2017-04-01
@younghacker

How to look for the spammer has already been covered. Now, one option for being proactive is to prevent spam from being sent as the result of a hack.
In iptables, we forbid outgoing TCP connections to port 25 on any external host from accounts other than postfix, root and mail.
As a result, the web server cannot send mail directly.
We log all violators before the reject and monitor the log constantly. A burst of entries indicates attempts to establish external connections on port 25.

# The SMTPOUT chain must exist before these rules are loaded (iptables -N SMTPOUT).
# Let already-established outgoing connections through.
-A OUTPUT -o br0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Send every new outgoing connection to port 25 into the SMTPOUT chain.
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -j SMTPOUT
# Delivery to the local MTA on loopback is always allowed.
-A SMTPOUT -d 127.0.0.1 -j ACCEPT
# Only the mail group, root and the smfs account may talk to external port 25.
-A SMTPOUT -m owner --gid-owner mail -j ACCEPT
-A SMTPOUT -m owner --uid-owner root -j ACCEPT
-A SMTPOUT -m owner --uid-owner smfs -j ACCEPT
# Log everything else together with the sender's UID, then reject it.
# Houston, we have a problem
-A SMTPOUT -j LOG --log-uid --log-prefix "Reject outgoing SMTP "
-A SMTPOUT -j REJECT --reject-with icmp-admin-prohibited

And in the mailer we allow sending mail only with authentication.
Most hacks will not be able to send spam.
More advanced hacks will have to find the authentication details and send with them.
In Postfix, enable smtpd_sasl_authenticated_header = yes (Postfix version 2.3 and higher).
As a result, the name of the authenticated user will appear in the headers of every sent e-mail.
By this name, having received an abuse report from Spamhaus, you can immediately see who was at fault.
Monitor the send queue. Rapid growth of the queue is most often the result of a hack and attempts to send spam.
Monitor DNSBL lists.
And finally, what can be done to minimize the risk of being hacked?
Block modification and creation of files from PHP. Yes, WordPress auto-update will fail. But if we prohibit uncontrolled modification of the site, we prohibit it for everyone. You can even disable root.
For directories where files must be writable (for example, upload), disable the handler that passes PHP files to the PHP interpreter. Let the web server serve them but not execute them. The .htaccess file that enforces this is also write-protected. The main rule is to prohibit arbitrary, uncontrolled modification of the code while leaving the ability to write data, but at the same time to prohibit the execution of that data. :)
It is clear that not every CMS can work normally in this mode.
In this mode we have been running one client's site on Joomla 1.5 for many years :) A hole is a hole. And if you remove the restrictions, it gets hacked within a couple of days.
And a final tip: don't host sites on a host that is also a mail server. Or at least separate the IP address from which mail is sent from the address the web server runs on, so that from the outside they even look like different hosts. Then hacking the site and sending spam will not get the mailer's IP blocked in various DNSBLs, which is sometimes very difficult and/or slow to get removed from.
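As an added example (not part of the answer above, and not the author's code): a small POSIX shell script that runs the two checks the answer recommends over constructed sample data, so it works offline. It counts the "Reject outgoing SMTP" kernel log entries per UID and reads the message count from the mailq summary line; the log lines, the mailq line and the alert threshold of 3 are all constructed assumptions.

```shell
#!/bin/sh
# Added example: detection logic for the two signals the answer says to watch.
#   1. kernel log lines written by the "Reject outgoing SMTP " LOG rule (--log-uid)
#   2. the summary line of `mailq` / `postqueue -p` giving the size of the send queue

# Constructed sample kernel log lines, in the format the iptables LOG target emits.
SAMPLE_LOG='Mar 21 09:54:26 web kernel: Reject outgoing SMTP IN= OUT=br0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=44321 DPT=25 SYN URGP=0 UID=33 GID=33
Mar 21 09:54:27 web kernel: Reject outgoing SMTP IN= OUT=br0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=44322 DPT=25 SYN URGP=0 UID=33 GID=33
Mar 21 09:54:27 web kernel: Reject outgoing SMTP IN= OUT=br0 SRC=10.0.0.5 DST=203.0.113.12 PROTO=TCP SPT=44323 DPT=25 SYN URGP=0 UID=33 GID=33
Mar 21 09:55:01 web kernel: Reject outgoing SMTP IN= OUT=br0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=50001 DPT=25 SYN URGP=0 UID=1000 GID=1000
Mar 21 09:55:02 web kernel: eth0: link up'

# Constructed sample last line of `mailq` (a hacked web server pushes this up fast).
SAMPLE_MAILQ='-- 120 Kbytes in 57 Requests.'

# smtp_rejects_by_uid LOGTEXT -> one line per UID: "UID COUNT"
smtp_rejects_by_uid() {
    printf '%s\n' "$1" \
      | grep 'Reject outgoing SMTP' \
      | sed -n 's/.*UID=\([0-9]*\).*/\1/p' \
      | sort -n | uniq -c \
      | awk '{ print $2, $1 }'
}

# offending_uids LOGTEXT THRESHOLD -> UIDs that hit the block at least THRESHOLD times
offending_uids() {
    smtp_rejects_by_uid "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# queue_requests MAILQ_SUMMARY_LINE -> number of messages waiting in the queue
queue_requests() {
    printf '%s\n' "$1" | sed -n 's/.*in \([0-9]*\) Requests*\..*/\1/p'
}

# On a real host you would feed it the kernel log and the live queue instead:
#   offending_uids "$(cat /var/log/kern.log)" 20
#   queue_requests "$(mailq | tail -1)"
main() {
    echo "blocked outgoing-SMTP attempts per UID:"
    smtp_rejects_by_uid "$SAMPLE_LOG"
    for uid in $(offending_uids "$SAMPLE_LOG" 3); do
        echo "ALERT: uid $uid hit the outgoing-SMTP block 3+ times; inspect its processes"
    done
    echo "messages in queue: $(queue_requests "$SAMPLE_MAILQ")"
}
main
```

The UID in the alert is the one iptables logged, so on the real host `getent passwd <uid>` tells you which account (typically the web server user) is trying to send.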
