

Topics - idovecer

1
E-Mail / X-Envelope-From and From different
« on: January 14, 2022, 09:47:20 AM »
Today I received one email where the "X-Envelope-From" and "From" fields are different; the client is confused because he is deceived into thinking the email was sent from his coworker on the same domain, e***d.com.

The sender intentionally wants to confuse the recipient about whom it was sent from, because the server accepts the email based on X-Envelope-From, while the client in the email application sees only From as the sender, which is actually not true.

My question is: which service on CentOS Web Panel should remove this mail, or just mark it as SPAM or as a deceiving email?
Maybe SpamAssassin or Postfix?

Where to configure to check incoming emails for valid SPF, DKIM, DMARC?

I do not have this installed on the server:
"AntiSpam/AntiVirus (recommended): ClamAV, Amavis & Spamassassin, Requires 2Gb+ RAM"



Thank you.


Header of this email:
Code:
Return-Path: <carola.scheffel@mydkt.com>
Delivered-To: vt@e***d.com
Received: from srv.m***r.com
    by srv.m***r.com with LMTP id uO/ALc4q4WGVWAAAoUtXVA
    for <vt@e***d.com>; Fri, 14 Jan 2022 08:48:30 +0100
Received: from mta1dc6.protectedservice.net (mta1dc6.protectedservice.net [194.1.166.173])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by srv.m***r.com (Postfix) with ESMTPS id B4422A405AB
    for <vt@e***d.com>; Fri, 14 Jan 2022 08:48:30 +0100 (CET)
X-Envelope-From: carola.scheffel@mydkt.com
X-Hid: 5c2eeee9-750e-11ec-bd20-00163e218517
Received: from zimbra-mbox25dc1.protectedservice.net (ec2-3-9-3-218.eu-west-2.compute.amazonaws.com [3.9.3.218])
    by smtp.protectedservice.net (Halon) with ESMTPS
    id 5c2eeee9-750e-11ec-bd20-00163e218517;
    Fri, 14 Jan 2022 07:48:27 +0000 (GMT)
Received: from zimbra-mbox25dc1.protectedservice.net (localhost [127.0.0.1])
    by zimbra-mbox25dc1.protectedservice.net (Postfix) with ESMTP id B83D7470F25
    for <vt@e***d.com>; Fri, 14 Jan 2022 07:48:27 +0000 (UTC)
Date: Fri, 14 Jan 2022 07:48:27 +0000 (UTC)
From: RS <rs@e***d.com>
Reply-To: office.mobilemail7@gmail.com
To: vt@e***d.com
Message-ID: <84477814.4167090.1642146507695.JavaMail.zimbra@mydkt.com>
Subject: =?utf-8?Q?Payment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: Zimbra 8.8.15_GA_4018 (ZimbraWebClient - GC96 (Win)/8.8.15_GA_4026)
Thread-Index: YFWfkK3jx1TTazTDLfBNMsQQSbIiiQ==
Thread-Topic: =?utf-8?Q?Payment?=
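As an added illustration of the mismatch described in this post (not code from the poster or from CWP), the script below reads the headers the way a DMARC-style alignment check would: it compares the domain of the envelope sender (X-Envelope-From, falling back to Return-Path) with the domain of the From header, and also flags a Reply-To or Message-ID domain that differs from From. The sample headers are constructed with placeholder domains modelled on the post; a real deployment would rely on SPF/DKIM/DMARC verification rather than this plain string comparison.

```python
"""Flag messages whose envelope sender, From and Reply-To disagree.

Added example: a plain domain-alignment check, not CWP's own tooling.
The sample headers are constructed with placeholder domains.
"""
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample: envelope/Return-Path domain differs from From, and
# Reply-To points to a third, free-mail domain (placeholders, not real hosts).
SAMPLE_HEADERS = """\
Return-Path: <someone@sender-example.net>
X-Envelope-From: someone@sender-example.net
Date: Fri, 14 Jan 2022 07:48:27 +0000 (UTC)
From: RS <rs@victim-example.com>
Reply-To: office.replyaddr@freemail-example.org
To: vt@victim-example.com
Message-ID: <84477814.4167090@sender-example.net>
Subject: Payment

body
"""


def _domain(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def envelope_from(msg):
    """Envelope sender as recorded by the receiving MTA.

    Prefers X-Envelope-From (the relay in the post adds it) and falls back to
    Return-Path, which the final-delivery MTA writes from the SMTP MAIL FROM.
    """
    return msg.get("X-Envelope-From") or msg.get("Return-Path")


def sender_findings(raw_message):
    """Return a list of (check, detail) tuples describing sender mismatches.

    An empty list means envelope sender, From, Reply-To and Message-ID all
    share one domain; anything else is worth scoring or quarantining.
    """
    msg = Parser().parsestr(raw_message)
    from_dom = _domain(msg.get("From"))
    env_dom = _domain(envelope_from(msg))
    reply_dom = _domain(msg.get("Reply-To"))
    msgid_dom = _domain(msg.get("Message-ID"))

    findings = []
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(("envelope-from-mismatch", f"{env_dom} != {from_dom}"))
    if reply_dom and from_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{reply_dom} != {from_dom}"))
    if msgid_dom and from_dom and msgid_dom != from_dom:
        findings.append(("message-id-mismatch", f"{msgid_dom} != {from_dom}"))
    return findings


if __name__ == "__main__":
    for check, detail in sender_findings(SAMPLE_HEADERS):
        print(f"{check}: {detail}")
```

Run against the constructed sample it reports all three mismatches; the envelope-from one is the same condition that makes DMARC fail for a spoofed From, which is why an actual DMARC verifier (run from the MTA, before delivery) is the right place to make this decision.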

2
Until today I didn't have any client with an IPv6 address, and this client can't access any web service or mail, nor even ping the server.
I tried to list iptables; there were no IPv6 addresses. Then I checked ip6tables; this list was empty.
When I disable the firewall on the server, he can access all services (web, mail, ping); when I turn the firewall back on, he is unable to reach anything.

I even added his IPv6 address to the whitelist in the panel's Whitelist configuration and restarted the firewall, and he still can't access. I checked, and his address is listed in ip6tables.

The client then reset his modem to get a new IPv6 address; with the new IPv6 address he can't access the server at all.
How to solve that? Does CentOS Web Panel block all IPv6 addresses by default, or?

Tnx in advance for any tips and help.


3
PHP / How to list all domains with the php-fpm versions used?!
« on: October 15, 2021, 11:29:04 AM »
How can I list or simply find out which domains on CWP use which versions of php-fpm?
Some simple list of all domains on the server with their PHP versions.

I would like to update some php-fpm versions so I can know in advance which domains will be affected.
Tnx.

4
How to / How to prevent bad bots (web crawlers) with mod security
« on: October 10, 2021, 11:07:05 AM »
I'm using apache + mod_security (with Comodo WAF rules):

1. Install mod_security
How to install here > http://wiki.centos-webpanel.com/mod_security-for-cwp
Optional: select Comodo WAF rules (I use these rules: CWPanel -> Security -> ModSecurity -> Select Comodo WAF)

2. Check what web crawlers are the most common on your server
Command to list top 100 agents on your apache:
#cat /usr/local/apache/domlogs/*.log | awk -F\" '{print $6}' | sort | uniq -c | sort -nr | head -100

Short wiki about web crawlers: https://linuxreviews.org/Web_crawlers

3. Add rules in modsecurity to prevent some web bots / web crawlers
Add the rules below in the file #/usr/local/apache/modesecurity-cwaf/custom_user.conf (this is the custom user conf file if you are using Comodo WAF rules)

Examples:
Code:
SecRule REQUEST_HEADERS:User-Agent "@contains blexbot" "id:'1000000',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains semrushbot" "id:'1000001',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains ahrefsbot" "id:'1000002',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains dotbot" "id:'1000003',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains mj12bot" "id:'1000004',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains barkrowler" "id:'1000005',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"
SecRule REQUEST_HEADERS:User-Agent "@contains megaindex" "id:'1000006',t:none,t:lowercase,deny,nolog,msg:'BAD BOT - Detected and Blocked. '"

4. Reload apache
Reload apache to reload updated mod_security custom rules
#systemctl reload httpd.service

5. Check one of your domain logs
Check the log to see if your rules are valid and working; you must get a 403 response (403 Forbidden error)
Example: #less /usr/local/apache/domlogs/somedomain.com.log
Code:
185.191.171.39 - - [10/Oct/2021:13:00:08 +0200] "GET /page/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
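Steps 2 and 5 of this how-to can be done in one pass with the script below, added here as an example and not part of CWP or the Comodo rule set. It parses Apache "combined" log lines, tallies user agents the same way the awk pipeline in step 2 does, and then audits the bot names from the SecRule list: any request whose User-Agent contains one of them should have been answered with 403, so a matching request that got 200 means the rule is not loaded or not matching. The log lines are constructed samples using TEST-NET addresses; BLOCKED_BOTS and the function names are this example's own.

```python
"""Tally Apache user agents and verify that bad-bot rules return 403.

Added example for the mod_security how-to; the log lines are constructed.
"""
import re
from collections import Counter

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Substrings from the SecRule list above, matched case-insensitively the way
# t:lowercase + @contains does in mod_security.
BLOCKED_BOTS = ("blexbot", "semrushbot", "ahrefsbot", "dotbot",
                "mj12bot", "barkrowler", "megaindex")

# Constructed sample log (TEST-NET-3 addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2021:13:00:08 +0200] "GET /page/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
203.0.113.11 - - [10/Oct/2021:13:00:09 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"
203.0.113.12 - - [10/Oct/2021:13:00:10 +0200] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
203.0.113.11 - - [10/Oct/2021:13:00:11 +0200] "GET /about/ HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/93.0"
203.0.113.13 - - [10/Oct/2021:13:00:12 +0200] "GET /x HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)"
"""


def parse_log(text):
    """Yield one dict per parseable combined-format line; skip malformed lines."""
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def top_user_agents(text, n=100):
    # Same tally as: awk -F'"' '{print $6}' | sort | uniq -c | sort -nr | head -n
    return Counter(rec["agent"] for rec in parse_log(text)).most_common(n)


def matched_bot(agent):
    """Return the blocked-bot substring contained in the agent, or None."""
    low = agent.lower()
    for bot in BLOCKED_BOTS:
        if bot in low:
            return bot
    return None


def audit_bot_rules(text):
    """Return (blocked, leaked): bot hits answered with 403 vs. those that got through."""
    blocked, leaked = [], []
    for rec in parse_log(text):
        bot = matched_bot(rec["agent"])
        if bot is None:
            continue
        entry = (rec["host"], bot, rec["status"])
        (blocked if rec["status"] == "403" else leaked).append(entry)
    return blocked, leaked


if __name__ == "__main__":
    for agent, count in top_user_agents(SAMPLE_LOG, 10):
        print(f"{count:6d} {agent}")
    blocked, leaked = audit_bot_rules(SAMPLE_LOG)
    print("blocked:", blocked)
    print("leaked (rule missing or not matching):", leaked)
```

Point it at a real domlog (`python3 audit_bots.py < /usr/local/apache/domlogs/somedomain.com.log` after changing SAMPLE_LOG to `sys.stdin.read()`) and an empty "leaked" list confirms the custom rules are active; the sample deliberately includes an AhrefsBot request that got 200 to show what a missing rule looks like.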





5
Dovecot / Dovecot auto restart (watchdog)
« on: July 23, 2021, 07:03:01 AM »
Due to a backup, unfortunately the server was briefly left without space, and at that point the dovecot service stopped in the night, around 00:57.

The server had free space again soon after the backup, and in the morning at 08:00 when I checked there were 20GB of free space on the server, but of all the services only dovecot was not running.

Does CentOS Web Panel have some watchdog that monitors services that aren't working so that it can autostart them, and how come dovecot wasn't started?

Tnx.

Code:
dovecot STATUS
dovecot.service - Dovecot IMAP/POP3 email server
Loaded: loaded (/usr/lib/systemd/system/dovecot.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Pet 2021-07-23 00:57:49 CEST; 7h ago


dovecot.log
Jul 23 00:56:01 imap (mail@example.com): Error: open (/var/vmail/example.com/example//dovecot.autoexpunge.lock859f5c32d3ce40e7) failed: No space left on device

