Messages

31

E-Mail / Re: postfix sending email every minute

« on: May 29, 2023, 02:07:15 PM »

Yes, cyberspace mentioned the most common vector for spam sending on servers -- an insecure php script that gets exploited/abused to send bulk UCE (unsolicited commercial e-mail). I'm sorry I neglected to mention the possibility in my response, because that's the most common vector these days. In fact, that's the only mail abuse I've seen on my servers is via a malicous php script implanted via a WordPress vulnerability. You may want to consider closing off the php mailer vector altogether and require ONLY authenticated SMTP on the server for mail sending. It depends on your situation, but really I would say generally that using the php mailer functionality is "lazy coding" and you should only use SMTP AUTH for accounting purposes -- it's clear who is sending what and everything is logged.

32

CentOS-WebPanel GUI / Re: CWP Pro proposing gdb-headless updates when not needed

« on: May 28, 2023, 08:01:41 PM »

CWP is just a frontend for YUM, so it is just presenting whatever suggestions yum is recommending for update. If you don't need gdb-headless, consider removing it. I recommend NOT running any unnecessary services on your server, as it just serves to increase your attack surface. Better to run lean an nimble and only install what you absolutely need.

33

CentOS 6 Problems / Re: GUI for CentOS WHM!!

« on: May 28, 2023, 07:57:26 PM »

What's with these AI bot responses lately? Are they trainers for ChatGPT?

[That was not about Igor; it was about some AI Bot response that is now deleted.]

34

CentOS 6 Problems / Re: GUI for CentOS WHM!!

« on: May 28, 2023, 12:47:41 PM »

What's with these AI bot responses lately? Are they trainers for ChatGPT?

35

E-Mail / Re: postfix sending email every minute

« on: May 27, 2023, 05:26:51 PM »

By your log, it looks to be agendada, UID 1010
Try running:

Code: [Select]

id 1010to find the associated account. Then go into your admin panel and rate limit the amount of mail messages the account can send in an hour, to contain collateral damage while you investigate.

I would seriously consider enacting some Postfix rate limiting restrictions as well in /etc/postfix/main.cf:

Code: [Select]

##//delivery rate controls/restrictions
# Parrallel delivery force (local=2 and dest=20 are aggressive)
local_destination_concurrency_limit = 6
default_destination_concurrency_limit = 30
# Max flow rate (1 sec delay per 50 emails/sec over the number of emails delivered/sec)
in_flow_delay = 1s
# Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 10s 
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
# limit max sends per minute
anvil_rate_time_unit = 60s
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 30
smtpd_client_message_rate_limit = 30


36

E-Mail / Re: zombie attack target email account

« on: May 27, 2023, 05:17:15 PM »

And have you hardened your postfix installation to prevent relaying? Pay particular attention to the $mynetworks and $relay_domains directives. Do you have UCE controls properly implemented in Postfix? Don't trust the defaults -- they are just a starting point. You should be much more restrictive than what CWP provides as an initial basis.

37

CentOS-WebPanel Bugs / Re: Apache rebuild doesn't work (again) and workaround

« on: May 26, 2023, 10:43:28 PM »

What version of Apache are you looking for? 2.4.56?

As a quick test, I can curl their older Apache 2.2.27 script:

Code: [Select]

curl -O https://dl1.centos-webpanel.com/files/c_scripts/apache-2.2.27.sh

38

Apache / Re: /usr/local/apache/conf.d/vhosts/domain.ssl.conf gets overwritten

« on: May 26, 2023, 10:29:29 PM »

Code: [Select]

sudo chattr +i /usr/local/apache/conf.d/vhosts/testdomain.nl.ssl.confto make changes, remove the immutable bit:

Code: [Select]

sudo chattr -i /usr/local/apache/conf.d/vhosts/testdomain.nl.ssl.conf

39

DNS / Re: CWP Can't add “One” domain name

« on: May 26, 2023, 10:16:09 PM »

How is your DNS infrastructure set up? Do you use the default CWP DNS servers, or something different? (I use Cloudflare as my NS.)

40

CentOS 7 Problems / Re: Malware found

« on: May 26, 2023, 02:00:57 PM »

Are you running rkhunter to check for a root kit?

Also look for FritzFrog and Ebury:
https://srvfail.com/check-clean-ebury-ssh-rootkit/

41

E-Mail / Re: zombie attack target email account

« on: May 26, 2023, 01:00:08 AM »

Are your SPF and DMARC DNS records set up properly to restrict sending to your own domain and server IP address?

42

CSF Firewall / Re: I need Suggestion

« on: May 25, 2023, 02:14:25 PM »

If you or your customers only do commerce within your own country, or know for sure you don't need access to some regions (eg southeast Asia), you can use CSF to block entire countries in /etc/csf/csf.conf:

Code: [Select]

CC_DENY = "CN,KP,VN"Do a search and see what are the top 10 hacking countries and include those in the block list.

43

How to / Re: How to manage hard drive space without losing data

« on: May 25, 2023, 02:07:11 PM »

The answer to the original question is "very carefully." I have done this on two different servers, using both fdisk (for hard partitions) and lvs resizing techniques (easier/safer). Obviously you are using LVM, and as an aside, I prefer my disk layout to all be one under / (meaning one LVM managed volume -- /dev/mapper/centos7-root -- I don't need the separate /dev/mapper/centos7-home partition. I only feel that is needed if you need it to reside on different storage or foresee expanding /home ad infinitum, or I suppose your backup requirements were specialized.

At any rate, do a FULL backup before proceeding. Be aware if you mess up, you will crash your server.
https://linuxhandbook.com/resize-lvm-partition/

44

Other / Re: how to disable cwp , cpanel ,pma short

« on: May 25, 2023, 01:56:07 PM »

You would have to edit your existing vhost files and the controlling template, going forward. What web server do you use (apache or nginx)?

45

SSL / Re: DNS Redirection problem for xxx.com with www and without it

« on: May 24, 2023, 02:48:23 AM »

Another pitfall for renewing certificates is if you have your web server (apache or nginx) set up to 301 redirect HTTP to HTTPS requests. You need to disable this temporarily while you renew your certificates. LetsEncrypt needs to connect to the server via standard port 80 (HTTP) for the renewal process to complete successfully.