Friday, October 2, 2009

Linux Securirty Notes 4: Reconnaissance & Vulnerability Checks

Reconnaissance Tool

  • A port scanning utility to check the services, ports, software version & finger print of OS etc.
  • Always update the nmap to the latest version.
Upgrading NMAP:
    Check the current version of nmap
#rpm -qa |grep nmap
    Now upgrade to the latest version by downloading the package
# wget
# rpm -Uvh nmap-5.00-1.i386.rpm

Usage of nmap:
    Running the nmap as root uses the SYN based scan(Half opened connection) which is less tracable
    (SYN Stealth scan)
    nmap (TCP SYN) -> Target (ACK) -> nmap declines ACK
    Running nmap as non-privileged user opens a standard TCP connections (3 way handshake)
    nmap (TCP SYN) -> Target (ACK) -> nmap (SYN|ACK)

#nmap -v localhost
    Shows the ports opened in localhost, scan runns in (-v) verbose mode.

Nmap to store output to a certain file

    We can store the output into varios formats. below option stores as a normal file
# nmap -v oN nmap.scan.localhost.file localhost||remotehost
# vi || cat || less || more   nmap.scan.localhost.file

    This can be kept for the later reference.

Nmap to scan the UDP Listners

    By default NMAP scanns the TCP ports and enabling the -sU option will endup with UDP scan
# nmap -v -sU localhost||remotehost

Nmap to scan a perticular port
# nmap -v -p 631 localhost||remotehost

Nmap to give the Os finger print of remote system
# nmap -v -O localhost||remotehost
    This will give the output about the remote host OS details.

Nmap Lockdown:
    NMAP scanning is done to tune the server for higher security by closing the unnecessary ports. Read  to explore more in NMAP. Keep in mind this might be the same tool that the hackers use to scan our network to check the services running so that they can use its vulnerability to break through.

Vulnerability Tool

NESSUS & Port scanner are the tools that can check the vulnerability in system.

    Download the tool from and exicute the nessus installer as root.
  • shareutils
  • gtk-2.0 (XWindows develop tools)
    These are needed for nessus to be installed.
# run the installation script to install the nessus.
    It will ask for certain criterias to finish the installation including Activation code.

Post installation procedure
   After completion of the Nessus installation, as per the instruction from the script have to finish the following process

Create the SSL certificate for Nessus to communicate with nessus server and client as mentioned in the installation script.
# /use/the/path/provided in installation output
Add a nessusd user according to the output of installion

Start Nessus daemon
#/usr/local/sbin/nessusd -D
    Nessus starts as deamon and listen on port 1241
# lsof -i@
    This will show the service binded to the port

Start Nessus client and start the scanning..
    Now configure the preferences in the GUI interface including the nessus server, port, username plugins that can be enabled etc..
Accept the certificate, enable the plugins for platforms, credentials of remote system in which the nessus should start scan, connection options etc.

To start the scan go to Target and start the scan . After the successfull scan it will show the result of vulnerability scan. This will tell that which services are less secured and what mesures should be taken to secure the services.
Eg:- SSH is supporting older version of the SSH protocols and need to configure the sshd service to use the protocol2 only. SSH protocol-1 uses ssh_host_key. but ssh protocol-ver2 uses ssh_host_rsa||dsa_keys
    Nessus is a powerfull tool that help us to configure our servers more securly by pointing the vulnerability in the packages and configurations of various services.

How To Identify Date and Time of a Unix Command Execution

Question: How do I find out what time I executed a command previously on Unix OS? The history command doesn’t display timestamp?

Answer: Set HISTTIMEFORMAT as shown below. Please note that there is a space before the last single-quotes.

 To Display Date & Time:
$ export HISTTIMEFORMAT='%F %T ' 
After the above setting, history command will display timestamp in
front of all commands. You can also search the history as shown below. 
$ history | less
  351  2009-09-08 09:53:47 ls -lrt
  352  2009-09-08 09:53:49 cd ..
  353  2009-09-08 09:55:39 wget -mk -w 20 -P top5-1 -N
  354  2009-09-08 10:00:04 gk
  355  2009-09-08 10:00:07 cd Bash/Wget/
  356  2009-09-08 10:00:07 ls

To Display AM / PM:
$ export HISTTIMEFORMAT='%F %r '
$ history
  351  2009-09-08 09:53:47 PM ls -lrt
  352  2009-09-08 09:53:49 PM cd ..
To Display In DD-MM-YY time format:
$ export HISTTIMEFORMAT='%d-%b-%Y %r '
$ history
  351  08-Sep-2009 09:53:47 PM ls -lrt
  352  08-Sep-2009 09:53:49 PM cd ..

To Display Timezone:

$ export HISTTIMEFORMAT='%d-%b-%Y %r %Z'
$ history
  351  08-Sep-2009 09:53:47 PM PDT ls -lrt
  352  08-Sep-2009 09:53:49 PM PDT cd ..

Thursday, October 1, 2009

Linux Securirty Notes 3: Basic Security TIPs for SHELL and other command line utility


TTY (Teletype Terminal) and Psuedo Terminals Security:

    this file that has list of the terminals that root can access.
    For Eg:- If root user is not able to login through any terminal the respective terminal will be missing from the
securetty file. So edit the file to restrict the root login to a limited teletype terminals

    This will show the terminal where user have logged in to currently
  •      But some programs such as SSH will by pass this securetty file and will maintain their own configuration.
  •     Whenever a new ssh session is initiated a psuedo terminal is created on the fly and it will be visible under the directory /dev/pts/
  •     Try to login as normal user over network always and issue "su - l". Let the hacker find out the local user credentials first and let him try for root.Make always the way of compromising difficult
Sytem Banners
    This is to warn the users about the authorized use of the server.
# /etc/issue
    This file content will be presented before the user logs in (Before giving the username & password or after accepting the public key).
# /etc/
   Telnet uses this file as "banner"  while clinet makes a connection
# /etc/motd
    This file content will be presented immediate after the successful login.
Including the Banner in SSH:
Now we can include these banner in ssh to warn about the usage of system
Banner /etc/issue
    Restart the deamon to take effect.

Other Useful utilities for checking the system incase of the suspectable compramize occured

# /usr/bin/last

    This will tell the last login details including duration, terminals, from ip etc.
Last reads the contents in /var/log/wtmp and process.
root     pts/1        kiran Thu Oct  1 21:51 - 21:52  (00:00)
root     pts/1        jithu Thu Oct  1 21:35 - 21:44  (00:09)
root     pts/0        test  Thu Oct  1 21:33   still logged in
reboot   system boot  2.6.28-11-generi Thu Oct  1 21:32 - 22:00  (00:28)


# /bin/netstat
    Will show the list of all listening or connected or opened tcp/udp & unix sockets
root@ubuntu:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0    *               LISTEN      2908/sshd
tcp        0      0 *               LISTEN      2342/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      2908/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      2342/cupsd
udp        0      0 *                           2318/avahi-daemon:
udp        0      0    *                           2439/dhclient
udp        0      0  *                           2318/avahi-daemon:

    The above command shows the list of deamon that have been bound to all ports including TCP & UDP

root@ubuntu:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0    *               LISTEN
tcp        0      0 *               LISTEN
tcp        0     52       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN

    netstat with optoins "ant" will show all connections that are currently active in your system

# /usr/bin/lsof
    This command will reveal all the open files as well as opened sockets in the linux systems.
In linux enviornment all the objects are considered to be files. lsof will list the all the opened file.
So this tool will be usefull on post compramised check.

# /usr/bin/lsof
init         1       root  cwd       DIR        8,1    4096          2 /
init         1       root  rtd       DIR        8,1    4096          2 /
init         1       root  txt       REG        8,1  104364     171411 /sbin/init
init         1       root  mem       REG        8,1 1442180     246132 /lib/tls/i686/cmov/
init         1       root  mem       REG        8,1  117348     228503 /lib/


root@ubuntu:~# lsof /root/
bash            2666   root     cwd    DIR    8,1           4096   32641 /root/
seq              3415   root     cwd    DIR    8,1          4096    32641 /root/
lsof             3416   root     cwd    DIR    8,1         4096    32641 /root/
lsof            3417   root     cwd    DIR    8,1          4096   32641 /root/

    This will show all the files accessed by any binaries inside the /root directory. This is helpfull to find the access of perticular file by any binaries and the i/o as well as the user that is exicuting it
A single open file can prevent a filesystem from being unmounted. lsof should be run as the superuser (root) to see all open files in the given directory.

    This will give the list of the sockets opened in system
root@ubuntu:~# lsof -i
avahi-dae 2318 avahi   14u  IPv4   5946       UDP *:mdns
avahi-dae 2318 avahi   15u  IPv4   5947       UDP *:44467
cupsd     2342  root    2u  IPv6   5997       TCP localhost:ipp (LISTEN)
cupsd     2342  root    3u  IPv4   5998       TCP localhost:ipp (LISTEN)
dhclient  2439  root    5u  IPv4   6201       UDP *:bootpc
sshd      2656  root    3u  IPv4   6628       TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)
sshd      2908  root    3u  IPv4   8011       TCP *:ssh (LISTEN)
sshd      2908  root    4u  IPv6   8013       TCP *:ssh (LISTEN)


    To see the relation between two systems use the follwoing command
# lsof -i@hostname/ip address

root@ubuntu:~# lsof -i@localhost
cupsd   2342 root    2u  IPv6   5997       TCP localhost:ipp (LISTEN)
cupsd   2342 root    3u  IPv4   5998       TCP localhost:ipp (LISTEN)


More Eg:-

For Listing all the connections between localhost and
root@ubuntu:~# lsof -i@
sshd    2656 root    3u  IPv4   6628       TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)


For Listing All the UDP based connections between localhost and   
root@ubuntu:~# lsof -iUDP@

For Listing all the TCP based connections between localhost and
root@ubuntu:~# lsof -iTCP@
sshd    2656 root    3u  IPv4   6628       TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)


For Listing all the connections between localhost and port 4069 from host
root@ubuntu:~# lsof -iTCP@
sshd    2656 root    3u  IPv4   6628       TCP ubuntu.local:ssh->inp-gopalank.local:4069 (ESTABLISHED)


For Listing all the files opened by a process

Using process ID:-
root@ubuntu:~# lsof -p 2656

sshd    2656 root  cwd    DIR        8,1    4096      2 /
sshd    2656 root  rtd    DIR        8,1    4096      2 /
sshd    2656 root  txt    REG        8,1  418340  49205 /usr/sbin/sshd


Using Process Name:-
root@ubuntu:~# lsof -c syslogd
syslogd 1975 syslog  cwd    DIR        8,1    4096      2 /
syslogd 1975 syslog  rtd    DIR        8,1    4096      2 /
syslogd 1975 syslog  txt    REG        8,1   31816 171504 /sbin/syslogd
syslogd 1975 syslog  mem    REG        8,1   42504 246149 /lib/tls/i686/cmov/
syslogd 1975 syslog  mem    REG        8,1   38444 246153 /lib/tls/i686/cmov/
syslogd 1975 syslog    6w   REG        8,1       0 168157 /var/log/mail.log


For listing all the ports opened in the system by IPV4
root@ubuntu:~#  lsof -Pnl +M -i4
avahi-dae 2318      110   14u  IPv4   5946       UDP *:5353
avahi-dae 2318      110   15u  IPv4   5947       UDP *:44467
cupsd     2342        0    3u  IPv4   5998       TCP (LISTEN)
dhclient  2439        0    5u  IPv4   6201       UDP *:68
sshd      2656        0    3u  IPv4   6628       TCP> (ESTABLISHED)
sshd      2908        0    3u  IPv4   8011       TCP *:22 (LISTEN)


For listing all the ports opened in the system by IPV6
root@ubuntu:~#  lsof -Pnl +M -i6
cupsd   2342        0    2u  IPv6   5997       TCP [::1]:631 (LISTEN)
sshd    2908        0    4u  IPv6   8013       TCP *:22 (LISTEN)

Linux Securirty Notes 2: Boot Time Security Tips


  •     secure the bios with password (setup password) to provide bios security
  •     If we setup the system password in the BIOS then for booting the system we need to provide the password


  •     To prevent the editing of the grub while booting we have to create the grub loader password.
Creating the Grub Password.
    Create the grub password by exicuting grub_md5_crypt

# grub_md5_crypt
    Give the password to create the md5 generated hash (encrypted password)

Now copy this out put and paste in grub.conf file with following option

# vim /boot/grub/grub.conf
 beneath the timeout session add the line
password --md5 hhdgfwytt223476$$#^jkhsdhgfds
    Now reboot and check the options to edit the grub

Boot Loader Checks - Bootup security measures that has to be taken:

    We can verify any changes for system in boot log. Mainly 2 files are containing the logs from deamons & kernels /var/log/dmesg & /var/log/boot.log
    Any changes in hardware will be logged here. we can use dmesg command to check the same. The binary /bin/dmesg will show the content of /var/log/dmesg.

Check the /var/log/dmesg after a boot for any changes in a suspected compromised system
  • check the kernel version - it should match the current version of the kernel installed
  • check the memory, cpu & NIC from the dmesg and compare with original - this is to check any changes in the kernel, if anything unusual found can conclude that the kernel might be compromised.
    Check the /var/log/boot.log to find out the deamons & kernel options that have been enabled while booting.
    For Eg:- check the routing eabled or check the source routing enabled etc and compare it with the configuration done while server moved to production.

Securing INIT

Process of INIT in relation to system boot
        After Bios initializes the hardwares hands over the control to grub which immediatly hands over to linux kernel.Now Kernel initializes the hardwares and loads the modules and the very first process INIT is launched. The job of init is to configure the enviornment based on the user choice. It reads the key configuration file in /etc/inittab.

Modifying the Inittab file to increase the security.
#vi /etc/inittab
###x-server in linux is a service which runs as server client enviornment. So disable the graphical and the default runlevel to 3.
### disbale the keystrock ctrlaltdel to avoid rebooting the machine from giving the same keystrock
### the session for terminals are given below
1:2345:respawn:/sbin/mingetty    tty1
2:2345:respawn:/sbin/mingetty    tty2

6:2345:respawn:/sbin/mingetty    tty6
    Here we can reduce the number of TTYs by commenting out(teh fewer terminal the fewer shells exposed) this makes sence in disabling the
extra TTY
Now run the following command to take effect of new inittab
# init q
    This reads the inittab files again

RPM Database regular Check
     Check regularly the package list in the system If the system is rpm based try to get the list of packages and document to refer later incase of any comparmize happened.

#rpm -qa > `date +%F`.installed.pkgs.lst
    to compare run the following command
#diff old.list new.list
    An experienced intruder never installs paclages in rpm format. This case makes exception.   

Linux Securirty Notes 1: Information Security


    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction

Key concepts

     For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) as the core principles of information security.
C = Confidentiality
I   = Integrity
A = Availability
    (For eg:- gpg allows to encrypt the contents of the packages, ssh provides C & I)


Confidentiality is the of preventing disclosure of information to unauthorized individuals or systems.
For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
    Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.


    In information security, integrity means that data cannot be modified without authorization. This is not the same thing as referential integrity in  databases. Integrity is violated when an employee accidentally or with malicious intent deletes important data files, when a computer virus infects a  computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able  to cast a very large number of votes in an online poll, and so on.
    There are many ways in which integrity could be violated without malicious intent. In the simplest case, a user on a system could mis-type someone's address. On a larger scale, if an automated process is not written and tested correctly, bulk updates to a database could alter data in an  incorrect way, leaving the integrity of the data compromised. Information security professionals are tasked with finding ways to implement controls that prevent errors of integrity.


For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.
High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.

Reconnaissance(exploration conducted to gain information) tools(nmap) are used to check the services that runs in any machines, as a result the Hackers use it in negative way. Prior to that we have to lock down the security holes.

Wednesday, September 30, 2009

SENDMAIL Notes 14: Sendmail SMTP AUTH

Sendmail SMTP AUTH

      SMTP Auth support allows to relay mails based on the smtp authentication when the client or users IP is getting changed(For a Roaming user).

Inorder to enable the smtp-auth support in sendmail the following packages are needed.
  1. cyrus-sasl    
  2. cyrus-sasl-plain (For Plain Authentication)
  3. cyrus-sasl-devel (Some devel libs are needed by sendmail)
  4. cyrus-sasl-crammd5 (For CRAM MD5 auth)
  5. cyrus-sasl-digestmd5
  6. cyrus-sasl-otp
  7. cyrus-sasl-gssapi

      cyrus-libraries are needed for SMTP-AUTH. After installation the above packages the cyrus-libs will be installed in   /usr/lib

      If the distribution is not supporting the cyrus package, then we have to download it compile with all the auth mechanism and install.

Now we need to compile the sendmail with cyrus and install the binaries.

Compiling & installing the sendmail for SMTP AUTH:

Got to the following directory
# cd sendmail-8.14.2/devtools/Site
        The Top Level Build Script (which creates the sendmail binaries) while compiling will consult the Site directory and if it finds the site.config.m4 it will include the contents for compiling. So this file is used to include additional variables or modules or extend the features sendmail. For enabling such features we have to include some derivatives in the site.config.m4.

To test the existing sendmail has SMTP-AUTH enabled:
# telnet localhost 25
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP Sendmail 8.14.2/8.14.2; Thu, 1 Oct 2009 17:41:53 +0400
ehlo localhost Hello localhost.localdomain [], pleased to meet you
250 HELP
    If the SMTP-AUTH was enabled we could see an extra out put of 250-AUTH for the command ehlo localhost

The other way of testing the sendmail for the feature of SMTP-AUTH is
# sendmail -v -d0.10
    This will echo to shell all the feature of sendmail in debug mode. here look for the sasl in output.

Now we will create some derivatives in the site.config.m4 file and compile & install sendmail again to enable the SMTP-AUTH in sendmail.
#This will tell sendmail to include the support sasl version 2
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
#This will tell sendmail to use the given libraries that can be found in the lib directory as mentioned in the next derivative
APPENDDEF(`confLIBDIRS', `-L/usr/lib')
#This will tell sendmail the location of the header files
  # Now save the configuration. re-compile the binary.
    Remove the obj.Linux.2.6.18-128.el5.i686 directory before compiling the sendmail again. Now run the build script
# cd sendmail-8.14.2
# ./Build
    Check the build process to find the sasl2 has been including or not. The build process has to complete successfully
Before copying the sendmail binary to /usr/sbin location we will check whether the new compiled binary has the the option of sendmail SMTP-AUTH
To check this navigate to following directory
# cd sendmail-8.14.2/obj.Linux.2.6.18-128.el5.i686/sendmail
# ./sendmail -v -d0.10
    Here we should get an output similar to
Now copy this sendmail binary to the path of running sendmail
# cp sendmail /usr/sbin
    Now we have the new binaries. verify the permission of the binaries
# chown root:smmsp /usr/sbin/sendmail
# chmod g+s /usr/sbin/sendmail
    So this will make the sendmail to execute as the user group (smmsp)
To verify
# ls -ltr /usr/sbin
-r-xr-sr-x 1 root smmsp   678197 Oct  1 18:54 sendmail

Now configure the file to include the smtp-auth
# cd sendmail-8.14.2/cf/cf
# vi

    TRUST_AUTH_MECH this will tell sendmail to trust the authentication mechanisms can use for relaying.
    configuration auth mechanism tells sendmail that these are the authentication mechanisms that have been configured.
    This will make sendmail to hands over the authentication to cyrus libs.

    Sendmail hands over the control to cyrus libraries for authentication. Cyrus-libs will check the passwd file or ldap for authentication.
# cd sendmail-8.14/cf/cf
# m4 ../m4/cf.m4 >

# cp /etc/mail
# restart the sendmail service
Testing the SMTP-AUTH support is turned on
[root@centos ~]# telnet localhost 25
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP Sendmail 8.14.2/8.14.2; Fri, 2 Oct 2009 17:18:57 +0400
ehlo localhost Hello localhost.localdomain [], pleased to meet you
250 HELP

Here we are looking for the line "250-AUTH LOGIN PLAIN DIGEST-MD5"
      If this test fails even if all the configurations have been made correctly, troubleshoot the issue by rechecking configuration files and binaries time stamp as well use netstat command to verify that the sendmail process is bind to the port 25.  

Now have to configure cyrus to accept the request of sendmail
# cd /usr/lib/sasl2
# vi smtp.conf
# vim /etc/sasl2/sendmail.conf

pwcheck_method: saslauthd
# mv smtp.conf Sendmail.conf
    We have to rename the smtp.conf to Sendmail.conf . In filename Sendmail.conf S is capital.

Now start the saslauthd service
# service saslauthd start
    Now test the auth mechanism by connecting MUA like evolution,thunder bird or outlook

If we are getting any errors like -  AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed
Try uninstalling all the "cyrus" packages and reinstall one bye one will sort out the issues. It worked for me

Monday, September 28, 2009

SENDMAIL Notes 13: Sendmail Content Scanning


Configuring the full functional content scanning using Mailscanner, Clamav and Spamassassin

Initially we will configure the clamav antivirus.


Installation of CLAMAV Antivirus:

Download the Source code of the software

# wget
# tar -zxvf clamav-0.95.2.tar.gz
# cd clamav-0.95.2

    The clamav relies upon mainly the following packages. So have to install the packages prior to compiling and installation of clamav. so install the following packages prior to compiling.

1. zlibs It needs zlib-1.2.2 atleast
2. bzip2
3. gmp
4. curl

Add the following user and group.

#groupadd clamav
#useradd -g clamav -s /sbin/nologin clamav

Now Compile the clamav

# ./configure
# make
# make install

    This will copy the binaries to the standard location. Normaly to /usr/local/*. Now type clam can see the new binaries that installed by make-install.

Configuring CLAMAV Antivirus:

#cd /usr/loca/etc

it will contain 2 files clamd.conf (this is read by clamd deamon) and freshclam.conf (Reads by the update tool).

For starting the clamd daemon, have to edit the following parameters in clamd.conf

#vim clamd.conf
#comment out the Example

#vim freshclam.conf
#comment out the Example

    Now create the log file to log by freshclam.

#touch /var/log/freshclam.log
#chmod 600 /var/log/freshclam.log
#chown clamav.clamav /var/log/freshclam.log

Now update the virus database and start the freshclam daemon.

#/usr/loca/bin/freshclam -d

    This runs the freshclam as a daemon. Add the freshclam entry to the cron job to update daily twice or thrice. And any update regarding the virus signatures will be logged to /var/log/freshclam.log.

It is time to start the clamd daemon now.

#ps -ef |grep clam

    this will show both (freshclam and clamd) daemon runns.

Adding clamd daemon to init startup(This part is optional).

#cd clamav-ver/contrib/init
#vim clamd

    Change the path parameters to suite the installation. and place it in init directory.

#cp clamd /etc/init.d

Now start configuring the Spamassassin



Download the Source code of the software

# wget
# tar -jxvf Mail-SpamAssassin-3.2.5.tar.bz2
# cd Mail-SpamAssassin-3.2.5

We need the following packages for compiling the spamassassin:
1. HTML::Parser

Install the pre-requiesties using cpanel.

>install HTML::Parser

Download from and compile and install

#tar -zxvf HTML-Parser-version.gz
# cd HTML-Parser-version
# perl
# make
# make install

The spamassassin uses the perl for compiling

#perl Makefile.PL

    This will prompt us certain details.
1.mail address of admin for whom can send mail about the spam report. test
3.Checks for all the dependencies of modules. if script exits by any failed dependencies install it.

# make
# make install

    This wil setup the spamassassin with all of the rules in /usr/share/spamassassin. The installed bnaries will  be /usr/binspamc(The client binaries) & /usr/bin/spamd(spamassassin daemon binaries).

Now we can install the init scripts from the source code.

#cd Mail-SpamAssassin-3.2.5/spamd
# ./ start

    This will start the daemon. So copy the file to /etc/init.d/ and rename it if we need to run as init daemon.

Now start the spamd

# spamd -d -c -m5 -H

    This starts the spamassassin daemon and runs in background.

Its time to install and configure the Mailscanner

    mailscanner need not to have clamd or spamassassin running to initialize or run the service.In fact it just need the perl modules that required to start.
Download the source code of the software.

#tar -zxvf MailScanner-install-4.75.11-1.tar.gz
# cd MailScanner-install-4.75.11-1
it contains perl modules and install script

    This installs the mailscanner in /opt directory. And mailscanner creates a new queue directory struchure in /var/spool (MailScanner,

    This is a temperory directory userd for processing the msgs.

    After starting the Mailscanner daemon we need to update the sendmail configuration to reflect the new queue structure. The new queue structure is implemented for the new two sendmail daemons. One for processing the inbound msgs i.e, the standard MTA which will accepts the mail on port 25 process the msgs and places those msgs in to queue in queue only mode. Those msgs are then re-routed in to the directory (we will be altering the sendmail configuration to queue msgs to not to deliver them).From there Mailscanner that had configured to check the for all 5 sec will scan the by consulting clamav, spamassassin and other mailicious contents and then places the msg in to mqueue directory. From here the second instance of the sendmail will deliver the msg to the destination.

    port25 sendmail(1) recieves msg -> Place the msg in -> Mailscanner scans and places in mqueue -> sendmail(2) will deliver the msg from mqueue to destination.

Configuring MailScanner:

#cd /opt/MailScanner
    This is a symbolic link created by for the installed version of MailScanner.
# cd /opt/MailScanner/etc
    This file contains the main configuration of MailScanner.

Edit the main configuration to change some key settings to start the MailScanner.

# vi MailScanner.conf
%org-name% = kiranjith
%org-long-name% = Kiran's School for Linux Lovers
%web-site% =
Max Children = 5
#by default mailscanner will launch upto 5 process to handle the mails in the This can be increased according to the msg queue.
Run As User = root
# has to specify the mailscanner to run as.
Queue Scan Interval = 5
# this tells the mailscanner to check the directory in every 5 sec for a new msg.
Incoming Queue Dir = /var/spool/
#This is the directory where the 1st sendmail instance will put the incoming mails for scanning.
Outgoing Queue Dir = /var/spool/mqueue
#This is the directory where the mailscanner will place the scanned mails for 2nd instance of the sendmail to deliver.
Incoming Work Dir = /var/spool/MailScanner/incoming
#This is the directory where mailscanner process the msgs.
Quarantine Dir = /var/spool/MailScanner/quarantine
#In this directory MailScanner places the msgs which is infected by Virus.
Restart Every = 14400
#Every 14400 sec the child process will get restarted
MTA = sendmail
#This specifies the current mta running in the system.
Sendmail = /usr/lib/sendmail
#path to sendmail which used to deliver the error generated on scanning
Max Normal Queue Size = 800
# this tells mailscanner to stop scanning if the mail queue is this much big
#Note:- TNEF Module is needed to scan the content send from MS Outlook.
Virus Scanning = yes
# This enables the virus scanning
Virus Scanners = clamav
#sets the virus scanner to clamav.
Use SpamAssassin = yes
# makes mailscanner to invoke the spamassassin
Always Include SpamAssassin Repot = yes
#this invokes mailscanner to involve the result of spamassassin.
# The SpamAssassin returns a score for the scanned msg and mailscanner will make a decission upon this score. This will invoke both clamav and spamassassin.
Always Include SpamAssassin Report = yes
# This will include the spamassassin repot in the mail header.


            This file consists of the rules for the spamassassin, eg:-,the white list, Black list, Spam score threshold.


            This file contains the preferences of Virus scanner.


            This Directory is contains the rules of mail contents (rules about the extension of the mail attachment)


            This directory contains the executables to run and check the mailscanner service.


            This will launch the mailscanner service

#ps -ef |grep -i mailscanner

            This will show the mailscanner configuration

Sendmail Integrating with MailScanner:

            By default the sendmail will be running as MSP as queue directory /var/spool/cilentmqueue and as MTA that binds to the default port of 25.

#/usr/sbin/sendmail -L sm-msp-queue -Ac -q30m
#/usr/sbin/sendmail -L sm-mta -bd -q30m

            These are the default deamon options that runs sendmail. So we have to change the deamon options or change the init script of sendmail with the following options.

#kill any existing sendmail deamons

Now create a sendmail start script

#Run the sendmail as MSP program.
$sendmail -L sm-msp-queue -Ac -q30m
#Run the sendmail MTA for inbound (To accept the mail and keep in /var/spool/ directory in queueonly mode)
$sendmail -L sm-mta-inbound -bd   -OprivacyOptions=noetrn   -OdeliveryMode=queueonly   -OqueueDirectory=/var/spool/  -OPidFile=/var/run/  -q30m
#Define the Outbound MTA for delivery msg from /var/spool/mqueue directory,which has been scanned by and placed by MailScanner. The inervel should be short for delivering the mail ASAP.
$sendmail -q1m

Save and execute the script.

#ps -ef |grep sendmail

            This will show the 3 sendmail process running

Check the mail logs

# tail /var/log/maillog

If the sendmail installation is RPM Based. Then follow this

Change Commands That Start Sendmail. Currently, your copy of sendmail will be started by a script such as /etc/init.d/mail or /etc/rc.d/init.d/sendmail. Somewhere in this script will be the command to start sendmail itself. This should look like this:

sendmail −bd −q15m
You should change this to the following two lines:
sendmail −bd  -OprivacyOptions=noetrn   -OdeliveryMode=queueonly   -OqueueDirectory=/var/spool/  -OPidFile=/var/run/ -q30m
sendmail -q1m


This first starts the copy of sendmail that provides SMTP service, building the work queue for MailScanner. It then starts the copy of sendmail that delivers the output from MailScanner. You also might need to change the commands used to shut down sendmail as it now needs to find 2 copies and kill them both.

            The spamd and clamd deamons are not needed to be running. It is just to ensure the configuration files working or not.

Sunday, September 27, 2009

SENDMAIL Notes 12: Sendmail Mailertable

    It is a type of mail relaying. It is useful when using the virtual domains. for example if you want to forward mails to internal protected server in DMZ zone after the content scanning, mailertable can provide a solution rather than using the smarthost or nullclient.

Configuring the Mailer Table:

Configure the following in the server which is configured to recieve the mails through MX record.
Create the /etc/mail/mailertable
#vim /etc/mail/mailertable
(The format is as follows
Left Column                                      
domain name                                       
(To which domian it accepts          
the mail for)

Right Column
Routing Rules:
(Specify the mailer type(smtp or local):
user@domain or FQDN of host))

    Here any mail that comes to domain will be forwarded to and all the mail comes to domain will forward to the user jeo at host

For Example:
This used primarily in the following scenario.
We have the mailertable enabled server facing the internet configured with MX record and all the mail scanning softwares. And other servers will be inside the network. So the mailertable enabled server recieves the mail primarly, scans the mail and forwards to respective servers according to the configuration in mailertable. So all the mails for a domain can be accepted by a single system and after scanning the mails can be redirected to respective sub-domains.

Now create the db file of mailertable
#makemap hash mailertable < mailertable
Now configure the sendmail for the Feature of mailertable. Edit the file
    This will enable the mailertable support in sendmail.
# compile configuration file with m4 to create file and restart the sendmail