Clamav is probably the most popular open source antivirus software for Linux. At this time it contains 153727 signatures that will detect most viruses, and the signatures are updated regularly, which allows many mail servers to filter out viruses before they even reach the users' mailboxes.
This post will show how easy it is to install and use the SaneSecurity third-party Clamav signatures to extend the antivirus protection built into clamav with scam and phishing filtering. This can be very useful because these types of emails are hard to detect with common antispam rules (spamassassin, for example), like the latest PDF spams or phishing mails that are not always easy to recognize. These will be filtered out directly by Clamav, which normally runs before the antispam measures.
Here we go again… phpAdsNew is great software, but anyone using it knows that we need to be very careful to patch it quickly, to avoid having our system exploited through one of the bugs that are constantly being discovered (this is not only true for phpAdsNew; most of the popular PHP scripts have this problem…). Anyway, yesterday (20061024) a new bugfix version was released, 2.0.8-pr1, and anyone logging in to the phpAdsNew admin interface was warned to perform the upgrade as soon as possible.
Tags: bugs, phpadsnew, php_scripts, Security
When we set up FTP server software (regardless of whether this is proftpd, vsftpd, etc.) we might face a dilemma: we want to restrict the access that ftp users have (normally limited to files in their own home directory), but we also want to allow them access to another folder that lives in a different location (like development files for whatever work they are doing).
Every sysadmin will try their best to secure the system(s) they are managing. Hopefully you have never had to restore your own system from a compromise and you will not have to do so in the future. Working on several projects to restore compromised Linux systems for various clients, I have developed a set of rules that others might find useful in similar situations. The types of hacks encountered can vary a lot, and you might see very different ones from the ones I will present or have seen live, but even so, these rules can be used as a starting point to develop your own recovery plan.
In general, all the great ideas are the simple ones. Many times we see a great idea in practice and we wonder why we didn't think of that before. It is just so simple… The first time I saw the knockd project I liked it instantly. The idea is so simple, and yet so effective. Knockd is a port-knocking application that silently runs on a server, passively listening to network traffic. Once it sees a port sequence for which it has an action configured, it runs that action. We can see this as a remote control for our server: once we hit the right button it takes the appropriate action!
How does a port knocker work?
- we install the port knocker daemon on our server (knockd)
- we configure some port sequences (tcp, udp, or both) and the appropriate action for each sequence.
- the knockd daemon runs in the background, passively at a low level on the network interface. It is completely stealthy and does not open any ports on the server.
- once it sees a configured port sequence, it runs the action configured for that sequence.
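To make the matching step concrete, here is an added example (not knockd's own code) that mimics how a knocker tracks a per-host sequence of (protocol, port) knocks, restarts on timeout, and fires the configured action only when the whole sequence completes. The rule name, ports and timeout below are constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class KnockRule:
    name: str
    sequence: list[tuple[str, int]]   # ordered knocks, e.g. [("tcp", 7000), ("udp", 8000)]
    timeout: float                    # seconds allowed to finish the whole sequence
    action: Callable[[str], str]      # run with the knocking host's IP when it completes

@dataclass
class KnockTracker:
    rules: list[KnockRule]
    # (src_ip, rule name) -> (index of next expected knock, time of first knock)
    progress: dict = field(default_factory=dict)
    fired: list = field(default_factory=list)   # (rule, ip, action result) log

    def observe(self, ts: float, src_ip: str, proto: str, port: int) -> list[str]:
        """Feed one observed packet; return the names of rules completed by it."""
        completed = []
        for rule in self.rules:
            key = (src_ip, rule.name)
            idx, start = self.progress.get(key, (0, ts))
            if idx > 0 and ts - start > rule.timeout:
                idx, start = 0, ts            # too slow: the partial sequence is forgotten
            if rule.sequence[idx] == (proto, port):
                idx += 1
                if idx == len(rule.sequence):
                    self.fired.append((rule.name, src_ip, rule.action(src_ip)))
                    completed.append(rule.name)
                    self.progress.pop(key, None)
                else:
                    self.progress[key] = (idx, start)
            else:
                # any knock that is not the next expected one resets this host
                # (a simplification of knockd's behaviour, assumed here)
                self.progress.pop(key, None)
        return completed

if __name__ == "__main__":
    # Constructed demo rule: three knocks within 5 seconds "open" ssh for the host.
    rule = KnockRule("openSSH", [("tcp", 7000), ("udp", 8000), ("tcp", 9000)],
                     5.0, lambda ip: f"allow {ip} to port 22")
    tracker = KnockTracker([rule])
    for ts, proto, port in [(0.0, "tcp", 7000), (1.0, "udp", 8000), (2.0, "tcp", 9000)]:
        print(ts, proto, port, tracker.observe(ts, "10.0.0.5", proto, port))
    print(tracker.fired)
```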
From the category of log-based tools I have chosen to present fail2ban, because I consider it the best available log-based brute force blocker. Basically, like any other log-based brute force blocker, fail2ban monitors the system log files, and when certain configured events occur they trigger fail2ban to block the offending host.
Here are the main features of fail2ban:
- runs as a daemon (no delay in taking action, unlike cron-based tools).
- can use various methods to block the attack:
  - iptables (this is the default, and will most certainly be the best choice for most users)
  - TCP Wrappers (/etc/hosts.deny): this might be particularly useful if you are running a VPS that has no access to iptables rules.
  - any other method you might need to implement in your firewall setup (you will have to define the rules yourself in this case).
- can handle more than one service: sshd (default), apache, vsftpd/proftpd, etc.
- can send e-mail notifications.
- can ban IPs for a limited amount of time and, since 0.6.1, can also permanently ban hosts.
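The core of any log-based blocker is the "maxretry failures within findtime, then ban for bantime" rule. The following added example (not fail2ban's code) replays a constructed auth.log excerpt through that logic; the sshd regex and the sample log lines are assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified version of the sshd "Failed password" line a jail filter keys on (assumed pattern).
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")

def parse_ts(stamp, year=2006):
    # syslog timestamps carry no year; pin one so lines can be compared
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

class Jail:
    """maxretry failures within findtime seconds -> host is banned for bantime seconds."""
    def __init__(self, maxretry=3, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires

    def feed(self, line):
        """Consume one log line; return the IP if this line triggers a ban, else None."""
        m = FAILED.match(line)
        if not m:
            return None
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if self.is_banned(ip, ts):
            return None                      # already blocked, nothing new to do
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None

    def is_banned(self, ip, now):
        return ip in self.banned and now < self.banned[ip]

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Oct 24 10:00:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Oct 24 10:00:05 srv sshd[1202]: Failed password for root from 203.0.113.9 port 51130 ssh2
Oct 24 10:00:09 srv sshd[1203]: Accepted publickey for deploy from 192.0.2.7 port 40000 ssh2
Oct 24 10:00:12 srv sshd[1204]: Failed password for invalid user test from 203.0.113.9 port 51140 ssh2
Oct 24 10:30:00 srv sshd[1300]: Failed password for root from 198.51.100.4 port 2222 ssh2
Oct 24 10:45:00 srv sshd[1301]: Failed password for root from 198.51.100.4 port 2223 ssh2
Oct 24 10:50:00 srv sshd[1302]: Failed password for root from 198.51.100.4 port 2224 ssh2
"""

def scan(log, jail):
    """Replay log lines through the jail; return the banned IPs in order."""
    return [ip for ip in (jail.feed(l) for l in log.splitlines()) if ip]
```

With the defaults above, only 203.0.113.9 (three failures in 11 seconds) gets banned; 198.51.100.4 spreads its attempts over more than findtime and never reaches maxretry.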
Most of the time we will protect our servers with firewall rules, but in some situations this might not be applicable (like in a VPS environment where we don't have access to iptables). TCP wrappers (Wietse Venema's TCP wrappers library) can be used in such cases to allow or deny access based on the rules configured in /etc/hosts.allow and /etc/hosts.deny. Most of the daemons that we might consider protecting this way will probably have built-in support for TCP Wrappers (ssh, ftp, xinetd, etc.), but how can we be sure? We might be writing the correct lines in hosts.allow/deny and still see no results. In this little post I will show how we can verify whether a daemon has been built with TCP Wrappers support.
Tags: tcp_wrappers
Using PAM (Pluggable Authentication Modules for Linux) to block brute force attacks sounds like a good idea, right? After all, we use PAM for most of our authentication mechanisms, so adding a module that checks for repeated failures would be great. Surprisingly, even though this sounds like an obvious thing to have, I found only one PAM module written for this purpose. It is called pam_abl and you can find it here: http://hexten.net/pam_abl
We can use the iptables recent module to write iptables rules that block brute force attacks. In order to use this method you need a kernel and iptables installation that includes ipt_recent. If your Linux distribution doesn't include the ipt_recent module, or you are using a custom compiled kernel, you might first need to apply the iptables recent patch, which can be found on the author's website or in the iptables patch-o-matic area. If you are using Debian/Ubuntu you don't need to do anything special, as this is already included in your system.
If you use sudo you most certainly know that the default setup requires the user running sudo to enter a password (by default, that user's own password).
In this post I will show what options sudo offers related to passwords and how they can be used.