Over the years of trying to keep denial of service attacks, and a bunch of other people out there trying to take my server down I have developed some one liners that I would like to share with you. I have one liners on Ubuntu Linux that show the amount of connections incoming to your server counts them, and orders them from lowest to highest.

$ netstat -an |grep SERVER_IP:25| awk ‘{print $5}’| awk -F: ‘{print $1}’| sort | uniq -c| sort -n

Example output:
1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5

Here is a one liner that shows the amount of client connections(client=)(email sent) to your postfix server has received in since your last log rotation. Like the previous script this one sorts the IP’s lowest amount of connections to highest.

$ sudo grep client= /var/log/mail.log|grep -v 127.0.0.1|grep -v sasl| awk -F[ '{print $3}'| sed s/]//g| sort | uniq -c | sort -n

Example output:

1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5

Here is another one line script to sort the amount connections to your postfix server. It is different then above. These are connections that are could have sent an email, or not have sent an email. I like to check this just to see if an ip address is abusing my server without sending email. Like the last two scripts the output is in order from lowest to highest.

$ sudo grep “connect from” /var/log/mail.log| grep -v 127.0.0.1|grep -v disconnect| awk -F[ '{print $3}'| sed s/]//| sort | uniq -c | sort -n

Example output:

1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5

Over the years I have had many samba shares for the house for tv shows I am unable to watch via tv, and I have them all stored on a Linux server with 4 500GB drives in a RAID 5 configuration. I always use 3ware contollers for RAID on Linux. The reasoning for this is that they are hardware RAID which allows me to move the data from one machine to the other easily, and the kernel driver is built into most Linux kernels. You want to install Ubuntu server with 20 GB for root or / and 100MB for boot or /boot, and the rest of the data in /home. You can change this up, but just to make is simple I put the 1480GB in /home. The next step after you have installed Ubuntu server on the machine is to upgrade the server, and install samba and ssh on the server. Login locally on the Ubuntu server, and type the following to setup Samba.

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install samba openssh-server

If this is your first time using samba you might also want to install Samba SWAT. Samba SWAT is a web interface on your machine that allows you to install manage Samba via a web interface on port 901.

$ sudo apt-get install swat xinetd

Now that you have everything installed you just have to get the configuration correct. I have a basic setup that will get you going, and then I will show you how to configure Samba SWAT. You should be able to get it all working from there. Make sure your /etc/smb.conf file only contains the following config.

$ vi /etc/samba/smb.conf
# Global parameters
[global]
workgroup = WORKGROUP
server string = Samba
security = SHARE
encrypt passwords = true

[shared]
path = /home/shared
read only = No
guest only = Yes
guest ok = Yes

Save the file, and make the directory in /home.
$ sudo mkdir /home/shared

This configuration will allow everyone to view, and edit files on the Ubuntu server. Only the files in /home/shared.

To change your configuration using SWAT open a browser, and access the machine in a browser using the following url.

http://IPADDRESS:901

It will ask you to login, and I like to use root, just so I don’t have any permissions issues.

I sometimes forget what options I need to change to up max open files, and stuff like that. This is a simple page to help me, and hopefully it helps you. To change sysctl options on boot you will have to change the /etc/sysctl.conf, and add whatever options you want to the file. To see your current sysctl options just use sysctl -a like so.

$ sysctl -a

$ vi /etc/sysctl.conf

Here is what you add to max open files, threads, and inodes on your system.
fs.file-max=16384
fs.inode-max = 65536
kernel.threads-max=2048

Here are some sysctl options that I have used before to help the networking on a Linux server. I have never really been able to really see the difference, but some admins swear by them. Well we know some people are crazy. Like windows administrators.

net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

After editing your sysctl.conf file you will have to run the following command to update the machine so the options take effect immediately.

$ /sbin/sysctl -p

Well feel free to add comments, and other helpful hints.

So I was building a server the other day, and had to set the duplex and speed on the machine. I was getting errors on the switch between the eth0. On linux I use mii-tool or ethtool package which allows me to change and view the negotiated speed of eth0, and very useful for forcing specific Ethernet speed and duplex settings.

Your ethernet card might not work with one of the tools, so I suggest you install the both ethtool, and mii-tool. There are three tasks to get this setup when your machine boots. Install mii-tool and ethtool, change the speed and duples settins, and finally script in /etc/init.d to run at boot.

Install mii-tool and ethtool tools

If you are using Debian or Ubuntu Linux you can install both of these package with following command:# apt-get install ethtool net-tools

Task: Get speed and other information for eth0

Type following command as root user:
$ ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 32
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: d
Current message level: 0×00000007 (7)
Link detected: yes

Or use mii-tool command as follows:
$ mii-tool eth0
eth0: negotiated 100baseTx-FD flow-control, link ok

Change the speed and duplex settings

Setup eth0 negotiated speed with mii-tool
Disable autonegotiation, and force the MII to either 100baseTx-FD, 100baseTx-HD, 10baseT-FD, or 10baseT-HD:
$ mii-tool 10baseT/Half
$ mii-tool 10baseT/Full
$ mii-tool 100baseT/Half
$ mii-tool 100baseT/Full
$ mii-tool 1000baseT/Half
$ mii-tool 1000baseT/Full

Setup eth0 negotiated speed with ethtool
$ ethtool -s eth0 speed 100 duplex full
$ ethtool -s eth0 speed 10 duplex half

To make these settings permanent you need to create a script into the directory /etc/init.d/ directory and run update-rc.d command to update the script.

Install script to make changes permanent

$ vi /etc/init.d/100Mbs
or
$ sudo vi /etc/init.d/100Mbs

#!/bin/sh
ETHTOOL=”/usr/sbin/ethtool”
DEV=”eth0″
SPEED=”100 duplex full”
case “$1″ in
start)
echo -n “Setting eth0 speed 100 duplex full…”;
$ETHTOOL -s $DEV speed $SPEED;
echo ” done.”;;
stop)
;;
esac
exit 0

Save and close the file. Setup executable permission:
$ chmod +x /etc/init.d/100Mbs
or
$ sudo chmod +x /etc/init.d/100Mbs

Now run script when Debian or Ubuntu Linux boots up. Use update-rc.d command install System-V style init script links:
$ update-rc.d 100Mbs defaults
or
$ sudo update-rc.d 100Mbs defaultsOutput:

Adding system startup for /etc/init.d/100Mbs …
/etc/rc0.d/K20100Mbs -> ../init.d/100Mbs
/etc/rc1.d/K20100Mbs -> ../init.d/100Mbs
/etc/rc6.d/K20100Mbs -> ../init.d/100Mbs
/etc/rc2.d/S20100Mbs -> ../init.d/100Mbs
/etc/rc3.d/S20100Mbs -> ../init.d/100Mbs
/etc/rc4.d/S20100Mbs -> ../init.d/100Mbs
/etc/rc5.d/S20100Mbs -> ../init.d/100Mbs

Reboot the system to take effect or just type scrit name:
$ /etc/init.d/100Mbs start
or
$ sudo /etc/init.d/100Mbs start

Read man page of mii-tool and ethtool for more information.

I like to test all my new mail servers with telnet making sure they are not open relays, and that the amavis and clamav processes are working correctly. I just check after I send a message in the logs.

$ telnet 192.168.0.4 25
RESPONSE 220 192.168.0.4 is a mail server
helo wantlinux.net
RESPONSE 250 mail.example.com
mail from:
RESPONSE 250 2.1.0 Ok
rcpt to:
RESPONSE 250 2.1.5 Ok
data
RESPONSE 354 End data with .
Hello webmaster@example.com. How are you?
sincerely,
webmaster@wantlinux.net
.
RESPONSE 250 2.0.0 Ok: queued as ##########
quit

I thought it was hard to remember all that, but once you use it a few times you will not be looking up this information anymore. I telnet to email servers all the time for testing purposes, and I have never had an issue. If you use windows just open up a command prompt, and try the commands. If it doesn’t work download a Ubuntu or other Linux image and install it. Like always leave a comment if you have questions.

Basic spam and antivirus email server.

This guide helps you configure IMAP, POP, SMTP, and Anti-Spam and an anti-virus server for your company using Ubuntu Linux.

$ sudo apt-get install spamassassin amavis postfix-policyd-spf-perl fuzzyocr clamav clamav-daemon clamav-freshclam libsasl2 libsasl2-modules courier-imap courier-pop

It doesn’t matter what configuration you choose for postfix, and you don’t need web based configuration for courier.

Configure spamassassin

I configure my spamassassin without a Bayes filter it never works properly for me, and it seems to give me more false positives. I use uribl, and Fuzzy OCR for images. This usually works good enough for me. I also add custom rules from sare. I use saupdate to keep them updated.

Install openprotect updates.

# Run “sa-update” once to download the default SA rules from the channel “updates.spamassassin.org”. This should enable SA find all its rules files under the “/var/lib/spamassassin” directory from now onwards.
#

Have gnupg installed, if you wish to check the channel files against our signature.
#

Run the command gpg –keyserver pgp.mit.edu –recv-keys BDE9DC10 to import our public key from the mit keyserver. The output should look like:

gpg: requesting key BDE9DC10 from hkp server pgp.mit.edu
gpg: key BDE9DC10: public key “Opencomputing Technologies (Key to sign all files from openprotect.com) ” imported
gpg: Total number processed: 1
gpg: imported: 1
# Now, export our key alone from root’s public key ring by running the command
gpg –armor -o pub.gpg –export BDE9DC10
The public key has been saved to the file pub.gpg now.

# Import the public key into sa-update’s trusted public keys by running
sa-update –import pub.gpg
#

Another way to import our public key is get the gpg file and import it manually using sa-update and gpg. The commands are
wget http://saupdates.openprotect.com/pub.gpg.
Now, import by running the command
sa-update –import pub.gpg which should return without any error or output messages.
This isn’t the preferred way, as the gpg file could be corrupted or tampered with, if our server is hacked.
# Now schedule daily downloads of rules from this channel using cron using the command

I like to cron the /usr/local/bin/saupdate.sh every night during my down time. Please click the link to look at my spamassassin update script.

$ crontab -e

0 1 * * * /usr/local/bin/saupdate.sh >/dev/null 2>&1

This script will update the spamassassin rules, and the saupdates_openprotect_com rules also.

Change your local.cf file in /etc/spamassassin.
Here is my local.cf file

I add a uribl.cf to my /etc/spamassassin directory.
Here is my uribl.cf file

I also change my /etc/spamassassin/FuzzyOcr.cf file.
Here is my FuzzyOcr.cf file

Now that spamassassin is setup lets configure amavisd-new.

Configuring Amavisd-new

The configuration directory for amavisd-new is /etc/amavis/conf.d. We will be editing the 50-user file, 20-debian_defaults, and 15-av_scanners.

I like to use 5 for a good starting point for my memory, and cpu. You can take this up, and down as needed, but 5 is a good start.

$ echo $max_servers = ’5′; >> 50-user

$ vi 15-av_scanners

I comment everything out in the file but the two clamav scanners. One being the daemon, and one being the clamd process. One being in the @av_scanners, and one in the @av_scanners_backup. Just add # in front of everything else. If your lazy like me I just copy stuff. Here is my
15-av_scanners amavis example configuration.

@av_scanners = (

### http://www.clamav.net/
['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
# NOTE: remember to add the clamav user to the amavis group, and
# to properly set clamd to init supplementary groups
# When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

@av_scanners_backup = (

### http://www.clamav.net/ – backs up clamd or Mail::ClamAV
['ClamAV-clamscan', 'clamscan',
"--stdout --disable-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

I make sure I have the following settings in the /etc/amavis/conf.d/20-debian_defaults. Use your favorite editor and make sure to change these options.

$sa_spam_subject_tag = ‘***SPAM*** ‘;
$sa_tag_level_deflt = -999.0; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add ‘spam detected’ headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10; # spam level beyond which a DSN is not sent

$final_virus_destiny = D_DISCARD; # (data not lost, see virus quarantine)
$final_banned_destiny = D_DISCARD; # D_REJECT when front-end MTA
$final_spam_destiny = D_DISCARD;

You also need to add clamav to the amavis group as follows

$ sudo usermod -G amavis clamav

There is also an option in this file that sets the listen port to 10024. Just remember that.

That should be all you have to do with amavisd-new. Now on to postfix.

Configuring postfix

I want to just let you know that I have never configured postfix-policyd-spf-perl but I am highly accomplished at postfix so it can’t be that difficult.

Configure /etc/postfix/main.cf Click on the link for my example postfix configuration for the main.cf file.

This file has a billion options, and for the course of this config going through ever option is out of the scope of this article. I just want you to look at the following sections.

smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_rbl_client sbl-xbl.spamhaus.org
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client dsn.rfc-ignorant.org,
reject_rbl_client dnsbl.ahbl.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client spam.spamrats.com,
check_policy_service unix:private/policy-spf,
reject_unauth_destination
local_destination_concurrency_limit = 5
virtual_alias_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
home_mailbox = Maildir/

These section allow for the recipient restrictions, and concurrency limit for the amavis process. It also has the files for aliases, and virtual aliases. That is how I like to run my servers. I have also allowed Maildir delivery, and sasl auth options.

You will now need to configure your /etc/postfix/master.cf. Please look at my example postfix configuration for the master.cf. There are a few options you want to make sure you set in the file for email to go from amavis, and back to postfix.

This allows for emails to be processed by amavis, and when the email com backs through it doesn’t get processed again by postfix checks.
smtp inet n – – – – smtpd
-o content_filter=smtp:localhost:10024

127.0.0.1:10025 inet n – – – 50 smtpd
-o content_filter=
# -o local_recipient_maps=
# -o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

You will need this in the bottom of the master.cf file for the spf rule checks.

policy-spf unix – n n – – spawn
user=nobody argv=/usr/sbin/postfix-policyd-spf-perl

Once you have completed this you can add a email address, and user or 5.

Adding a user a user for email and setting the password. Notice I set the shell to /bin/false so the user cannot login to the unix side of the machine.

$ sudo useradd -c “webmaster for wantlinux.net” -g users -s /bin/false -d /home/mail/webmaster webmaster
$ sudo passwd webmaster
Enter new UNIX password:
Retype new UNIX password:

Adding an email address.

$ vi /etc/postfix/virtual
webmaster@wantlinux.net webmaster
whateveryourwant@wantlinux.net(TAB)USERNAME
createagroup@wantlinux.net(TAB)USERNAME, USERNAME

Save the file.

Postmap the virtual file so it is a hash.

$ cd /etc/postfix
$ sudo postmap virtual

This should have created a file virtual.db.

Configuring sasl

It is pretty easy so let me make this complicated. Just install this config or copy this and put it in a file.

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path:/var/run/courier/authdaemon/socket

You will also want to change permissions on the /var/run/courier/authdaemon to 755 like so.
$ sudo chmod 755 /var/run/courier/authdaemon

I also change /etc/init.d/courier-authdaemon.

$ vi /etc/init.d/courier-authdaemon

add run_dir=”/var/run/courier/authdaemon” below daemonscript=”${sbindir}/authdaemond”.
and chmod 755 ${run_dir} below chown daemon:daemon ${run_dir} /var/run/courier.

Save the file, and you should be good to go for a courier configurations.

Configuring Courier

The default configuration files should be good for a basic setup.

Now that we have spamassassin, amavis, postfix, courier, and sasl all setup we just need to restart the services.

$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/amavis restart
$ sudo /etc/init.d/courier-authdaemon restart
$ sudo /etc/init.d/courier-imap restart
$ sudo /etc/init.d/courier-pop restart

Your email server should be working. If you want to test look at my sending email with telnet tutorial HERE

I have been using OpenVZ for years, and it does everything I have ever needed it to do. I have run mail servers, and web servers, and everything else you would want to do. I have even installed OpenVPN on a client successfully. Here is the host install for Ubuntu on 8.04 Hardy. I use the installer from https://help.ubuntu.com/community/OpenVZ. They also have a Fiesty install for the server on the ubuntu help page. If you have issue with my install of Openvz on Ubuntu server.

Install the kernel and tools

$ sudo apt-get install linux-openvz vzctl

Important! Please use the linux-image-2.6.24-17-openvz kernel or later as linux-image-2.6.24-16-openvz is broken and the kernel does not boot, see [WWW] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/210672.

Reboot into the openvz kernel

Remove the -server kernel or the -generic if you are on a desktop machine

$ sudo apt-get remove --purge --auto-remove `dpkg -l linux-image-*server | awk '$1 ~ /ii/ {print $2}'`

Change the sysctl variables in /etc/sysctl.conf

This step might not be necessary once the vzctl package is going to be updated

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled

net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.ip_forward=1

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# TCP Explict Congestion Notification
#net.ipv4.tcp_ecn = 0

# we do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

Apply the sysctl changes

$ sudo sysctl -p

Create a symlink to /vz because most of the vz tools expects the OpenVZ folders to reside there. This step is not necessary, but can eliminate further problems when other vz related components are installed.

$ sudo ln -s /var/lib/vz /vz

Now that you have a working openvz kernel installed, and sysctl options setup we We want to download a template from http://openvz.org/download/template/cache/. I use the ubuntu-8.04-i386-minimal.tar.gz template for my containers. Here are the commands to download the template.

$ cd /var/lib/vz/template/cache
$ wget http://download.openvz.org/template/precreated/ubuntu-8.04-i386-minimal.tar.gz

We have a host system, and template for a container.  We now just have to setup a container.

Creating a container

$ sudo vzctl create 101 --ostemplate ubuntu-8.04-i386-minimal

Adding an ip address

$ sudo vzctl set 101 --ipadd SET_IP_ADDRESS_HERE --save

Setting hostname

$ sudo vzctl set 101 --hostname SET_HOSTNAME_HERE --save

Setting nameserver

$  sudo vzctl set 101 --nameserver SET_NAMESERVER_IP_HERE --save

Setting virtual name

$ sudo vzctl set 101 --name SET_VENAME_HERE --save

Now that we have all this set we will start the container.

$ sudo vzctl start 101 (you can also use the VENAME)

There seems to be a strange bug in the kernel that is causing the networking, and hostname not to copy over to the container so here is a simple fix I have come up with.  These aren't really fixes, but workarounds for us who love Ubuntu, and know they will fix the problem next release.  Hopefully.

Problem:

cp: skipping file `/etc/network/interfaces', as it was replaced while being copied
/bin/cp: skipping file `/etc/hosts', as it was replaced while being copied

Fixing the networking problem.

Backup the /etc/vz/dists/scripts/debian-add_ip.sh file however you feel like.

$ vim /etc/vz/dists/scripts/debian-add_ip.sh

And replace the cp line:
# cp -f ${CFGFILE} ${CFGFILE}.bak

with this:
[ -e ${CFGFILE}.bak ] && rm ${CFGFILE}.bak
cat ${CFGFILE} >${CFGFILE}.bak

Fixing the hostname problem.

$ sudo vzctl enter 101
$ vi /etc/hostname
Add what you want the hostname to be set to. Save the file and exit the container with
$ exit

Restart the container.
$ sudo vzctl stop 101
$ sudo vzctl start 101

Once you restart the container you will be all fixed, but the error will still show up for /etc/hosts but who needs that anyway.  I believe just editing the file in the container will be sufficient for the changes you need.

You have a running hardware node and a running container you need to some minor configurations to the container.

Enter the container this will chroot you in the container.  Make sure you are not on the hardware node.

$ sudo vzctl enter 101

You will need a language support. Of course I use english so here is the command.

$ apt-get install language-pack-en-base

Set the timezone

$ dpkg-reconfigure tzdata

Exit the container

$ exit

If you want to stop the vps do the following.

$ sudo vzctl stop 101 (you can also use the VENAME)

There is a bug in the 2.6.24-17 kernel that affects the cp and mv functionality inside the contain and prevents the network settings from being copied.

To take a backup or snapshot just run a vzctl chkpnt on the hardware node.

$ sudo vzctl chkpnt 101 --dumpfile DUMPFILE_NAME

Restore from a chkpnt or revert to a snapshot.

$ sudo vzctl restore 101 --dumpfile DUMPFILE_NAME

If you want to destroy a container and start over just use the following command.

$ sudo vzctl destroy 101

Here are some other usable commands to run on the hardware node

Running list of VPS's

$ sudo vzlist

List all Containers

$ sudo vzlist -a

I also tend to know how many containers I will install on a hardware node, and use vzsplit to build my configs.  I tend to change the size of the DISKSPACE I use for each one, but other then that it is a nice command. It asks for the number ot VEs.  Just enter the number of containers you want.  It will output a config for you to use in your /etc/vz/conf/101.conf.

$ vzsplit
Enter the number of VEs:

Let me know if you have any questions about my walkthrough please add a comment.