Teddys iptables

Ilya Palagin IlyaPalagin-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Sat Nov 22 21:46:02 UTC 2003


Let's Analyze That :-)

There are some servers on the internet which can check your mail server 
for relaying. Did you try them?

If you DEFINITELY aren't an openrelay, but your mail server sends tons 
of junk shortly after smtpd service is started, this means at least one 
of the following:

1. Your qmail was trojaned and you can't fix it with configs.
2. Your telnet, ssh, rsh or whatever remote access application is 
compromised and bad guys use it as a tunnel to your mailserver. For 
qmail this mail looks like local, and it relays it.

The best way to find a source of this unauthorized data transfer is to 
execute
`netstat -apn | grep LISTEN`
before and after qmail is started and sends spam and compare both 
outputs. Also, you may keep a sniffer running to observe 
established/dropped connections and their IP addresses and ports.

By the way, iptables may either accept or drop connections to services; 
it works on the protocol level, while mail relaying is on the application 
level, and they don't cross.

Teddy Mills wrote:

> 
> Trust me Keith and Kevin, when I say I was not an openrelay, it is a fact.
> 
> The fact that I know how to stop it is more important than knowing why I
> couldn't stop it.
> 
> You might not agree with this statement, but I believe it to be true. It's
> like you go to the doctor
> and say, doc I got this disease, and he/she says well it's terminal. iptables
> stops it, but I don't
> know why it stops it. The doc has just bought all the time he/she needs to
> investigate the why.
> 
> I had very knowledgeable qmail admins guiding me to verify every setting and
> do various tests.
> I was not an openrelay.
> 
> I spent 2 weeks on qmail every day, checking every line of the installation
> out, line by line.
> Every permission, every location of every file. System Security holes etc.
> Changed all passwords etc. I checked everything 100 times over. The qmail
> system is
> burned into my brain. rcpthosts as well as 1000 other things were checked
> dozens of times.
> 
> Then after enabling qmail, anywhere from 5 minutes to a day later it would
> start to send hundreds of
> email a minute from anywhere to anywhere.
> 
> I stopped qmail and all its processes and rm'd the entire qmail queue tree
> and rebuilt them.
> Started up and waited for it to happen again...
> 
> qmailctl stat
> ps ax |grep mail
> lsof -i |grep smtp, was interesting, it always had a tcp connection to a
> specific IP in Asia.
> (That's when I started closing in on him/her/them)
> Then I started tcpdump tracing of all packets and just smtp packets...
> 
> 
> Nothing worked until I started adding iptables rules.
> 
> 
> My guess it was
> 
> 1. something like a spoofed ip command to qmail.
> 2. a wrong file permission somewhere, or access right, either in apache,
> virtualhosting, cgi-bins, dns, etc.
> 3. But wherever the problem was, it sure is not a misconfigured qmail
> or qmail tool.
> 
> 
> Here's the stripped log...
> 
> 218.70.8.186::3292
> tcpserver: pid 2230 from 218.70.8.186
> tcpserver: ok 2230 x.x.x.x 218.70.8.186::3462
> 
> ----- Original Message -----
> From: "Kevin Cozens" <kcozens-qazKcTl6WRFWk0Htik3J/w at public.gmane.org>
> To: <tlug-lxSQFCZeNF4 at public.gmane.org>
> Sent: Saturday, November 22, 2003 1:44 PM
> Subject: Re: [TLUG]: Teddys iptables firewall script needs tweaking
> 
> 
> 
>>At 03:06 AM 11/22/2003 -0500, teddy mills wrote:
>>
>>>I was not an openrelay, but somehow someone from Asia found a way to use
>>>my qmail as an openrelay
>>>teddy mills
>>
>>If someone was able to use your machine as an open mail relay and you are
>>using Qmail, there is something very wrong with the configuration of your
>>Qmail system. While it is a good thing to review your firewall settings,
>>that is not the way to stop people from using your machine to relay mail.
>>You need to look at how your Qmail is configured.
>>
>>The likely reason for Qmail acting as an open relay is you do not have an
>>rcpthosts file in your /etc/qmail/control directory (or it may be under
>>/var instead of /etc depending on how Qmail was installed).
>>
>>The rcpthosts file should contain a series of lines with one domain name
>>on each line. The lines in this file are the list of domains for which Qmail
>>will accept mail. IIRC, without this file, Qmail will accept mail for all
>>domains. If the file is 0 bytes long, it will refuse mail regardless of
>>the domain in the To: lines.
>>
>>There is usually a config and config-fast program in /var/qmail/bin which
>>should be run when Qmail is first installed to set up the basic
>>configuration files needed by Qmail.
>>
>>
>>Cheers!
>>
>>Kevin.  (http://www.interlog.com/~kcozens/)
>>
>>Owner of Elecraft K2 #2172        |"What are we going to do today, Borg?"
>>E-mail:kcozens at interlog dot com|"Same thing we always do, Pinkutus:
>>Packet:ve3syb-XXPEJ3/fxIc at public.gmane.org#con.on.ca.na|  Try to assimilate the world!"
>>#include <disclaimer/favourite>   |              -Pinkutus & the Borg
>>
>>--
>>The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
>>TLUG requests: Linux topics, No HTML, wrap text below 80 columns
>>How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>>
>>
> 
> 
> 


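The thread's advice is to watch which remote hosts keep connecting to smtpd (Ilya's netstat/sniffer suggestion, and Teddy's lsof finding of one persistent peer). The script below is an added example, not code from any of the posters: it tallies accepted connections per remote IP from tcpserver-style "tcpserver: ok PID LOCAL REMOTE::PORT" log lines, so one host hammering the service stands out. The log lines and IPs are constructed samples.

```shell
#!/bin/sh
# Added example: count accepted smtpd connections per remote IP in
# tcpserver log output. Constructed sample log (documentation-range IPs);
# "x.x.x.x" stands in for the local address, as in the stripped log above.
SAMPLE_LOG='tcpserver: status: 1/40
tcpserver: pid 2230 from 192.0.2.10
tcpserver: ok 2230 x.x.x.x 192.0.2.10::3462
tcpserver: pid 2231 from 198.51.100.7
tcpserver: ok 2231 x.x.x.x 198.51.100.7::1025
tcpserver: end 2231 status 0
tcpserver: pid 2232 from 192.0.2.10
tcpserver: ok 2232 x.x.x.x 192.0.2.10::3470
tcpserver: end 2230 status 0
tcpserver: pid 2233 from 192.0.2.10
tcpserver: ok 2233 x.x.x.x 192.0.2.10::3481'

# count_by_ip: read tcpserver lines on stdin, print "COUNT IP" per remote
# address, busiest first. Only "ok" lines (accepted connections) are counted;
# the REMOTE::PORT field is split on "::" to drop the ephemeral port.
count_by_ip() {
    awk '$2 == "ok" { split($5, a, "::"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# top_talker: the remote IP with the most accepted connections.
top_talker() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_ip | head -n 1 | awk '{ print $2 }'
}

# connections_from IP: accepted connections from one remote IP (empty if none).
connections_from() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_ip | awk -v ip="$1" '$2 == ip { print $1 }'
}

# flag_over THRESHOLD: remote IPs with more than THRESHOLD accepted connections,
# i.e. the candidates to look at with lsof/tcpdump before touching iptables.
flag_over() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone run: show the per-IP tally for the sample log.
printf '%s\n' "$SAMPLE_LOG" | count_by_ip
```

On a real system, replace the embedded sample with the smtpd supervise log (for example piping /var/log/qmail/smtpd/current through count_by_ip).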