[Nottingham] Disable Ports

Robert Postill robertpostill at yahoo.co.uk
Tue Aug 29 23:39:09 BST 2006


Johan Boshoff wrote:
>My server is hosted at a company in America and they told me that SPAMMERS are using my server to send out mail.  I did ask them to send me more details and am still waiting.
Two things I'd note here:
1) Most ISPs want spam stopped more than you do, so if they're being vague that's not good at all.  Maybe time for a change?
2) There are ISP contracts that will allow them to terminate your contract for spamming, so I'd make certain to turn *everything* off right now.  You can turn it on later when you're sure it's OK.
>The thing is, I don't want people to use the server to send out mail.  It is a web and mail server, but not to send out mail to the public.
OK, so the question is what's happening?  Turn it all off, then turn it back on piece by piece as you can assure yourself (and your ISP) that it's safe.  If, as someone mentioned before, you've been rooted (someone has installed a rootkit on your machine), you're better off having the machine wiped; you can never trust a rooted machine.  Try doing the following:
1) Check your machine is not an open relay - see http://www.tech-recipes.com/sendmail_tips381.html for some help in that regard.
2) Check if you're using a mail script on your website; formmail.pl (http://www.scriptarchive.com/formmail.html) is the kind of absolutely terrifying app you cannot have on your site without a clear and careful plan about securing it.  Remove any kind of mailing app from your webserver.
>Basically I tightened up the SSHD because I get so many IPs trying to connect to the server via SSH.  Disabled ROOT access, set the GraceTime to only 10 seconds and only gave two users access to log in via SSH.
Honestly, you're closing the stable door after the horse has bolted.  More effective next steps are SMTP AUTH for your mailserver (see http://www.jonfullmer.com/smtpauth/) and CGI security (http://users.easystreet.com/ovid/cgi_course/lessons/lesson_three.html).
>for the SSH and has nothing to do with sendmail.
Please, not Sendmail!  Get a Postfix or Exim installation; they're much easier to administer.  Postfix is a lot more secure too (Exim is no slouch, but Postfix noses ahead in received opinion).
>And yes, I am fairly new to Linux, but still have about 2 years' experience administering it to a certain extent (internal networks), and this is my first time administering it as a web and mail server.  I also know that I need to do a course or two, but time is precious and I don't have much.
No one does; it's the old question of balance.  Here's my advice: if you're bothered about what other people think of your site, make time for this or hire someone who has these skills already.  When you think about how annoying spam is and how much that costs you, it suddenly starts to cost a lot less to work this thing out.
>Any ideas where I can get some free online courses on security, mailservers, etc?
Free?  Nope, but look into CISSP (from Cisco) or the LPI (www.lpi.org) for certification.  Get hold of magazines like 2600 for education.  You should also get an audit; some security companies do them for a fixed price, I think.  Also check out tools like Nessus to help, but understand these are sharp tools; misuse is worse than no use.  This is a long road; the step from small/home networks to the real internet is large, and you may well need a lot of help to get where you need to be.
Robert.
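The open-relay check from step 1 above, as an added example that is not part of the original post and not from the tech-recipes page it links to. The probe does what the spammers' scanners do: it offers an envelope with a foreign sender and a foreign recipient and sees whether the server says 250. No DATA is sent, so nothing is actually relayed. So that it runs offline, the example also carries a constructed fake SMTP server (hostnames, domains and addresses are all invented) that can be switched between open-relay behaviour and the correct refuse-unauthorised-destination behaviour. Against a real server you would call is_open_relay() with your own host and port 25 instead.

```python
"""Envelope-only open-relay probe, plus a constructed fake SMTP server to
run it against.  Added example; not the tools the post links to."""
import smtplib
import socketserver
import threading

# Constructed: the domains the fake server hosts mail for.
LOCAL_DOMAINS = {"example.org"}


def _envelope_domain(line):
    """Domain part of the address in 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    _, _, rest = line.partition(":")
    parts = rest.split()
    addr = parts[0].strip("<>").lower() if parts else ""
    return addr.rpartition("@")[2]


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to answer an envelope-only relay probe."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 fake.example.org ESMTP (constructed test server)")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 fake.example.org")
            elif verb == "MAIL":
                # Accepting any MAIL FROM is normal.  What must never decide
                # relaying is the sender domain: a spammer simply forges it.
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                if _envelope_domain(line) in LOCAL_DOMAINS or self.server.open_relay:
                    self.reply("250 2.1.5 Ok")
                else:
                    # The correct behaviour: mail for a domain we do not host
                    # is refused unless the client is trusted or has
                    # authenticated (neither applies to an anonymous probe).
                    self.reply("554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                break
            else:
                self.reply("502 5.5.2 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)
        self.open_relay = open_relay  # True = misconfigured, accepts anything


def start_fake_server(open_relay):
    """Start a fake server on an ephemeral port; returns (server, port)."""
    server = FakeSMTPServer(open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def is_open_relay(host, port, timeout=5):
    """True if host:port accepts RCPT TO for a domain it does not host, from
    a sender it does not host.  Only the envelope is tested; no message is
    sent, so a server that says yes here has not relayed anything yet."""
    with smtplib.SMTP(host, port, local_hostname="relaytest.example.net",
                      timeout=timeout) as smtp:
        smtp.ehlo()
        code, _ = smtp.mail("relaytest@example.net")   # foreign sender
        if code != 250:
            return False
        code, _ = smtp.rcpt("victim@example.com")      # foreign recipient
        return code == 250


if __name__ == "__main__":
    for open_relay in (True, False):
        server, port = start_fake_server(open_relay)
        print(f"server configured open_relay={open_relay}: "
              f"probe reports {is_open_relay('127.0.0.1', port)}")
        server.shutdown()
        server.server_close()
```

A 250 to the RCPT TO is the only thing that matters; a server that accepts the MAIL FROM and then refuses the recipient with a 5xx is behaving correctly.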
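Why a form-to-mail script is "absolutely terrifying" (step 2 above and the CGI security point), as an added example that is not part of the original post and not formmail.pl's own code. The two failure modes a spammer looks for are a recipient field the client controls and header fields pasted into the message unfiltered, so that a line break followed by "Bcc:" adds recipients. The vulnerable handler shows both; the hardened one takes the recipient from a server-side allow-list, refuses CR/LF in any header field, insists the reply address is a single plain address and fixes the From: header. Addresses, domains and the sample submissions are all constructed, and the handlers build the message text only, nothing is sent.

```python
"""Form-to-mail CGI handler: the classic vulnerable shape beside a hardened
one.  Added example; not formmail.pl's code.  Builds messages only."""
import re
from email.message import EmailMessage
from email.parser import Parser

# Constructed allow-list: the only mailboxes the form may deliver to.
ALLOWED_RECIPIENTS = {"webmaster@example.org", "sales@example.org"}
_SIMPLE_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class FormError(ValueError):
    """Raised by the hardened handler when a submission is refused."""


def vulnerable_formmail(form):
    """The classic pattern: the client chooses the recipient and every field
    is pasted straight into the header block.  Returns the raw message text
    that would be piped to sendmail."""
    return (
        f"To: {form['recipient']}\n"
        f"From: {form['email']}\n"
        f"Subject: {form['subject']}\n"
        f"\n{form['message']}\n"
    )


def hardened_formmail(form):
    """Recipient must be on the server-side allow-list, header fields may not
    contain CR or LF, the reply address must be one plain address, and the
    From: is fixed rather than client-supplied."""
    recipient = form.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        raise FormError("recipient not permitted")
    for field in ("email", "subject"):
        value = form.get(field, "")
        if "\r" in value or "\n" in value:
            raise FormError(f"line break in {field}")
    if not _SIMPLE_ADDR.fullmatch(form.get("email", "")):
        raise FormError("reply address is not a single plain address")
    msg = EmailMessage()   # its default policy also refuses CR/LF in headers
    msg["To"] = recipient
    msg["From"] = "formmail@example.org"
    msg["Reply-To"] = form["email"]
    msg["Subject"] = form["subject"][:200]
    msg.set_content(form.get("message", ""))
    return msg.as_string()


def recipients_of(raw_message):
    """Read the message back the way an MTA would and list every address in
    To:, Cc: and Bcc:, which is exactly what the injection is aiming at."""
    msg = Parser().parsestr(raw_message)
    found = []
    for name in ("To", "Cc", "Bcc"):
        for value in msg.get_all(name, []):
            found.extend(a.strip() for a in value.split(","))
    return found


def rejects(form):
    """True if the hardened handler refuses the submission."""
    try:
        hardened_formmail(form)
    except FormError:
        return True
    return False


# Constructed submissions: one honest, two of the kind a spammer sends.
LEGIT_FORM = {"recipient": "webmaster@example.org", "email": "alice@example.net",
              "subject": "Site feedback", "message": "Hello"}
RELAY_FORM = {"recipient": "victim1@example.com, victim2@example.com",
              "email": "spammer@example.net", "subject": "Cheap meds",
              "message": "..."}
INJECT_FORM = {"recipient": "webmaster@example.org",
               "email": "nobody@example.net\r\nBcc: victim3@example.com",
               "subject": "Hi", "message": "..."}

if __name__ == "__main__":
    for name, form in (("relay", RELAY_FORM), ("inject", INJECT_FORM)):
        print(name, "vulnerable delivers to:",
              recipients_of(vulnerable_formmail(form)),
              "| hardened rejects:", rejects(form))
    print("legit hardened delivers to:",
          recipients_of(hardened_formmail(LEGIT_FORM)))
```

The allow-list is the important part: even with every header field filtered, a script that lets the client name the recipient is a free mail relay for anyone who can POST to it.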





