Author Archive

Apache2 : webserver sending spam – how to find out what is sending it.

April 23rd, 2010

Recently we started getting spam complaints for mails that were sent from our server, obviously not deliberately.

Now, since we have a whole bunch of sites running on our server, finding out which one had been hacked promised to be a tedious job.
Until we found this post: How To Log Emails Sent With PHP’s mail() Function To Detect Form Spam

This script logs every call to PHP's mail() function, together with the directory the call was made from, into a log file, making it very easy to find out which site the spam is coming from.
It saved us from a very, very long night!
We have put the whole content of the wonderful article by Till on our blog and made some minor modifications to the explanation.

Hope it helps!

1 Installing the wrapper script

Create a new file that will contain the script:

touch /usr/local/bin/phpsendmail

Use nano, vi or your favorite text editor to edit the file you just created and enter this script:

#!/usr/bin/php
<?php

/**
  This script is a sendmail wrapper for php to log calls of the php mail() function.
  Author: Till Brehm, www.ispconfig.org
  (Hopefully) secured by David Goodwin <david @ _palepurple_.co.uk>
*/

$sendmail_bin = '/usr/sbin/sendmail';
$logfile = '/var/log/mail_wrapper.log';

//* Read the whole message from stdin, keeping the To: and From: headers for the log
$logline = '';
$mail = '';
$pointer = fopen('php://stdin', 'r');

while ($line = fgets($pointer)) {
        if (preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
                $logline .= trim($line) . ' ';
        }
        $mail .= $line;
}
fclose($pointer);

//* Compose the sendmail command. escapeshellarg() keeps the message body and any
//* extra arguments PHP passed (e.g. -f from the 5th mail() parameter) from being
//* interpreted by the shell; each argument is separated from the previous one by a space.
$command = 'echo ' . escapeshellarg($mail) . ' | ' . $sendmail_bin . ' -t -i';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
        $command .= ' ' . escapeshellarg($_SERVER['argv'][$i]);
}

//* Write the log: timestamp, directory of the calling script, To:/From: headers.
//* PHP changes into the script's directory before running it and this wrapper inherits
//* that working directory, so getcwd() names the site; the PWD environment variable
//* is not updated by that change and would only show where Apache was started.
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . getcwd() . ' ' . $logline . "\n", FILE_APPEND);
//* Execute the command
shell_exec($command);
?>

If you use a different Linux distribution than Debian, the sendmail binary might be in a different location than /usr/sbin/sendmail and you have to change the sendmail path in the line $sendmail_bin = '/usr/sbin/sendmail'; of the script.

Now make the script executable…

chmod +x /usr/local/bin/phpsendmail

… and create the logfile and make it writable:

touch /var/log/mail_wrapper.log
chmod ugo+w /var/log/mail_wrapper.log

2 Modifying the php.ini

Now we reconfigure PHP so that it uses our wrapper script to send the emails.

Open the php.ini file…

vi /etc/php5/apache2/php.ini

… and uncomment the sendmail_path line and set it to the path of the script we created:

; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
sendmail_path = /usr/local/bin/phpsendmail

If you use PHP as CGI (e.g. with suPHP) or as FastCGI, change the same line in the file /etc/php5/cgi/php.ini, too.

Restart the Apache webserver to apply the changes.

/etc/init.d/apache2 restart

3 Test the setup

To test this setup, create a new php file with the name mailtest.php in one of your websites with the content:

<?php
mail('yourname@yourdomain.com','This is a test message subject','This is a test message body');
echo 'Mail sent.'; 
?>

Then open the file in a web browser to execute it. The test message should now appear in the logfile. Check this with the command:

cat /var/log/mail_wrapper.log

Of course, don’t forget this wonderful command:

tail -f /var/log/mail_wrapper.log
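Once the log has filled up, the directory field is what identifies the guilty site; the From: header is whatever the spam script chose to put there. The following script is an added example, not part of the original article: it ranks the directories in the wrapper's log by the number of mail() calls and shows the calls per hour for one directory. It assumes the wrapper writes one line per call in the form "DATE TIME DIRECTORY To: … From: …" and falls back to a constructed sample log when /var/log/mail_wrapper.log is not readable.

```shell
#!/bin/sh
# Added example: rank the directories in the mail() wrapper log by call count
# so the compromised site stands out. Assumes one line per call in the form
# "DATE TIME DIRECTORY To: ... From: ...", as written by the wrapper above.

LOG=${LOG:-/var/log/mail_wrapper.log}

# Constructed sample log (not real data), used when the real log is absent.
sample_log() {
  cat <<'EOF'
2010-04-23 02:11:05 /var/www/shop.example/htdocs To: a@example.net From: info@shop.example
2010-04-23 02:11:06 /var/www/shop.example/htdocs To: b@example.net From: info@shop.example
2010-04-23 02:11:07 /var/www/shop.example/htdocs To: c@example.net From: info@shop.example
2010-04-23 09:30:00 /var/www/blog.example/htdocs To: me@example.org From: blog@blog.example
EOF
}

# Print "count directory" pairs, busiest directory first. Reads the files
# given as arguments, or stdin when none are given.
rank_senders() {
  awk '{ calls[$3]++ } END { for (d in calls) printf "%d %s\n", calls[d], d }' "$@" |
    sort -rn
}

# Print only the directory with the most logged calls.
top_sender() {
  rank_senders "$@" | head -n 1 | awk '{ print $2 }'
}

# Calls per hour for one directory: hundreds in an hour is a spam script,
# a handful per day is a contact form.
hourly_calls() {
  dir=$1
  shift
  awk -v d="$dir" '$3 == d { split($2, t, ":"); n[$1 " " t[1] ":00"]++ }
    END { for (h in n) printf "%d %s\n", n[h], h }' "$@" | sort -k2
}

if [ -r "$LOG" ]; then
  rank_senders "$LOG"
else
  sample_log | rank_senders
fi
```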
Author: lhe Categories: Apache2, General, Linux (Ubuntu) Tags:

ubuntu 9.10 : getting PPTP, VPNC and OpenConnect VPN to work

April 20th, 2010

I found this post on the Ubuntu forums… works like a charm! Kudos to sweisler!

Here’s a synopsis of my VPN setups. I have proven this to work on both x86 and x64 for all 3 VPN types.

Important note/disclaimer: I tested these configurations on VMware Workstation 7 VMs and a Dell Vostro 220. All installations were fresh installs, not upgrades. Also, please notice that I detail what type of firewall/VPN I am connecting to for each VPN type. There are so many variations on these VPN implementations that it is extremely difficult to generalize a known-good configuration for each.

1. Install various VPN components
a. PPTP

  • pptp-linux
  • network-manager-pptp

b. VPNC

  • vpnc
  • network-manager-vpnc

c. OpenConnect

  • openconnect
  • network-manager-openconnect

2. Reboot

3. PPTP VPN Configuration – This setup works for connecting to ISA 2004/2006 PPTP VPNs. It should work for connecting to MS PPTP VPN implementations in general. I can’t speak for other PPTP VPN implementations.
a. Create new PPTP connection

  • VPN Tab Settings
  • Set Connection name
  • Set Gateway
  • Set username (for domain-based user accounts, use domain\username)
  • DO NOT SET PASSWORD
  • DO NOT SET NT DOMAIN
  • PPTP Advanced Options (Advanced button)
  • uncheck all auth methods EXCEPT MSCHAPv2
  • check “Use Point-to-Point encryption (MPPE)”
    • leave Security set at “All Available (Default)”
    • trying to force encryption level causes this option to become unset
  • check “Allow stateful inspection”
  • uncheck “Allow BSD Data Compression”
  • uncheck “Allow Deflate Data Compression”
  • uncheck “Use TCP Header Compression”
  • uncheck “Send PPP Echo Packets” (although connection works either checked or unchecked)
  • save configuration

b. Initial Connection attempt

  • enter password in login box
  • DO NOT check either password save box at this time
  • once connection establishes, verify remote connectivity – ping, rdp, ssh, etc.
  • disconnect VPN session

c. 2nd connection attempt

  • enter password in login box
  • check both password save option boxes
  • once again verify remote connectivity
  • disconnect VPN session

d. Subsequent connection attempts

  • VPN session should automatically connect using saved auth credentials

4. VPNC VPN Configuration – This setup works connecting to an ASA5510 – software version 8.2(1). I didn’t have any other Cisco devices to test against.
a. Create new VPNC connection

  • set connection name
  • set Gateway
  • set Group Name
  • set User Password to “Saved” and enter password
  • set Group Password to “Saved” and enter password
  • set username
  • set domain (if applicable)
  • leave Encryption Method at “Secure (Default)”
  • set NAT traversal to “NAT-T”
  • save configuration

b. Initial Connection attempt

  • open VPNC connection
  • if prompted, select “Always Allow” if you want connection to be automatic
  • verify remote connectivity – ping, rdp, ssh, etc.
  • disconnect VPN session

c. Subsequent connection attempts

  • open VPNC connection – session should automatically connect

5. OpenConnect VPN Configuration – This setup works connecting to an ASA5510 – software version 8.2(1). I didn’t have any other Cisco devices to test against.
a. Create new OpenConnect connection

  • set connection name
  • set Gateway
  • set Authentication type to “Password/SecurID”
  • no need to set username, OpenConnect won’t store it yet
  • save configuration

b. Initial connection attempt

  • open VPN connection
  • check “Automatically start connecting next time”
  • click Close
  • you will get the “No Valid VPN Secrets” VPN failure message

c. 2nd connection attempt

  • open VPN connection
  • accept certificate (if prompted)
  • change Group (if necessary)
  • enter username (may need to be domain\username)
  • enter password
  • click Login
  • if VPN connection fails, see note below
  • verify remote connectivity – ping, rdp, ssh, etc.
  • disconnect session

d. Subsequent connection attempts

  • open VPN connection
  • enter password
  • session should connect

Note: If you get the “Login Failed” message, cancel and wait 15-30 minutes before attempting to connect again. Also, I ended up having to use the NT style domain\username pair for authentication, even though a Cisco AnyConnect client connecting to the same ASA only requires username.
More Detail: OpenConnect has been brutal to get connected. I got failed attempt after failed attempt. When I checked the NPS (IAS) log and the Security Event log on the W2K8 domain controller, I could see my user account authenticating properly via RADIUS from the ASA. Yet the OpenConnect client came back with a “Login Failed” message. I’m not an ASA expert, so I have no idea what to check in the ASA configuration to troubleshoot this problem, other than the basic AAA configuration. But I believe the problem lies in the ASA configuration because when I get the OpenConnect “Login Failed” message, the AnyConnect client from my Windows laptop fails as well. I think it may be a ridiculously short timeout or max failure setting. Whatever the issue is, I have to wait for some length of time (~15-30 minutes) for whatever the problem is to reset.

However, once I finally get the OpenConnect client to successfully connect, it worked from then on. (Just don’t mess with the connection configuration, or you will get to go thru this whole process again.)
—————————–

P.S. Please leave me feedback for what worked and didn’t work for you. Also, if you can, please post a short description documenting what firewall/VPN device you were connecting to and any modifications you may have made to the VPN connection configuration. Maybe we can make this a thread for known-good configurations.

Thanks.

Author: lhe Categories: General, Linux (Ubuntu), VPN Tags:

.htpasswd protecting your phpMyAdmin installation (Debian)

March 16th, 2010

So you got yourself a LAMP webserver and started hosting some sites on it. Now, for easy access to your databases, you opt for phpMyAdmin.

When installing phpMyAdmin on a Debian system via Synaptic or apt-get install phpmyadmin, it is installed in this folder:

/usr/share/phpmyadmin

You will be able to access your phpMyAdmin via

http://www.mydomain.com/phpmyadmin

You will notice that you are asked for a username and password. This is great! It means that your database is protected… but what if I want to protect it even more?
What if I would like to add an extra layer of folder protection in front of it, using the good old .htpasswd technique?

Well, I looked around for a while but did not find any satisfying solutions. This meant I had to mess around a bit myself, and after not too long, success! I had a phpMyAdmin installation where Apache would first ask for the .htpasswd credentials before bringing me to the phpMyAdmin login page.

How did we do this?

1) create a .htpasswd file in the installation directory (see above). You can use a handy .htpasswd generator like this one: http://www.htaccesstools.com/htpasswd-generator/

2) find and edit the phpMyAdmin apache2 config file:

/etc/apache2/conf.d/phpmyadmin.conf

3) add the necessary lines in the conf file to tell Apache2 it should use the .htpasswd file. Below you will find the before and after of the configuration.

Before:

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        AllowOverride All
        Options Indexes FollowSymLinks
        DirectoryIndex index.php
</Directory>

# Authorize for setup

After:

# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
        AllowOverride All
        Options Indexes FollowSymLinks
        DirectoryIndex index.php

        AuthType Basic
        AuthName "HaLe MySQL"
        AuthUserFile /usr/share/phpmyadmin/.htpasswd
        Require valid-user
</Directory>

# Authorize for setup

4) reload your Apache2

sudo /etc/init.d/apache2 reload

5) your phpMyAdmin is now .htpasswd protected!
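Pasting a real password into an online generator hands it to a third party; the entry for step 1 can just as well be made on the server. The following script is an added example and not part of the original post; it assumes htpasswd (apache2-utils) or openssl is installed, and the user name and password are constructed sample values.

```shell
#!/bin/sh
# Added example: build the .htpasswd entry on the server instead of with an
# online generator. Assumes htpasswd (apache2-utils) or openssl is installed.

# Print one "user:hash" line. Prefers bcrypt via htpasswd -B and falls back
# to the Apache MD5 (apr1) scheme, which every Apache 2.x can verify.
htpasswd_line() {
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$1" "$2" | head -n 1
  else
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
  fi
}

# True when $2 is a hashed entry for user $1 (never the plaintext password).
is_hashed_entry() {
  case $2 in
    "$1":'$2y$'*|"$1":'$2b$'*|"$1":'$apr1$'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the file readable by root and the web server only. Because the file
# lives inside the served directory, Apache's default <Files ~ "^\.ht"> deny
# rule is what keeps it from being downloaded over HTTP.
write_htpasswd() {
  file=$1
  ( umask 027; htpasswd_line "$2" "$3" > "$file" )
  chown root:www-data "$file" 2>/dev/null || true
  chmod 640 "$file"
}

# Usage with constructed sample credentials:
# write_htpasswd /usr/share/phpmyadmin/.htpasswd dbadmin 'Sample-Passw0rd'
```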

Cheers
Lajfi

Author: lhe Categories: Databases, General, Linux (Ubuntu), MySQL, PHP Tags: