Procmail can be used in conjunction with SpamAssassin. When used together, these two applications can quickly identify spam emails and sort or destroy them.
SpamAssassin uses header analysis, text analysis, blacklists, a spam-tracking database, and self-learning Bayesian spam analysis to quickly and accurately identify and tag spam.
The easiest way for a local user to use SpamAssassin is to place the following line near the top of the ~/.procmailrc file:
INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc
The /etc/mail/spamassassin/spamassassin-default.rc file contains a simple Procmail rule that runs SpamAssassin on all incoming email. If a message is judged to be spam, it is tagged as such in the headers and its subject line is prefixed with the following pattern:
*****SPAM*****
Since SpamAssassin is a Perl script, it may be necessary on busy servers to use the binary SpamAssassin daemon (spamd) and client application (spamc). To start the spamd daemon, type the following command as root: /sbin/service spamassassin start, and make sure the spamassassin service is set to start automatically at boot.
To configure Procmail to use the SpamAssassin client application instead of the Perl script, place the following line near the top of the ~/.procmailrc file. For a system-wide configuration, place it in /etc/procmailrc:
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc
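A complete ~/.procmailrc built around the spamc include above, added here as an example (it is not from the original post); it files tagged messages into a spam folder rather than destroying them, so a false positive can be recovered. The Maildir location and the .Spam folder name are assumptions.

```procmail
# ~/.procmailrc (added example, not from the original post)
# Assumes a Maildir-style mailbox under ~/Maildir; adjust the paths to taste.
PATH=/bin:/usr/bin
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
LOGFILE=$HOME/.procmail.log
VERBOSE=no

# Run every incoming message through spamc, the client for the spamd daemon.
INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc

# Messages SpamAssassin marked as spam carry an X-Spam-Status: Yes header;
# file them in a separate folder instead of discarding them.
# No lock suffix on ":0" because Maildir delivery needs no lockfile.
:0
* ^X-Spam-Status: Yes
$MAILDIR/.Spam/

# Belt and braces: also catch the subject tag described above.
:0
* ^Subject:.*\*\*\*\*\*SPAM\*\*\*\*\*
$MAILDIR/.Spam/
```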
Monday, March 30, 2009
Sunday, March 22, 2009
Verify That There Are No Accounts With Empty Password Fields
An account with an empty password field means that anybody may log in as that user without
providing a password at all. All accounts should have strong passwords or should be locked by using
a password string like "!!"; passwd will warn when attempting to unlock an account with an empty password.
The Command:
awk -F: '($2 == "") {print $1}' /etc/shadow
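A small shell audit that extends the one-liner above, added here as an example (not from the original post): it classifies every entry of a shadow-format file as EMPTY, LOCKED or SET and lists the accounts that need attention. The sample shadow file is constructed inside the script; on a real host run shadow_empty /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the original post: classify the password field of
# each entry in a shadow-format file and list accounts with an empty one
# (anyone can log in as those users without a password).

# Print "user STATE" per line: EMPTY (no password at all), LOCKED (field
# starts with "!" or is "*", as passwd -l or a "!!" string leaves it),
# or SET (a password hash is present).
shadow_states() {
    awk -F: '
        $2 == ""      { print $1, "EMPTY";  next }
        $2 ~ /^[!*]/  { print $1, "LOCKED"; next }
                      { print $1, "SET" }' "$1"
}

# Only the account names that need attention.
shadow_empty() {
    shadow_states "$1" | awk '$2 == "EMPTY" { print $1 }'
}

# Constructed sample shadow file (no real hashes, placeholder salts).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$constructedsalt$constructedhash:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
guest::14000:0:99999:7:::
alice:!!:14000:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:14000:0:99999:7:::
svc::14000:0:99999:7:::
EOF
shadow_empty "$SAMPLE"
```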
Monday, March 16, 2009
System Network Parameter Tuning (Part 6)
net.ipv4.conf.all.secure_redirects =0
When enabled, this would allow ICMP redirects from local routers. It is disabled for
the same reasons given for accept_redirects (Part 5): malicious hosts could lie about the source address
of the redirect.
Sunday, March 15, 2009
System Network Parameter Tuning ( Part 5)
net.ipv4.conf.all.accept_redirects = 0
When disabled, this system will no longer accept ICMP Redirect messages. While these can occasionally be
legitimately used to temporarily patch an incorrect routing table on a host, malicious hosts can use them
to force packets through a sniffer or an invalid gateway. For hosts with correct routing tables, this type of packet only
has malicious uses. For hosts with incorrect routing tables, ignoring these packets will only
slightly impact network performance.
Wednesday, March 11, 2009
System Network Parameter Tuning (Part 4)
net.ipv4.conf.all.accept_source_route=0
This IP option specifies how incoming and outgoing packets are routed. While originally intended
as a troubleshooting technique, it is used almost exclusively to exploit IP trust relationships with
source-spoofed packets, and should be disabled.
Monday, March 9, 2009
System Network Parameter Tuning (Part 3)
net.ipv4.conf.all.rp_filter=1
Arriving packets get a simple check: is the packet arriving on the correct interface for its source address? In other words, would a response to this packet go back out the same interface? This simple routing-table check can quickly defeat some attempts at spoofing source addresses. The only reason this might need to be left off is if your network uses asymmetric routing. One example might be a satellite link where incoming packets arrive on an Ethernet interface, but outgoing packets go out through a modem.
Tuesday, March 3, 2009
System Network Parameter Tuning (Part 2)
net.ipv4.tcp_syncookies = 1
With syncookies enabled, once there are more than 4096 incomplete connections (the backlog limit set in Part 1),
this system changes how it responds to new connection requests. Instead of remembering every new connection,
it sends out a coded response (the cookie) and completely forgets that the connection request ever arrived. If the client actually
completes the handshake with the third ACK packet, the server sees the cookie coming back and can then rebuild the connection
in memory. The remaining (flood) connection requests never send this third ACK packet, so the server now has a way to hold legitimate conversations without
tying up huge amounts of memory and processor time handling the flood.
Monday, March 2, 2009
Security Related System Network Parameter Tuning (Part 1)
net.ipv4.tcp_max_syn_backlog=4096
tcp_max_syn_backlog specifies the maximum number of incomplete TCP connection requests that
will be remembered. When this system is under a SYN flood, a larger number increases
its chance of being able to handle legitimate requests.
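The six settings from Parts 1 to 6 of this series as one audit script, added here as an example (not from the original posts): it reads a sysctl.conf-style file, tolerates the varying "key=1" / "key = 1" spacing used in the posts, and reports every key that is missing or set to a value other than the recommended one. The sample configuration is constructed inside the script; point audit_sysctl at /etc/sysctl.conf on a real host.

```shell
#!/bin/sh
# Added example, not from the original posts: audit a sysctl.conf-style file
# against the hardening values from Parts 1 to 6. This checks the file, not
# the running kernel; "sysctl -n <key>" shows the live value for comparison.

# Expected values (one "key value" per line), taken from the posts above.
EXPECTED='net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0'

# Print the value assigned to key $2 in file $1. Accepts "key=1", "key = 1"
# and "key =1", skips comments and blank lines; the last assignment wins,
# which is how sysctl itself treats duplicate keys.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            k = $1; v = $2
            gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Audit file $1: one line per problem; returns 0 only when all six match.
audit_sysctl() {
    bad=0
    while read -r key want; do
        have=$(sysctl_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key = $have (want $want)"; bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$bad" -eq 0 ]
}

# Constructed sample: two settings correct, one wrong, three missing.
SAMPLE=$(mktemp)
printf '%s\n' '# constructed sysctl.conf' 'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.conf.all.rp_filter=0' 'net.ipv4.tcp_max_syn_backlog =4096' > "$SAMPLE"
audit_sysctl "$SAMPLE" || echo "sample config needs attention"
```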
Sunday, March 1, 2009
Downloading and Verifying an Open Source Distribution Package
Example source package: Sendmail
To download the latest source code distribution, find a mirror located near you at www.sendmail.org/mirrors.html, and use wget to download the latest version of the sendmail source code.
[root@redhat~]$ wget ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.4.tar.gz
The sendmail web site publishes the MD5 checksums of the source tarballs, so use the md5sum command to verify the integrity of the download.
[root@redhat~]$ md5sum sendmail.8.13.4.tar.gz
--------------------------------------------------------
61e336750b48b01abaa69b4d7c9473b5 sendmail.8.13.4.tar.gz
--------------------------------------------------------
If the checksum calculated by md5sum matches the one published on the Sendmail Consortium web site, then you have a good download. Otherwise, delete the file and retry from another mirror.
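A shell routine that automates the check above, added here as an example (not from the original post): it compares the md5sum of a file with the published value and deletes the file on mismatch so a bad copy is never unpacked by accident. The stand-in tarball and its hash are constructed in the script; with a real download, pass sendmail.8.13.4.tar.gz and the hash taken from the sendmail site itself, not from a checksum file fetched from the same mirror, since a mirror that can alter the tarball can alter a checksum file it hosts as well.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded file
# against a published MD5 checksum and remove it if the hash differs.

# verify_download FILE EXPECTED_MD5 -> returns 0 if the hash matches;
# otherwise the file is deleted and 1 is returned.
verify_download() {
    file=$1; want=$2
    have=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file has $have, expected $want; deleting" >&2
    rm -f "$file"
    return 1
}

# Constructed demonstration: a stand-in "tarball" whose hash we compute
# ourselves stands in for the value published on the project's site, and a
# second copy with one extra byte stands in for a corrupted download.
WORK=$(mktemp -d)
printf 'constructed tarball contents\n' > "$WORK/good.tar.gz"
PUBLISHED=$(md5sum "$WORK/good.tar.gz" | awk '{ print $1 }')
cp "$WORK/good.tar.gz" "$WORK/bad.tar.gz"
printf 'x' >> "$WORK/bad.tar.gz"
verify_download "$WORK/good.tar.gz" "$PUBLISHED"
verify_download "$WORK/bad.tar.gz" "$PUBLISHED" || echo "retry from another mirror"
```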