Tuesday, December 12, 2006

Filter rules for exim server antivirus.exim file

Hello,

First off we need to create a special log file for these filters. Do this:

touch /var/log/filter.log
chmod 0644 /var/log/filter.log

Now open up the configuration file:
vi /etc/antivirus.exim

It should have a whole whack of comments at the top.

Here’s the webhostgear.com antivirus.exim configuration. Simply add this to your existing file and save the changes; they take effect instantly.



### CUSTOM WEBHOSTGEAR.COM FILTERS by Steven Leggett info@webhostgear.com
######################################################

# START
# Filters all incoming and outgoing mail


logfile /var/log/filter.log 0644
## Common Spam
if

# Header Spam
$header_subject: contains "Pharmaceutical"
or $header_subject: contains "Viagra"
or $header_subject: contains "Cialis"
or $header_subject: is "The Ultimate Online Pharmaceutical"
or $header_subject: contains "***SPAM***"
or $header_subject: contains "[SPAM]"


# Body Spam
or $message_body: contains "Cialis"
or $message_body: contains "Viagra"
or $message_body: contains "Leavitra"
or $message_body: contains "St0ck"
or $message_body: contains "Viaagrra"
or $message_body: contains "Cia1iis"
or $message_body: contains "URGENT BUSINESS PROPOSAL"
# Alternation needs (...) not [...]; the original [net|com|...] was a character class
or $message_body matches "angka[^s]+(net|com|org|biz|info|us|name)"
or $message_body matches "v(i|1)agra|vag(i|1)n(a|4)|pen(i|1)s|asu|seks|l(o|0)l(i|1)ta|dewacolok"

then
# "fail" would bounce the message back to the sender
# SUGGESTED TO LEAVE OFF to prevent bounce loops
# and more work for the mail system
#fail text "Message has been rejected because it has triggered our central filter."
logwrite "$tod_log $message_id from $sender_address contained spam keywords"

seen finish
endif


# END
# Filters all incoming and outgoing mail


# START
# All outgoing mail on the server only - what is sent out

#Check forwarders so it doesn't get blocked
#Forwarders still work =)

## FINANCIAL FAKE SENDERS
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@citibank.com" or
$header_from contains "@bankofamerica.com" or
$header_from contains "@wamu.com" or
$header_from contains "@ebay.com" or
$header_from contains "@chase.com" or
$header_from contains "@paypal.com" or
$header_from contains "@wellsfargo.com" or
$header_from contains "@bankunited.com" or
$header_from contains "@bankerstrust.com" or
$header_from contains "@bankfirst.com" or
$header_from contains "@capitalone.com" or
$header_from contains "@citizensbank.com" or
$header_from contains "@jpmorgan.com" or
$header_from contains "@wachovia.com" or
$header_from contains "@bankone.com" or
$header_from contains "@suntrust.com" or
$header_from contains "@amazon.com" or
$header_from contains "@banksecurity.com" or
$header_from contains "@visa.com" or
$header_from contains "@mastercard.com" or
$header_from contains "@mbna.com"
)
then
logwrite "$tod_log $message_id from $sender_address is fraud"
seen finish
endif

## OTHER FAKE SENDERS SPAM
## Logs outgoing mail whose From address uses a public webmail domain
## Not recommended, since users do legitimately use From addresses not hosted on the server;
## comment this whole block out (down to its endif) if you do not want it
## Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
$header_from contains "@hotmail.com" or
$header_from contains "@yahoo.com" or
$header_from contains "@aol.com"


)
then
logwrite "$tod_log $message_id from $sender_address is forged fake"
seen finish
endif



## KNOWN FAKE PHISHING
### Log all outgoing mail from server that matches rules
logfile /var/log/filter.log 0644
if (
$received_protocol is "local" or
$received_protocol is "esmtpa"
) and (
#Paypal
$message_body: contains "Dear valued PayPal member" or
$message_body: contains "Dear valued PayPal customer" or
$message_body: contains "Dear Paypal" or
$message_body: contains "The PayPal Team" or
$message_body: contains "Dear Paypal Customer" or
$message_body: contains "Paypal Account Review Department" or


#Ebay
$message_body: contains "Dear eBay member" or
$message_body: contains "Dear eBay User" or
$message_body: contains "The eBay team" or
$message_body: contains "Dear eBay Community Member" or


#Banks
$message_body: contains "Dear Charter One Customer" or
$message_body: contains "Dear wamu.com customer" or
$message_body: contains "Dear valued Citizens Bank member" or
$message_body: contains "Dear Visa" or
$message_body: contains "Dear Citibank" or
$message_body: contains "Citibank Email" or
$message_body: contains "Dear customer of Chase Bank" or
$message_body: contains "Dear Bank of America customer" or




#ISPs
$message_body: contains "Dear AOL Member" or
$message_body: contains "Dear AOL Customer"


)
then
logwrite "$tod_log $message_id from $sender_address is phishing"
seen finish
endif

# END
# All outgoing mail on the server only - what is sent out



The log file will contain entries in this format:
/var/log/filter.log

2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing


Each line gives the date and time, the Exim message ID, the sender address, and which section of the filter matched (spam, fraud, forged or phishing). You can look up the full message history by grepping exim_mainlog for its ID, like this:

grep 1FZEB9-0002KQ-VP /var/log/exim_mainlog
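The log lines above, parsed and summarised by filter section, as an added example that is not part of the original post. It assumes the four verdict strings written by the filter's logwrite commands and uses the post's own sample lines as its input; the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Sample /var/log/filter.log: the four lines shown in the post, in the format
# the filter's logwrite commands produce.
FILTER_LOG = """\
2006-05-10 12:05:13 1Fds7S-0002Sa-MV from smooth595@gmail.com contained spam keywords
2006-05-10 14:18:47 1FduCn-0006GV-1r from dayton.nowellu7xn@gmail.com contained spam keywords
2006-04-27 15:44:35 1FZDLn-0005Mo-5z from nobody@ocean.wavepointmedia.com is fraud
2006-04-27 16:37:40 1FZEB9-0002KQ-VP from nobody@ocean.wavepointmedia.com is phishing
"""

# timestamp, Exim message ID (xxxxxx-yyyyyy-zz), sender address, verdict text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"from (?P<sender>\S+) (?P<verdict>.+)$")

# Verdict text written by each filter section -> short category name
VERDICTS = {"contained spam keywords": "spam", "is fraud": "fraud",
            "is forged fake": "forged", "is phishing": "phishing"}
# Sections that only fire on mail submitted locally or over authenticated SMTP
OUTGOING = {"fraud", "forged", "phishing"}

def parse_filter_log(text):
    """Parse filter.log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["category"] = VERDICTS.get(d.pop("verdict"), "unknown")
        entries.append(d)
    return entries

def summarize(entries):
    """Count hits per filter category."""
    return Counter(e["category"] for e in entries)

def outgoing_hits(entries):
    """Message IDs per sender for the outgoing-only sections: these senders are
    local accounts or scripts on the server, so each ID is worth a look in exim_mainlog."""
    by_sender = defaultdict(list)
    for e in entries:
        if e["category"] in OUTGOING:
            by_sender[e["sender"]].append(e["msgid"])
    return dict(by_sender)
```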

If you haven’t already, you should enable a higher level of logging in your mail server; that will be covered in our next tutorial.

Enjoy

Wednesday, December 06, 2006

Ftp access of user for files outside home directory

Hello,

You may have faced this problem when setting up an FTP server (regardless of whether it is proftpd, vsftpd, etc.): we want to restrict the access that FTP users have (normally limited to files in their own home directory), but we also want to allow them access to another folder that lives in a different location (such as development files for whatever work they are doing).

The problem is that if we configure the chroot restriction for the FTP users, as expected they will be locked in the chrooted folder (let’s say their home directory). If we try to create a symlink to the other folder they need access to, it will simply not let them change into that folder (that would break out of the chroot), and this is perfectly normal.
To illustrate this, let’s consider that I am using vsftpd with one user, ftp_user. Chroot restriction is enabled on FTP accounts and his home is /home/ftp_user, but I need to give him access to another folder, /var/www/dev/. Even though I am using vsftpd here, the same concept applies to any other FTP server software.

The configurations for vsftpd are basic ones (but I will include them at the end of the post for reference). The important one here is:

chroot_local_user=YES

Of course, one way to overcome this limitation is to disable chroot and allow the FTP users full access to all the system files. That is not at all recommended, and this little tip will show you how you can achieve this with chroot enabled. The solution is to mount the needed directory using the --bind parameter. From the man page of mount: “--bind Remount a subtree somewhere else (so that its contents are available in both places)”.

So we might do something like:

mkdir /home/ftp_user/www_dev
mount --bind /var/www/dev/ /home/ftp_user/www_dev

After this the FTP user will be able to see the needed files in his home directory and use them in his FTP client as if they were local files. Note that normal filesystem permissions still apply inside the bind mount, so the user gets exactly the access his Unix account has on /var/www/dev (read and write, given write_enable=YES below).

If you need to make this configuration permanent you can either add the mount command in some startup script or you can just include a line in /etc/fstab:

/var/www/dev /home/ftp_user/www_dev none bind 0 0

I hope that you have found this tip useful in case you have a similar issue. Just for reference, here is the vsftpd configuration used (the important parameter is only the one noted above, chroot_local_user):

/etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

Enjoy..