David Hrbáč » mailing http://www.hrbac.cz Just another WordPress weblog Tue, 17 Jan 2012 21:43:41 +0000 en hourly 1 DNSBL for Horde http://www.hrbac.cz/2011/01/dnsbl-for-horde/ http://www.hrbac.cz/2011/01/dnsbl-for-horde/#comments Wed, 05 Jan 2011 09:57:46 +0000 David Hrbáč http://www.hrbac.cz/?p=275 Here we go with a small patch to implement DNSBL for Horde. I have again used PEAR package, this time it is the Net_DNSBL, and as usually CentOS package is in my repos – http://fs12.vsb.cz/hrb33/el5/hrb/stable/i386/repoview/php-pear-Net-DNSBL.html.

The first patch is the important one. We let the attacker to log in, just to make sure he/she owns valid stolen credentials.

--- imp/lib/Auth/imp.php.orig   2011-01-05 10:21:05.224155622 +0100
+++ imp/lib/Auth/imp.php        2011-01-05 10:39:24.699438519 +0100
@@ -146,6 +146,36 @@
             return false;
         }
 
+        # DNSBL START
+        ini_set('include_path', ini_get('include_path').':/usr/share/php');
+        require_once 'Net/DNSBL.php';
+        $dnsbl = new Net_DNSBL();
+        #$remoteIP = '41.206.12.1';
+        $remoteIP = $_SERVER['REMOTE_ADDR'];
+        $dnsbl->setBlacklists(array(
+                'sbl-xbl.spamhaus.org',
+                'bl.spamcop.net',
+                'b.barracudacentral.org',
+                'spam.spamrats.com',
+                'dyna.spamrats.com',
+                'noptr.spamrats.com',
+                'bl.tiopan.com'
+                ));
+        if ($dnsbl->isListed($remoteIP, true)) {
+            $data=$dnsbl->getListingBls($remoteIP);
+            sort($data);
+            $entry = "LOGIN SUCCESS FROM BLACKLISTED IP [$remoteIP] FOR $userID: " . implode(", ", $data);
+            Horde::logMessage($entry, __FILE__, __LINE__, PEAR_LOG_ERR);
+
+            unset($_SESSION['imp']);
+            if (isset($prefs)) {
+                $prefs->cleanup(true);
+            }
+            $this->_setAuthError(AUTH_REASON_BADLOGIN);
+            return false;
+        }
+        # DNSBL END
+
         return true;
     }

The second one is just to log only access from blocked IPs.

--- imp/login.php.orig  2011-01-05 09:08:44.510891298 +0100
+++ imp/login.php       2011-01-05 10:34:26.763968526 +0100
@@ -449,6 +449,33 @@
     'var nomenu = ' . intval(empty($conf['menu']['always'])),
 ));
 
+# DNSBL START
+ini_set('include_path', ini_get('include_path').':/usr/share/php');
+require_once 'Net/DNSBL.php';
+$dnsbl = new Net_DNSBL();
+#$remoteIP = '41.206.12.1';
+$remoteIP = $_SERVER['REMOTE_ADDR'];
+$dnsbl->setBlacklists(array(
+        'sbl-xbl.spamhaus.org',
+        'bl.spamcop.net',
+        'b.barracudacentral.org',
+        'spam.spamrats.com',
+        'dyna.spamrats.com',
+        'noptr.spamrats.com',
+        'bl.tiopan.com'
+        ));
+if ($dnsbl->isListed($remoteIP, true)) {
+    $data=$dnsbl->getListingBls($remoteIP);
+    sort($data);
+    $entry = "BLACKLISTED IP $remoteIP: " . implode(", ", $data);
+    Horde::logMessage($entry, __FILE__, __LINE__, PEAR_LOG_ERR);
+} else {
+    $entry = "Not blacklisted ip $remoteIP" . implode(", ", $data);
+    Horde::logMessage($entry, __FILE__, __LINE__, PEAR_LOG_INFO);
+}
+
+# DNSBL END
+
 // ZMENA
 ini_set('include_path', ini_get('include_path').':/usr/share/php');
]]> http://www.hrbac.cz/2011/01/dnsbl-for-horde/feed/ 0 avgd stops listening on port 54322 http://www.hrbac.cz/2010/08/avgd-stops-listening-on-port-54322/ http://www.hrbac.cz/2010/08/avgd-stops-listening-on-port-54322/#comments Mon, 30 Aug 2010 08:08:44 +0000 David Hrbáč http://www.hrbac.cz/?p=226 Last days I’m experiencing avgd not responding. Avgd stops to listen on port 54322, amavisd-new timeouts on talking to AV. Mails are being held and queue is slowly increasing its number. It’s strange, that I’m experiencing it not only on one production system…

Aug 29 04:59:46 rakosnicek amavis[25940]: (25940-01-5) (!)AVG Anti-Virus av-scanner FAILED: run_av error: Too many retries to talk to 127.0.0.1:54322 (timed
out) at (eval 111) line 373.\n

It seems working after changing a little bit AVG configuration with following values:

avgcfgctl -w Default.setup.features.antispam=false
avgcfgctl -w Default.tcpd.avg.limiter_start=150
avgcfgctl -w Default.tcpd.avg.limiter_stop=200
avgcfgctl -w Default.tcpd.avg.timeout=5000
avgcfgctl -w Default.tcpd.smtp.enabled=false
avgctl --restart=tcpd
]]> http://www.hrbac.cz/2010/08/avgd-stops-listening-on-port-54322/feed/ 1 Zoner Antivirus with Amavisd-new http://www.hrbac.cz/2010/02/zoner-antivirus-with-amavisd-new/ http://www.hrbac.cz/2010/02/zoner-antivirus-with-amavisd-new/#comments Mon, 01 Feb 2010 21:05:04 +0000 David Hrbáč http://www.hrbac.cz/?p=157 Today I have decided to test Amavisd-new with free Zoner Antivirus for Linux. First of all you have to download the package, (test it), install, and change the ownership. Then edit the configuration.

wget http://update.zonerantivirus.com/download/zav-1.2.2-redhat-i586.rpm --nodeps
rpm -Uhv zav-1.2.2-redhat-i586.rpm --test
rpm -Uhv zav-1.2.2-redhat-i586.rpm
chown amavis: /opt/zav -R
chown amavis: /var/run/zav -R
vi /etc/zav/zavd.conf

So, we have changed the ownership. Now we have to change the daemon user to amavis too.

# user under which to run the daemon
ZAVD_USER               = "amavis"
ZAVD_GROUP              = "amavis"
# Your license key for accessing ZAV update
UPDATE_KEY              = "11111-22222-SAMPLE-33333-44444"

We can start and update ZAV with:

/etc/init.d/zavd start
/etc/init.d/zavd update

Finally we have to change Amavisd-new configuration by adding the following:

 ### http://www.grisoft.com/
 ['Zoner Anti-Virus',
#  '/opt/zav/bin/zavcli', '-z /var/run/zav/zavd.sock {}',
  '/opt/zav/bin/zavcli', ' {}',
  [0,1,2,3,4], [5,6,7,11],
  qr/^.*:\ (SUSPICIOUS|PROBINFECTED|INFECTED)\ \((.*)\)$/
]
]]> http://www.hrbac.cz/2010/02/zoner-antivirus-with-amavisd-new/feed/ 0 Send file as attachment from commnad line http://www.hrbac.cz/2010/01/send-file-as-attachment-from-commnad-line/ http://www.hrbac.cz/2010/01/send-file-as-attachment-from-commnad-line/#comments Mon, 18 Jan 2010 13:04:28 +0000 David Hrbáč http://www.hrbac.cz/?p=145 There’s an easy way of sending files as attachment from command line:

uuencode file name | mail -s "Subject" "to@tld.cz"  -- -ffrom@tld.cz

Yes, there is double hyphen and -f before the from email address.

]]> http://www.hrbac.cz/2010/01/send-file-as-attachment-from-commnad-line/feed/ 0 AVG 8.5 with Amavisd-new http://www.hrbac.cz/2009/10/avg-8-5-with-amavisd-new/ http://www.hrbac.cz/2009/10/avg-8-5-with-amavisd-new/#comments Tue, 13 Oct 2009 13:35:31 +0000 David Hrbáč http://www.hrbac.cz/?p=124 Amavisd-new is a quite powerful tool capable to co-operate with a large amount of AV scanners. Today I have decided to test it with free AVG Antivirus for Linux. First of all you have to download the package, (test it), install, and change the ownership. Then edit the configuration.

wget http://download.avgfree.com/filedir/inst/avg85flx-r287-a2632.i386.rpm
rpm -Uhv avg85flx-r287-a2632.i386.rpm --test
rpm -Uhv avg85flx-r287-a2632.i386.rpm
chown amavis: /opt/avg -R
vi /opt/avg/avg8/etc/init.d/avgdinit.conf

So, we have changed the ownership. Now we have to change the daemon user to amavis too.

# user under which to run the daemon
SUSER=amavis

We can start AVG with:

/etc/init.d/avgd start

Finally we have to change Amavisd-new configuration by commenting out  AVG section and changing the port:

 ### http://www.grisoft.com/
 ['AVG Anti-Virus',
   \&ask_daemon, ["SCAN {}\n", '127.0.0.1:54322'],
   qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],
]]> http://www.hrbac.cz/2009/10/avg-8-5-with-amavisd-new/feed/ 0