
Posts

Showing posts from 2020

How to Produce Postfix MTA logfile summary using Pflogsumm on CWP?

Pflogsumm is a log analyzer/summarizer for the Postfix MTA. It is designed to provide an overview of Postfix activity, with just enough detail to give the administrator a "heads up" on potential trouble spots. Pflogsumm generates summaries and, in some cases, detailed reports of mail server traffic volumes, rejected and bounced email, and server warnings, errors and panics.
CentOS 7:
# yum -y install postfix-perl-scripts
Generate Log Summary
# perl /usr/sbin/pflogsumm -d yesterday /var/log/maillog
# perl /usr/sbin/pflogsumm -d today /var/log/maillog
Generate the Log Once a Day and Receive It via Mail (on CentOS 7 the Postfix log is /var/log/maillog, the same file used above)
# crontab -e
0 0 * * * perl /usr/sbin/pflogsumm -e -d yesterday /var/log/maillog | mail -s 'Logwatch for Postfix' admin@awsmonster.com

How to Configure Postfix SMTP Relay on CWP CentOS 7 with a Relay Provider?

You can configure Postfix to send email via a relay using SASL authentication. Simple Authentication and Security Layer (SASL) is a standard authentication framework supported by many services, including Postfix.
Make sure the SASL authentication framework and mailx are installed:
# yum -y install cyrus-sasl-plain mailx
In /etc/postfix/main.cf, add the following lines:
#Relay
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
header_size_limit = 4096000
In /etc/postfix/sender_relay, add the domain that must go through the relay:
@glorency.com smtp-relay.rubel.com:587
In /etc/postfix/sasl_passwd, provide the credentials for the relay host listed in /etc/postfix/sender_relay. Because this file holds a plaintext password, keep it readable by root only.
smtp-relay.rubel.com:587 admin@glorency.com:3Ba4password0nrTg
Don't forget the following commands.
# postmap sasl_passwd sender…

How to Remove Sensitive Data from Postfix Headers?

E-mail headers contain some sensitive information. I'll show you how to remove that information from the Postfix headers. Note: some email clients will mark your email as spam if its headers don't contain an IP address. It is also very important to keep header details for your own analysis: if a user starts spamming or is compromised, you will need the headers to investigate. So we will remove only our clients' private network details.

We assume that Postfix is already up and running and will make the changes below.
Step 1: Edit the /etc/postfix/main.cf file
header_checks = regexp:/etc/postfix/header_checks
Step 2: Append the line below at the bottom of /etc/postfix/header_checks (note that this pattern matches every Received: header, not only those naming private networks)
/^Received:/ IGNORE
Step 3: Run postmap to apply the new configuration in /etc/postfix/header_checks
[root@server1 ~]# postmap /etc/postfix/header_checks
Step 4: Restart or reload the Postfix server
[root@server1 ~]# systemctl restart postfix
[root@server1 ~]# postfix reload
Details:
https://serverfault.com/questions…

How to Block (Virus) Extensions on a Postfix Mail Server?

It's very important to block dangerous attachment extensions on a Postfix mail server. Using the mime_header_checks directive in Postfix, we can reject specific extensions to protect our mail server and its users from malware and spam. So we are going to block some dangerous extensions for Postfix users.
Log in as root and edit the main configuration file:
# vi /etc/postfix/main.cf
Add the mime_header_checks Postfix config directive:
mime_header_checks = regexp:/etc/postfix/block_attachments
Save and close the file. Open the /etc/postfix/block_attachments file and append the following rule:
/name=[^>]*\.(bat|com|dll|vbs|exe|pdf|zip)/ REJECT
Note that this pattern also rejects .pdf and .zip attachments; adjust the list to your needs. Save and close the file. You must restart or reload Postfix:
# /etc/init.d/postfix reload
Watch the log file: you should see rejected mail logged in /var/log/maillog:
# tail -f /var/log/maillog

MaxIOPS Block Storage VPS : Start Your Free Trial for 5 Months, Promo Code: AQX767

Today I'll introduce you to a VPS server provider which is the best at its price and also performance-wise. They provide the world's fastest cloud servers as well as a private cloud with MaxIOPS block storage services.
Start Your Free Trial for 5 Months, Use Promo Code: AQX767
Sign Up Link
All cloud servers are deployed on enterprise-grade hardware. Together with Upcloud's in-house developed software and proprietary MaxIOPS storage technology, you get industry-leading performance at all times. Cloud servers are deployed in less than 45 seconds. With incredibly fast boot times, you will be up and running within minutes. As a VPS provider, Upcloud also includes DDoS protection, pure SSD storage and fair usage, i.e. no issues at peak time (safe from noisy neighbors).

I am using two VMs on Upcloud and migrated from AWS & Azure. The Azure Linux instance is very slow to reboot. Linode also took more time to reboot the VMs. I was very frustrated that CWP7.pro was running …

How to Configure Browser Caching for Nginx?

The first time you visit a domain, static files such as CSS, JavaScript and images are downloaded and stored in the browser's cache. On subsequent visits, the browser can serve the local copies instead of downloading the files again. This lets the web page load much faster, as it only needs to retrieve the data that has changed since the last visit. It offers a much better experience for users and is the reason Google's PageSpeed Insights recommends implementing it.
You will add a small piece of configuration that tells browsers to store CSS, JavaScript, images and PDF files in their cache for a period of seven days or the maximum.
Insert the following snippet inside the server block, directly after the previous code for Gzip compression:
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf
location ~* ^.+\.(3gp|gif|bmp|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|html|htm|txt|js|css|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|woff|ttf|svg|eot|sh)$ {
    expires max;
    add_head…

How to Enable GZIP Compression to Increase the PageSpeed Score for Nginx?

Gzip is a popular compression algorithm and format on the web. Gzip requires browser support, but you don't have to worry because all popular browsers support it. Although the instructions to enable Gzip vary between web servers, they are still very similar. Here's how Gzip works with Nginx:
Now add the following code to your Nginx configuration file, or add it to your vhost domain configuration:
# Compression gzip
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types application/atom+xml application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/xml+rss application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/png image/svg+xml image/x-icon image/gif image/jpeg text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text…

How to Install the Vesta Plugin "Tools"?

I found a plugin for VestaCP named "Tools". This tool currently lets you view all the users, mail domains, cron jobs, databases and more in one global view without having to log in to each individual user.
# wget https://raw.githubusercontent.com/SS88UK/VestaCP-Tools-Plugin/master/Install_Tools.sh -O ./Install_Tools.sh
# chmod +x ./Install_Tools.sh
# sudo ./Install_Tools.sh
Review the downloaded script before running it as root. Then open the configuration file and add the code shown in the snapshot:
# vi /usr/local/vesta/web/templates/admin/panel.html
Source details:
https://forum.vestacp.com/viewtopic.php?t=12819

How to Strengthen Nginx Security and Website Security Headers with SSL?

Using an SSL certificate does not mean you are secure; there is a lot more to strengthening web site security. Most people are happy with just having their site running under SSL after successfully figuring out how certbot and Let's Encrypt work.

Strengthening web site security is very easy, as it mainly requires you to set up what is called a Content Security Policy (CSP).
What a Content Security Policy does is tell a browser which external resources may be loaded within your site without being regarded as non-secure origins. It's an essential part of good security, especially when it comes to SSL.
But strengthening web site security does not stop there, as there are additional server headers that need to be implemented: one to prevent browser MIME-type sniffing (X-Content-Type-Options), one to stop people loading parts of your site in a frame on their own site (X-Frame-Options), what is called an XSS header (X-XSS-Protection) which asks browsers to block reflected cross-site scripting, and a strict transport security header called HSTS.
To check th…

How to Change Admin Port for Vesta Admin Control Panel?

I will show you how to change the default Vesta port from 8083 to 2087. You could change your port number to any other number. I will use port 2087 because Cloudflare supports that port in its free plan, so I can protect my server from DDoS attacks using the Cloudflare free subscription.

In brief, the steps to change your port are:
1. Add the new port (2087) on the VestaCP firewall
2. Edit Nginx to listen on the new port
3. Restart vesta
4. Delete the old port, 8083
I am not using the VestaCP firewall; I am using the CSF firewall with my Vesta Control Panel, so I am not showing you step 1.
2. Edit Nginx to listen on the new port
# vi /usr/local/vesta/nginx/conf/nginx.conf

How to Enable http2 and Secure the Server FQDN for VestaCP on Ubuntu 16.04 LTS?

We have already secured nginx and vesta-nginx using a Let's Encrypt SSL certificate in our previous tutorial. Now it is very important to secure the server FQDN, where my server FQDN is mail.datahead.biz. First I will enable http2, then I will redirect all http requests to https.
1. First, enable http2 in the server block
# vi /home/admin/conf/web/mail.datahead.biz.nginx.ssl.conf
server {
    listen 192.146.82.3:443 ssl http2;
    server_name mail.datahead.biz;
    server_tokens off;
    root /home/admin/web/mail.datahead.biz/public_html;
    index index.php index.html index.htm;
    access_log /var/log/nginx/domains/mail.datahead.biz.log combined;
    access_log /var/log/nginx/domains/mail.datahead.biz.bytes bytes;
    error_log /var/log/nginx/domains/mail.datahead.biz.error.log error;
    #ssl on;
    ssl_certificate /home/admin/conf/web/ssl.mail.datahead.biz.pem;
    ssl_certificate_key /home/admin/conf/web/ssl.mail.datahead.biz.key;
2. Redirect all http request…

How to Harden Vesta Nginx with a Let's Encrypt SSL Certificate?

Nginx 1.17.10 works as a reverse proxy for the Vesta Admin Control Panel, where it is installed as vesta-nginx. You can check the vesta-nginx version:
# /usr/local/vesta/nginx/sbin/vesta-nginx -v
nginx version: nginx/1.12.2
Vesta Nginx location:
# cd /usr/local/vesta/nginx
Take a backup of the vesta-nginx configuration file:
# cd /usr/local/vesta/nginx/conf
# cp -a nginx.conf nginx.conf-bak
1. Replace the code below
# vi /usr/local/vesta/nginx/conf/nginx.conf
# SSL PCI Compliance
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
with
# SSL Settings
#ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0, else use TLSv1.2
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ciphers ECDHE-RSA-AES256-GC…

How to Harden Nginx with a Let's Encrypt SSL Certificate and Get an A+ Score from Qualys SSL Labs?

I have previously written these articles for CentOS Web Panel, both for Nginx + Varnish + Apache + PHP-FPM and for an Apache-only server.
Source Details:
1. Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
2. Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working
My certificate score after SSL hardening:

Some changes are needed for both articles mentioned above; I will do that later for CentOS Web Panel. Now I have started to like VestaCP, which is a very lightweight control panel and has many nginx-based templates for many CMSs. I am using Nginx + PHP-FPM on Ubuntu 16.04 LTS. I have added a 4096-bit Let's Encrypt SSL certificate for the VestaCP Admin Panel, which works perfectly with no warning from any browser.
Article : How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel?

Using an SSL certificate does not mean you are secure. You have to harden (secure) your SSL configuration. My default SSL…

How to Configure a 4096-bit Let's Encrypt SSL Certificate for the VestaCP Control (Admin) Panel?

VestaCP uses a self-signed certificate for the control panel login URL, so you will get a warning from your browser. We will generate a 4096-bit Let's Encrypt SSL certificate for the VestaCP Control Panel.
It is a very easy process to generate the SSL certificate for the VestaCP Control Panel.
We will link the SSL certificate of the server FQDN that is used to log in to the VestaCP Control Panel.
# mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate.crt.old
# mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate.key.old
# ln -s /home/admin/conf/web/ssl.mail.datahead.biz.pem /usr/local/vesta/ssl/certificate.crt
# ln -s /home/admin/conf/web/ssl.mail.datahead.biz.key /usr/local/vesta/ssl/certificate.key
# reboot

Part 1: VestaCP Basic Configuration after Fresh Installation

We need to change some basic configuration after VestaCP is successfully installed. There are four default packages in VestaCP: default, gainsboro, palegreen, slategrey.
1. Change the name servers on each package as per your needs, where my name servers are ns1.datahead.biz & ns2.datahead.biz
2. Create a package as per your needs
3. Change the admin password and set SSH access to nologin

4. Delete the alias for the server FQDN
5. Configure DNS for the server FQDN
6. Delete the default database and user from phpMyAdmin
7. Configure authoritative DNS from your domain panel

How to Update & Upgrade Packages with APT on Ubuntu 16.04 LTS?

You should first run update, then upgrade. Neither of them automatically runs the other. apt update refreshes the list of available packages and their versions, but it does not install or upgrade any packages. apt upgrade actually installs newer versions of the packages you have. After updating the lists, the package manager knows about available updates for the software you have installed; this is why you want to update first. You can use apt update && apt upgrade to run both steps one after the other:
# apt update && apt upgrade

CWP: How to Enable PORTFLOOD Protection using the CSF Firewall?

There is no practical way to actually prevent DoS/DDoS attacks, because your server is connected to the internet. When you are connected to the internet, even a simple local PC is exposed to remote attacks. The only thing you can do is mitigate their effects.

When you are under DDoS and trying to mitigate the attack, the server will not respond normally: it will be slower than usual and can often appear down temporarily while the attack subsides. On large-volume attacks your provider may even null-route the server IP address to avoid overloading their entire network.
Can the CSF firewall help me stop only small/medium attacks? Why not large attacks? Because of the way DDoS works. For very large and distributed attacks, you must use a dedicated firewall or a specialized anti-DDoS shield that works at the network level inside the datacenter where you are hosted, or you can use third-party anti-DDoS services like Cloudflare, Incapsula or Level3 AntiDDoS.

CWP: How to Configure DDoS Prevention Settings in the CSF Firewall?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common threats that every publicly accessible web server faces. The purpose of such attacks, in simplest terms, is to flood a server with connections, overloading it and preventing it from accepting legitimate traffic.
Step #1: SYN flood protection
A SYN flood attack is a DoS attack exploiting the TCP (Transmission Control Protocol) connection process itself. In basic terms, a TCP connection is established using a three-way handshake:
1. The client (incoming connection) sends a synchronization packet (SYN) to the server.
2. The server responds with a synchronization acknowledgement (SYN/ACK) to the client.
3. The client then responds with an acknowledgement (ACK) back to the server.
A SYN flood attack abuses that three-way handshake by initiating many synchronization requests and then never sending the final acknowledgements. On a Linux server, you can quickly check for SYN packets by running this command o…

CWP: How to Block Access to Specific Ports for Specific Countries?

Restricting access by port for IP addresses originating in a specific country or countries can be an effective way to minimize the negative performance impact that country-level blocking can bring. In this example, we're blocking access to the FTP ports (20, 21) and the SMTP ports (25, 110, 143, 465, 587, 993, 995) for IP addresses originating in Belgium and Bulgaria.
Step #1: Specify the country or countries to be denied
Scroll down to the Country Code Lists and Settings section and add the country code(s) to CC_DENY_PORTS. Multiple countries can be comma-separated with no spaces in between, and you can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.
List the ports that will be blocked for the specified countries in the CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP fields.
Step #2: Save your changes and restart the firewall
Scroll to the bottom of the Firewall Configuration page and click on the Change button.
On the next screen, click the Restart csf+lfd …

CWP: How to Allow Access to Specific Ports for Specific Countries?

I have some listed ports for my service management and I want those ports to be accessible only from my country. Yes, you can choose to allow incoming traffic by port to only a specific country or countries. Generally, this is a better option than attempting to deny port access to a long list of countries, because the firewall will be working with a smaller CIDR range against which each incoming request must be checked.
My Listed Ports: 22,2030,2031,2086,2087,5550,55004,1025
To limit the ability to connect on a specific port or ports to visitors with IP addresses originating in a specific country or countries, you must:
1. close the ports in the firewall
2. define the country code allowed to connect on those blocked ports
3. specify the blocked ports to be opened for the specified country
In this example, we're allowing access to my listed ports above to IP addresses based in my country (Germany).
Step #1: Close the ports in the firewall
On the Firewall Configuration page, scroll down to th…

CWP: Improve CSF iptables Performance with IPSET

You run CSF (ConfigServer Firewall) on a Linux system and block a lot of IP addresses. Servers running iptables with the CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF's iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a tool called ipset.

This option allows you to use ipset v6+ for the following csf options:
CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER

ipset will only be used with the above options when listing IPs and CIDRs. Advanced Allow Filters and temporary blocks use traditional iptables. To use this option you must have a fully functioning installation of ipset installed either via rpm or source from http://ipset.netfilter.org/

It's a straightforward process. CentOS, Red Hat and Fedora (yum based) users:
# yum install ipset -y
Ubuntu or Debian:
# sudo apt-get instal…

Part 5: Run the PrestaShop 1.7.6.3 Installation Again after the Nginx 504 Gateway Time-out Solution

In our previous tutorial, Part 4, we fixed the Nginx 504 Gateway Time-out for our PrestaShop installation. Now we will run the PrestaShop installation again. You have to delete all the tables from the DB (datahead_db) that you created for PrestaShop. Open your browser and visit your domain again. Follow all the steps, provide the database details again and click "Next".
Your PrestaShop installation has finished successfully. For security purposes, you must delete the "install" folder.
Login to your Admin Panel
PrestaShop 1.7.6.3 DashBoard:

Part 4: How to Fix Nginx 504 Gateway Time-out for PrestaShop 1.7.6.3 on CWP7?

Welcome to our tutorial series. When installing PrestaShop 1.7.6.3 on a CWP7.pro server, we get the error "Nginx 504 Gateway Time-out", which means the gateway did not receive a timely response from the upstream server or application.
1. Adjust the timeout values for the proxy settings
# vi /etc/nginx/proxy.inc
proxy_connect_timeout 600s;
proxy_send_timeout 600;
proxy_read_timeout 600;
2. Change the default_socket_timeout
# vi /opt/alt/php-fpm72/usr/php/php.ini
default_socket_timeout = 600
Change the PHP-FPM configuration. Default locations:
/opt/alt/php-fpm72/usr/etc/
/opt/alt/php-fpm72/usr/etc/php-fpm.d/
/opt/alt/php-fpm72/usr/etc/php-fpm.d/users/
3. Add the following values to the cwpsvc.conf file:
# vi /opt/alt/php-fpm72/usr/etc/php-fpm.d/cwpsvc.conf
[cwpsvc]
listen = /opt/alt/php-fpm72/usr/var/sockets/cwpsvc.sock
listen.owner = cwpsvc
listen.group = cwpsvc
listen.mode = 0640
user = cwpsvc
group = cwpsvc
;request_slowlog_timeout = 5s
;slowlog = /opt/alt/php-fpm72/usr/var/log/php-fpm-s…

CWP: How to Configure Connection Limit Protection with CSF on CentOS 7?

Connection Limit Protection: this option configures iptables to offer more protection from DoS attacks against specific ports. It can also be used simply to limit resource usage by IP address for specific server services. It limits the number of concurrent new connections per IP address that can be made to specific ports. This feature does not work on servers that do not have the iptables module xt_connlimit loaded; typically this is the case with monolithic kernels.
VPS server admins should check with their VPS host provider that the iptables module is included.

Note: Run /etc/csf/csftest.pl to check whether this option will function on this server
Step: Go to your CSF WebUI panel and select "Port Flood Settings":

You can set a limit on the number of connections to a particular port by altering the value of CONNLIMIT.
CONNLIMIT = 80;20,443;15
The above value will limit a single IP to
20 connections to port 80 and
15 connections to port 443.
Where is my Sett…

How to Install MailScanner Stable v5.2.1-1 Email Security System on CentOS 7 with a CWP Server?

MailScanner is a highly respected open source email security system designed for Linux-based email gateways. It is used at over 40,000 sites around the world, protecting top government departments, commercial corporations and educational institutions. This technology has fast become the standard email solution at many ISP sites for virus protection and spam filtering.

MailScanner scans email for viruses, spam, phishing, malware, and other attacks against security vulnerabilities and plays a major part in the security of a network.
Install MailScanner
First stop and disable Postfix. We will use MailScanner in the future.
# systemctl stop postfix
# systemctl disable postfix
Download MailScanner and install:
# cd /usr/local/src/
# git clone https://github.com/MailScanner/v5.git
# cd v5
# cd builds
# rpm -ivh MailScanner-5.2.2-1.rhel.noarch.rpm
# /usr/sbin/ms-configure
1. Hit Enter to start
2. Install an MTA? [1]: N
3. Install EPEL? : n
4. Install missing tnef via RPM?: Y
5. Install missing unrar…