Tweaking ASSP
On this page I collect articles that tweak ASSP. If you would like to
contribute an article, email it to me with your credits (your business URL
and full name).
These tweaks are not supported, so please do not email me asking for
support; only my assp.cfg (http://www.grscripts.com/135_50/assp.cfg) is
supported. Use these tweaks at your own risk.
If you want to suggest a modification to
http://www.grscripts.com/135_50/assp.cfg, or a tweak to be added to this
page, email me (do not forget to specify your licensed IP).
Latest recommended RBLs
(28 Mar 2008) #08
This tweak can be applied with or without "assp scoring mode" enabled.
1) If you want to use the KarmaSphere RBL
Note that you must register a free account at KarmaSphere and provide
KarmaSphere with all of your server IP addresses.
Open the ASSP web interface and open the DNSBL menu;
- change RBL Service Providers to the following (it is a single line
without spaces)
karmasphere.email-sender.dnsbl.karmasphere.com|zen.spamhaus.org|bl.spamcop.net|ix.dnsbl.manitu.net|list.dsbl.org|dul.dnsbl.sorbs.net|blackholes.five-ten-sg.com|bl.spamcannibal.org|spam.spamrats.com
- Set Maximum Replies to 9 (one per listed provider)
- Set Maximum Hits to 2 (or 1 for very aggressive settings)
Save settings.
2) If you do not want to use the KarmaSphere RBL
- change RBL Service Providers to the following (it is a single line
without spaces)
zen.spamhaus.org|bl.spamcop.net|ix.dnsbl.manitu.net|list.dsbl.org|dul.dnsbl.sorbs.net|blackholes.five-ten-sg.com|bl.spamcannibal.org|spam.spamrats.com
- Set Maximum Replies to 8 (one per listed provider)
- Set Maximum Hits to 2 (or 1 for very aggressive settings)
Save settings.
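The lookups ASSP performs against the list above can be checked by hand. The following is an added example (my own shell script, not part of ASSP and not from this page's config) that queries the non-KarmaSphere list for one client IP and applies the same Maximum Hits rule. It assumes host(1) is installed and that a listing is an A record in 127.0.0.0/8. It also flags the case a practitioner should watch for before trusting a list: a zone that answers with a Spamhaus-style 127.255.255.x error code (for example because the query went through a public resolver) or with a public address (a retired or parked zone), either of which would otherwise count as a hit against every sender.

```sh
#!/bin/sh
# Added example, not part of ASSP: check one client IP against the RBL
# list from tweak #08 and apply the same "Maximum Hits" rule ASSP uses.
# Assumptions: host(1) is available, and a listing is any A record in
# 127.0.0.0/8 (the de-facto DNSBL convention).

RBLS="zen.spamhaus.org|bl.spamcop.net|ix.dnsbl.manitu.net|list.dsbl.org|dul.dnsbl.sorbs.net|blackholes.five-ten-sg.com|bl.spamcannibal.org|spam.spamrats.com"
MAXHITS=${MAXHITS:-2}      # "Maximum Hits" from the tweak

# 203.0.113.9 -> 9.113.0.203 (DNSBLs are queried with the octets reversed)
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# full query name for one IP in one zone
dnsbl_name() {
    echo "$(reverse_ip "$1").$2"
}

# the listing address for one lookup, or "" if not listed.
# Redefine this function to test the logic offline.
dnsbl_answer() {
    host -t A "$(dnsbl_name "$1" "$2")" 2>/dev/null \
        | awk '/has address/ { print $NF; exit }'
}

# listed / clear / broken ("broken" must never count as a hit)
dnsbl_status() {
    ans=$(dnsbl_answer "$1" "$2")
    case "$ans" in
        "")            echo clear ;;
        127.255.255.*) echo broken ;;  # Spamhaus-style error codes, e.g. query via a public resolver
        127.*)         echo listed ;;
        *)             echo broken ;;  # a retired or parked zone answering with a public address
    esac
}

# number of zones that list $1, ignoring broken zones (warned on stderr)
count_hits() {
    ip=$1; hits=0
    oldifs=$IFS; IFS='|'; set -- $RBLS; IFS=$oldifs
    for zone in "$@"; do
        case "$(dnsbl_status "$ip" "$zone")" in
            listed) hits=$((hits + 1)) ;;
            broken) echo "warning: $zone returns an unusable answer for $ip; fix or drop it" >&2 ;;
        esac
    done
    echo "$hits"
}

# what ASSP would do with this client under the "Maximum Hits" rule
verdict() {
    if [ "$(count_hits "$1")" -ge "$MAXHITS" ]; then echo REJECT; else echo ACCEPT; fi
}

# usage: sh rblcheck.sh 203.0.113.9
if [ -n "${1:-}" ]; then
    echo "$1: $(count_hits "$1") hit(s) -> $(verdict "$1")"
fi
```

Run it against a known-bad and a known-good address once after changing the provider list; if any zone prints the warning, remove it from RBL Service Providers and lower Maximum Replies accordingly, because ASSP does not distinguish an error answer from a listing.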
A powerful tool, find_abusers.php #06
ASSP Deluxe contains an extremely useful tool which can be executed in this
way
# /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php
It reports a lot of useful information, so that you can quickly understand
what kind of email attack your server is receiving, which of your accounts
are under heavy attack, which bad IPs are attacking your server (sorted),
and much more.
Commands
show=n
The show=n command shows you only data over the number n. If you do not
specify it, a value of 30 is used.
example
# /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php show=30
Requirements
To use this tool correctly there are 2 requirements
- a) ASSP SCORING MODE should be ON in your ASSP WHM interface
- b) the logging options in the assp web interface should not be changed
from the defaults
Using find_abusers.php as a cronjob
It is not only a reporting tool. You can execute it every 20 minutes
(recommended) with several commands to build a better Penalty Box Extreme
(collection of bad IPs), or to use an alternative to the Penalty Box Extreme
collection of bad IP addresses. So we can consider 2 situations: you collect
bad IPs with Penalty Box Extreme (default), or you decided to collect bad
IPs using the alternative PB.
===================================================================
1) If you are using PB extreme
===================================================================
it means you have
- assp web interface > PB menu > "PenaltyBox Extreme - IP Profiles
(DoPenaltyExtreme)" set to 1.
- assp web interface > PB menu > "Use Exported Penalty BlackBox Extreme for
SMTP Denying (exportExtremeFileDeny)" checked (set to 1).
If an IP address sends emails with repeated errors (for example
BlacklistedHelo), even if assp scoring mode does not reject them (because
BlacklistedHelo is only 5 points and the points required for assp scoring
are e.g. 40), the Penalty Box (PB) counts and sums the BlacklistedHelo score
in the PenaltyBox database, and when the Extreme Scoring Threshold
(PenaltyExtreme) value is reached the IP address is added to
/usr/local/assp/pb/exportedextreme.txt and blocked at SMTP time with the
following error:
554 5.7.1 Penalty Box error, please contact the server support to ensure
delivery
By default assp 1.3.5 and 1.3.3.8 come installed with PenaltyBox Extreme
enabled.
The following commands are available
show=n
The show=n command shows you only data over the number n. If you do not
specify it, a value of 30 is used.
addpb=n
If you use for example addpb=20, every IP from which more than 20 messages
were rejected due to
"email dictionary attack"
"assp scoring mode"
"max errors"
"relay attempt blocked"
"limited connections"
is shown like this
23 => 88.247.124.222 (already on PB extreme file)
if the IP address is already listed in the PB extreme file, or
28 => 89.24.107.214 (added to PB because 28 greater than 20)
if the IP is not yet listed in the PB extreme file.
log=maillog
The log= command lets you analyze an assp maillog other than the current
maillog.txt.
example
from console
# /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php show=30 addpb=20
or as a cronjob
*/20 * * * * /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php show=30 addpb=20
===================================================================
2) If you are not using PB extreme, or if you would rather NOT use PB extreme
===================================================================
If you are not using PB extreme, or you would rather not use it, simply
follow this: http://www.grscripts.com/howtofaq.html#70 .
Compared with the IPs collected by PB extreme, this method strongly reduces
the risk of blocking a good/valid IP. If you install this cron, Penalty Box
Extreme is turned off automatically. Be sure you have the latest assp deluxe
version (2.8.0) to use it.
I strongly recommend this usage if you had problems using PB extreme.
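To make the show= and addpb= thresholds concrete, here is an added shell example (my own, not find_abusers.php and not ASSP Deluxe code) that does the same counting over a maillog and appends IPs to the PB extreme file with the same messages the page shows. The layout of the constructed sample maillog (third field = client IP) and a one-IP-per-line exportedextreme.txt are assumptions; adjust the awk column to your real log before pointing it at /usr/local/assp/maillog.txt.

```sh
#!/bin/sh
# Added example, not find_abusers.php itself: reproduce its show=n / addpb=n
# logic over an ASSP maillog in shell so the thresholds can be understood
# and checked offline.
# Assumptions: one IP per line in exportedextreme.txt, and a maillog line
# whose third field is the client IP (the constructed sample below uses
# that layout; adjust the awk column for your real maillog).

PB_FILE=${PB_FILE:-/usr/local/assp/pb/exportedextreme.txt}

# rejection reasons the page lists for addpb=
REASONS='email dictionary attack|assp scoring mode|max errors|relay attempt blocked|limited connections'

# "count ip" for every IP rejected more than $2 times in maillog $1, worst first (show=n)
count_abusers() {
    grep -E "$REASONS" "$1" \
        | awk '{ print $3 }' \
        | sort | uniq -c \
        | awk -v n="$2" '$1 > n { print $1, $2 }' \
        | sort -rn
}

# addpb=n: append new abusers to the PB extreme file, report the ones already there
add_to_pb() {
    log=$1; n=$2; pb=${3:-$PB_FILE}
    [ -f "$pb" ] || : > "$pb"
    count_abusers "$log" "$n" | while read -r count ip; do
        if grep -qxF "$ip" "$pb"; then
            echo "$count => $ip (already on PB extreme file)"
        else
            echo "$ip" >> "$pb"
            echo "$count => $ip (added to PB because $count greater than $n)"
        fi
    done
}

# constructed sample maillog (simplified layout, not ASSP's exact format)
write_sample_log() {
    cat > "$1" <<'EOF'
Mar-28-08 10:00:01 88.247.124.222 <bob@example.net> to: a@example.com email dictionary attack
Mar-28-08 10:00:02 88.247.124.222 <bob@example.net> to: b@example.com email dictionary attack
Mar-28-08 10:00:03 89.24.107.214 <x@example.org> to: c@example.com relay attempt blocked
Mar-28-08 10:00:04 89.24.107.214 <x@example.org> to: d@example.com max errors
Mar-28-08 10:00:05 89.24.107.214 <x@example.org> to: e@example.com assp scoring mode
Mar-28-08 10:00:06 198.51.100.7 <ok@example.com> to: f@example.com message accepted
EOF
}

# usage: sh abusers.sh /usr/local/assp/maillog.txt 20   (second arg = addpb threshold)
if [ -n "${1:-}" ]; then
    add_to_pb "$1" "${2:-20}"
fi
```

Note that the threshold is strictly "greater than", as in the page's example (28 greater than 20), and that an IP already in the file is only reported, never duplicated.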
You can send comments or contributions to this article to daniolo @
gmail.com; put ASSP in the email subject or message body.
How to block a DDOS SMTP attack using ASSP and ASSP Deluxe for cPanel (#07)
First of all you should understand whether your server is under an SMTP DDoS
attack. You can recognize it from these signs, for example:
- Your mailserver is not usable or really slow.
- If you look at http://yourserverip:55555/shutdown_list you see a lot of
SMTP sessions (e.g. over 40), and several SMTP sessions from the same IP, or
you cannot open http://yourserverip:55555/shutdown_list at all.
- If you watch tail -f /usr/local/assp/maillog.txt (the assp maillog) you
see a LOT of email dictionary attacks.
- assp crashes often, or assp CPU usage is high or very high (over 20%).
- Server CPU usage is high or very high.
- On the ASSP STATUS CHART you see a lot of exim/assp connections, much
more than usual.
Do not use this procedure to stop small mail attacks; it should be used
only to stop SMTP DDoS attacks which make your mailserver and your server
unusable.
If you are in this situation you can reduce and/or stop the attack in this
way:
1) Open the assp web interface http://yourserverip:55555 and be sure you
have PB extreme enabled:
- assp web interface > PB menu > "PenaltyBox Extreme - IP Profiles
(DoPenaltyExtreme)" set to 1.
- assp web interface > PB menu > "Use Exported Penalty BlackBox Extreme for
SMTP Denying (exportExtremeFileDeny)" checked (set to 1).
Now go to the SMTP session menu (assp web interface) and set these
aggressive values
maxerrors 2
maxsmtpipsessions 2
maxsmtpipconnects 2
maxsmtpipduration 60
maxsmtpdomainip 2
smtpidletimeout 80
Save settings in the assp web interface
(all of this could take time because the assp web interface will be very
slow while under attack)
2) Go to the console and set this aggressive cron
*/8 * * * * /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php show=8 addpb=8
or a much more aggressive one if the attack is really heavy
*/8 * * * * /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php show=4 addpb=4
Remove any other cron line that was using find_abusers.php, in case you
have one.
3) Tell your clients that your server is under a heavy SMTP DDoS attack and
that they could have some problems sending email. If during the attack a
client cannot send, ask for his IP address and put it in
- assp web interface > PB menu > NoPB
After about 20 minutes ASSP and find_abusers.php will have collected
hundreds or thousands of bad IPs; if you open
http://yourserverip:55555/shutdown_list now it should already show a
reduced number of SMTP sessions.
You can execute from the console
# /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/find_abusers.php
to see how many IPs ASSP is rejecting using PB extreme.
If you watch the assp maillog in real time (# tail -f
/usr/local/assp/maillog.txt) you should see several connections "denied by
exportExtremeFile": ASSP is rejecting the SMTP DDoS attack at SMTP time.
After about 45-60 minutes the ASSP CPU load and server CPU load should
return to normal.
Only when you think the attack has stopped (if you are lucky it could stop
after 12-24 hours; you can tell by looking at the number of "denied by
exportExtremeFile" lines per minute in your assp maillog) should you
return everything to the standard values:
a) Open the assp web interface, go to the SMTP session menu and return the
SMTP values to standard
maxerrors 10
maxsmtpipsessions 10
maxsmtpipconnects 10
maxsmtpipduration 90
maxsmtpdomainip 10
smtpidletimeout 120
Save settings.
b) Now remove the cron you set in step 2.
c) Now clean the PB extreme file (only if you are 100% sure the attack has
stopped) in this way (I recommend cleaning it because during the attack
some good IPs could have been collected)
# cd /usr/local/assp/pb;rm -f pbdb.*;/etc/init.d/assp stop;rm -f pbdb.*;/etc/init.d/assp start;echo "" > exportedextreme.txt
OR you may use the alternative PB http://www.grscripts.com/howtofaq.html#70
(which disables PB extreme automatically).
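The page judges whether the attack is over by the number of "denied by exportExtremeFile" lines per minute. The following added shell example (mine, not ASSP Deluxe code) computes exactly that from the maillog and reports whether any minute is still above a threshold you choose, so the decision to relax the settings is based on a number rather than on watching tail -f. The timestamp layout of the constructed sample (second field = HH:MM:SS) is an assumption; adjust the field if your maillog differs.

```sh
#!/bin/sh
# Added example, not ASSP code: measure the "denied by exportExtremeFile"
# rate per minute from the assp maillog, which the page uses to judge
# whether the SMTP DDoS is still running. Assumes a maillog line starts
# with "<date> <HH:MM:SS>" (the constructed sample uses that layout;
# adjust the field if your maillog differs).

MARK='denied by exportExtremeFile'

# "HH:MM count" per minute, in time order, for maillog $1
denials_per_minute() {
    grep -F "$MARK" "$1" \
        | awk '{ print substr($2, 1, 5) }' \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# highest number of denials seen in any single minute (0 if none)
peak_denials() {
    denials_per_minute "$1" | awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# "ongoing" while some minute still exceeds $2 denials, else "quiet"
attack_state() {
    if [ "$(peak_denials "$1")" -gt "$2" ]; then echo ongoing; else echo quiet; fi
}

# constructed sample maillog (simplified layout, not ASSP's exact format)
write_sample_log() {
    cat > "$1" <<'EOF'
Mar-28-08 10:00:01 88.247.124.222 denied by exportExtremeFile
Mar-28-08 10:00:07 89.24.107.214 denied by exportExtremeFile
Mar-28-08 10:00:40 203.0.113.5 denied by exportExtremeFile
Mar-28-08 10:01:15 198.51.100.7 <ok@example.com> to: f@example.com message accepted
Mar-28-08 10:01:30 89.24.107.214 denied by exportExtremeFile
Mar-28-08 10:02:02 203.0.113.5 denied by exportExtremeFile
EOF
}

# usage: sh denials.sh /usr/local/assp/maillog.txt 50   (second arg = per-minute threshold)
if [ -n "${1:-}" ]; then
    denials_per_minute "$1"
    echo "peak: $(peak_denials "$1")/min -> attack $(attack_state "$1" "${2:-50}")"
fi
```

Pick the threshold from your own quiet-time baseline (run it against a maillog from a normal day first); the sample data above peaks at 3 denials in minute 10:00.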
How to train the ASSP bayesian filter using ASSP NOTSPAM ANALYZER
(updated 11 Mar 2008) #01
Another way to train the ASSP Bayes algorithm is to use the ASSP NOT SPAM
ANALYZER in the ASSP WHM interface.
Open the ASSP NOT SPAM ANALYZER and look for naughty words with the search
tool. You will probably find some SPAM messages inside your NOT SPAM
collection. Move them to SPAM and rebuild the spam db. Each time you do this
task you make the bayesian database better.
For example you can search for these keywords in your NOT SPAM ANALYZER:
replica watches|MegaDik| cock | penis | pills | Original Viagra | better sex life | average penis | enlargement | orgasm | erections | Viagra | big dick | sperma | Sexual | Erectionsk | Stamina | sildenafil | citrate | Erectile
(note that there is a space before and after each keyword; copy and paste
the keyword line above into your search form field, then click search)
If you find some messages, they are probably spam. Read the messages and move
them to SPAM if required. At the end of the operation rebuild the spamdb
(using the REBUILD SPAMDB button).
If you look at the keywords above in your spamDB before and after this
training operation (cat /usr/local/assp/spamdb | grep "penis"), you will
notice that ASSP has assigned a higher bayesian score to all of them. If ASSP
receives another email containing one of these keywords, it will get a
higher bayesian score and is more likely to be blocked. I suggest you run
this training once a week, searching for different naughty words each time.
Note that if you are using assp scoring mode ON and you do the bayesian
correction explained above often (e.g. weekly), after some weeks your
bayesian filter will be much better and very efficient, so you can consider
raising the Bayesian score to 30-35 (from the default 25), considerably
increasing the percentage of spam blocked by "assp scoring mode".
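The same search can be done from the shell over the collected notspam messages, which is handy for a scripted weekly pass. The following is an added example (mine, not part of ASSP or its WHM interface). It assumes ASSP keeps one file per collected message under /usr/local/assp/notspam and /usr/local/assp/spam (both overridable), matches the page's keyword list with a space on each side as the page requires (case-insensitively, my choice), and can move the hits into the spam collection before you press REBUILD SPAMDB. Read the matches before moving them, exactly as the page says: a word match is a hint, not a verdict.

```sh
#!/bin/sh
# Added example, not part of ASSP: do from the shell what the NOT SPAM
# ANALYZER search does, i.e. find messages in the notspam collection that
# contain the page's keyword list, and optionally move them to the spam
# collection before rebuilding the spamdb.
# Assumptions: ASSP keeps one file per collected message under
# /usr/local/assp/notspam and /usr/local/assp/spam (override NOTSPAM/SPAM),
# and file names contain no whitespace.

NOTSPAM=${NOTSPAM:-/usr/local/assp/notspam}
SPAM=${SPAM:-/usr/local/assp/spam}

# the page's keyword line; the regex below adds the space on both sides
KEYWORDS='replica watches|MegaDik|cock|penis|pills|Original Viagra|better sex life|average penis|enlargement|orgasm|erections|Viagra|big dick|sperma|Sexual|Erectionsk|Stamina|sildenafil|citrate|Erectile'

# list files under $1 containing any keyword as a space-delimited word (case-insensitive)
find_naughty() {
    grep -rliE " ($KEYWORDS) " "$1" 2>/dev/null | sort
}

# move every match from $1 into $2 and print how many were moved
move_naughty() {
    find_naughty "$1" | while IFS= read -r f; do
        mv "$f" "$2/" && echo "$f"
    done | wc -l | tr -d ' '
}

# usage: sh naughty.sh list      -> show candidates in the notspam collection
#        sh naughty.sh move      -> move them to the spam collection
case "${1:-}" in
    list) find_naughty "$NOTSPAM" ;;
    move) echo "moved $(move_naughty "$NOTSPAM" "$SPAM") message(s) to $SPAM" ;;
esac
```

Because the pattern requires a space on both sides, "cockpit" or "penis." do not match, which keeps the list usable on a mixed mailbox; extend KEYWORDS with your own terms rather than loosening the spaces.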
ASSP SSL support on port 465 using stunnel (#03)
(updated 18 April 2008, compatible with 1.3.3.8 and 1.3.5)
This article has been written by Szymon Rybczynski (pro-net-hosting.com
and prohost.pl)
HOW TO
All lines starting with # are commands to execute as root.
1. You need stunnel installed. cPanel should have stunnel installed. To
check:
# stunnel -version
If you get something like "stunnel 4.05 on i686-redhat-linux-gnu
PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003" you can continue.
2. You can make your own certificate for SSL or use the cPanel cert. This
howto shows how to use the cPanel cert. To make your own cert, search Google
for instructions and change the cert path in stunnel.conf to your cert.
3. Set up the stunnel user and config file:
# adduser stunnel
# passwd stunnel
Set a password for user stunnel. (The account only has to exist for the
setuid/setgid lines below; a locked, non-login account, e.g. useradd -r -s
/sbin/nologin stunnel, does the same job without adding a password that can
be logged in with.)
# cd /etc/stunnel;nano -w stunnel.conf
copy and paste this:
cert = /etc/stunnel/cpanel.pem
chroot = /usr/local/cpanel/var/run/stunnel-assp/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
output = /var/log/stunnel.log
[ssmtp]
accept = 465
connect = 127.0.0.2:26
Save the file.
4. Copy the cPanel cert.
# cp /usr/local/cpanel/etc/cpanel.pem /etc/stunnel/
Note: if /usr/local/cpanel/etc/cpanel.pem does not exist you can find the
cPanel certificate also at /var/cpanel/ssl/cpanel/cpanel.pem; in this case
execute
# cp /var/cpanel/ssl/cpanel/cpanel.pem /etc/stunnel/
# chown stunnel.stunnel cpanel.pem
(the file contains the private key, so also chmod 600 it)
5. Create the run dir.
# cd /usr/local/cpanel/var/run/;mkdir stunnel-assp;chown stunnel.stunnel stunnel-assp
6. Set up 127.0.0.2. If you skip this you will create an open relay on the
SSL port: stunnel would connect to ASSP from 127.0.0.1, which step 8 puts
under "Accept All Mail", so unauthenticated clients on 465 would be relayed.
With the alias, stunnel connects to (and therefore from) 127.0.0.2, which is
not on that list, and the "Force SMTP AUTH" setting on port 26 applies.
# cp /etc/sysconfig/network-scripts/ifcfg-lo /etc/sysconfig/network-scripts/ifcfg-lo:1
# nano -w /etc/sysconfig/network-scripts/ifcfg-lo:1
Change it to look like this:
DEVICE=lo:1
IPADDR=127.0.0.2
NETMASK=255.0.0.0
NETWORK=127.0.0.0
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=myloop
Save.
7. Now bring lo:1 up.
# /etc/sysconfig/network-scripts/ifup-aliases lo
# ifconfig
It should now list 127.0.0.2
8. Log in to the assp web interface (ip:55555) and change:
Network Setup:
------------
Second SMTP Listen Port
26
------------
Second SMTP Destination
127.0.0.1:125
------------
Force SMTP AUTH on Second SMTP Listen Port
Checked
------------
Relaying:
------------
Accept All Mail
127.0.0.1
If you make a mistake here you can make your mail server an open relay, so
double check the settings.
9. Open TCP port 465 on your firewall.
10. Now you are ready to start stunnel. Execute:
# stunnel /etc/stunnel/stunnel.conf
At this moment your SSL connection should work. Test it:
# openssl s_client -quiet -connect localhost:465
If you get an error then something is wrong and you need to check
/var/log/stunnel.log
If you get something like:
"depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=dom.host.com/emailAddress=ssl.net
verify return:1
220-pol.nameserverus2.com ESMTP Exim 4.63 #1 Mon, 23 Jul 2007 15:42:14 +0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail."
everything is ok and ready to use. (The "self signed certificate" verify
error is expected with the cPanel certificate; mail clients will show the
same warning.)
11. If you want to monitor the stunnel daemon in case it goes down, you can
add check_ssl=yes to your status.php cron in this way
*/2 * * * * /usr/local/cpanel/3rdparty/bin/php /usr/local/assp/deluxe/status.php check_ssl=yes
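Because two steps above warn about accidentally creating an open relay, the one check worth running once stunnel is up is an unauthenticated relay attempt through port 465. The following is an added shell example (mine, not from the article): it sends EHLO, MAIL FROM and a RCPT TO for a foreign domain through openssl s_client and classifies the server's reply to RCPT. It assumes openssl(1) is installed and that example.org is not a domain the server hosts; the classifier only does text processing, so it can be checked on a saved transcript without a network.

```sh
#!/bin/sh
# Added example, not from the article: verify that port 465 forces SMTP AUTH
# and is not an open relay. The probe speaks SMTP through openssl s_client;
# the classifier is pure text processing so it can be checked offline.
# Assumes openssl(1) and a recipient domain (example.org) the server does not host.

# raw server transcript for an unauthenticated EHLO/MAIL/RCPT on $1:$2
smtp_relay_probe() {
    host=$1; port=${2:-465}
    {
        sleep 2   # wait for the banner; some MTAs drop clients that talk early
        printf 'EHLO probe.example\r\n'; sleep 1
        printf 'MAIL FROM:<probe@example.net>\r\n'; sleep 1
        printf 'RCPT TO:<nobody@example.org>\r\n'; sleep 1
        printf 'QUIT\r\n'
    } | openssl s_client -quiet -connect "$host:$port" 2>/dev/null
}

# reply code the server gave to RCPT TO, read from stdin: the 4th "final"
# reply line (1 = banner, 2 = EHLO, 3 = MAIL FROM, 4 = RCPT TO);
# "250-..." continuation lines are skipped; prints nothing if the dialogue broke off
rcpt_reply_code() {
    awk '/^[0-9][0-9][0-9] / { n++; if (n == 4) { print substr($0, 1, 3); exit } }'
}

# OPEN-RELAY if the foreign recipient was accepted, REFUSED on 5xx,
# TEMPFAIL on 4xx (greylisting etc.), UNKNOWN if no RCPT reply was seen
relay_verdict() {
    code=$(rcpt_reply_code)
    case "$code" in
        2*) echo OPEN-RELAY ;;
        4*) echo TEMPFAIL ;;
        5*) echo REFUSED ;;
        *)  echo UNKNOWN ;;
    esac
}

# usage: sh relaycheck.sh mail.example.com 465
if [ -n "${1:-}" ]; then
    smtp_relay_probe "$1" "${2:-465}" | relay_verdict
fi
```

Run it from a host outside your network as well as from the server itself; anything other than REFUSED on the foreign recipient means the 127.0.0.2 / Accept All Mail setup in steps 6 and 8 is wrong.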
Sanesecurity signatures (#04)
This article has been written by David Norelid (Houston Computer Repair).
This How To is NOT supported.
You can use SaneSecurity and MSRBL ClamAV definitions along with ASSP to
improve spam detection.
What are the SaneSecurity definitions?
From the SaneSecurity site:
"Clam AntiVirus is a GPL anti-virus toolkit for UNIX and was coded to detect
email viruses.
ClamAV's scanning engine is quite flexible and so has also been used to scan
for phishing signatures. The Official phishing signatures in ClamAV are
great but I've seen a number of phishing attempts get past the Official
ClamAV signatures, so I thought I'd try to produce my own signatures to stop
these phishing attempts (phish.ndb.gz). I've also produced a small scam
database (scam.ndb.gz) which will help detect some types of stock, lottery
419 and some image spams that are around at the moment."
In order to use them you will need to download and run an updater script to
keep the definitions updated properly. There are several available here:
http://www.sanesecurity.co.uk/clamav/usage.htm
Script 1 is recommended. To download it, you can run the following
command:
cd /usr/local/assp/; wget http://www.sanesecurity.co.uk/clamav/UpdateSaneSecurity.sh
Read the script before you install it (it is fetched over plain HTTP and
will run as root from cron) and make it executable (chmod 700
/usr/local/assp/UpdateSaneSecurity.sh), otherwise the cron line below fails.
From there, we need it to run no more than 4 times a day to check for
updates. Open your crontab (crontab -e) and add this line:
10 */6 * * * /usr/local/assp/UpdateSaneSecurity.sh
That will run the script every 6 hours at the 10th minute of the hour. The
script itself waits a random amount of time (3s-10m) so that everyone does
not download the definitions at the top of the hour.
That's it! The script knows where to put the definitions, and ClamAV
automatically reloads when new definitions are installed, so there is
nothing else you need to do.
You may optionally wish to disable antivirus notifications (assp web
interface), since you will be getting a lot more hits now!
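A cron that silently stops working leaves ClamAV scanning with stale third-party signatures, so the check a practitioner wants after this setup is the age of the installed files. The following is an added shell example (mine, not part of the SaneSecurity script): it reports each expected database that is missing or older than a limit, and exposes a yes/no function that can be used as a cron exit status for alerting. The database directory (/var/clamav) and the installed file names phish.ndb and scam.ndb are assumptions; set CLAMDB to match your ClamAV configuration.

```sh
#!/bin/sh
# Added example, not part of the SaneSecurity script: a cron-friendly check
# that the third-party signature files are actually being refreshed, since a
# broken updater fails silently and ClamAV keeps scanning with stale data.
# Assumptions: the ClamAV database directory in CLAMDB (default is a guess)
# and the installed names of the two databases the page mentions.

CLAMDB=${CLAMDB:-/var/clamav}
SIGS="phish.ndb scam.ndb"

# print each expected signature file under $1 that is missing or older than $2 minutes
stale_signatures() {
    dir=$1; maxmin=$2
    for s in $SIGS; do
        f=$dir/$s
        if [ ! -f "$f" ]; then
            echo "$s: missing"
        elif [ -n "$(find "$f" -mmin +"$maxmin")" ]; then
            echo "$s: older than $maxmin minutes"
        fi
    done
}

# 0 when everything is fresh, 1 otherwise (usable directly as a cron exit status)
signatures_ok() {
    [ -z "$(stale_signatures "$1" "$2")" ]
}

# usage: sh sigcheck.sh 1440   (the page's cron runs every 6 hours, so a day is generous)
if [ -n "${1:-}" ]; then
    stale_signatures "$CLAMDB" "$1"
    signatures_ok "$CLAMDB" "$1"
fi
```

Because the updater only rewrites the files when upstream has changed, allow a limit comfortably larger than the cron interval before treating an old file as a failure.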
WHM addon to allow administrators to access the ASSP web interface without login
File created by RadixHosting
DOWNLOAD
Just unzip the text file, rename it to "addon_assp.cgi" and move it to
/usr/local/cpanel/whostmgr/docroot/cgi/.
Now log in to WHM as the root user and you will see the link "ASSP Web
Interface" under the "Plugins" category in the WHM menu.
The script automatically reads the password and the port from the ASSP
configuration file and redirects you to the interface. The link is only
visible to WHM root users and the plugin is protected in case non-root users
still try to access it.