Directadmin – get disk size information for every email account on your server/user

If you want to get information about how much of disk is consuming every email account on your Directadmin server, then you can use this command.

[root@post ~]# find /home/*/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 60K
test@domain1.si -> 60K
lala@domain1.ba -> 529M
info@somedomain.ba -> 529M
igor@somedomain.eu -> 772K
...

If you would want for every email account of some specific user, than you can use this:

[root@post ~]# find /home/user1/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 1.3G
test2@domain1.it -> 1.3G
igor@test.si -> 68M
...

Simple, but it can save some time 🙂

Build NGINX with GeoIP2 support from source

I used GeoIP library with Nginx for quite some time, but it came to EOL. GeoIP2 is now avalible. It is great tool for blocking unwanted traffic from your webserver. This was done on Centos 7. If you don’t want to pay for getpagespeed’s payed version, than you must build this module from source.

First, you’ll need to know your curent NGINX version


[root@myserver ~]# nginx -v
nginx version: nginx/1.16.1

Then, download exact same version of NGINX from this site and unpack it. In my case:


[root@myserver ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@myserver ~]# tar -xvzf nginx-1.16.1.tar.gz
[root@myserver ~]# cd nginx-1.16.1.tar.gz

Then you should download ngx_http_geoip2_module – geoip2 module for NGINX:


[root@myserver ~]# wget https://github.com/leev/ngx_http_geoip2_module/archive/master.zip
[root@myserver ~]# unzip master.zip

You should install GCC and Development Tools for dependencies.

[root@myserver ~]# yum groupinstall ‘Development Tools’
[root@myserver ~]# yum install gcc

Continue Reading

Make single Roundcube instance use multi different databases

I had to configure webmail service with Roundcube which would allow connecting multi mail servers o one platform. Every mail server had it’s own Roundcube instance already, but idea was, that only one installation can handle all mail servers.

I found out, that this can be done pretty symple with some php in roundcube configuration.

Open your roundcube configuration file, for example:

vi /var/www/roundcube/config/config.inc.php

Fetch correct hostname for specific webmail instance in php variable.

$host = $_SERVER['SERVER_NAME'];

Then you should create switch statement that will be able to manage correct database connection and host for specific server name – mail service. You can also have different types of database. For example mysql and postgres.

Continue Reading

Fix high server load and memory/cpu consumption of clamd ( ClamAV )

I had troubles with one of Directadmin servers which was constantly loading because clamd process. When executing top command, clamd was always top on the list. As I researched, there is no way you can limit ClamAV’s memory and CPU consumption via its configuration itself. This is how you do it.

What you have to do is limit clamd within startup script, so that clamd will start with some limitations.

Just open ClamAV startup script. I this case CentOS 7:

vi /etc/systemd/system/clamd.service

Then add this lines. Of course change according to your needs.

IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

Your startup script should now look something like this:

[Unit]
Description = Generic clamav scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStartPre=-/bin/mkdir -p /var/run/clamd
ExecStartPre=-/bin/chown -R clamav:clamav /var/run/clamd
ExecStart = /usr/local/sbin/clamd --foreground=yes
Restart = on-failure
PrivateTmp = true
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

[Install]
WantedBy = multi-user.target

Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had few mail servers with a lot of accounts. I setup rspamd instance in proxy mode. Then I called rspamd on every mail server with postfix milter. Rspamd works beautifully, ratelimiting is very useful too. But I in case of abusive mail sender, I wanted to permanently block IP from which spam originated. You can’t permanently block IPs with rspamd because ratelimit module can’t add IP address to some file.

So Fail2ban came to mind. I setup fail2ban on my rspamd installation and create filter which watches rspamd log and wait for cases when ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, filter puts IP of ratelimited sender to special blacklist file (ip_blacklist_ratelimit.map) which is included in rspamd multimap  definition – permanent block. Spamer IP is blocked permanently this way. 

I had few cases when some users password was stolen and spam was sending. Fail2ban and rspamd sucsessfuly banned those IPs. I also created action which will notify administrator when fail2ban blocks IP.

Rspamd ratelimit config:


# limit outgoing authenticated users
user = {
bucket = [
{
burst = 10; # capacity of 10 messages in bucket
rate = "1 / 1min"; # leak 1 messages per minute
},
{
burst = 100; # capacity of 100 messages in bucket
rate = "30 / 60min"; # leak 30 messages per hour
}]
}
}

Rspamd multimap definition for blocking blacklisted IPs:


# block users exceeded ratelimits 5 times
IP_BLACKLIST_RATELIMIT {
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/ip_blacklist_ratelimit.map";
action = "reject";
}

Fail2ban jail configuration:


[rspamd-ratelimit]
enabled = true
action = rspamd-banip
ratelimit-alert[name=Rspamd-ratelimit, dest=terminator@myemail.com]
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
bantime = 3600

Fail2ban filter for rspamd – rspamd-ratelimit.conf:


# Fail2Ban filter for rspamd ratelimit
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: .*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:


#
# Author: Igor Mazej
#
#
[Definition]
actionstart = touch /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionban = printf %%b "\n" >> /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionunban = sed -i "//d" -i.backup /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
[Init]

Block wp-login and xmlrpc brute force attacks with CSF / cPanel

Another great counter attack to “flooders” on your WordPress installations. This time with CSF firewall. I had massive brute force attacks on WordPress installations on some cPanel server which were causing very high server loads.  Here is great way to block abusers with CSF firewall. Here is how.

First, create custom log from which CSF will be able to search for wp-login.php and xmlrpc.php requests. Edit your /etc/csf/csf.conf like bellow:

CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"

Because majority of those attacks are from some very well known country’s that are causing problems, you may want to white list country’s from which users shouldn’t be blocked. Add list of white list country’s in CC_IGNORE.

Then you must create custom functions for CSF so it will be able to block those attacks. Add this to your /usr/local/csf/bin/regex.custom.pm file. If it’s not there, create one. Then add this:

# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}

Restart CSF and check if LFD is doing his new job. On success you should see something like this:

May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (PL/Poland/s1.hekko.net.pl): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (TR/Turkey/5.5.5.5.linuxhosting.com.tr): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:34:24 cp lfd[590012]: (WPLOGIN) WP Login Attack 6.6.6.6 (DE/Germany/static.6.6.6.6.clients.your-server.de): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]83247]: (WPLOGIN) WP Login Attack 7.7.7.7 (VN/Vietnam/-): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
...

Requests for ignored country’s should look like this:

May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored
...

I hope this helps. 🙂

[kofi]

Pure-FTPd: install valid SSL certificate / solve untrusted localhost certificate problem on CentOS 7

If you installed Pure-FTPD on your CentOS 7 machine and trying to install SSL certificate on it, chances are that you added your pem file to “/etc/ssl/private/”. I installed valid certificate in this directory and still getting untrusted warning for localhost certificate. Later, I found out that this path is wrong and self signed certificate was being used. Right path on CentOS 7 is “/etc/pki/pure-ftpd/”.

Here is how to do it right on Centos.

  • Create pem certificate that contains your key, crt and intermediate all in one file – pure-ftpd.pem
  • Move this certificate to /etc/pki/pure-ftpd/ as this is the right directory on CentOS.
  • In your pure-ftpd.conf, set TLS to 2.
  • Enable PassivePortRange from 30000 – 65000.
  • Restart pure-ftpd.

It should work.

SFTP: Command failed

If you try to connect via SFTP with some FTP/SFTP client and you are getting error “Command failed”, you’re sftp-server path in sshd_conf is wrong.

Open your sshd_config file and edit sftp-server path accordingly to your OS.

Ubuntu:

Subsystem sftp  /usr/lib/openssh/sftp-server

CentOS:

Subsystem sftp /usr/libexec/openssh/sftp-server

Restart your ssh and it should work.

YUM: Error: Network error: Connection reset by peer

If you get this error message when trying to install packages via yum package manager, than just execute command bellow and it should fix your problem.

yum clean expire-cache

© 2021 geegkytuts.net
Hosted by SIEL


About author