Directadmin – auto assign custom authorized_keys for newly created users – SSH access

I setup a Directadmin server which was primary for website hosting. Separating every project with new DirectAdmin user is a good practice security vise. If one website/project is hacked, other sites that are with different users are safe. But creating new users and then set up ssh keys that are allowed for every user can be time consumedly. In this case, ssh public keys were the same for every user as only developers were able to ssh connect to user account. I created a simple script that will create .ssh directory and authorized_keys with public keys for every user.

  • First, create script  user_create_post.sh inside /usr/local/directadmin/scripts/custom/.
  • Create template file with all ssh  public keys that should be assign to every new user. I created file /usr/local/directadmin/data/custom-authorized_keys
  • Add this content to the script:
    #!/bin/sh

    mkdir /home/$username/.ssh
    chown $username:$username /home/$username/.ssh
    cp /usr/local/directadmin/data/custom-authorized_keys /home/$username/.ssh/authorized_keys
    chown $username:$username /home/$username/.ssh/authorized_keys
    chmod 600 /home/$username/.ssh/authorized_keys

    echo "SSH keys added!"

    exit 0;
  • Give this script execution rights 
    chmod +x /usr/local/directadmin/scripts/custom/user_create_post.sh

That is it. Every time a new user is created, .ssh directory with authorized_keys will be created inside user’s home account.

Limit number of email recipients with Roundcube

I had an issue with one of the mail servers on which one user’s account password was stolen and was sending spam. Spam was sent from Roundcube and there was a very large number of recipients in one email. Limit the number of recipients in Postfix was not an option. It had to be done on webmail. It is very simple with Roundcube. Just add variable bellow in your Roundcube configuration file – config.inc.php.

$config['max_recipients'] = 10;

This will allow only 10 recipients in one email message. Of course you can change the number according to your needs.

Cpanel – migrate all email accounts to new cPanel server with existing passwords. No password change

For migration of user accounts between cPanel servers, there is a superb “Transfer tool” which is provided and is part of Cpanel. With it, you can simply migrate all data from one server to another. But what about when you have the same accounts on both servers and you don’t want to overwrite data on a new server? I had one account for which the only email was necessary to transfer. This is not something transfer tool can do because I didn’t want to overwrite account.

If you have many email accounts and you don’t know passwords for them, it is realy pain in  the ass to change all passwords and make transfer via imapsync. But luckily, you can simly copy all email accounts from one Cpanel server to another by copy user’s “passwd” and “shadow” file.

Here is how you can migrate all email accounts from one server to another without changing username/password. All passwords will be transferred.

Continue Reading

Directadmin – get disk size information for every email account on your server/user

If you want to get information about how much of disk is consuming every email account on your Directadmin server, then you can use this command.

[root@post ~]# find /home/*/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 60K 
test@domain1.si -> 60K 
lala@domain1.ba -> 529M 
info@somedomain.ba -> 529M 
igor@somedomain.eu -> 772K 
...

If you would want for every email account of some specific user, than you can use this:

[root@post ~]# find /home/user1/imap/*/*/ -maxdepth 1 -type d -exec du -sh {} \; | awk -F '/' {'print $6"@"$5 " -> " $1'}
info@domain1.si -> 1.3G 
test2@domain1.it -> 1.3G 
igor@test.si -> 68M 
...

Simple, but it can save some time 🙂

Build NGINX with GeoIP2 support from source

I used GeoIP library with Nginx for quite some time, but it came to EOL. GeoIP2 is now avalible. It is great tool for blocking unwanted traffic from your webserver. This was done on Centos 7. If you don’t want to pay for getpagespeed’s payed version, than you must build this module from source.

First, you’ll need to know your curent NGINX version


[root@myserver ~]# nginx -v
nginx version: nginx/1.16.1

Then, download exact same version of NGINX from this site and unpack it. In my case:


[root@myserver ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@myserver ~]# tar -xvzf nginx-1.16.1.tar.gz
[root@myserver ~]# cd nginx-1.16.1.tar.gz

Then you should download ngx_http_geoip2_module – geoip2 module for NGINX:


[root@myserver ~]# wget https://github.com/leev/ngx_http_geoip2_module/archive/master.zip
[root@myserver ~]# unzip master.zip

You should install GCC and Development Tools for dependencies.

[root@myserver ~]# yum groupinstall ‘Development Tools’
[root@myserver ~]# yum install gcc

Continue Reading

Make single Roundcube instance use multi different databases

I had to configure webmail service with Roundcube which would allow connecting multi mail servers o one platform. Every mail server had it’s own Roundcube instance already, but idea was, that only one installation can handle all mail servers.

I found out, that this can be done pretty symple with some php in roundcube configuration.

Open your roundcube configuration file, for example:

vi /var/www/roundcube/config/config.inc.php

Fetch correct hostname for specific webmail instance in php variable. 

$host = $_SERVER['SERVER_NAME'];

Then you should create switch statement that will be able to manage correct database connection and host for specific server name – mail service. You can also have different types of database. For example mysql and postgres.

Continue Reading

Fix high server load and memory/cpu consumption of clamd ( ClamAV )

I had troubles with one of Directadmin servers which was constantly loading because clamd process. When executing top command, clamd was always top on the list. As I researched, there is no way you can limit ClamAV’s memory and CPU consumption via its configuration itself. This is how you do it.

What you have to do is limit clamd within startup script, so that clamd will start with some limitations.

Just open ClamAV startup script. I this case CentOS 7:

vi /etc/systemd/system/clamd.service

Then add this lines. Of course change according to your needs.

IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

Your startup script should now look something like this:

[Unit]
Description = Generic clamav scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStartPre=-/bin/mkdir -p /var/run/clamd
ExecStartPre=-/bin/chown -R clamav:clamav /var/run/clamd
ExecStart = /usr/local/sbin/clamd --foreground=yes
Restart = on-failure
PrivateTmp = true
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

[Install]
WantedBy = multi-user.target

cPanel – change email password without cPanel access – edit shadow file

I had issue with cPanel on which license was expired. So web interface wasn’t accessible. One client had situation and need to change email password urgently. Because cpanel wasn’t accessible, he was unable to do so. There is a trick. You can change mail password without accessing cpanel directly. You can modify shadow file and paste new password hash. cPanel stores email passwords in shadow file. Here is how you can do it.

First, you need to generate new password hash in SHA512 format. You can do it with python:

[root@machine ~]# python3 -c 'import crypt; print(crypt.crypt("mynewpassword", crypt.mksalt(crypt.METHOD_SHA512)))'
$6$Xy/Xjk9kArTdnMeh$tZemrVaYPG8kqW0DFxpxGXzurUWYx/3qoYA5xw1KYokYaVS/34jMWrFbrjf95xjOlOrskVAZeXSnKLAPn56pi.

Then you need to locate shadow file for your user and edit it:

root@cpanel [~]# cd /home/test/etc/testdomain.com
root@cpanel [/home/test/etc/testdomain.com]#
root@cpanel [/home/test/etc/testdomain.com]# vi shadow

Here is original hash for our user. You should change it with hash generated in first step. Change part which is marked with bold:

test:$6$o/dl07XTG2tht5ir$GZQ8DCOQQ1FG9U/G87aq0kOiEru8ndwWK8RbrDy6vbl9DCKSDEsejjIxwfvO329a4dONuypsQx9HuUj6MVuqx.:18269::::::

so it looks like this:

test:$6$Xy/Xjk9kArTdnMeh$tZemrVaYPG8kqW0DFxpxGXzurUWYx/3qoYA5xw1KYokYaVS/34jMWrFbrjf95xjOlOrskVAZeXSnKLAPn56pi.:18269::::::

That’s it, you should be able to login in webmail with new password, generated with python – frist step.

Migrate all databases to remote server with mysqldump in one step – 1:1 migration

Here is quick one, last in this year :). So I had to move a lot of databases to another server, but problem was, that on source server there wasn’t enough disk available. Also it was migration from very old mysql version to mariadb so mysqldump is your friend. Mysqldump all databases was out of the question because of low disk space. Dumping each database on its own would take too long and too many effort. But you can create dump of database and import it on new server in the same step.

First, you’ll need list of all databases on your source server and create them on new server. If your mysqldump creates “create database”, then you don’t need to create them manually on new server. If you want, you can skip mysql and any other databases that you don’t wish to transfer with grep. Put list of databases in some file – databases.txt for example. But first, make shure that command bellow show all databases. It is also necessary that you can remote access to mysql from source server to new server.

Test list all databases (exclude unwanted ones):

[root@oldserver ~]# mysql -e 'show databases' | grep -v "|" | grep -v "Database\|information_schema\|mysql\|performance_schema"
database1
geekytuts
database2
database3
database4
database5

Then put list of databases in text file databasest.txt:

[root@oldserver ~]# mysql -e 'show databases' | grep -v "|" | grep -v "Database\|information_schema\|mysql\|performance_schema" > databases.txt

Then you can import database to remote server like this:

mysqldump -u root -ppassword --single-transaction --skip-lock-tables database1 | mysql -h 1.1.1.1 -u root -ppassword database1

If you want to import all/multi databases, then use database.txt that we created in first step with for loop:

for i in `cat databases.txt`; do mysqldump -u root -ppassword --single-transaction --skip-lock-tables $i | mysql -h 1.1.1.1 -u root -ppassword $i; done

Bonus: If you need to create all databases listed in databases.txt on new server manualy, then you can also create all of them in one step. Use databases.txt on new server. If your mysqldump creates “create database” also, then you can skip this step.

[root@newserver ~]# for i in `cat databases.txt`; do mysql -u root -ppassword -e create database $i; done

Hope this helps someone.

Happy new year!

Permanent block ratelimited user with Rspamd and fail2ban

This one was a little tricky. I had few mail servers with a lot of accounts. I setup rspamd instance in proxy mode. Then I called rspamd on every mail server with postfix milter. Rspamd works beautifully, ratelimiting is very useful too. But I in case of abusive mail sender, I wanted to permanently block IP from which spam originated. You can’t permanently block IPs with rspamd because ratelimit module can’t add IP address to some file.

So Fail2ban came to mind. I setup fail2ban on my rspamd installation and create filter which watches rspamd log and wait for cases when ratelimit is triggered. When fail2ban counts 10 cases of triggered ratelimit, filter puts IP of ratelimited sender to special blacklist file (ip_blacklist_ratelimit.map) which is included in rspamd multimap  definition – permanent block. Spamer IP is blocked permanently this way. 

I had few cases when some users password was stolen and spam was sending. Fail2ban and rspamd sucsessfuly banned those IPs. I also created action which will notify administrator when fail2ban blocks IP.

Rspamd ratelimit config:


# limit outgoing authenticated users
user = { 
bucket = [ 
{ 
burst = 10; # capacity of 10 messages in bucket 
rate = "1 / 1min"; # leak 1 messages per minute 
}, 
{ 
burst = 100; # capacity of 100 messages in bucket 
rate = "30 / 60min"; # leak 30 messages per hour 
}] 
}
}

Rspamd multimap definition for blocking blacklisted IPs:


# block users exceeded ratelimits 5 times
IP_BLACKLIST_RATELIMIT {
type = "ip";
prefilter = "true";
map = "${LOCAL_CONFDIR}/local.d/maps/ip_blacklist_ratelimit.map";
action = "reject";
}

Fail2ban jail configuration:


[rspamd-ratelimit]
enabled = true
action = rspamd-banip
ratelimit-alert[name=Rspamd-ratelimit, dest=terminator@myemail.com]
backend = auto
filter = rspamd-ratelimit
logpath = /var/log/rspamd/rspamd.log
maxretry = 10
bantime = 3600

Fail2ban filter for rspamd – rspamd-ratelimit.conf:


# Fail2Ban filter for rspamd ratelimit
#
[INCLUDES]
before = common.conf
[Definition]
_daemon = rspamd_proxy
failregex = ^.*rspamd_proxy.*ip: .*?Ratelimit ".*?" exceeded

# Author: Igor Mazej

Fail2ban action for rspamd – rspamd-banip.conf:


#
# Author: Igor Mazej
#
#
[Definition]
actionstart = touch /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionban = printf %%b "\n" >> /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
actionunban = sed -i "//d" -i.backup /etc/rspamd/local.d/maps/ip_blacklist_ratelimit.map
[Init]

© 2024 geegkytuts.net
Hosted by SIEL


About author