malware acl condition: clamd: unable to send file body to socket (127.0.0.1)

If you see an error like this in your mail logs, chances are that ClamAV cannot process attachments larger than the limit set in its configuration. In that case, the sender of an email with a larger attachment will get something like this in response:

[10.10.10.10] #<[10.10.10.10] #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Default] 451-'Temporary local problem - please try later' (delivery attempts: 75)> #SMTP#

In your mail log you’ll see something like this:

+++ 1e248B-000NMy-T6 has not completed +++
1969-08-15 01:40:21 1e248B-000NMy-T6 malware acl condition: clamd : unable to send file body to socket (127.0.0.1)
1969-08-25 01:40:21 1e248B-000NMy-T6 H=some.hostname.com [1.1.1.1] X=TLSv1:RC4-SHA:128 CV=no F=<prvs=449d2f142=senders@email.com> temporarily rejected after DATA

To solve this, open your clamav.conf file (/etc/clamav.conf, or wherever it is located on your system) and change the value of StreamMaxLength according to your needs. The default value is 25M.

Don’t forget to restart your ClamAV.

Directadmin – install Letsencrypt SSL certificate on server hostname

Letsencrypt is a revolutionary step forward in web security: free, valid SSL certificates for everyone. I won’t write about how to install and configure Letsencrypt on a Directadmin machine. I will only show how to generate and install a Letsencrypt certificate for your Directadmin hostname.

If you installed Letsencrypt on Directadmin and tried to install a certificate for your server hostname, you may have run into this problem: HTTP/1.1 400 Bad Request

Just do this:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

And then install the certificate on your server hostname:

/usr/local/directadmin/scripts/letsencrypt.sh request my.serverhostname.com 4096

Open your Directadmin configuration file and change

SSL=0 to SSL=1

Also add this:

carootcert=/usr/local/directadmin/conf/carootcert.pem

Restart your Directadmin and you should be set.

Directadmin – enable and configure Spamassassin automatically on creating user

By default, when you add a new user in Directadmin, Spamassassin is disabled. Some users are not aware of Spamassassin, so they’ll leave it disabled and will receive a lot of spam. It is good practice to enable Spamassassin by default and also set some settings. You can do that by adding the code below to your /usr/local/directadmin/scripts/custom/user_create_post.sh script. The first step is well described in the Directadmin documentation. But you may also want to define some parameters for Spamassassin when a user is created. It’s really simple. You can do that by manipulating the filter.conf file. The steps below are performed on Directadmin running on FreeBSD. It should be the same for Linux.

fail2ban – Error in FilterPyinotify callback: illegal IP address string passed to inet_aton

Just recently, I discovered a great piece of software named fail2ban. A supreme way to provide some additional security to your server. But more about fail2ban next time. So, I configured my jail.local configuration, but was getting errors in the error log. This was the error:

Error in FilterPyinotify callback: illegal IP address string passed to inet_aton

The error is pretty self-explanatory: my whitelisted IPs defined in the ignoreip variable were wrong. If you use commas (,) like I did, then there is your problem. Just replace the commas with spaces and it should work fine.

Find and replace whitespaces from your filename

If your files contain whitespace in their names, it can sometimes be a real pain, especially if you are on Linux or Unix systems. I had some problems when running rsync to back up my files. Files with whitespace were causing problems. Below is a simple command that will replace every space with “_”. You can change it to any symbol that you like. In the example below, I was searching for all jpg files.

find . -type f -name "* *.jpg" -exec bash -c 'mv "$0" "${0// /_}"' {} \;
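
The one-liner above replaces spaces in the whole path, so it fails for files inside a directory whose name contains a space, and mv will overwrite a file that already has the target name. An added example (not from the original post) that renames only the file name part and skips collisions; the function name rename_spaces and the demo files are constructed:

```shell
#!/bin/sh
# Added example: replace spaces only in the file name (not in the
# directory part of the path) and never overwrite an existing file.

# $1 = start directory, $2 = find -name pattern, e.g. "* *.jpg"
rename_spaces() {
    find "$1" -type f -name "$2" -exec sh -c '
        for path do
            dir=${path%/*}
            base=${path##*/}
            new=$dir/$(printf "%s" "$base" | tr " " "_")
            [ "$new" = "$path" ] && continue
            if [ -e "$new" ] || [ -L "$new" ]; then
                printf "skipped, target exists: %s\n" "$path" >&2
            else
                mv -- "$path" "$new"
            fi
        done' sh {} +
}

# Constructed demo in a scratch directory
demo=$(mktemp -d)
mkdir "$demo/my photos"
: > "$demo/my photos/holiday 1.jpg"
: > "$demo/my photos/holiday 2.jpg"
: > "$demo/my photos/holiday_2.jpg"     # name collision on purpose
rename_spaces "$demo" "* *.jpg"
ls "$demo/my photos"
rm -rf "$demo"
```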

Scan your cPanel/Directadmin for excessive files

When dealing with a cPanel/Directadmin server that contains a lot of users, you need some control over what those users are uploading. Web hosting accounts should be used just for that, hosting websites, and not as data storage – in most cases. Sometimes you even offer packages with unlimited disk capacity, but you don’t want users storing movies and all kinds of other unnecessary files that don’t belong on a web hosting account. From a web hosting perspective, in most cases, any single file that exceeds 100M is usually not part of a website and is just lying there, wasting your precious disk space. In cases like this, the account is used as a backup service. You’ll be able to find all kinds of files. Movies, music, applications, archives …

So you may want to have reports on a regular basis that give you a list of all files that exceed some maximum allowed file size limit – defined by you. Personally, I scan at an interval of 7 days for all files that exceed 300M in size. I created a simple script that will do just that. It will check your /home directory for all files that exceed the size that you defined. At the end, the report will be sent to your email. You can also scan other directories besides /home if you wish.

cPanel Webmail: internal server error 500 user is over quota cpanel

This user’s cPanel account reached its disk quota limit and mail stopped working. The user deleted about 4G of emails and released some disk space. The problem was that he still wasn’t able to log in to webmail. This error was shown:

internal server error 500 user is over quota cpanel

It didn’t make sense since he had released his disk space. cPanel’s quota was showing the new value, but login to webmail was still impossible.

What you have to do is remove cPanel’s overquota file manually. Let’s say that user user4 is having the issue described above.

root@cpanel [~]# cd /var/cpanel/overquota/
root@cpanel [/var/cpanel/overquota]# ls
./  ../  user1  user2  user3  user4 
root@cpanel [/var/cpanel/overquota]# rm user4

After I deleted /var/cpanel/overquota/user4, webmail started working again.

Replacing string from variable with sed: unknown option to `s'

Sed is a great command to use. I was writing a bash script and needed to replace some strings in a file with a string saved in a variable.

sed "s/string1/$string2/g; s/string3/$string4/g" $CFGFILE

When executed, the script returned this error:

[root@vincentvega]# ./myscript
sed: -e expression #1, char 14: unknown option to `s'

After googling around for a while I figured out that / was causing the problem. So I replaced / with | and now it works fine. I think that you can also use some other char than | if you want.

sed "s|string1|$string2|g; s|string3|$string4|g" $CFGFILE
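
Switching the delimiter avoids the error only as long as the variable never contains the new delimiter, and & or \ in the value are still interpreted by sed. An added example (not part of the original post) that escapes the value instead; the function names and sample values are made up for illustration, and the value is assumed to be a single line:

```shell
#!/bin/sh
# Added example: substitute a shell variable into a sed replacement safely.

# Escape the three characters that are special in the replacement half of
# s/old/new/ when "/" is the delimiter: backslash, "/" and "&".
# Assumption: the value is a single line (no embedded newlines).
sed_escape_replacement() {
    printf '%s\n' "$1" | sed 's,[\\/&],\\&,g'
}

# Replace every occurrence of a fixed word ($1) with an arbitrary value ($2)
# in the text read from stdin. $1 is assumed to be a plain word without
# regex metacharacters.
replace_word() {
    sed "s/$1/$(sed_escape_replacement "$2")/g"
}

# Constructed sample: a config line and a value containing / | & and \
sample_line='docroot=PLACEHOLDER'
sample_value='/var/www/a|b&c\d'
printf '%s\n' "$sample_line" | replace_word PLACEHOLDER "$sample_value"
```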

How to chown symbolic link – symlink

By default, if you try to chown a symbolic link (symlink), it won’t work: chown follows the link and acts on the file it points to, so the user and group of the symlink itself stay the same after the attempt. What you can do is add the -h flag to your chown command. This flag stands for --no-dereference and means »affect symbolic links instead of any referenced file«.

Example:

 
### symlink is owned by root
[root@myserver www]# ls -l
lrwxrwxrwx  1 root  root  13 May 14 14:51 html -> /var/www/html

### try to chown directory with nginx user and group
[root@myserver www]# chown nginx:nginx html

### no changes
[root@myserver www]# ls -l
lrwxrwxrwx  1 root  root  13 May 14 14:52 html -> /var/www/html

### try chown with -h flag
[root@myserver www]# chown -h nginx:nginx html

### ownership of symbolic link html is now changed
[root@myserver www]# ls -l
lrwxrwxrwx  1 nginx nginx 13 May 19 14:52 html -> /var/www/html

Find CryptoPHP hacks on your server / False php scripts

CryptoPHP is a nasty little shit! A while ago I had a problem with spam on one of our hosting servers. When we ended up on several RBL lists, one of them stated that our machine was possibly infected with CryptoPHP. Hacked files can be very hard to find. The PHP code was hidden in false .png files! These PNGs were then included in some legit PHP files, like index.php. So every time index.php was loaded, the hacked code inside the included PNG file was loaded too.

Here is how you can find if there are false png files on your system. Just scan your directory with this line:

find -L /path/to/dir/ -type f -name "*.png" -exec file {} + | grep PHP

You could also scan your system for other types of files. Just replace *.png with something else, for example *.jpg.

Output for legit files will look something like this:

./wp-includes/js/tinymce/skins/wordpress/images/more-2x.png:    PNG image data, 3800 x 40, 4-bit colormap, non-interlaced

Output for a script that pretends to be a regular PNG file (a hack) will look something like this:

./test.png:   PHP script, ASCII text
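
The same check as an added example that does not depend on the wording of file output (this script is not from the original post): it compares the leading bytes of PNG, JPEG and GIF files with the signature their extension promises and also searches the content for a PHP opening tag. The function names and the two sample files are constructed for the demo:

```shell
#!/bin/sh
# Added example: flag image files whose leading bytes do not match their
# extension, or that contain a PHP opening tag anywhere in the file.

# Print the first $2 bytes of file $1 as hex digits without separators.
magic_hex() {
    od -An -tx1 -N "$2" < "$1" | tr -d ' \t\n'
}

# Print a finding and return 0 if file $1 looks suspicious, else return 1.
check_image() {
    case $1 in
        *.png)        want=89504e470d0a1a0a; len=8 ;;
        *.jpg|*.jpeg) want=ffd8ff;           len=3 ;;
        *.gif)        want=47494638;         len=4 ;;
        *) return 1 ;;
    esac
    if [ "$(magic_hex "$1" "$len")" != "$want" ]; then
        printf '%s: header does not match extension\n' "$1"
        return 0
    fi
    # A correct header is not enough: look for a PHP tag in the content.
    if LC_ALL=C grep -q -i -F '<?php' < "$1"; then
        printf '%s: valid header but contains <?php\n' "$1"
        return 0
    fi
    return 1
}

# Scan directory $1 recursively. File names with newlines are not handled.
scan_images() {
    find "$1" -type f \( -name '*.png' -o -name '*.jpg' \
        -o -name '*.jpeg' -o -name '*.gif' \) |
    while IFS= read -r f; do
        check_image "$f" || true
    done
}

# Constructed samples in a scratch directory: one real PNG signature,
# one text file that only carries the .png extension.
demo=$(mktemp -d)
printf '\211PNG\r\n\032\n' > "$demo/ok.png"
printf '<?php /* constructed sample */ ?>\n' > "$demo/fake.png"
scan_images "$demo"
rm -rf "$demo"
```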

© 2017 geegkytuts.net