Exim and its queue: quick HowTo

Today we are posting a quick HowTo for those admins running Exim on their server. It will typically also be useful for everyone whose server runs cPanel as the hosting platform, since cPanel ships Exim as its mail transfer agent. We show the commands to display the queue, to remove single or all messages from it, and to identify nasties sitting in it.

  1. What’s in the queue?
    exim -bp
  2. How many messages are in the queue?
    exim -bpc
  3. How do I get rid of a specific message?
    exim -Mrm {message-id}
  4. How do I empty the entire queue?
    exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

    or

    exiqgrep -i | xargs exim -Mrm

    (exiqgrep runs exim -bp itself and ignores its standard input, so there is no need to pipe the queue listing into it; -i prints only the message IDs.)
  5. What is spamming from my server?
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    This lists the directories mail was sent from, least to most active; the busiest ones are the first place to look for a spam script. The cwd= entries only appear when Exim's log_selector includes +arguments, which cPanel's exim.conf does by default.
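The one-liners above wrapped into reusable shell functions, as an added example that is not part of the original post or of Exim's own tooling. The queue listing and the log lines it runs on are constructed samples embedded in the script (message IDs, addresses and paths are made up); the same functions work on the live output of exim -bp and on /var/log/exim_mainlog.

```shell
#!/bin/sh
# Added example (not from the original post): the queue and log one-liners
# above as functions that read on stdin, so they can be tried on captured
# text first and then on live "exim -bp" output and exim_mainlog.

# Constructed sample of "exim -bp" output: two queued messages, the second
# one frozen. Message IDs and addresses are made up.
SAMPLE_QUEUE=' 25m  1.2K 1WBs1h-0003x4-Wn <spammer@example.com>
          victim1@example.org
          victim2@example.org

  3h   870 1WBpQf-0001Ab-Ko <> *** frozen ***
          bounce@example.net
'

# Constructed sample of exim_mainlog lines with cwd= (logged when
# log_selector has +arguments, as on cPanel). Paths are made up.
SAMPLE_LOG='2014-02-12 10:01:05 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-02-12 10:01:06 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2014-02-12 10:01:07 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1WBs1h-0003x4-Wn
2014-02-12 10:02:11 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-12 10:02:40 cwd=/home/site1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
'

# Message IDs from "exim -bp" output on stdin. A message header line starts
# with the age (25m, 3h, 2d ...); field 3 is the 16-character message ID.
# Recipient lines are indented and never start with a digit.
queue_ids() {
    awk '/^ *[0-9]+[mhd] /{print $3}'
}

# Number of queued messages (what "exim -bpc" reports for the live queue).
queue_count() {
    queue_ids | wc -l | tr -d ' '
}

# Only the frozen messages, the usual suspects for bounce storms.
frozen_ids() {
    awk '/^ *[0-9]+[mhd] / && /\*\*\* frozen \*\*\*/{print $3}'
}

# Working directories mail was sent from, least to most active. Exim's own
# spool directory is skipped because exim itself logs cwd= there when it
# delivers.
spam_cwd() {
    grep 'cwd=' | grep -v '/var/spool' |
        awk -F'cwd=' '{print $2}' | awk '{print $1}' |
        sort | uniq -c | sort -n
}

# The single busiest directory: the first place to look for a spam script.
top_spam_cwd() {
    spam_cwd | tail -n 1 | awk '{print $2}'
}

# Remove every message in the live queue. Dry run unless called with "yes":
# the dry run prints the exim -Mrm commands instead of executing them.
purge_queue() {
    if [ "$1" = "yes" ]; then
        exim -bp | queue_ids | xargs -r exim -Mrm
    else
        exim -bp | queue_ids | sed 's/^/exim -Mrm /'
    fi
}

# Offline demonstration on the constructed samples.
echo "queued:   $(printf '%s' "$SAMPLE_QUEUE" | queue_count)"
echo "frozen:   $(printf '%s' "$SAMPLE_QUEUE" | frozen_ids)"
echo "top cwd:  $(printf '%s' "$SAMPLE_LOG" | top_spam_cwd)"
```

On a live box, `exim -bp | frozen_ids | xargs -r exim -Mrm` removes only the frozen messages, which is usually what you want before you resort to emptying the whole queue; run `purge_queue` without the argument first to see exactly which IDs would go.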

We hope this will come in handy for you as much as it does for us at times!


This cheatsheet has been compiled from two sources:

http://www.cyberciti.biz/faq/exim-remove-all-messages-from-the-mail-queue/
http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim


NTP Amplification Attack – the gist of it

With recent DDoS attacks increasingly using NTP as an attack vector, and one of Cloudflare's customers recently having been hit by an attack just short of 400 Gbps, we believe it is worth summarising what has been going on, how such attacks are possible at all, and what the community and providers can do to prevent or mitigate them as best they can.

A concise overview by means of a CERT alert can be found here: https://www.us-cert.gov/ncas/alerts/TA14-013A.

Essentially, an attacker sends a short query (the monlist command, which asks an NTP server for the list of up to 600 hosts that most recently talked to it) to a vulnerable NTP server, with the victim's address as the spoofed source. The request itself is tiny and produces very little traffic. The response, however, is a lot larger, and it is sent to the spoofed source address, i.e. to the victim. The response is typically about 206 times larger than the request, hence the name amplification, which makes this a very effective means to quickly fill up even very powerful internet pipes.

Cloudflare published a very interesting article as well, giving a quick overview about the most recent attack and the technology behind it: http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack.

The recommended course of action is twofold: secure your own NTP servers (cf. https://isc.sans.edu/diary/NTP+reflection+attack/17300), i.e. upgrade ntpd to 4.2.7p26 or later, where monlist is gone, or else switch the monitor facility off and restrict queries to trusted addresses; and ensure that packets with spoofed source addresses cannot leave your network, so your customers cannot be used as the launch point. Sample procedures for the latter are explained at BCP38.info.
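As an added example (not from the original post or the linked articles), here is the server-side part of that advice as a small audit script for the reference ntpd, the daemon that implements monlist: it checks an ntp.conf for the two settings that stop monlist answers and shows an exposed and a hardened configuration side by side. Both configs are constructed samples; the hostnames and paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the linked articles: audit an
# ntp.conf for the reference ntpd (the daemon that implements monlist) for
# the two settings that stop it answering monlist, and show a hardened file.
# The configs below are constructed samples.

# Constructed: the sort of config that leaves monlist open. There is no
# "disable monitor" and no default restriction, so anyone may query.
WEAK_CONF='driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict 127.0.0.1
'

# Constructed: hardened form. "noquery" on the default restriction refuses
# ntpq/ntpdc (mode 6 and mode 7) queries from everyone except the listed
# local addresses, and "disable monitor" turns off the recent-clients list
# that monlist would return even if a query got through.
HARDENED_CONF='driftfile /var/lib/ntp/drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
'

# Config text on stdin with comments and blank lines stripped.
ntp_conf_lines() {
    sed 's/#.*//' | awk 'NF'
}

# Succeeds if a default restriction exists and every one of them
# ("restrict default", "restrict -4 default", "restrict -6 default")
# carries noquery.
has_default_noquery() {
    ntp_conf_lines | awk '
        $1 == "restrict" && ($2 == "default" || (($2 == "-4" || $2 == "-6") && $3 == "default")) {
            seen = 1
            if ($0 !~ /noquery/) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Succeeds if the monitor facility is switched off.
has_disable_monitor() {
    ntp_conf_lines | awk '
        $1 == "disable" && $2 == "monitor" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Prints "hardened" if either measure is in place, "exposed" otherwise.
monlist_exposure() {
    conf=$(cat)
    if printf '%s\n' "$conf" | has_default_noquery ||
       printf '%s\n' "$conf" | has_disable_monitor; then
        echo hardened
    else
        echo exposed
    fi
}

# Live check of a server you administer (needs ntpdc; not run here). An open
# server lists its recent clients; a hardened one times out or reports an
# error instead. Upgrading ntpd to 4.2.7p26 or later removes monlist entirely.
probe_monlist() {
    ntpdc -n -c monlist "${1:-127.0.0.1}"
}

printf '%s' "$WEAK_CONF"     | monlist_exposure   # exposed
printf '%s' "$HARDENED_CONF" | monlist_exposure   # hardened
```

Run it as `monlist_exposure < /etc/ntp.conf` on each box you time-sync from the internet, then confirm with `probe_monlist your.server` from a host outside your network. The script only covers the server side; it does nothing about the spoofed packets leaving your network, which is the BCP38 filtering on your routers.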


phpMyAdmin

(this post will also appear in our virtual private server blog)

Since phpMyAdmin, the web tool to manage MySQL databases and the underlying server engine, is a frequent (and easy to find!) target of intrusion attempts, we feel it is worth mentioning some aspects and tips that can improve the security of your server, be it a dedicated server or a virtual private server (VPS).

  1. Keep your phpMyAdmin installation up to date. While this doesn't prevent attacks per se, it makes sure that all known bugs have been fixed;
  2. Do not allow anyone to access the setup scripts, or remove them altogether;
  3. Allow access only from trusted IP addresses;
  4. Move the phpMyAdmin installation away from the default path /phpMyAdmin and outside the webserver root;
  5. Possibly even add a further authentication layer (e.g. HTTP authentication at the webserver) in front of the phpMyAdmin login, so that robots and brute-force attackers cannot try MySQL credentials against it directly;

(1) and (2) should be mandatory for every phpMyAdmin installation;

(3) is a good idea, but might not be feasible for you, or the range of allowed IPs is so large that it won’t matter anyway. It also requires some minor webserver configuration changes;

(4) and (5) require additional meddling with the webserver configuration, something that might be hard to do if you are running a control panel on top of your dedicated server or virtual private server.

Please note that intrusions into servers via phpMyAdmin are very common. If you care to have a look at your webserver logfile, you will inevitably find a lot of random accesses to /phpmyadmin in several variations, and hopefully they are all followed by denied or unauthorised response codes (401, 403 or 404) from your webserver. phpMyAdmin is of course not the only way to break in, but an outdated or open phpMyAdmin installation on a server is like a red rag to a bull...
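The log check described above, as an added example that is not part of the original post: shell functions that pull phpMyAdmin-looking requests out of a combined-format access log (Apache's default "combined" LogFormat; nginx's default "combined" has the same layout), summarise how the server answered them, and list every client that got a 2xx. The log lines are constructed samples with addresses from the documentation ranges; the path list in PMA_PATTERN is our own choice of what scanners commonly try.

```shell
#!/bin/sh
# Added example, not from the original post: the log check described above
# as shell functions over combined-format access log text (Apache's default
# "combined" LogFormat; nginx's default "combined" is the same layout).
# Any 2xx answer to a phpMyAdmin-looking path from an address you do not
# recognise means a scanner found a live, reachable installation.

# Constructed access-log lines: a scanner probing common paths and getting
# 404/403, an unknown client reaching the real install (200), and ordinary
# traffic. Addresses are from documentation ranges; the user agent string
# "ZmEu" is what a common phpMyAdmin scanner sends.
SAMPLE_ACCESS_LOG='203.0.113.7 - - [12/Feb/2014:03:14:07 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [12/Feb/2014:03:14:08 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [12/Feb/2014:03:14:09 +0000] "GET /phpMyAdmin-2.11.11/index.php HTTP/1.1" 404 209 "-" "ZmEu"
203.0.113.7 - - [12/Feb/2014:03:14:10 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 403 199 "-" "ZmEu"
198.51.100.23 - - [12/Feb/2014:04:02:51 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2014:04:02:52 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 200 7844 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Feb/2014:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
'

# Path fragments scanners try, matched case-insensitively against the
# request path. Extend the list with whatever your own logs show.
PMA_PATTERN='(^|/)(phpmyadmin[^/]*|myadmin|pma|mysql|dbadmin)(/|$)|setup[.]php'

# Requests that look like phpMyAdmin probes: prints "client status path".
# In the combined format $1 is the client, $7 the request path, $9 the status.
pma_requests() {
    awk -v pat="$PMA_PATTERN" 'tolower($7) ~ pat { print $1, $9, $7 }'
}

pma_request_count() {
    pma_requests | wc -l | tr -d ' '
}

# How the server answered the probes; you want to see only 401/403/404 here.
pma_status_summary() {
    pma_requests | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Clients that got a 2xx for a phpMyAdmin path. Every address listed should
# be one of yours; anything else is a reason to check the phpMyAdmin and
# MySQL logs for that time window.
pma_success_sources() {
    pma_requests | awk '$2 ~ /^2/ { print $1 }' | sort -u
}

# Offline demonstration; for the live log use e.g.
#   pma_success_sources < /var/log/apache2/access.log
printf '%s' "$SAMPLE_ACCESS_LOG" | pma_status_summary
printf '%s' "$SAMPLE_ACCESS_LOG" | pma_success_sources
```

If you have applied tip (3), the output of pma_success_sources should contain only your trusted addresses; if you have applied tip (4) as well, a 200 on any of the default paths means something is wrong with the move. Put the two functions in a daily cron job that mails you when pma_success_sources prints an address you did not expect.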

phpMyAdmin is not being updated that frequently, but when a security issue arises you should be quick to close that door. Consider going for the managed option with your contract: it takes this load off your shoulders and gives you peace of mind, as such options typically cover security updates.