Set the localhost parameter when using PEAR::Mail

If you are using the PEAR::Mail PHP package to send emails from your server, remember to set the localhost parameter (i.e. $params['localhost'] = 'yourhost.com';). If you don't set it, the hostname your server announces as the originating server in the SMTP HELO/EHLO will be "localhost". While this won't stop the email being sent, SpamAssassin will mark the message as spam, which is not good if you want your emails to be received.

This little gotcha recently bit me. I hadn't set the localhost parameter and only noticed when I had upgraded SpamAssassin and found my test emails ending up in my junk mail folder.

As for why you might want to use PEAR::Mail over the normal PHP mail() function, the main reason is that you can control which SMTP server your mail is sent out through. This control is very useful if you are testing your system on one server and sending the emails out via another server.
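A quick way to catch this gotcha before SpamAssassin does is to audit the code base for PEAR::Mail SMTP setups that never set localhost. The script below is an added example, not code from the original post or from PEAR: it greps PHP files for Mail::factory('smtp', ...) and checks that a 'localhost' key is present somewhere in the parameter array. The function names (check_pear_mail_localhost, flagged_files, make_samples) and the two sample PHP files are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post. A small audit that flags
# PHP files which build a PEAR::Mail SMTP backend without a "localhost"
# entry in the parameter array. Function names and the two sample files
# are constructed for this example.

# Exit 0 when FILE does not use Mail::factory('smtp', ...), or uses it and
# also sets the localhost parameter; exit 1 when the smtp backend is used
# but localhost is never set (the HELO/EHLO would then announce "localhost").
check_pear_mail_localhost() {
    file="$1"
    if ! grep -Eq "Mail::factory\(['\"]smtp['\"]" "$file"; then
        echo "skip: $file does not use the PEAR::Mail smtp backend"
        return 0
    fi
    # Matches 'localhost' => ... in an array literal and $params["localhost"] = ...
    if grep -Eq "['\"]localhost['\"][[:space:]]*(=>|\])" "$file"; then
        echo "ok:   $file sets the localhost parameter"
        return 0
    fi
    echo "WARN: $file uses the smtp backend but never sets localhost" >&2
    return 1
}

# Print every .php file under DIR that the check above flags.
flagged_files() {
    find "$1" -name '*.php' | while IFS= read -r f; do
        check_pear_mail_localhost "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# Constructed samples in a scratch directory: good.php sets localhost,
# bad.php leaves it out. Prints the directory path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.php" <<'EOF'
<?php
// constructed sample: localhost is set, so HELO carries the real hostname
require_once 'Mail.php';
$params = array(
    'host'      => 'mail.example.com',
    'port'      => 25,
    'localhost' => 'www.example.com',
);
$mail = Mail::factory('smtp', $params);
EOF
    cat > "$dir/bad.php" <<'EOF'
<?php
// constructed sample: no localhost key, so HELO will say "localhost"
require_once 'Mail.php';
$params["host"] = "mail.example.com";
$mail = Mail::factory("smtp", $params);
EOF
    echo "$dir"
}

# Demo run over the constructed samples.
SAMPLES=$(make_samples)
for f in "$SAMPLES"/*.php; do
    check_pear_mail_localhost "$f" || true
done
rm -rf "$SAMPLES"
```

Run flagged_files against your web root and fix every file it lists. The check is a plain text match, so a parameter array assembled in another file or built dynamically will show up as a false positive; in that case verify the HELO directly by sending a test message to yourself and reading the Received headers.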

How to stop ssh being hammered by script kiddies

If you ever look at your server logs you will see hundreds (if not thousands) of attempts by script kiddies to log in over ssh. On my main Linux server I get around 200 attempts a day. Below is part of a typical day's pounding.

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host 64.183.196.194 has been blocked via wrappers with string: "ALL: 64.183.196.194"
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:14 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:14 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 11:06:15 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 to TCP port: 22
Sep 12 11:06:15 226 portsentry[2618]: attackalert: Host: rrcs-64-183-196-194.sw.biz.rr.com/64.183.196.194 is already blocked Ignoring
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: Host 125.22.246.140 has been blocked via wrappers with string: "ALL: 125.22.246.140"
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: Host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 is already blocked Ignoring
Sep 12 12:10:30 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 to TCP port: 22
Sep 12 12:10:30 226 portsentry[2618]: attackalert: Host: dsl-TN-static-140.246.22.125.airtelbroadband.in/125.22.246.140 is already blocked Ignoring
Sep 12 16:04:44 226 portsentry[2618]: attackalert: TCP SYN/Normal scan from host: 82.138.34.109/82.138.34.109 to TCP port: 22
Sep 12 16:04:44 226 portsentry[2618]: attackalert: Host 82.138.34.109 has been blocked via wrappers with string: "ALL: 82.138.34.109"

As you can see, the kiddies are trying to connect to ssh on port 22. One of the simplest things you can do to improve ssh security is to move sshd away from the default port 22 and close port 22 (while you are at it you might as well close the telnet port 23).

To do this, open the sshd_config file (I like to use nano) and change the default port from 22 to any other port that is not in use (under 1024 is a good idea). The sshd_config file is usually located in /etc/ssh; if not, look for it with find (i.e. find / -name 'sshd_config').

Restart sshd and log in using ssh -p [new port] user@serveraddress (e.g. ssh -p 999 daniel@tillett.com). This will solve most of the problem, but it is also a good idea to refuse all connections on port 22. I will leave how to do that for another post.
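The steps above can be scripted so the edit is reviewable before it touches the live daemon. The script below is an added example, not code from the original post: it rewrites the Port directive in a copy of sshd_config, rejects nonsense values, and reports which port the file would make sshd listen on. The function names (set_sshd_port, effective_sshd_port, make_sample_config) and the sample config are constructed for this example; the sshd -t check and the restart are left to you because they need root and a real host.

```sh
#!/bin/sh
# Added example, not code from the original post. It changes the Port in a
# COPY of sshd_config so the edit can be reviewed (and checked with
# "sshd -t -f <copy>") before it is installed. The function names and the
# sample config below are constructed for this example.

# Port sshd would listen on for this config: the first active "Port" line,
# or 22 when there is none (sshd's default).
effective_sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# Rewrite CFG so it has exactly one Port line, placed at the top (Port is
# not allowed inside a Match block, so appending at the end is unsafe).
# Every existing Port line, active or commented out like "#Port 22", is
# dropped. Rejects non-numeric and out-of-range values.
set_sshd_port() {
    cfg="$1"; new="$2"
    case "$new" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be a number" >&2; return 1 ;;
    esac
    if [ "$new" -lt 1 ] || [ "$new" -gt 65535 ]; then
        echo "set_sshd_port: port $new out of range" >&2; return 1
    fi
    tmp="$cfg.tmp"
    {
        printf 'Port %s\n' "$new"
        grep -Ev '^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]+[0-9]+' "$cfg" || true
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Constructed sample sshd_config (not a real server's file); prints its path.
make_sample_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
#Port 22
#AddressFamily any
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    echo "$cfg"
}

# Demo on the constructed copy. On a real host: run set_sshd_port on a copy
# of /etc/ssh/sshd_config, validate it with "sshd -t -f <copy>", install it,
# restart sshd, and confirm "ssh -p <new port> user@host" works from a
# second terminal before closing the session you are already in.
CFG=$(make_sample_config)
echo "before: port $(effective_sshd_port "$CFG")"
set_sshd_port "$CFG" 999
echo "after:  port $(effective_sshd_port "$CFG")"
cat "$CFG"
rm -f "$CFG"
```

Keep the existing ssh session open until a second login on the new port succeeds; if the firewall or a typo blocks the new port, that open session is the only way back in. Choosing a port under 1024 has the side benefit that no unprivileged process can grab it if sshd ever stops.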

I should add that this is not a substitute for security, but it does stop your logs from being filled with garbage.

Removing all files older than X days

This is just a little Linux command line hack for removing all files older than X days (substitute X with the number of days):

find /[path]/* -mtime +X -exec rm -rf {} \;

e.g. "find /var/www/html/* -mtime +3 -exec rm -rf {} \;" to delete all files in the html directory older than 3 days.

Before running this you can check what will be deleted by running the following:

find /[path]/* -mtime +X -exec ls -la {} \;
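Two things catch people with this one-liner: the /[path]/* glob is expanded by the shell (so dotfiles are skipped and a very large directory overflows the argument list), and when a directory matches, find deletes it and then tries to descend into it, spraying "No such file or directory" errors. The script below is an added example, not code from the original post: it wraps the same find expression with -mindepth 1 (so the path itself is never removed) and -prune (so find does not walk into a directory it has just handed to rm), and it keeps the dry run as a separate function. The function names (list_older_than, purge_older_than, make_sandbox, count_entries) and the backdated sample files are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post: a wrapper around the
# "find ... -mtime +X" one-liner with a separate dry run. Function names
# and the sandbox contents are constructed for this example.

# Print what would be removed: everything under DIR (never DIR itself)
# whose modification time is more than DAYS days ago. -prune stops find
# descending into a directory that is itself about to be removed.
list_older_than() {
    dir="$1"; days="$2"
    find "$dir" -mindepth 1 -mtime +"$days" -prune -print
}

# Remove the same set. Quoting "$dir" instead of using "$dir/*" avoids the
# shell glob, which skips dotfiles and fails on very large directories.
purge_older_than() {
    dir="$1"; days="$2"
    find "$dir" -mindepth 1 -mtime +"$days" -prune -exec rm -rf {} \;
}

# Count entries under DIR (files and directories, any depth).
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Constructed sandbox: one fresh file, one stale file, and one stale
# directory with a file inside. Stale entries are backdated to 2000-01-01.
# Prints the sandbox path.
make_sandbox() {
    sb=$(mktemp -d)
    touch "$sb/fresh.log"
    mkdir "$sb/old_dir"
    touch "$sb/old_a.log" "$sb/old_dir/inner.log"
    touch -t 200001010000 "$sb/old_a.log" "$sb/old_dir/inner.log" "$sb/old_dir"
    echo "$sb"
}

# Demo run on the constructed sandbox with X = 3 days.
SANDBOX=$(make_sandbox)
echo "would remove:"
list_older_than "$SANDBOX" 3
purge_older_than "$SANDBOX" 3
echo "remaining:"
find "$SANDBOX" -mindepth 1
rm -rf "$SANDBOX"
```

Always run list_older_than first and read the output; -mtime looks only at modification time, so files restored from backup or copied with preserved timestamps can be "old" the moment they land and will go on the next run.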