ASSP Install On Ubuntu

Install Ubuntu Server 13.04 with openssh-server selected during setup, update & upgrade it.

Install necessary software:

$ sudo apt-get install build-essential pmtools libterm-readline-perl-perl libterm-readline-gnu-perl libyaml-perl libtext-glob-perl libnumber-compare-perl libio-compress-perl libemail-mime-perl libemail-send-perl libemail-valid-perl libfile-readbackwards-perl libwww-perl libmime-types-perl libmail-dkim-perl libmail-spf-perl libmail-srs-perl libnet-cidr-lite-perl libnet-dns-perl libnet-ldap-perl libnet-smtp-server-perl libthreads-perl libthread-queue-any-perl libtie-dbi-perl libschedule-cron-perl libio-socket-ssl-perl libdbd-anydata-perl libdbd-csv-perl libdbd-ldap-perl libdbd-mock-perl libdbd-odbc-perl libdbd-mysql-perl libfile-find-rule-perl libfile-slurp-perl libfile-which-perl libfile-chmod-perl liblinux-usermod-perl libcrypt-rc4-perl libtext-pdf-perl libsmart-comments-perl libcam-pdf-perl libpdf-api2-perl imagemagick perlmagick poppler-utils xpdf libauthen-sasl-perl libnet-snmp-perl libsnmp-base libsnmp-dev libsnmp-perl snmp libsnmp-*-perl libsnmpkit-dev libregexp-optimizer-perl libnet-smtp-tls-perl liblingua-stem-snowball-perl liblingua-identify-perl unzip libberkeleydb-perl

$ sudo apt-get install tesseract-ocr tesseract-ocr-*

$ sudo apt-get install libmodule-signature-perl libtest-pod-perl libtest-pod-coverage-perl libarchive-zip-perl

$ sudo apt-get install libssl-dev

$ sudo cpan

[…]

Would you like to configure as much as possible automatically? [yes]

[…]

Would you like me to automatically choose some CPAN mirror
sites for you? (This means connecting to the Internet) [yes]

cpan> install Test::Perl::Critic

cpan> install CPAN

cpan> reload cpan

cpan> force install Mail::SPF::Query

cpan> install Net::IP::Match::Regexp Net::SenderBase Net::Syslog Thread::State Sys::MemInfo Crypt::CBC Crypt::OpenSSL::AES DBD::Log DBD::MVS_FTPSQL DBD::Multiplex DBD::Ovrimos DBD::PgPP DBD::Sprite DBD::Template DBD::mysqlPP DBIx::AnyDBD LEOCHARRE::DEBUG LEOCHARRE::CLI PDF::Burst Image::OCR::Tesseract PDF::GetImages PDF::OCR PDF::OCR2 Mail::DKIM::Verifier Convert::Scalar Unicode::GCString Sys::CpuAffinity

cpan> exit

$ sudo apt-get install clamav clamav-daemon
$ sudo freshclam
$ sudo /etc/init.d/clamav-daemon start
$ sudo apt-get install libfile-scan-perl
$ sudo cpan
cpan[1]> test File::Scan::ClamAV
cpan[1]> look File::Scan::ClamAV
root@antispam:~/.cpan/build/File-Scan-ClamAV-1.91-Ik8fWD# make install
root@antispam:~/.cpan/build/File-Scan-ClamAV-1.91-Ik8fWD# exit
cpan[1]> exit

$ wget http://kaz.dl.sourceforge.net/project/assp/ASSP%20V2%20multithreading/2.3.3%2013137/ASSP_2.3.3_13137_install.zip
$ unzip ASSP_2.3.3_13137_install.zip
$ sudo mkdir -p /usr/share/assp
$ sudo mv -f assp/* /usr/share/assp
$ rm -rf assp ASSP_2.3.3_13137_install.zip Install.txt MacOSX-launchd.txt quickstart.txt Win32-quickstart-guide.txt
$ sudo chown -R nobody:nogroup /usr/share/assp
$ sudo chmod 755 /usr/share/assp/assp.pl
$ sudo nano /etc/init.d/assp

Contents:

===
#!/bin/sh -e
# Start or stop ASSP
#
# original version by Ivo Schaap <ivo@lineau.nl> had issues on Debian4. Modified by atramos.
#
### BEGIN INIT INFO
# Provides:          ASSP (Anti-Spam SMTP Proxy)
# Required-Start:    $syslog, $local_fs
# Required-Stop:     $syslog, $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start ASSP
# Description:       Enable service provided by daemon.
### END INIT INFO

PATH=/bin:/usr/bin:/sbin:/usr/sbin

case "$1" in

start)
echo -n "Starting the Anti-Spam SMTP Proxy"
cd /usr/share/assp
# Redirect stdout first, then point stderr at it, so both are discarded
perl assp.pl > /dev/null 2>&1 &
;;

stop)
echo -n "Stopping the Anti-Spam SMTP Proxy"
# Kill the PID(s) that ps reports for the running assp.pl
kill -9 $(ps ax | grep "perl assp.pl" | grep -v grep | awk '{ print $1 }')
;;

restart)
$0 stop || true
$0 start
;;

*)
echo "Usage: /etc/init.d/assp {start|stop|restart}"
exit 1
;;

esac

exit 0
===

$ sudo chmod 755 /etc/init.d/assp
$ sudo /usr/share/assp/assp.pl

all must be [OK]

press Ctrl+C

$ sudo update-rc.d assp defaults
$ sudo /etc/init.d/assp start

go to antispam_host:55555

login:root
pass:nospam4me

Enjoy!

Credit: vladon

Updating PXE Image for GHOST

Prerequisites

  1. A technician computer running Windows 8.1 or Windows Server 2012 R2
  2. Download and install Windows ADK for Windows 8.1
  3. Find the boot.wim for winpe-512 in C:\ProgramData\Symantec\Ghost\Template\common\winpe-512\sources.
  4. Extract the contents of boot.wim using a utility like 7zip.
  5. From the 2 directory of the extracted boot.wim, find the ghost folder and startnet.cmd from the Windows/System32 folder. Save these for use in the next section.

Build PE

  1. On your technician computer, click Start, and type deployment. Right-click Deployment and Imaging Tools Environment and then select Run as administrator.
  2. At the command prompt run the following commands to copy WinPE (x86, not amd64) and mount the boot image.
    • copype x86 C:\WinPE_x86
    • Dism /Mount-Image /ImageFile:"C:\WinPE_x86\media\sources\boot.wim" /index:1 /MountDir:"C:\WinPE_x86\mount"
  3. Using the files saved in Prereqs step 5 above, copy the following files and folders:
    1. Copy the ghost folder to C:\WinPE_x86\mount
    2. Copy startnet.cmd to C:\WinPE_x86\mount\Windows\System32, overwriting the previous file
  4. From C:\ProgramData\Symantec\Ghost\Template\common\winpe-512 on your GSS Server, copy the ghost and pxe folders to C:\WinPE_x86\media
  5. Add drivers if needed (not likely if using Windows 8.1)
    • Single Driver (recommended)
    • Dism /Add-Driver /Image:"C:\WinPE_x86\mount" /Driver:"C:\GhostDrivers\driver.inf"
    • Multiple Drivers
    • Dism /Add-Driver /Image:"C:\WinPE_x86\mount" /Driver:"C:\GhostDrivers" /Recurse
  6. Save and unmount the PE boot image
    • Dism /Unmount-Image /MountDir:"C:\WinPE_x86\mount" /commit

Copy to GSS

  1. On your GSS server, open Symantec Ghost Boot Wizard
  2. Make a copy of WinPE-512 and name it WinPEv50
  3. Select OK until WinPE is copied and then Cancel out of the Wizard.
  4. Find the folder for WinPEv50. On Vista and Server 2008 or later it will be located in C:\ProgramData\Symantec\Ghost\Template\common
  5. Delete everything in C:\ProgramData\Symantec\Ghost\Template\common\WinPEv50 except drivers.manifest.txt, manifest.txt, and pci.manifest.txt
  6. Copy everything from C:\WinPE_x86\media on your technician computer to C:\ProgramData\Symantec\Ghost\Template\common\WinPEv50 on your GSS server
  7. Open manifest.txt and delete the unattend and checkDrivers steps and save (you may have to copy the file to your desktop, edit, save, then copy back to the WinPEv50 folder). The unattend step is the one that fails on Windows 8 clients and shouldn’t be needed if your network is DHCP. GSS can’t check the drivers in the PE we are creating so we also need to remove this step or tasks will fail.
  8. Select WinPEv50 as the PreOS on a test machine and test.

Issues

Any changes have to be done manually. They cannot be made using the Ghost Boot Wizard.

Bonus Extra

You can use the boot.wim from C:\WinPE_x86\media\sources to create a boot image in WDS.

Source Article

Block IP Using IPTABLES

To block a single host, or a range of hosts from accessing a server you can use the following command(s):

# iptables -I INPUT -s 1.2.3.4 -j DROP
# iptables -I INPUT -s 1.2.0.0/16 -j DROP

Those are temporary rules and if the server is rebooted they will not be present.
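
One way to apply the rule once and keep it across reboots, as an added example that is not from the original post: it validates the source, skips the insert when `iptables -C` finds the rule already present, and saves the rule set. The function names and the RULES_FILE default (/etc/iptables/rules.v4, the file the iptables-persistent package loads at boot on Debian and Ubuntu) are assumptions.

```shell
#!/bin/sh
# Added example: validate a source, insert the DROP rule once, then save the
# rule set so it survives a reboot. RULES_FILE assumes iptables-persistent.

IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# Succeed for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_source() {
    addr=${1%%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr                      # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Insert a DROP rule for $1 at the top of INPUT unless one is already there.
block_source() {
    valid_source "$1" || { echo "refusing invalid source: $1" >&2; return 2; }
    if $IPTABLES -C INPUT -s "$1" -j DROP 2>/dev/null; then
        return 0                      # already blocked; do not stack duplicates
    fi
    $IPTABLES -I INPUT -s "$1" -j DROP
}

# Write the running rule set where the boot-time loader will find it.
persist_rules() {
    tmp="$RULES_FILE.new"
    $IPTABLES_SAVE > "$tmp" && mv "$tmp" "$RULES_FILE"
}

# Offline demonstration of the validation step (constructed inputs).
for s in 1.2.3.4 1.2.0.0/16 1.2.3.256 1.2.3.4/33; do
    valid_source "$s" && echo "$s accepted" || echo "$s rejected"
done

# As root: block_source 1.2.3.4 && block_source 1.2.0.0/16 && persist_rules
```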

OpenSSL – Private Keys & Certificate Request

Private Keys:

HOWTO keys

1. Introduction

Keys are the basis of public key algorithms and PKI. Keys usually
come in pairs, with one half being the public key and the other half
being the private key. With OpenSSL, the private key contains the
public key information as well, so a public key doesn’t need to be
generated separately.

Public keys come in several flavors, using different cryptographic
algorithms. The most popular ones associated with certificates are
RSA and DSA, and this HOWTO will show how to generate each of them.

2. To generate a RSA key

A RSA key can be used both for encryption and for signing.

Generating a key for the RSA algorithm is quite easy, all you have to
do is the following:

openssl genrsa -des3 -out privkey.pem 2048

With this variant, you will be prompted for a protecting password. If
you don’t want your key to be protected by a password, remove the flag
‘-des3’ from the command line above.

NOTE: if you intend to use the key together with a server
certificate, it may be a good thing to avoid protecting it
with a password, since that would mean someone would have to
type in the password every time the server needs to access
the key.

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for RSA keys, as fewer bits are considered
insecure or soon to be insecure.

3. To generate a DSA key

A DSA key can be used for signing only. This is important to keep
in mind to know what kind of purposes a certificate request with a
DSA key can really be used for.

Generating a key for the DSA algorithm is a two-step process. First,
you have to generate parameters from which to generate the key:

openssl dsaparam -out dsaparam.pem 2048

The number 2048 is the size of the key, in bits. Today, 2048 or
higher is recommended for DSA keys, as fewer bits are considered
insecure or soon to be insecure.

When that is done, you can generate a key using the parameters in
question (actually, several keys can be generated from the same
parameters):

openssl gendsa -des3 -out privkey.pem dsaparam.pem

With this variant, you will be prompted for a protecting password. If
you don’t want your key to be protected by a password, remove the flag
‘-des3’ from the command line above.

NOTE: if you intend to use the key together with a server
certificate, it may be a good thing to avoid protecting it
with a password, since that would mean someone would have to
type in the password every time the server needs to access
the key.


Richard Levitte


 

Certificates

HOWTO certificates

1. Introduction

How you handle certificates depends a great deal on what your role is.
Your role can be one or several of:

– User of some client software
– User of some server software
– Certificate authority

This file is for users who wish to get a certificate of their own.
Certificate authorities should read ca.txt.

In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. The name is openssl.cnf, and
is better described in another HOWTO <config.txt?>. If you want to
use a different configuration file, use the argument ‘-config {file}’
with the command shown below.

2. Relationship with keys

Certificates are related to public key cryptography by containing a
public key. To be useful, there must be a corresponding private key
somewhere. With OpenSSL, public keys are easily derived from private
keys, so before you create a certificate or a certificate request, you
need to create a private key.

Private keys are generated with ‘openssl genrsa’ if you want a RSA
private key, or ‘openssl gendsa’ if you want a DSA private key.
Further information on how to create private keys can be found in
another HOWTO <keys.txt?>. The rest of this text assumes you have
a private key in the file privkey.pem.

3. Creating a certificate request

To create a certificate, you need to start with a certificate
request (or, as some certificate authorities like to put
it, “certificate signing request”, since that’s exactly what they do,
they sign it and give you the result back, thus making it authentic
according to their policies). A certificate request can then be sent
to a certificate authority to get it signed into a certificate, or if
you have your own certificate authority, you may sign it yourself, or
if you need a self-signed certificate (because you just want a test
certificate or because you are setting up your own CA).

The certificate request is created like this:

openssl req -new -key privkey.pem -out cert.csr

Now, cert.csr can be sent to the certificate authority, if they can
handle files in PEM format. If not, use the extra argument ‘-outform’
followed by the keyword for the format to use (see another HOWTO
<formats.txt?>). In some cases, that isn’t sufficient and you will
have to be more creative.

When the certificate authority has then done the checks they need to
do (and probably gotten payment from you), they will hand over your
new certificate to you.

Section 5 will tell you more on how to handle the certificate you
received.

4. Creating a self-signed test certificate

If you don’t want to deal with another certificate authority, or just
want to create a test certificate for yourself. This is similar to
creating a certificate request, but creates a certificate instead of
a certificate request. This is NOT the recommended way to create a
CA certificate, see ca.txt.

openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

5. What to do with the certificate

If you created everything yourself, or if the certificate authority
was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else. Depending on your
applications, this may be perfectly OK, it all depends on what they
know how to decode. If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

So, depending on your application, you may have to convert your
certificate and your key to various formats, most often also putting
them together into one file. The ways to do this are described in
another HOWTO <formats.txt?>, I will just mention the simplest case.
In the case of a raw DER thing in PEM format, and assuming that’s all
right for your applications, simply concatenating the certificate and
the key into a new file and using that one should be enough. With
some applications, you don’t even have to do that.

By now, you have your certificate and your private key and can start
using the software that depends on it.


Richard Levitte
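
The steps from the two HOWTOs above as one non-interactive script, added here as an example and not part of the HOWTO text: it generates the key, the request and the self-signed test certificate, then checks that the request's signature verifies and that all three carry the same public key. The subject /CN=example.test, the temporary directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): key -> request -> self-signed test
# certificate, each step checked. Subject and file names are assumptions.

SUBJECT="/CN=example.test"   # constructed subject; replace with your own

# Keys HOWTO section 2, without -des3: an unencrypted 2048-bit RSA key.
# The umask keeps the key file readable by its owner only.
make_key() {
    ( umask 077 && openssl genrsa -out "$1" 2048 ) 2>/dev/null
}

# Certificates HOWTO section 3; -subj answers the prompts up front.
make_csr() {
    openssl req -new -key "$1" -out "$2" -subj "$SUBJECT"
}

# Section 4: a self-signed test certificate valid for 1095 days.
make_selfsigned() {
    openssl req -new -x509 -key "$1" -out "$2" -days 1095 -subj "$SUBJECT"
}

# Print the PEM public key held in a private key, a request or a certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# True only if both objects hold the same, non-empty public key.
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if the request's own signature verifies, i.e. whoever made it held
# the private key. The message is matched because not every release signals
# a failed check through its exit status.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

run_demo() {
    dir=$(mktemp -d) || return 1
    make_key "$dir/privkey.pem" &&
    make_csr "$dir/privkey.pem" "$dir/cert.csr" &&
    make_selfsigned "$dir/privkey.pem" "$dir/cacert.pem" &&
    csr_signature_ok "$dir/cert.csr" &&
    same_pubkey key "$dir/privkey.pem" csr "$dir/cert.csr" &&
    same_pubkey key "$dir/privkey.pem" cert "$dir/cacert.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}

run_demo && echo "key, request and certificate agree"
```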


Testing a Connection

openssl s_client -connect www.paypal.com:443

Cannot FAX or Dial Out with NeoPost over Cisco SPA112

A few weeks ago at work we upgraded our phone system to an Asterisk based VoIP PBX. We utilized a Cisco SPA112 to provide analog connectivity for our fax machine and the NeoPost postage meter. While receiving faxes was all well and good we realized that we could not send them out nor could our postage meter dial up to the post office to purchase postage. This was due to the dial tone going to fast-busy too quickly before either device started to dial the destination number. To extend this time, there are a few values you will need to change in your SPA configuration.

Login to your SPA112 and go to the Voice tab

The default call tones allow for only 10 seconds to start dialing. Update the following tones to allow for 30 seconds:

Dial Tone: 350@-19,440@-19;30(*/0/1+2)
Second Dial Tone: 420@-19,520@-19;30(*/0/1+2)
Outside Dial Tone: 420@-19;30(*/0/1)
MWI Dial Tone: 350@-19,440@-19;2(.1/.1/1+2);30(*/0/1+2)
Cfwd Dial Tone: 350@-19,440@-19;2(.2/.2/1+2);30(*/0/1+2)

Then go to the Control Timers Values section.
Set your Interdigit Long Timer and Interdigit Short Timer to 10 seconds.

This should give your analog devices ample time to begin the dial out process.

hMailServer Anti Spam Settings

Update: 12/19/2015

While the below settings work well for the built in hMailServer anti spam, I have since moved to ASSP on a separate server for spam filtering.  It is by far the most effective solution I have ever used and I highly recommend it!  As a basis for comparison, when I was using the below setup I would routinely get 5+ spam emails a day slip through the filter.  Now that I have ASSP well tuned and up and running for 6 months I may get 1 spam per week that slipped through.


 

Antispam->General
Spam Mark Threshold = 6
Spam Delete Threshold = 9
Max Message Size to Scan = 1024
All tickboxes selected.

Antispam->Spam Tests
Use SPF = 3
Check host in HELO = 2
Check DNS MX = 2
Verify DKIM = 5

Antispam->Tarpitting
Count 0
Delay 15

Antispam->DNS Blacklists
zen.spamhaus.org | 127.0.0.* | Server rejected by http://www.spamhaus.org/zen/ | Score = 5 | (Old Settings 127.0.0.2-8|127.0.0.10-11)
psbl.surriel.com | 127.0.0.* | Server rejected by surriel.com | Score = 1
b.barracudacentral.org | 127.0.0.* | Server rejected by barracuda | Score = 4
bl.spamcop.net | 127.0.0.* | Server rejected by SpamCop.net | Score = 4
dnsbl.sorbs.net | 127.0.0.* | Server rejected by Sorbs.net | Score = 1

Antispam->SURBL Servers
multi.surbl.org | Rejected by SURBL | Score = 4

Antispam->Greylisting
Minutes to Defer = 1
Days to remove unused = 1
Days to remove used = 72
Tick Bypass on SPF

WordPress Force Login WP-Cron & BackWPup Not Working

When using the Force Login plugin for WordPress by Kevin Vess, you will notice that WP-Cron and external links to launch backups for BackWPup no longer work.

Thankfully, the developer wrote some fixes for this; however, applying them can be confusing if you have no programming experience.

To enable XMLRPC, edit wp-force-login.php in the plugin directory, and replace the second function in the file with the one from his GitHub.

For my particular use case, I needed to be able to call a backup job for BackWPup from one of my other servers with curl.  I used his fix for WP-Cron, but edited it to not require authentication from my home server’s public IP address.  There was also a small syntax error that needed correcting.  Again, we will be replacing the second function in the plugin.

Original Plugin file:

<?php
/*
Plugin Name: Force Login
Plugin URI: http://vess.me/
Description: Easily hide your WordPress site from public viewing by requiring visitors to log in first. Activate to turn on.
Version: 2.1
Author: Kevin Vess
Author URI: http://vess.me/
License: GPLv2 or later
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

function v_getUrl() {
  $url  = isset( $_SERVER['HTTPS'] ) && 'on' === $_SERVER['HTTPS'] ? 'https' : 'http';
  $url .= '://' . $_SERVER['SERVER_NAME'];
  $url .= in_array( $_SERVER['SERVER_PORT'], array('80', '443') ) ? '' : ':' . $_SERVER['SERVER_PORT'];
  $url .= $_SERVER['REQUEST_URI'];
  return $url;
}
function v_forcelogin() {
  $url = v_getUrl();
  if( !is_user_logged_in() && preg_replace('/\?.*/', '', $url) != preg_replace('/\?.*/', '', wp_login_url()) ) {
    wp_safe_redirect( wp_login_url( $url ), 302 ); exit();
  }
}
add_action('init', 'v_forcelogin');

Edited plugin to allow WP-Cron to function:

<?php
/*
Plugin Name: Force Login
Plugin URI: http://vess.me/
Description: Easily hide your WordPress site from public viewing by requiring visitors to log in first. Activate to turn on.
Version: 2.1
Author: Kevin Vess
Author URI: http://vess.me/
License: GPLv2 or later
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

function v_getUrl() {
  $url  = isset( $_SERVER['HTTPS'] ) && 'on' === $_SERVER['HTTPS'] ? 'https' : 'http';
  $url .= '://' . $_SERVER['SERVER_NAME'];
  $url .= in_array( $_SERVER['SERVER_PORT'], array('80', '443') ) ? '' : ':' . $_SERVER['SERVER_PORT'];
  $url .= $_SERVER['REQUEST_URI'];
  return $url;
}
function v_forcelogin() {
  $url = v_getUrl();
  if( !is_user_logged_in() && preg_replace('/\?.*/', '', $url) != preg_replace('/\?.*/', '', wp_login_url()) ) {
    if( $_SERVER['REMOTE_ADDR'] != 'xxx.xxx.xxx.xxx' ) {
      wp_safe_redirect( wp_login_url( $url ), 302 ); exit();
    }
  }
}
add_action('init', 'v_forcelogin');

Make sure the IP address from which you need to connect without authentication is wrapped in apostrophes, e.g.:

 != '127.0.0.1'