Everything posted by Netino
-
Updating ModSecurity to 2.9.8
What webserver(s) you use?
-
Solution for returning attackers when restarting CSF
To check it against PCRE, could you post just one line from your logs that is not being caught? Regards, Netino
-
security for /usr/local/apache/autossl_tmp and it's sub folder
It's a bit hard to know exactly what problem you're trying to solve. It seems like there are a lot of requests for non-existent files, is that it? But apparently you're trying to solve this through the web server itself. But it seems your logs are from nginx, and your configuration is for apache. Surely, I would recommend installing ModSecurity, and a firewall like csf. But I still can't tell if this is a good solution, because I don't quite understand the problem you're having. Regards, Netino
-
CWP update ModSecurity to 3.0.12 with OWASP Ruleset 4.0.7?
The latest version of ModSecurity V3 is 3.0.12. It's important not to confuse ModSecurity 3.0.x with the OWASP core ruleset 3.0.x. Like I said, apache doesn't work fully with ModSecurity 3.0.x. This is documented on the ModSecurity site (taken over by the OWASP team in July this year). But I myself have apache running normally with OWASP core ruleset 4.7.x, since 3.x up to 4.x. Maybe the LFD problem can be solved with a few adjustments in the ErrorLogFormat directive, to make it work.
-
CWP update ModSecurity to 3.0.12 with OWASP Ruleset 4.0.7?
To use ModSecurity V3 (libmodsecurity), it is necessary to use the ModSecurity-apache connector. This project is under development and not production-ready. The functionality is not complete, so we cannot use it with Apache HTTP Server. There is a note on that page: "NOTE: This project is not production ready This project should be considered under development and not production ready. The functionality is not complete and so should not be used. With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x. "
-
CWP update ModSecurity to 3.0.12 with OWASP Ruleset 4.0.7?
Unfortunately, apache does not work with the 3.0.x version. Do you use just nginx? In the same way, I have it installed in the cwpsrv server. I can share the (long) command sequence with you, if it would be useful.
-
DKIM signature and OpenSSL 3.0.7
You have two blank 'content_filter' lines, and two 'smtpd_client_restrictions' lines, one with 'permit_sasl_authenticated,reject' and the other blank. But the 'smtpd_client_restrictions' lines seem to have a contradiction. The first is being overridden by the second (if it does not belong to another section). Below is a suggestion for the configuration of the 'smtps' section. Some configurations may be identical to the submission, this is because one configuration is for sending and the other for receiving. Since we will only use service ports that require authentication, they can be identical:

smtps inet n - n - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

"-o syslog_name=postfix/smtps" indicates that the activities will be available under the name "postfix/smtps" in the log file.
"-o smtpd_tls_wrappermode=yes" indicates that TLS fallback will be used for email clients that do not support STARTTLS.
"-o smtpd_sasl_path=private/auth" is the authentication format that will be passed to the SASL plugin. This configuration must match the socket file '/var/spool/postfix/private/auth'.
"-o smtpd_client_restrictions=permit_sasl_authenticated,reject" defines the types of requests that will be accepted from clients.
"-o milter_macro_daemon_name=ORIGINATING" is the name of the email filter process macro.

Check the existence of your socket file in /var/spool/postfix/private/auth. Check too if you opened port 465 in your firewall. And check too if your certificates are valid and are being pointed to and used in the '/etc/postfix/vmail_ssl.map' file.
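The duplicated "-o" lines are the kind of thing that is easy to miss by eye. The following is an added example (not part of Netino's post, and not a Postfix tool) that parses a master.cf excerpt, keeps the overrides of each service in order, and reports duplicates together with the value that ends up in effect (Postfix applies the last one), plus any required smtps overrides that are missing or different from what the post suggests. The master.cf excerpt is constructed for the example and reproduces the conflicting smtps section described above.

```python
import re
from collections import defaultdict

# Constructed excerpt of a Postfix master.cf, modelled on the situation in the
# post: the smtps service carries duplicated and conflicting "-o" overrides.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o content_filter=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
  -o content_filter=
"""

# Overrides the post recommends for an authenticated-only smtps service.
REQUIRED_SMTPS = {
    "smtpd_tls_wrappermode": "yes",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
}

OVERRIDE_RE = re.compile(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$")


def parse_master_cf(text):
    """Return {service_name: [(param, value), ...]} preserving override order."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            # Indented line: an "-o name=value" override for the current service.
            if current is None:
                continue
            m = OVERRIDE_RE.match(line)
            if m:
                services[current].append((m.group(1), m.group(2).strip()))
        else:
            current = line.split()[0]  # first column is the service name
            services.setdefault(current, [])
    return services


def audit_service(overrides, required):
    """List duplicate overrides (last value wins) and required ones that are missing or differ."""
    seen = defaultdict(list)
    for name, value in overrides:
        seen[name].append(value)
    findings = []
    for name, values in seen.items():
        if len(values) > 1:
            findings.append(
                f"duplicate -o {name}: {values!r}; effective value is {values[-1]!r}"
            )
    effective = {name: values[-1] for name, values in seen.items()}
    for name, want in required.items():
        got = effective.get(name)
        if got is None:
            findings.append(f"missing -o {name}={want}")
        elif got != want:
            findings.append(f"-o {name} is {got!r}, expected {want!r}")
    return findings


def audit_master_cf(text, service="smtps", required=REQUIRED_SMTPS):
    services = parse_master_cf(text)
    if service not in services:
        return [f"service {service!r} is not defined (is smtps enabled at all?)"]
    return audit_service(services[service], required)


if __name__ == "__main__":
    for finding in audit_master_cf(SAMPLE_MASTER_CF):
        print(finding)
```

Run it against a real file with `audit_master_cf(open("/etc/postfix/master.cf").read())`; an empty list means the smtps service has exactly one copy of each override and the three restrictions above are in effect.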
-
DKIM signature and OpenSSL 3.0.7
Maybe you haven't enabled smtps in your system. Please, post your result from this command:

grep -P "^\s*(smtps|\-o\s*(syslog_name|smtpd_tls_wrappermode|smtpd_sasl_auth_enable|smtpd_relay_restrictions|smtpd_client_restrictions|smtpd_recipient_restrictions|milter_macro_daemon_name|smtpd_sasl_type|smtpd_sasl_path|content_filter|smtpd_proxy_filter))" /etc/postfix/master.cf

Regards, Netino
-
Fix Centos 7 repo due to EOL could not retrieve mirrorlist
These lines are just to make a small correction, due to the fact that the website 'mirror.centos.org' is no longer accessible. So I suggested a fix, to change the CentOS 7 repository addresses to 'vault.centos.org', which is still accessible.
-
Fix Centos 7 repo due to EOL could not retrieve mirrorlist
Before running this script, I would just run:

sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
sed -i 's|#\s*baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*

Regards, Netino
-
Security vulnerability
Ok, thanks. I posted the problem there, but could not show the results of my screen to them, because the system seems to block the message. But I could post the attack URL. Thanks!
-
Security vulnerability
Yes, completely updated. The file was saved within the cwpsrv area, with root user/group ownership. I spent ten days trying configurations with OWASP/Comodo modsecurity, and then I decided to directly test a URL used in the attack, and unbelievably, it works to execute a "ls -alF" command on the server. The only solution I found was to restrict access to the CWP admin panel by IP or authentication.
-
Roundcube internal server error 500
The solution is here: https://www.roundcubeforum.net/index.php?topic=29678.0 Regards, Netino
-
Security vulnerability
Correction: I had all of my 5 servers, geographically in different locations (wow!), compromised, with a proof of concept. Nothing more. A php file was saved with root permissions. But if one file could be saved, any file could be saved with root permissions. And executed...!!! (Is this a large scale attack?!) But my servers weren't really attacked, because I discovered the problem the day after. I'm an experienced admin (first server in 1996), and could stop the attack before the attacker came back. But I'm afraid many people don't know about this until now. I have one solution: make your cwpsrv server protected, either by IP restriction, or with an nginx (cwpsrv) password. The reason cannot be revealed until the CWP Team acknowledges the problem. Create a file /usr/local/cwpsrv/conf/include/security.conf with the following content:

#...
satisfy any;
allow 192.168.1.1/24;
allow 127.0.0.1;
deny all;
auth_basic "Administrator’s Area";
auth_basic_user_file conf/ht_passwd;

Choose your IP addresses, and/or define additional authentication on cwpsrv. (Will be authenticated 2 times) Create a file /usr/local/cwpsrv/conf/ht_passwd with your passwords (the -c flag creates the file; replace <username> with the admin login you want):

# /usr/local/apache/bin/htpasswd -c /usr/local/cwpsrv/conf/ht_passwd <username>

...and restart cwp on the panel, or with the command:

# /scripts/restart_cwpsrv
-
Security vulnerability
How can I alert the development team to a very, very serious security flaw, where it is possible to execute arbitrary commands with root user permission?! I tried to contact support, and they simply disregarded my message saying that I don't have a support "contract". My server was compromised, and I have the URL to replay the attack. Regards, Netino
-
Update CWP RoundCube Mail Version 1.5.8 – Control Web Panel
I had the same internal server error and was unable to resolve the issue until now. Apparently it's something related to the ICU library, which should be >=4.2. Among some installations, I have an old CWP installation and it may be that some necessary libraries have gone missing over time. I disabled WAF and the problem persists. So I decided to follow the workaround pointed out here: https://www.roundcubeforum.net/index.php?topic=29678.0 At least now I can use roundcube. EDIT: Strangely, I checked and the problem was that my old CWP installation didn't have the directory '/usr/local/cwp/php71/php.d', because I had deleted it in the first step "To remove INTL". So I executed the same steps, without removing it, and the problem was solved without the above workaround. Regards, Netino
-
CWP and Rspamd
You can define outgoing limit too, limiting the authenticated user limit: user: limit per authenticated user (useful for outbound limits)
-
CWP and Rspamd
There are some examples here: https://rspamd.com/doc/modules/ratelimit.html You can define any arbitrary limit for your server.

# local.d/ratelimit.conf
rates {
  # Selector based ratelimit
  some_limit = {
    selector = 'user.lower';
    # You can define more than one bucket, however, you need to use array syntax only
    bucket = [
      {
        burst = 100;
        rate = "10 / 1min";
      },
      {
        burst = 10;
        rate = "100 / 1min";
      }
    ]
  }
  # Predefined ratelimit
  to = {
    bucket = {
      burst = 100;
      rate = 0.01666666666666666666; # leak 1 message per minute
    }
  }
  # or define it with selector
  other_limit_alt = {
    selector = 'rcpts:addr.take_n(5)';
    bucket = {
      burst = 100;
      rate = "1 / 1m"; # leak 1 message per minute
    }
  }
}

As that page mentions, "In Rspamd, the fundamental concept of ratelimiting is known as the leaked bucket principle. This approach can be illustrated as a bucket with a limited capacity and a small hole at the bottom. As messages are received, they accumulate in the bucket and are gradually released through the hole, without any delay but instead are counted. Once the bucket’s capacity has been reached, a temporary rejection is triggered, unless the remaining space is adequate for additional messages to be accepted. Since the messages are continuously leaking, the bucket’s capacity is eventually restored, enabling the processing of new messages after a certain amount of time."
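To make the burst/rate numbers in that configuration concrete, here is an added example (not from Netino's post and not Rspamd's own code) that simulates the leaky bucket principle quoted above: each bucket has a capacity (burst) and drains at a fixed rate; a message is accepted only if every bucket of the limit still has room for it, otherwise it is soft-rejected. The rate parser accepts the "10 / 1min" and "1 / 1m" string forms used in the post as well as the bare per-second float; the multi-bucket limit mirrors the 'some_limit' entry. The arrival timestamps fed to the simulation are constructed, and the model deliberately ignores Rspamd's extra behaviours (per-symbol scoring, counting rejected messages) to keep the principle visible.

```python
import re

# Seconds per unit for the "N / M<unit>" rate syntax used in ratelimit.conf.
_UNIT_SECONDS = {"s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "d": 86400}

# Python mirror of the 'some_limit' buckets from the post's local.d/ratelimit.conf.
SOME_LIMIT_BUCKETS = [
    {"burst": 100, "rate": "10 / 1min"},  # long-term: 10 messages/minute
    {"burst": 10, "rate": "100 / 1min"},  # short-term: small bursts only
]


def parse_rate(rate):
    """Convert "10 / 1min", "1 / 1m" or a float (messages per second) to messages/second."""
    if isinstance(rate, (int, float)):
        return float(rate)
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*/\s*(\d+(?:\.\d+)?)\s*([a-z]+)\s*", rate)
    if not m or m.group(3) not in _UNIT_SECONDS:
        raise ValueError(f"unparseable rate: {rate!r}")
    count, amount, unit = float(m.group(1)), float(m.group(2)), m.group(3)
    return count / (amount * _UNIT_SECONDS[unit])


class LeakyBucket:
    """Bucket of capacity `burst` that drains `rate` messages per second."""

    def __init__(self, burst, rate):
        self.burst = float(burst)
        self.leak_per_sec = parse_rate(rate)
        self.level = 0.0   # messages currently in the bucket
        self.last = 0.0    # time (seconds) of the last update

    def leak(self, now):
        elapsed = max(0.0, now - self.last)
        self.level = max(0.0, self.level - elapsed * self.leak_per_sec)
        self.last = now

    def has_room(self):
        return self.level + 1.0 <= self.burst

    def offer(self, now):
        """Accept (True) or soft-reject (False) one message arriving at time `now`."""
        self.leak(now)
        if not self.has_room():
            return False
        self.level += 1.0
        return True


class RateLimit:
    """A limit with several buckets: a message must fit in all of them to be accepted."""

    def __init__(self, buckets):
        self.buckets = [LeakyBucket(b["burst"], b["rate"]) for b in buckets]

    def offer(self, now):
        for b in self.buckets:
            b.leak(now)
        if not all(b.has_room() for b in self.buckets):
            return False
        for b in self.buckets:
            b.level += 1.0
        return True


def simulate(limit, arrival_times):
    """Return the accept/reject decision for each (non-decreasing) arrival time."""
    return [limit.offer(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed traffic: 12 messages at once, then one more six seconds later.
    decisions = simulate(RateLimit(SOME_LIMIT_BUCKETS), [0.0] * 12 + [6.0])
    print("accepted:", decisions.count(True), "rejected:", decisions.count(False))
```

With the 'some_limit' buckets, the small bucket (burst 10, 100/min) stops the 11th and 12th message of an instantaneous burst, and six seconds later it has fully drained (100/60 messages per second times 6 seconds), so the next message is accepted while the large bucket is still far from its 100 capacity.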
-
CWP and Rspamd
I appreciate the deference, and the memory, thank you! But to be able to carry out a successful installation, it is necessary to know your email server, in detail how it works: its security, its blocks, its permissions, its redirects, your policies on DKIM, SPF, DMARC, ARC, ..., the problems of your users, and this takes time. And unfortunately I can't help you with this installation, due to a matter of time. I don't have time this month, and I surely won't have time next month either. Maybe in another, too. Maybe on the CWP Forum itself, or even on the Rspamd forum, you can find someone who can help you.
-
how to install Snort or alternatively intrusion system
I think the easiest way for you would be to install Comodo WAF (web application firewall), via ModSecurity. Access the CWP Panel -> Security -> ModSecurity. In Profile, choose Comodo WAF, and in Engine, choose to process the rules. Comodo's WAF rules are recommended to use as they are much simpler and easier to deal with.
-
CWP and Rspamd
By using Rspamd, you are actually replacing spamassassin. So, it is completely unnecessary to use it. In the case of Opendkim, you are disabling it, but you are not stopping using Opendkim's entire DKIM framework; you use the same files in Rspamd. So, when any changes occur via the CWP panel, Rspamd recognizes them and uses them. Which Sandeep "line" are you referring to? Rspamd consumes much less resources than spamassassin, while being much more configurable. You can even use spamassassin rules in Rspamd. Yes, Rspamd allows monitoring outgoing mails, but this can also be done by postfix. With Rspamd you assign a score, and you can limit the sending of email messages that are above this limit. Or a combination of rules, or any other rule you set. Of course, if you can pay, and tools are offered to let you know what is happening with your mail messages, yes, it is very good, and it would be easier. The point is that most paid antispam gateways offer a standard service. And if you yourself want to know what you want to do, or what needs to be done, setting up your own antispam server is better. In terms of effectiveness and efficiency, the difference in precision between a paid server and Rspamd is negligible. A well configured Rspamd server can learn very well from its artificial intelligence algorithm (Rspamd Neural Networks), or bayesian score, and there would be no qualitative difference between them. We are potentially talking about numbers on the order of 10^e-4 difference. But for you to make a good configuration it may take some time, on the order of a few months, for you to reach an optimal level. Maybe we don't have the spamtrap network that paid companies have, and that could make a difference. The use of anti-spam blacklists is not recommended. But you can use the postfix postscreen tool, and make a reputation server, based on a mixed score of antispam blacklists. And, yes, with more processing capacity, it is better to use more resources in Rspamd, and this costs money, anyway.
-
Optimize Mariadb/MySQL server for 4 GB RAM Server
It seems like a good configuration, except for the parameter:

tmp_table_size = 64MB

This resource is used per connection, so it should be calculated as follows:

tmp_table_size = [total memory available] / max_connections

For a server with 4Gb total memory, with max_connections = 200, it should be something around:

tmp_table_size = 20.5Mb

Or, reduce max_connections to a more realistic number, compatible with the user's needs. All of the following parameters must be considered per connection:

sort_buffer_size
read_buffer_size
read_rnd_buffer_size
join_buffer_size
thread_stack
binlog_cache_size
tmp_table_size

The following parameters make up the base memory consumed by mariadb, which is consumed only once:

key_buffer_size
query_cache_size
innodb_buffer_pool_size
innodb_additional_mem_pool_size
innodb_log_buffer_size

You can use the following script to calculate the total memory to be consumed by mariadb/mysql, including per connection:

#!/bin/sh
# you might want to add some user authentication here
mysql -e "show variables; show status" | awk '
{ VAR[$1]=$2 }
END {
  MAX_CONN = VAR["max_connections"]
  MAX_USED_CONN = VAR["Max_used_connections"]
  BASE_MEM = VAR["key_buffer_size"] + VAR["query_cache_size"] + VAR["innodb_buffer_pool_size"] + VAR["innodb_additional_mem_pool_size"] + VAR["innodb_log_buffer_size"]
  MEM_PER_CONN = VAR["read_buffer_size"] + VAR["read_rnd_buffer_size"] + VAR["sort_buffer_size"] + VAR["join_buffer_size"] + VAR["binlog_cache_size"] + VAR["thread_stack"] + VAR["tmp_table_size"]
  MEM_TOTAL_MIN = BASE_MEM + MEM_PER_CONN*MAX_USED_CONN
  MEM_TOTAL_MAX = BASE_MEM + MEM_PER_CONN*MAX_CONN
  printf "+------------------------------------------+--------------------+\n"
  printf "| %40s | %15.3f MB |\n", "key_buffer_size", VAR["key_buffer_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "query_cache_size", VAR["query_cache_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "innodb_buffer_pool_size", VAR["innodb_buffer_pool_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "innodb_additional_mem_pool_size", VAR["innodb_additional_mem_pool_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "innodb_log_buffer_size", VAR["innodb_log_buffer_size"]/1048576
  printf "+------------------------------------------+--------------------+\n"
  printf "| %40s | %15.3f MB |\n", "BASE MEMORY", BASE_MEM/1048576
  printf "+------------------------------------------+--------------------+\n"
  printf "| %40s | %15.3f MB |\n", "sort_buffer_size", VAR["sort_buffer_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "read_buffer_size", VAR["read_buffer_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "read_rnd_buffer_size", VAR["read_rnd_buffer_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "join_buffer_size", VAR["join_buffer_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "thread_stack", VAR["thread_stack"]/1048576
  printf "| %40s | %15.3f MB |\n", "binlog_cache_size", VAR["binlog_cache_size"]/1048576
  printf "| %40s | %15.3f MB |\n", "tmp_table_size", VAR["tmp_table_size"]/1048576
  printf "+------------------------------------------+--------------------+\n"
  printf "| %40s | %15.3f MB |\n", "MEMORY PER CONNECTION", MEM_PER_CONN/1048576
  printf "+------------------------------------------+--------------------+\n"
  printf "| %40s | %18d |\n", "Max_used_connections", MAX_USED_CONN
  printf "| %40s | %18d |\n", "max_connections", MAX_CONN
  printf "+------------------------------------------+--------------------+\n"
  printf "| %40s | %15.3f MB |\n", "TOTAL (MIN)", MEM_TOTAL_MIN/1048576
  printf "| %40s | %15.3f MB |\n", "TOTAL (MAX)", MEM_TOTAL_MAX/1048576
  printf "+------------------------------------------+--------------------+\n"
}'

Note that the 'Max_used_connections' parameter gives a realistic number for the total number of connections since the last start of the mariadb server, and can be used to adjust the 'max_connections' parameter. Regards, Netino
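The awk script above prints the figures; the following added example (not part of Netino's post) turns the same base-plus-per-connection model into functions so the result can be compared against the RAM the server actually has. It computes the worst case (every max_connections slot holding all its per-connection buffers), the realistic case based on Max_used_connections, the largest max_connections that would still fit in a given amount of RAM, and the post's rule of thumb for tmp_table_size. The variable values are constructed to resemble a 4 GB server with the 64MB tmp_table_size the post objects to; on a real server they come from the output of `mysql -e "show variables; show status"`.

```python
# Base memory: allocated once per server (same list as the post's script).
BASE_PARAMS = [
    "key_buffer_size",
    "query_cache_size",
    "innodb_buffer_pool_size",
    "innodb_additional_mem_pool_size",
    "innodb_log_buffer_size",
]

# Per-connection memory: potentially allocated for every open connection.
PER_CONN_PARAMS = [
    "sort_buffer_size",
    "read_buffer_size",
    "read_rnd_buffer_size",
    "join_buffer_size",
    "thread_stack",
    "binlog_cache_size",
    "tmp_table_size",
]

MIB = 1048576

# Constructed values in bytes, resembling a 4 GB server with the tmp_table_size
# from the post; real values come from `show variables; show status`.
SAMPLE_VARIABLES = {
    "max_connections": 200,
    "Max_used_connections": 37,
    "key_buffer_size": 128 * MIB,
    "query_cache_size": 0,
    "innodb_buffer_pool_size": 1024 * MIB,
    "innodb_additional_mem_pool_size": 8 * MIB,
    "innodb_log_buffer_size": 16 * MIB,
    "sort_buffer_size": 2 * MIB,
    "read_buffer_size": 1 * MIB,
    "read_rnd_buffer_size": 1 * MIB,
    "join_buffer_size": 2 * MIB,
    "thread_stack": 256 * 1024,
    "binlog_cache_size": 32 * 1024,
    "tmp_table_size": 64 * MIB,
}


def memory_model(variables):
    """Return base, per-connection, realistic (min) and worst-case (max) memory in bytes."""
    base = sum(int(variables.get(p, 0)) for p in BASE_PARAMS)
    per_conn = sum(int(variables.get(p, 0)) for p in PER_CONN_PARAMS)
    return {
        "base": base,
        "per_connection": per_conn,
        "total_min": base + per_conn * int(variables["Max_used_connections"]),
        "total_max": base + per_conn * int(variables["max_connections"]),
    }


def max_safe_connections(variables, ram_bytes):
    """Largest max_connections whose worst case still fits in ram_bytes (None if base alone does not)."""
    m = memory_model(variables)
    if m["base"] > ram_bytes:
        return None
    if m["per_connection"] == 0:
        return int(variables["max_connections"])
    return (ram_bytes - m["base"]) // m["per_connection"]


def tmp_table_size_for(ram_bytes, max_connections):
    """The post's rule of thumb: tmp_table_size = total memory / max_connections (bytes)."""
    return ram_bytes // max_connections


def fits_in_ram(variables, ram_bytes):
    """True when even the worst case (all max_connections busy) stays within ram_bytes."""
    return memory_model(SAMPLE_VARIABLES if variables is None else variables)["total_max"] <= ram_bytes


if __name__ == "__main__":
    ram = 4 * 1024 ** 3
    m = memory_model(SAMPLE_VARIABLES)
    for key, value in m.items():
        print(f"{key:>16}: {value / MIB:10.3f} MB")
    print("fits in 4 GB worst case:", fits_in_ram(SAMPLE_VARIABLES, ram))
    print("max_connections that fit:", max_safe_connections(SAMPLE_VARIABLES, ram))
    print("tmp_table_size for 200 connections:",
          f"{tmp_table_size_for(ram, 200) / MIB:.1f} MB")
```

With these constructed values the base memory is 1176 MB, each connection may need about 70 MB, and 200 connections would add up to roughly 15.6 GB in the worst case; only 41 connections fit in 4 GB, which is why the post suggests either shrinking tmp_table_size (about 20.5 MB for 200 connections) or lowering max_connections.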
-
Upgrade from Centos 7 and where to go
You may not be able to use the PHP selector, it was still not working with Almalinux 9. Regards, Netino
-
CWP and Rspamd
Hi, I was the one who posted that tutorial. Thank you for reading it. Yes, the steps are updated. The longest steps are those for configuring Rspamd itself. It fits almost like a glove with CWP, only a few adaptations are needed, such as disabling spamassassin and opendkim, but still offering complete integration with the opendkim installation, using it. With Rspamd there is the additional advantage that you can use it as an antispam gateway, and a message antivirus gateway for all your servers (if you have more than just one), just by changing a single line in postfix (in /etc/postfix/main.cf):

smtpd_milters = inet:Your-Server-IP:11332

(of course you can use autossh as a secure bridge between one server and another) Regards, Netino