Fighting Spam & Malware with Virtualmin

Some blacklists will put a rate limit, that's true.

In my setup Fail2Ban bans those IPs, avoiding more requests during the ban time specified.
Also I use postscreen, which eliminates those well-known bad mail servers, and UCE-Protect Level 1, which gets rid of most spam, leaving very little to be checked by other lists.

Regarding UCE Protect, there is a confusion caused by Level 2 & 3, where almost anyone can be listed since they list IP blocks. Those two levels should not be used to remove email at Postfix as they have a lot of false positives.

However, Level 1 lists only specific IP addresses.

Before using UCE Protect I even read the letter from the owner and checked some complaints. I had to remove UCE Protect Level 2 & 3 because they do block legit email, but Level 1 has been working great for 6 months now. I just checked some of the complaints again and several are about L2 & L3; some are also listed in other well-known BLs.

Are they abusive? Perhaps, since innocent IPs are listed in L2 & L3. They should allow free delisting for IPs that don't send spam in L2 & L3. I'll suggest that.

Checking the logs, Level 1 blocks a lot of spammers and I haven't got any complaint from my users about it. I also checked some blocked sites/IPs manually and the block was correct.

Just tested on Rocky Linux 9 and it seems to work as you said, and in CentOS 7. In both SpamAssassin was installed without ClamAV. I swear it did not work when I tried; perhaps it was something I was doing wrong.

postscreen does not log IPs in maillog. If you want to see Postfix's blocked IPs then do not use postscreen.

I'm not using postscreen in master.cf and it seems to work; is it needed in Postfix 3?

postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1

In this case you need to use bl.spamcop.net*2 so it blocks the IP if listed; otherwise it has no effect, as it will never reach threshold=2. Or add another BL like b.barracudacentral.org*1.
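As an added illustration of that threshold arithmetic (my own example, not from the thread or from Postfix itself), this script parses a postscreen_dnsbl_sites value the way Postfix weights it and computes the rank a client would get for a given set of listings; the function names are my own and the decision rule assumed is rank >= postscreen_dnsbl_threshold.

```python
import re

def parse_dnsbl_sites(value):
    """Parse a postscreen_dnsbl_sites value into {site: weight}.

    Postfix accepts 'site', 'site*weight' and 'site=reply-filter*weight';
    a missing weight counts as 1 and negative weights are allowed (allowlists).
    """
    weights = {}
    for item in value.split():
        m = re.fullmatch(r"([^=*]+)(?:=[^*]+)?(?:\*(-?\d+))?", item)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item!r}")
        site, weight = m.group(1), m.group(2)
        weights[site] = int(weight) if weight is not None else 1
    return weights

def dnsbl_rank(sites_value, listed_on):
    """The 'DNSBL rank' postscreen logs: sum of the weights of lists the client is on."""
    weights = parse_dnsbl_sites(sites_value)
    return sum(weights.get(site, 0) for site in listed_on)

def postscreen_verdict(sites_value, threshold, listed_on):
    """'reject' once the rank reaches postscreen_dnsbl_threshold (inclusive), else 'pass'."""
    return "reject" if dnsbl_rank(sites_value, listed_on) >= threshold else "pass"

if __name__ == "__main__":
    threshold = 2
    cases = {
        "as posted":        "zen.spamhaus.org*2 bl.spamcop.net*1",
        "spamcop weight 2": "zen.spamhaus.org*2 bl.spamcop.net*2",
        "barracuda added":  "zen.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1",
    }
    for name, sites in cases.items():
        for listed in (["bl.spamcop.net"], ["bl.spamcop.net", "b.barracudacentral.org"]):
            print(f"{name:17} listed on {listed}: rank {dnsbl_rank(sites, listed)}"
                  f" -> {postscreen_verdict(sites, threshold, listed)}")
```

With the posted config a client listed only on spamcop scores 1 and passes; raising spamcop to *2 or adding a second *1 list it is also on reaches the threshold.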

Not sure what Postfix you're using; it's logging by default in Debian.
Example postscreen log entry:

postfix/postscreen[781836]: CONNECT from [ip]:57432 to [ip]:25

And an example filter for fail2ban:

[Definition]

_daemon = postfix/postscreen

failregex = ^%(__prefix_line)sPREGREET .* after .* from \[<HOST>\]:.*: EHLO \S+\\r\\n
            ^%(__prefix_line)sBLACKLISTED \[<HOST>\]:.*

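Added example (my own, not part of the post above) that applies those two failregex lines, with <HOST> and the syslog prefix substituted, to a few constructed postscreen log lines and counts hits per IP the way a jail with maxretry would; the prefix pattern, the simplified <HOST> group and the function names are assumptions.

```python
import re
from collections import Counter

# Syslog prefix as a typical rsyslog setup writes it (assumption; fail2ban's
# own %(__prefix_line)s is more general and also covers journald formats).
_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/postscreen\[\d+\]: "
# Simplified form of what fail2ban substitutes for <HOST>.
_HOST = r"(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the filter, with substitutions applied. The log
# shows the client's CRLF as the literal text "\r\n", hence the doubled backslashes.
FAILREGEX = [
    re.compile(_PREFIX + r"PREGREET .* after .* from \[" + _HOST
               + r"\]:.*: EHLO \S+\\r\\n$"),
    re.compile(_PREFIX + r"BLACKLISTED \[" + _HOST + r"\]:.*$"),
]

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = r"""Mar  3 10:15:01 mx1 postfix/postscreen[233229]: CONNECT from [203.0.113.10]:56744 to [192.0.2.25]:25
Mar  3 10:15:01 mx1 postfix/postscreen[233229]: PREGREET 11 after 0.11 from [203.0.113.10]:56744: EHLO User\r\n
Mar  3 10:15:01 mx1 postfix/postscreen[233229]: DNSBL rank 2 for [203.0.113.10]:56744
Mar  3 10:15:02 mx1 postfix/postscreen[233229]: DISCONNECT [203.0.113.10]:56744
Mar  3 10:16:40 mx1 postfix/postscreen[233229]: BLACKLISTED [203.0.113.10]:44120
Mar  3 10:17:05 mx1 postfix/postscreen[233229]: BLACKLISTED [198.51.100.7]:41000
Mar  3 10:18:05 mx1 postfix/postscreen[233229]: CONNECT from [198.51.100.8]:57432 to [192.0.2.25]:25
Mar  3 10:18:06 mx1 postfix/postscreen[233229]: PASS NEW [198.51.100.8]:57432
"""

def offending_hosts(log_text):
    """Count, per client IP, the lines that match one of the failregex patterns."""
    hits = Counter()
    for line in log_text.splitlines():
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # one hit per line, as fail2ban counts it
    return hits

def hosts_to_ban(log_text, maxretry=2):
    """IPs that reached the jail's maxretry within the sample (findtime ignored here)."""
    return sorted(h for h, n in offending_hosts(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    for host, n in offending_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} hit(s)")
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

Note that CONNECT, DNSBL rank, DISCONNECT and PASS lines are never counted; only PREGREET and BLACKLISTED lines contribute, exactly as the filter above specifies.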

Please read the documentation on how to properly set up postscreen:
Turning on postscreen(8) without blocking mail

The following you are referring to is an example.

Yes you can see postscreen in the logs if it is set up correctly.

postfix/postscreen[233229]: DISCONNECT [171.22.30.119]:56744
postfix/postscreen[233229]: DNSBL rank 2 for [171.22.30.119]:56744
postfix/postscreen[233229]: PREGREET 11 after 0.11 from [171.22.30.119]:56744: EHLO User\r\n

Thanks it now logs as it should. I was missing the master.cf configuration.

So postscreen wasn't working at all. That's why it didn't log anything… if you didn't pass anything to postscreen (the master.cf part), it would just be idle, not doing anything…

I'd like to share these stats from one domain; they may be interesting.
The screenshot shows my first 3 summaries to monitor blocked email.

Using RBL in postfix blocked 1,843 emails in a week in one domain (mydomain.com).

The top user with most spam (blocked) was sales with 430 emails. That email account is sent to 5 other users, so about 5 users will get all that spam plus their own if the blocking is removed.

The other two domains (more normal) have about 200 spam blocked per week, but the main email account got about 40% of them.

These results are not using fail2ban to block RBLs, but fail2ban was blocking unauthenticated attempts to Postfix. Also there is a little filter before those servers that blocks more spam, and it is not included in the report.
I will post another stat later with fail2ban blocking RBLs.

I was going to post the stats from the following weeks, but let me summarize what I've found in these weeks. Monitoring those numbers allows me to implement anti-spam and security measures that I'd like to see integrated in Virtualmin; some are quite easy to do.

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, permit

  • Virtualmin shall add an option to manage blacklists and, as a suggestion, may work with Abusix to include their blacklist in Virtualmin. They currently offer 5,000 free daily queries, calculated from a 7-day average, which will give more than that. So far I've seen no false positive in some weeks using their service, but it shall work with Fail2ban to block those IPs for some time to reduce daily queries.
    Abusix Mail Intelligence - Abusix

  • Virtualmin shall add brute force protection with Fail2ban, at least in the Pro licence, to compete with other control panels in security; right now it is up to the very technical user to set up Fail2ban. It can even be set up to report attacks automatically to blocklist.de, which will help to reduce spam and hacking attempts. Abusix also has a reporting tool, but I have not decided to implement it; Virtualmin may do so and help Abusix, and they may work on integrating their product with Virtualmin.

  • Another useful addition to Virtualmin would be the ClamAV extra signatures from Securite Info. Besides being used with ClamAV on servers and desktops, they are available for devices. Not sure if it will work with Virtualmin the way it is right now, but surely it can be added so a normal user can add them easily without having to go to the terminal or file manager to edit config files. Right now those extra signatures are free for one IP but do not include 0-day malware detection, just 30-day malware detection. This can help avoid ransomware and many other malware and even spam.
    Add 4.000.000 signatures to Clamav antivirus

Hopefully some of this is useful to improve Virtualmin security and reduce spam.

I'm missing info about SpamAssassin marking spam because I'm working on it; however, if anyone has a good configuration they may recommend, I'd love to try it.

I find the IP list from Stop Forum Spam helps prevent a lot of spam emails and posts to WordPress sites etc.


TO: Virtualmin Team

Would it be possible to have a new doc page that could suggest various config examples for hardening the various services on our servers? I know this is NOT your job… you provide a wonderful control panel and should not expected to “support the operating system as well”… but… many of us rely on your years of expertise and hope that we might be able to coax you into such a page.

Again, thank you for all you do…

Yours,
Jim


I can’t, and don’t, speak for the staff but I think the default install is their recommendation. That is what they are willing to support. ‘Works for most’ is where they need to be. If you keep everything up to date the basic system should be good to go.

Web applications like WordPress are huge targets and become the source of most problems.


Yes, I think the same. It would be a great help even for those who have gladly paid for support for years; great projects like TrueNAS, pfSense and Proxmox have howtos and documentation that I would like to have with Virtualmin.

I don’t really like “howtos” for fundamental stuff, like security. I think our priority is and has been shipping a good set of tools and defaults that works for most people.

I also think that the vast majority of exploits we hear about were not because someone didn’t setup more software, but because they didn’t keep their system up to date, they ran sloppy third-party software (often WordPress plugins or other web apps with a weak security history), or used weak passwords. Daily, I see people posting about distros that have been EOL for years. That’s how you get hacked.

We currently ship the following, often pre-configured in a way that works pretty well for most web hosting users:

  1. Update notifications in a very visible place. If you're running old software, it is not because you didn't know about it. This is the single biggest security flaw on most of our users' systems.
  2. Multiple layers of brute-force protection. Fail2ban configured for most of the services we manage, Webmin has brute-force protection built-in (and optional 2FA) and most of the services we configure also have brute-force protection built-in. People aren’t guessing passwords for a Virtualmin system unless the passwords are extremely weak, or shared across multiple systems.
  3. Tools to enforce strong passwords. You can configure Webmin with a password policy to insist on strong passwords; Ilia implemented a strength meter when creating passwords so you can see at a glance if you're making a good password or not.
  4. A firewall, made useful by Fail2ban. Firewalls in a web server have limited utility; if you don’t need a service to be available to the world, you shouldn’t run it on a public port, so a generic static firewall does little. But, a firewall that updates based on attacks is useful. And, if you customize it (we provide UI support for that), you may also improve security of some services, by providing very specific access.
  5. SpamAssassin and ClamAV and greylisting. While it’s probable we need to improve the defaults here, it’s such a complicated topic and everybody has different tolerance for false positives. We mostly stick to the defaults provided by your OS package here, which is still pretty good. We provide UI support for the configurable parts of SpamAssassin, and UI to turn on or off AV and greylisting.
  6. Tools to help stay on top of web application updates. When technically possible/reliable, we offer upgrades to web apps we support in the Install Scripts UI, and bulk updates are also possible. Again, old software is how you’re probably going to get hacked.

(Note that chroot jails are not on that list. They are mostly cosmetic, they are not much of a security feature, though now that jailkit uses capabilities to chroot, at least on some platforms, rather than being suexec, jails are not a notable security risk as they historically were.)

Because the most likely exploits are core things, I’m hesitant to go off into the weeds of nice stuff that may or may not be useful for everyone.

There are some things I can recommend, but can’t easily automate and I’m not the best person to document: mod_security has been very helpful for us in addressing some types of DDoS (DDoS is a particular type of security issue…data is unlikely to be compromised, but it’s still annoying and costly to experience, and we have been targeted several times through the years), tools like Cloudflare may be useful for similar reasons (but also complicated and confusing for new users who don’t understand that it’s a proxy or what that means…and Cloudflare isn’t super great about making it clear, they kind of pretend like what they do is unique magic, when it’s really the same sort of proxying and edge caching that big websites have been doing for decades).

But, I remain skeptical of complicated guides to security, and I don’t want to be someone contributing to that sort of thing. Most people can’t spend hours every week on security, so if they get distracted by side quests, they’re going to drop the ball on the obvious stuff and that’s how you get got.

I also want to note that I am not an expert on every security tool and practice in the world. I can’t write a mod_security guide because I am not a mod_security expert, and there is nothing Virtualmin-specific about turning on and configuring mod_security. If you want to use mod_security, the mod_security docs are going to be better than anything I could write! Security is a big part of my job (in every job I’ve ever held, including my other current full-time job in tech where I head up a security team as part of my duties), but security in general is not my area of expertise. I learn what I need to know for the world-facing stuff I have to maintain, as best I can.

In short: If I can automate a notable security improvement in our products that works for most people most of the time, without causing a lot of breakage, I will try to do that as my development time allows. We do have some security stuff on the road map, as we always do in every new release. I’m not going to name them, as I’d feel bad about it if it doesn’t make it in. But, if I find time for writing documentation, it’s going to be spent trying to improve our general documentation, which has been neglected for quite a while, due to lack of time and resources, and difficulty getting motivated when our docs wiki was made intolerable by spammers. Ilia is fixing our docs, though, so I’ll be able to drop in on writing docs in short bursts soon. (But, again, improving core docs will be my focus. If you want security docs, go to the source!)


@Joe very nicely said.

+1 for using mod_security by default (with the safest defaults in order not to break websites),

and a suggestion for the antispam system:
Go for rspamd instead. It might be a lot of work to replace the existing amavis+SA setup, but…
rspamd integration would save you time messing around with lots of daemons/services: spamassassin, opendkim, opendmarc, amavis, postgrey, ratelimit… these are all integrated in rspamd as modules…
It's also very fast in spam training compared to SA.
And a security point: rspamd doesn't require a compiler installed on a production server (which spamassassin does…).

  • would also suggest postscreen+postwhite installed/activated by default, or configurable in some “email settings” option.

2c.

