Howto


You've probably already tried SpamAssassin and a host of other tools, which are good mind you, and still there's spam bothering you! So what's next? How do you manage the spam situation?

Well, how about a challenge-response mechanism: ask the sender to confirm that they really sent the message before it is allowed to reach your mailbox.

This is implemented beautifully by TMDA (short for Tagged Message Delivery Agent)! TMDA combines whitelists, blacklists, a challenge/response system, and special-purpose e-mail addresses called “tagged addresses” to thwart spam.

This howto is for setting up TMDA on a per-user basis (not everyone will appreciate the interception, so it is better to give it only to those users on your server who ask for it)! It assumes Postfix is the MTA.

  • cd /usr/src
  • wget http://tmda.sourceforge.net/ftp/releases/tmda-1.1.1.tgz
  • tar -zxf tmda-1.1.1.tgz
  • cd tmda-1.1.1
  • ./compileall
  • su - imtiaz
  • mkdir ~/.tmda && chmod 700 ~/.tmda
  • cd ~/.tmda
  • /usr/src/tmda-1.1.1/bin/tmda-keygen —> paste the output of this command into ~/.tmda/crypt_key and don't forget to chmod 600 crypt_key. This key is what makes the confirmation tags unforgeable; anyone who can read it can mint a valid "confirmed" reply.
  • mkdir logs lists filters
  • touch logs/debug logs/incoming logs/outgoing
  • touch lists/confirmed
  • touch filters/outgoing
  • echo 'from-file ~/.tmda/lists/confirmed accept' > filters/incoming
  • echo '"|/usr/src/tmda-1.1.1/bin/tmda-filter"' > ~/.forward —> the .forward lives in the home directory, not in ~/.tmda; Postfix only honours it when it is owned by the user and not world-writable.
  • cat > config —> the config file is Python, so use straight ASCII quotes:
    import os
    MAIL_TRANSFER_AGENT = "postfix"
    RECIPIENT_DELIMITER = "+"
    DELIVERY = "/var/spool/mail/imtiaz"
    CONFIRM_APPEND = os.path.expanduser("~/.tmda/lists/confirmed")
    LOGFILE_DEBUG = "~/.tmda/logs/debug"
    LOGFILE_INCOMING = "~/.tmda/logs/incoming"
    LOGFILE_OUTGOING = "~/.tmda/logs/outgoing"
    FILTER_INCOMING = os.path.expanduser("~/.tmda/filters/incoming")
    FILTER_OUTGOING = os.path.expanduser("~/.tmda/filters/outgoing")
    ACTION_OUTGOING = "bare=append"
    BARE_APPEND = os.path.expanduser("~/.tmda/lists/confirmed")

Once this is done, send a test mail to imtiaz@domain. It should result in an automatic reply asking the sender to confirm. Once the sender confirms, their address is whitelisted (appended to lists/confirmed) and they can send without further confirmation until the user, Imtiaz, removes their id from the confirmed list.

Send a mail to imtiaz@branches.ca to see how this works.
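How the confirmation round trip stays unforgeable, as an added example written for this page in Python (it is not TMDA's code; TMDA's own tag layout and hash differ). It mints a challenge address of the form <user>+confirm+<timestamp>.<nonce>.<mac>@<domain>, riding on the "+" RECIPIENT_DELIMITER from the config above, checks a reply against the key from crypt_key, and only then appends the sender to the confirmed list. The one-week tag lifetime, the HMAC-SHA256 construction and all function names are assumptions made here:

```python
"""Keyed confirmation tags in the style of a TMDA challenge (added example,
not TMDA's code). Assumptions not taken from the page: the tag layout
<user>+confirm+<timestamp>.<nonce>.<mac>@<domain>, HMAC-SHA256 keyed with
the contents of ~/.tmda/crypt_key, and a one-week tag lifetime."""
import hashlib
import hmac
import secrets
from typing import Optional, Set, Tuple

CONFIRM_LIFETIME = 7 * 24 * 3600  # seconds a tag is honoured for (assumption)


def _mac(key: bytes, user: str, timestamp: int, nonce: str) -> str:
    """Truncated keyed hash over everything else in the tag."""
    msg = f"{user}:{timestamp}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def make_confirm_address(key: bytes, user: str, domain: str, now: int) -> str:
    """Mint the address a challenged sender must reply to."""
    nonce = secrets.token_hex(4)  # keeps tags minted in the same second distinct
    return f"{user}+confirm+{now}.{nonce}.{_mac(key, user, now, nonce)}@{domain}"


def verify_confirm_address(key: bytes, address: str, now: int) -> Optional[str]:
    """Return the local user a tag was minted for, or None if the tag is
    malformed, expired, or was not minted with our crypt_key."""
    local = address.partition("@")[0]
    parts = local.split("+")
    if len(parts) != 3 or parts[1] != "confirm":
        return None
    user, tag = parts[0], parts[2]
    try:
        ts_s, nonce, mac = tag.split(".")
        ts = int(ts_s)
    except ValueError:
        return None
    if not (now - CONFIRM_LIFETIME <= ts <= now):
        return None  # expired, or a timestamp from the future
    if not hmac.compare_digest(mac, _mac(key, user, ts, nonce)):
        return None  # forged or tampered tag
    return user


def triage(key: bytes, confirmed: Set[str], user: str, domain: str,
           sender: str, now: int) -> Tuple[str, Optional[str]]:
    """What the filter decides for one incoming message: deliver it if the
    sender is on the confirmed list, otherwise hold it and say where the
    challenge reply must go."""
    if sender.lower() in confirmed:
        return "deliver", None
    return "challenge", make_confirm_address(key, user, domain, now)


def accept_confirmation(key: bytes, confirmed: Set[str], reply_to: str,
                        sender: str, now: int) -> bool:
    """Process a reply to a challenge: only a valid tag whitelists the sender
    (the equivalent of CONFIRM_APPEND writing to lists/confirmed)."""
    if verify_confirm_address(key, reply_to, now) is None:
        return False
    confirmed.add(sender.lower())
    return True
```

The tag carries no secret itself; the secret stays in crypt_key, which is why that file must be 0600. A spammer who guesses the layout still cannot produce the MAC, and compare_digest keeps the check constant-time.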

Please use this form to contact us to request a quote for this implementation on your server. We can also do this server-wide if required.

Ever wanted to extract the audio stream from a music video to make it easier to carry on your mp3 player? Well we have developed an application that allows you to do just that!

Not only can you extract the audio from the video you can also extract the optimized flv from the video and download both streams separately. Now how cool is that.

Try it out here

Let us know what you think of the application also if you’d like us to set it up for you.

This writeup illustrates how you can enable secure roaming access to an SMTP server while simultaneously adding a further layer of security to your Postfix mail server. Not 100% guaranteed to keep thieves at bay, but very effective.

It works on the principle that if you have an account on the server you are authorized to relay from that server. So if you can authenticate yourself to the POP daemon you're allowed to send mail using the SMTP server running on the same server. Otherwise not! Note what is actually being trusted: the grant is tied to the client's IP address, not to the user, so anyone sharing that address (behind the same NAT gateway, say) can relay during the grace window, and the window stays open after the POP session ends. Where the mail clients support it, SMTP AUTH over TLS is the cleaner answer; pop-before-smtp is for the ones that don't.

Assumes you’re using Dovecot for pop3/imap access and Postfix for the MTA

    Download the source for pop-before-smtp

cd /home/imtiaz/src/
wget http://nchc.dl.sourceforge.net/sourceforge/popbsmtp/pop-before-smtp-1.41.tar.gz
tar -zxf pop-before-smtp-1.41.tar.gz

    setup some required Perl modules

perl -MCPAN -e shell
install Bundle::CPAN
install Time::HiRes File::Tail Net::Netmask Date::Parse DB_File

    Move around the files

cd /home/imtiaz/src/pop-before-smtp-1.41
cp pop-before-smtp.init /etc/rc.d/init.d/pop-before-smtp
cp pop-before-smtp /usr/sbin/
cp pop-before-smtp-conf.pl /etc

Edit the /etc/pop-before-smtp-conf.pl file to customize it for your system.
# Set the log file we will watch for pop3d/imapd records.
$file_tail{'name'} = '/var/log/maillog';

Set the log pattern to match the login lines your system actually writes (HINT: set up Dovecot to log to /var/log/maillog and then enable the Dovecot pattern in the conf file). A pattern that matches too loosely, for example one that also matches failed logins, grants relay access to the wrong addresses, so verify it with the --debug run below before going live.

/usr/sbin/pop-before-smtp --dumpconfig
/usr/sbin/pop-before-smtp --debug --nowrite --reprocess
chkconfig pop-before-smtp on
/etc/init.d/pop-before-smtp start

ls -l /etc/postfix/pop* —> this will show you the db being created

    Add this to /etc/postfix/main.cf (check_client_access is a restriction keyword, not a parameter of its own, so it only belongs inside the restriction list; the daemon maintains the .db itself, so no postmap run is needed). The check must come before reject_unauth_destination or the grant never applies:

smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, check_client_access hash:/etc/postfix/pop-before-smtp, reject_unauth_destination

restart postfix by running postfix reload
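The core of the mechanism, as an added example written for this page in Python (pop-before-smtp itself is Perl and this is not its code): read Dovecot login records from the maillog, grant each client IP relay permission for a grace window, and render the grants in the form of the Postfix access map referenced above. The log lines are constructed; their layout follows Dovecot's "Login: user=<..>, method=.., rip=.." format, which is what the log pattern in pop-before-smtp-conf.pl has to match. The 30-minute grace window and the year assumed for the timestamps are assumptions:

```python
"""pop-before-smtp in miniature (added example, not the project's code):
successful POP3/IMAP logins grant the client IP a relay window; the live
set of grants is what ends up in hash:/etc/postfix/pop-before-smtp."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

LOG_YEAR = 2007                 # syslog lines carry no year (assumption for the sample)
GRACE = timedelta(minutes=30)   # relay window after a login (assumption)

# Dovecot login record; "Aborted login" lines deliberately do not match.
LOGIN_RE = re.compile(
    r"dovecot: (?:pop3|imap)-login: Login: user=<(?P<user>[^>]*)>"
    r".*?\brip=(?P<ip>[0-9A-Fa-f.:]+)"
)

# Constructed maillog excerpt: one POP3 login, one failed login, one IMAP login, unrelated noise.
SAMPLE_LOG = """\
May 21 10:01:02 mx dovecot: pop3-login: Login: user=<imtiaz>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.2
May 21 10:02:15 mx dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=198.51.100.77, lip=198.51.100.2
May 21 10:05:40 mx dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.2, TLS
May 21 10:20:00 mx postfix/smtpd[1234]: connect from unknown[192.0.2.9]
"""


def _stamp(text: str) -> datetime:
    """Parse the leading 'Mon dd HH:MM:SS' of a syslog line (or a bare timestamp)."""
    return datetime.strptime(f"{LOG_YEAR} {text[:15]}", "%Y %b %d %H:%M:%S")


def scan(log: str) -> Dict[str, datetime]:
    """Map client IP -> time its grant expires, keeping the latest login per IP."""
    grants: Dict[str, datetime] = {}
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # failed logins and non-login lines grant nothing
        ip, expires = m.group("ip"), _stamp(line) + GRACE
        if ip not in grants or expires > grants[ip]:
            grants[ip] = expires
    return grants


def grants_at(log: str, when: str) -> List[str]:
    """IPs allowed to relay at syslog time `when`, e.g. "May 21 10:32:00"."""
    now = _stamp(when)
    return sorted(ip for ip, exp in scan(log).items() if exp > now)


def access_map(log: str, when: str) -> str:
    """Text form of the Postfix access map: one 'IP<TAB>ok' line per live grant.
    The real daemon writes the .db directly; this is what postmap -s would list."""
    return "".join(f"{ip}\tok\n" for ip in grants_at(log, when))
```

Run against the sample, both clients are allowed at 10:10, only the IMAP client remains at 10:32 because the POP3 grant from 10:01 has aged out, and the address behind the failed login never appears. Note that the map knows nothing about users: everything behind 203.0.113.5 relays while its grant is live, which is the caveat above.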

N’joi

    If you need help setting up pop-before-smtp on your server to allow remote SMTP in a secure manner to road warriors and hosting clients please contact us.

Shoutcast servers which are running on shared hosts usually get shut down quite frequently by procwatch. While it is important to stay within system limits it is also important to have those servers running till you shift to dedicated hosting :D
Here’s a quick and dirty shell script to monitor and restart shoutcast services. Drop it in cron to run every 15 minutes and you will never have to worry about your shoutcast going down.


#!/bin/bash
### Script to restart shoutcast server/transcoder when it's down
### Imtiaz a Khan http://www.netbrix.net on 21 May 2007

# Replace these for your install
SC_HOME=/path/to/shoutcast          # directory holding sc_serv and its .conf files
TRANS_DIR=$SC_HOME/sc_trans_040     # directory holding sc_trans_linux and make_playlist
MAILTO=khanimtiaz@gmail.com         # your email id

cd "$SC_HOME" || exit 1

# Count running server/transcoder processes; two sc_serv and two sc_trans_linux are expected.
# No temp file: the earlier version wrote to /tmp/monitor.log, which any local user could
# pre-create or point at another file with a symlink.
prcs=$(ps -ef | grep -E 'sc_serv|sc_trans' | grep -v grep | wc -l)

if [ -z "$prcs" ] || [ "$prcs" -lt 4 ]
then
    /usr/bin/killall sc_trans_linux
    /usr/bin/killall sc_serv
    nohup ./sc_serv >/dev/null 2>&1 &
    nohup ./sc_serv sc_serv_low.conf >/dev/null 2>&1 &
    cd "$TRANS_DIR" || exit 1
    ./make_playlist
    nohup ./sc_trans_linux >/dev/null 2>&1 &
    nohup ./sc_trans_linux sc_trans_low.conf >/dev/null 2>&1 &

    ### Send out the mails to inform
    echo "shoutcast services restarted at $(date)" | mail -s "ALARM: shoutcast services on $(hostname)" "$MAILTO"
else
    # Comment this out once you are happy with the script; an OK mail every 15 minutes gets old.
    echo "shoutcast services running fine on $(date)" | mail -s "OK: shoutcast services on $(hostname)" "$MAILTO"
fi

Make sure you replace the paths to the binaries and the email id at the top of the script. Also, after a point, getting an "everything OK" mail every 15 minutes gets irritating, so just comment out the mail line in the else branch when you're happy with the script.

This script can be modified to monitor many other services that you’re running and facing problems with. Please Contact us for implementation on your server or for modifications.

This is a quick and dirty how-to on setting up a firewall + brute-force detection/prevention mechanism + anti-DoS system on your dedicated Linux server.
Assumes root access.

    APF

APF is a policy based iptables firewall system designed for ease of use and configuration.

mkdir $HOME/src
cd $HOME/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-0.9.6-1/
./install.sh
vi /etc/apf/conf.apf
(edit the IG_TCP_CPORTS line to add the ports you need open. Leave the development/demo mode directive, DEVEL_MODE="1", in place while testing: it flushes the rules every five minutes, so a mistake cannot lock you out of SSH. Set it to "0" once you have confirmed you can still get in, otherwise the firewall keeps disappearing every five minutes.)

/etc/init.d/apf start

    AntiDOS

AntiDOS is a log parsing script made for r-fx.org's APF (Advanced Policy Firewall). Its purpose is to parse specific log formats for network attacks against a given system, and take certain actions.

vi /etc/apf/ad/conf.antidos
(edit the config for alerts and other options)
/etc/init.d/apf restart

    BFD

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans.

cd $HOME/src
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -zxf bfd-current.tar.gz
cd bfd-0.9/
./install.sh
vi /usr/local/bfd/conf.bfd
(edit alarm settings, email address etc.)

A cron job gets added to run BFD at intervals to detect and ban brute-force attempts. Put the addresses you administer from into /usr/local/bfd/ignore.hosts first, so a few mistyped passwords from your own workstation do not get you banned.
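Brute-force detection of the kind BFD does, as an added example written for this page in Python (it is not BFD's shell code): count failed logins per source address inside a sliding window and report the addresses that cross the threshold, together with the deny command BFD hands to APF. The log lines are constructed in OpenSSH's "Failed password" format. The threshold (15 failures, the same figure as BFD's default TRIG), the 10-minute window, the apf path and the exact text of the ban command are assumptions:

```python
"""BFD-style brute-force detection (added example, not BFD's code): a
per-IP sliding window of authentication failures drives the ban list."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

LOG_YEAR = 2007                 # syslog lines carry no year (assumption)
TRIG = 15                       # failures before a ban (assumption, matches BFD's default)
WINDOW = timedelta(minutes=10)  # sliding window (assumption)

# OpenSSH failure record; "Accepted password" lines do not match.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def _stamp(line: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")


def sample_log() -> str:
    """Constructed /var/log/secure excerpt: a password-guessing run from one host
    (20 failures in just over two minutes), three slow typos from a legitimate
    user, and that user's eventual success."""
    base = datetime(LOG_YEAR, 5, 21, 3, 0, 0)
    lines = []
    for i in range(20):
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t:%b %d %H:%M:%S} mx sshd[{4000 + i}]: Failed password "
                     f"for invalid user admin from 198.51.100.77 port {50000 + i} ssh2")
    for i in range(3):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t:%b %d %H:%M:%S} mx sshd[{5000 + i}]: Failed password "
                     f"for imtiaz from 203.0.113.5 port 41000 ssh2")
    t = base + timedelta(minutes=31)
    lines.append(f"{t:%b %d %H:%M:%S} mx sshd[6000]: Accepted password "
                 f"for imtiaz from 203.0.113.5 port 41001 ssh2")
    return "\n".join(lines) + "\n"


def offenders(log: str) -> List[str]:
    """Addresses that reached TRIG failures inside WINDOW, in the order they did."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: List[str] = []
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue                        # successes and other noise don't count
        ip, now = m.group("ip"), _stamp(line)
        window = recent[ip]
        window.append(now)
        while now - window[0] > WINDOW:     # slide: forget failures older than WINDOW
            window.popleft()
        if len(window) >= TRIG and ip not in banned:
            banned.append(ip)
    return banned


def ban_commands(ips: List[str]) -> List[str]:
    """The shape of BFD's BAN_COMMAND for APF (exact text is an assumption)."""
    return [f"/usr/local/sbin/apf -d {ip} {{bfd.sshd}}" for ip in ips]
```

The legitimate user's three failures spread over half an hour never fill the window, which is the point of counting inside a window rather than since boot: the threshold separates a guessing run from a human with a bad memory.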

This is just an example of what can be done to stop hackers in their tracks. There's a lot more we can help you with on your servers.

Please WRITE TO US for this and other security or system administration related questions, requirements or quotes.

When you just can’t wait to share the moment

Often while travelling you come across situations which are worthy of being shared, and sometimes you wish you could do it instantly rather than wait to find a docking station. Well, it's possible.

We were recently contemplating what would be the simplest solution to do this and here’s the concoction we came up with:

  1. of course an MMS-enabled camera phone and the hosting to run your gallery
  2. procmail to catch the mail and process it
  3. metamail to extract the image attachments
  4. mojomail to maintain an optional distribution list
  5. a nifty little php script to do the gallery jhingbang

I wrote the recipe for procmail and wired it with mojomail to give it a test run. It runs real sweet! Mojomail rocks because dadamail doesn't have a dada_send.pl, or at least it's too damn buggy; also, once you get popular for good photography your fans spread the word and you need a robust list management s/w to take care of the subscriptions.

The gallery script which we wrote is pretty basic, in that it takes the images from where the procmail processing dumps them, generates the thumbnails and displays them on a page as clickables. I also figured out a way to add descriptions to the images, extracting them from the message body. Some mobile service providers tend to add their own images to the MMS; well, that's easily managed: in the gallery script just suppress the operator logos.

This is work in progress and I’m looking for a demo server where I can set it all up as right now it’s on a clients server and we can’t really push traffic onto his server ;) ! Request you to give suggestions as to how we can further improve this application.

This service works with Dreamhost post the horrible Debian update as well

It works for Bluehost servers post recent updates.

Ok we’ve been getting a few requests for setting up servers for youtube clones. The back and forth on mail is kinda “not happening” so I’ve written a quick list of what we “need” to get it all rolling and fast!

Here’s the list:

  • I need the ssh details of the server. Usually if you came to this page you already tried a bit of poking around so you know what ssh is.
  • I also need to know if you already have a you tube clone script setup (try Social Media, vshare or clipshare). If you do I’ll need to know so that I can test using that script. For an additional negotiable amount, usually $25 but may vary upon complexity, I can help you setup your youtube clone.
  • I also need to pay bills (occasional trip to the Bahamas and the weekend parties at the Tiki bar…. Hilton is just so pretentiously expensive), so I charge for this service. USD 50 is what I expect and I can send you my paypal details if you’re interested and are able to paypal.
  • Since a few people ripped us off we need the payment before we start the work
  • Depending on how your server is set up it takes about 24 hours to set it all up. I can throw in the test application if you're looking for a script as well; please let me know upfront so that I can let you know any reasonable additional charges involved for this script.

So there you are now ping me when you’re ready…. mail me through the Contact Form

Here’s a List of scripts we have successfully setup on shared as well as dedicated hosting

  • PHPmotion
  • HWDVideoShare component for Joomla
  • Achtube component for Joomla
  • Clipshare (all versions)
  • Vshare
  • videoshare(agriya)
  • Rayzz
  • social media
  • OSTube
  • PHPFox
  • other custom made scripts for various sites which want to be left anonymous(probably haven’t discovered the magic of reciprocal link exchanges yet :( )

Keep forgetting how to set up Yum successfully on godaddy servers :) Here's the sticky just in case I need it again!!!


rpm -Uvh ftp://fr2.rpmfind.net/linux/fedora/core/updates/4/i386/libxml2-python-2.6.20-1.FC4.i386.rpm
rpm -Uvh ftp://fr2.rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/python-elementtree-1.2.6-4.i386.rpm
rpm -Uvh ftp://fr2.rpmfind.net/linux/fedora/core/4/i386/os/Fedora/RPMS/python-sqlite-1.1.6-1.i386.rpm
rpm -Uvh ftp://fr2.rpmfind.net/linux/fedora/core/updates/4/i386/rpm-python-4.4.1-23.i386.rpm
rpm -Uvh ftp://ftp.univie.ac.at/systems/linux/fedora/4/i386/os/Fedora/RPMS/python-urlgrabber-2.9.6-1.noarch.rpm
rpm -Uvh ftp://fr2.rpmfind.net/linux/fedora/core/updates/4/i386/yum-2.4.1-1.fc4.noarch.rpm
yum update yum

Proftpd with Mysql backend -command list

This is a quick and dirty proftpd+mysql setup Howto. It lets you setup a ProFTPd server with a MySQL backend so you can manage ftp users on a server from a database.

  • wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0a.tar.gz
  • tar -zxf proftpd-1.3.0a.tar.gz
  • cd proftpd-1.3.0a
  • make distclean
  • ./configure --with-modules=mod_sql:mod_sql_mysql:mod_quotatab:mod_quotatab_sql --with-includes=/usr/include/mysql --with-libraries=/usr/lib/mysql
  • make
  • make install
  • ln -s /usr/local/sbin/proftpd /usr/sbin/proftpd
  • groupadd nogroup
  • groupadd -g 5500 ftpgroup
  • adduser -u 5500 -s /bin/false -d /bin/null -c "proftpd user" -g ftpgroup ftpuser
  • mysql -u root -p

create database ftpdb;
# pick a real password here and use the same one in SQLConnectInfo below
grant select, insert, update on ftpdb.* to proftpd@localhost identified by 'password';

use ftpdb;

#
# Table structure for table `ftpgroup`
#

CREATE TABLE ftpgroup (
groupname varchar(16) NOT NULL default '',
gid smallint(6) NOT NULL default '5500',
members varchar(16) NOT NULL default '',
KEY groupname (groupname)
) ENGINE=MyISAM COMMENT='ProFTP group table';

#
# Dumping data for table `ftpgroup`
#

INSERT INTO `ftpgroup` VALUES ('ftpgroup', 5500, 'ftpuser');
INSERT INTO `ftpgroup` VALUES ('ftpgroup', 5500, 'ftpguest');

# --------------------------------------------------------

#
# Table structure for table `ftpquotalimits`
#

CREATE TABLE ftpquotalimits (
name varchar(30) default NULL,
quota_type enum('user','group','class','all') NOT NULL default 'user',
per_session enum('false','true') NOT NULL default 'false',
limit_type enum('soft','hard') NOT NULL default 'soft',
bytes_in_avail int(10) unsigned NOT NULL default '0',
bytes_out_avail int(10) unsigned NOT NULL default '0',
bytes_xfer_avail int(10) unsigned NOT NULL default '0',
files_in_avail int(10) unsigned NOT NULL default '0',
files_out_avail int(10) unsigned NOT NULL default '0',
files_xfer_avail int(10) unsigned NOT NULL default '0'
) ENGINE=MyISAM;

#
# Table structure for table `ftpquotatallies`
#

CREATE TABLE `ftpquotatallies` (
`name` varchar(30) NOT NULL default '',
`quota_type` enum('user','group','class','all') NOT NULL default 'user',
`bytes_in_used` float NOT NULL default '0',
`bytes_out_used` float NOT NULL default '0',
`bytes_xfer_used` float NOT NULL default '0',
`files_in_used` int(10) unsigned NOT NULL default '0',
`files_out_used` int(10) unsigned NOT NULL default '0',
`files_xfer_used` int(10) unsigned NOT NULL default '0'
) ENGINE=MyISAM;

# --------------------------------------------------------

#
# Table structure for table `ftpuser`
#

CREATE TABLE ftpuser (
id int(10) unsigned NOT NULL auto_increment,
userid varchar(32) NOT NULL default '',
passwd varchar(32) NOT NULL default '',
uid smallint(6) NOT NULL default '5500',
gid smallint(6) NOT NULL default '5500',
homedir varchar(255) NOT NULL default '',
shell varchar(16) NOT NULL default '/sbin/nologin',
count int(11) NOT NULL default '0',
accessed datetime NOT NULL default '0000-00-00 00:00:00',
modified datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (id),
UNIQUE KEY userid (userid)
) ENGINE=MyISAM COMMENT='ProFTP user table';

# test account; the password is stored in clear here, which only works because
# Plaintext is listed in SQLAuthTypes below
INSERT INTO ftpuser (userid, passwd, uid, gid, homedir, shell)
VALUES ('testaccount', 'ftppasswd', 5500, 5500, '/home/testdomain.com', '/sbin/nologin');

exit;

  • vi /usr/local/etc/proftpd.conf —> this file will hold the database password (SQLConnectInfo), so chmod 600 it; proftpd reads it as root.
  • DefaultRoot ~

    # Normally, we want files to be overwriteable.

    AllowOverwrite on

    # Plaintext is listed only so the sample 'ftppasswd' row above can log in.
    # While it is there the passwd column is a cleartext password store; drop it
    # (leaving Crypt) once real accounts carry crypt(3) hashes.
    SQLAuthTypes Plaintext Crypt
    #SQLAuthenticate users* groups*
    AuthOrder mod_sql.c mod_auth_unix.c

    # used to connect to the database
    # databasename@host database_user user_password
    SQLConnectInfo ftpdb@localhost proftpd PASSWORD

    # Here we tell ProFTPd the names of the database columns in the "usertable"
    # we want it to interact with. Match the names with those in the db
    SQLUserInfo ftpuser userid passwd uid gid homedir shell

    # Here we tell ProFTPd the names of the database columns in the "grouptable"
    # we want it to interact with. Again the names match with those in the db
    SQLGroupInfo ftpgroup groupname gid members

    # set min UID and GID - otherwise these are 999 each
    SQLMinID 500

    # create a user's home directory on demand if it doesn't exist
    # (newer ProFTPD releases replace this directive with CreateHome)
    SQLHomedirOnDemand on

    # Update count every time user logs in
    SQLLog PASS updatecount
    SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser

    # Update modified every time user uploads or deletes a file
    SQLLog STOR,DELE modified
    SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser

    # User quotas
    # ===========
    QuotaEngine on
    QuotaDirectoryTally on
    QuotaDisplayUnits Mb
    QuotaShowQuotas on

    SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"

    SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"

    SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies

    SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies

    QuotaLimitTable sql:/get-quota-limit
    QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally

    RootLogin off
    RequireValidShell off

  • proftpd -t -d5 —> syntax check of the config
  • proftpd -n -d6 —> run in the foreground with debug output
  • /etc/init.d/proftpd restart
  • Now if you add users to the ftpuser table you should be able to log in with those credentials without having to do anything else.
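What goes into the passwd column once Plaintext is dropped from SQLAuthTypes, as an added example written for this page in Python (it is not ProFTPD's code). mod_sql's OpenSSL auth type (SQLAuthTypes OpenSSL, which needs mod_sql built against OpenSSL) expects the stored value as {digest}base64(digest(password)); the helpers below mint and check that form, generate random passwords for it, and build a parameterised INSERT for the ftpuser table above. The digest choice, the password length and the need to widen passwd beyond varchar(32) (a {sha256} value is 52 characters) are assumptions; the scheme is unsalted, so it suits generated passwords, not user-chosen ones:

```python
"""Hashed credentials for the ftpuser table (added example, not ProFTPD's
code). Format assumed: mod_sql's OpenSSL auth type, {digest}base64(digest)."""
import base64
import hashlib
import hmac
import secrets
from typing import Tuple

DIGEST = "sha256"  # assumption; any digest name OpenSSL and hashlib both know


def openssl_hash(password: str, digest: str = DIGEST) -> str:
    """Value to store in ftpuser.passwd, e.g. '{sha256}<44 base64 chars>'."""
    raw = hashlib.new(digest, password.encode("utf-8")).digest()
    return "{%s}%s" % (digest, base64.b64encode(raw).decode("ascii"))


def check_password(password: str, stored: str) -> bool:
    """Verify a login attempt against a stored value. Anything that is not in
    the {digest}... form is refused outright rather than compared as plaintext."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    digest = stored[1:stored.index("}")]
    try:
        expected = openssl_hash(password, digest)
    except ValueError:  # unknown digest name in the stored value
        return False
    return hmac.compare_digest(expected, stored)


def generate_password(length: int = 20) -> str:
    """Random password for a new account; with an unsalted digest this is what
    keeps a dumped table from being cracked with a wordlist."""
    return secrets.token_urlsafe(length)[:length]


def new_user_insert(userid: str, password: str, homedir: str) -> Tuple[str, tuple]:
    """Parameterised INSERT for the ftpuser table above (uid/gid 5500 as in the
    page). Hand the pair to a DB-API cursor.execute(); never interpolate the
    values into the SQL string yourself."""
    sql = ("INSERT INTO ftpuser (userid, passwd, uid, gid, homedir, shell) "
           "VALUES (%s, %s, 5500, 5500, %s, '/sbin/nologin')")
    return sql, (userid, openssl_hash(password), homedir)
```

With the column widened (ALTER TABLE ftpuser MODIFY passwd varchar(64) NOT NULL default '') and SQLAuthTypes set to OpenSSL, the sample 'ftppasswd' row stops working until it is re-inserted through new_user_insert, which is the intended effect: nothing in the table is usable as a password any more.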

    Please feel free to contact me if you run into a problem while setting this up.

    Recently I came up with the need to test multiple ftp accounts on a server. The server has been set up using proftpd, with mysql as the backend for the authentication and quotas.

    Anyways so here is the small script which I put together. It does not use the db but can be easily modified to use the db and run tests on multiple accounts. Place this script on the host where you want to test and call it through an http call in a webbrowser.

    <?php
    // Login test for one ftp account. The credentials arrive as query string
    // variables, so keep this script behind HTTP auth or an IP restriction:
    // anyone who can reach it can use it to try guessed passwords, and the
    // password ends up in the web server's access log.
    $userid   = isset($_GET['uid'])  ? $_GET['uid']  : '';
    $password = isset($_GET['pass']) ? $_GET['pass'] : '';

    // this too can be a query string variable if you want to test the ftp accounts on a different server
    $ftp_server = "localhost";
    $conn_id = ftp_connect($ftp_server) or die("Couldn't connect to $ftp_server");

    // Open a session; @ suppresses PHP's own warning on a failed login so we report it ourselves
    $login_result = @ftp_login($conn_id, $userid, $password);

    // Check open
    if ((!$conn_id) || (!$login_result)) {
        echo "Ftp-connect failed!";
    } else {
        echo "Connected.";
    }

    // most important: clean up after you're done, whichever way the login went!
    ftp_close($conn_id);
    ?>

    The utility of this extremely simple script is more evident when you consider a PHP hosting setup where you don't really want to use an ftp client to test. There, calling the script with the variables pulled from a db is enough to test the validity of credentials. Because it answers differently for good and bad credentials it is also an oracle for anyone else who can reach it, so restrict the URL (HTTP auth, an IP allow list, or remove it once the test is done) and prefer POST over GET so the passwords stay out of the access log.

    This is a part of the proftpd+mysql writeup which I’ll post pretty soon
