Thursday, March 11, 2010

Find out if your mail server is an open relay

Open relay, from Wikipedia:

An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular due to their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers.

How to quickly check whether your mail server is an open relay: telnet to the test service from the server you want tested, because it probes the address you connect from (the "Connecting to x.x.x.x" line in the session below):

telnet relay-test.mail-abuse.org

[terung@myvps ~]$ telnet relay-test.mail-abuse.org
Trying 168.61.4.13...
Connected to relay-test.mail-abuse.org.
Escape character is '^]'.
Connecting to x.x.x.x ...
<<< 220 myvps.mydomain.com ESMTP
>>> HELO cygnus.mail-abuse.org
<<< 250 myvps.mydomain.com
:Relay test: #Quote test
>>> mail from:
<<< 250 ok
>>> rcpt to: <"nobody@mail-abuse.org">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 1
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 2
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #test 3
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 4
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 5
>>> mail from: <>
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 6
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 7
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 8
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 9
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 10
>>> mail from:
<<< 250 ok
>>> rcpt to: <"nobody@mail-abuse.org">
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 11
>>> mail from:
<<< 250 ok
>>> rcpt to: <"nobody%mail-abuse.org">
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 12
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 13
>>> mail from:
<<< 250 ok
>>> rcpt to: <"nobody@mail-abuse.org"@[x.x.x.x]>
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 14
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 15
>>> mail from:
<<< 250 ok
>>> rcpt to: <@:nobody@mail-abuse.org>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 16
>>> mail from:
<<< 250 ok
>>> rcpt to: <@[x.x.x.x]:nobody@mail-abuse.org>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 17
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #test 18
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #test 19
>>> mail from:
<<< 250 ok
>>> rcpt to:
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
>>> QUIT
<<< 221 myvps.mydomain.com
Tested host banner: 220 myvps.mydomain.com ESMTP
System appeared to reject relay attempts
Connection closed by foreign host.
[terung@myvps ~]$
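To read a session like the one above programmatically, here is an added example in Python (not the mail-abuse.org tool and not part of the original post). It parses the ">>>"/"<<<" transcript format, pulls out the server reply to each "rcpt to", and flags any test in which a recipient the server is not responsible for was accepted with a 2xx code, which is what makes a server an open relay. The self_check function performs the same single probe with smtplib against a host you own (default localhost). The two sample transcripts and every hostname and address in the block are constructed.

```python
"""Interpret an SMTP relay-test transcript and self-check a mail server.

Added example, not part of the original post. The transcript format
(">>>" client lines, "<<<" server replies, ":Relay test:" markers) follows
the relay-test.mail-abuse.org session shown above; the sample transcripts
below are constructed, not captured from a real server.
"""
import re
import smtplib

REPLY_RE = re.compile(r"^<<< (\d{3})")

# Constructed transcript: both recipients rejected -> relay closed.
CLOSED_RELAY = """\
<<< 220 mail.example.net ESMTP
>>> HELO relaycheck.example.net
<<< 250 mail.example.net
:Relay test: #Test 1
>>> mail from: <test@example.com>
<<< 250 ok
>>> rcpt to: <nobody@example.org>
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>>> rset
<<< 250 flushed
:Relay test: #Test 2
>>> mail from: <>
<<< 250 ok
>>> rcpt to: <nobody@example.org>
<<< 553 we don't relay (#5.7.1)
>>> rset
<<< 250 flushed
>>> QUIT
<<< 221 mail.example.net
"""

# Constructed transcript: the null-sender test gets a 250 after RCPT TO,
# i.e. the server agreed to relay for a domain it does not host.
OPEN_RELAY = CLOSED_RELAY.replace(
    "<<< 553 we don't relay (#5.7.1)", "<<< 250 ok")


def parse_relay_transcript(text):
    """Return [(test_name, rcpt_reply_code), ...], one entry per relay test.

    Only the reply that follows the client's 'rcpt to:' line matters: a
    2xx code there means the server accepted a recipient it is not
    responsible for and would relay the message.
    """
    results = []
    current = None
    awaiting_rcpt_reply = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":Relay test:"):
            current = line.split(":Relay test:", 1)[1].strip()
            awaiting_rcpt_reply = False
        elif line.lower().startswith(">>> rcpt to"):
            awaiting_rcpt_reply = True
        elif awaiting_rcpt_reply:
            m = REPLY_RE.match(line)
            if m and current is not None:
                results.append((current, int(m.group(1))))
            awaiting_rcpt_reply = False
    return results


def open_relay_tests(results):
    """Names of the tests whose RCPT TO was accepted (2xx)."""
    return [name for name, code in results if 200 <= code < 300]


def verdict(text):
    """One-line summary in the style of the mail-abuse.org tool."""
    accepted = open_relay_tests(parse_relay_transcript(text))
    if not accepted:
        return "System appeared to reject relay attempts"
    return "RELAY ACCEPTED in: " + ", ".join(accepted)


def self_check(host="localhost", port=25, sender="test@example.com",
               rcpt="nobody@example.org"):
    """Ask your own server to accept a foreign sender -> foreign recipient.

    Returns the RCPT TO reply code; 2xx means the server is an open relay.
    The addresses are constructed placeholders; use domains you do not host.
    """
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.helo("relaycheck.example.net")
        s.mail(sender)
        code, _ = s.rcpt(rcpt)
        s.rset()
        return code


if __name__ == "__main__":
    print(verdict(CLOSED_RELAY))
    print(verdict(OPEN_RELAY))
```

Run self_check from the mail host itself (or any host whose connections the server treats as external) so that the result reflects what an arbitrary Internet client would get.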

fail2ban: drop the banhammer on those bruteforcer bots from China

Get fail2ban source from http://www.fail2ban.org/wiki/index.php/Downloads.

# tar -xjvf fail2ban-0.8.4.tar.bz2
# cd fail2ban-0.8.4
# python setup.py install

Autostart on RedHat, CentOS and Fedora:
# cp files/redhat-initd /etc/init.d/fail2ban
# chkconfig --add fail2ban
# chkconfig fail2ban on
# service fail2ban start

Copy the default config to jail.local; anything set in jail.local overrides the same setting in jail.conf, the default config:
# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

##########sampleconf##########
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator. Keep them on one line: a repeated ignoreip
# key replaces the earlier value instead of adding to it.
ignoreip = 127.0.0.1 203.82.1.1/24 x.x.x.x

# "bantime" is the number of seconds that a host is banned.
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
maxretry = 3

[ssh-iptables]

enabled = true
filter = sshd
# a multi-line action value must be indented on its continuation lines
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=yourmail@mail.com, sender=fail2ban@web.com]
logpath = /var/log/secure
maxretry = 3

[proftpd-iptables]

enabled = true
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
         sendmail-whois[name=ProFTPD, dest=yourmail@mail.com, sender=fail2ban@web.com]
logpath = /var/log/secure
maxretry = 6

#####endsample####
# on other distros, replace logpath with the log file that distro writes sshd/proftpd failures to

# /etc/init.d/fail2ban restart
or,
# service fail2ban restart

And check your iptables:
# iptables -L

If you want to unblock someone, delete their rule from the jail's chain. The chain is named fail2ban-<name> after the action's name= parameter, so fail2ban-SSH for the jail above; rule 1 is the first entry in that chain, so check the numbered listing before deleting:
# iptables -D fail2ban-SSH 1

Show failed SSH logins sorted by date (uniq -c counts identical lines):
# grep 'Failed password' /var/log/secure | sort | uniq -c

# test the sshd filter against your log to see which lines it matches
/usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
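To see what the jail parameters above actually do, here is an added Python example (not fail2ban's own code and not part of the original post) that models the findtime / maxretry / bantime decision for the sshd jail, honours ignoreip, and counts failures per source address the way the grep | sort | uniq -c one-liner approximates. The regex is a simplified version of the "Failed password" pattern that filter.d/sshd.conf matches; the log lines are constructed with RFC 5737 documentation addresses, and the year supplied to the syslog timestamps is an assumption.

```python
"""Model of fail2ban's findtime / maxretry / bantime logic for the sshd jail.

Added example, not fail2ban's own code. SAMPLE_LOG is constructed
(RFC 5737 documentation addresses) and FAILED_RE is a simplified version
of the "Failed password" pattern filter.d/sshd.conf matches.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed /var/log/secure excerpt: one fast brute-force burst, one slow
# guesser spaced beyond findtime, and failures from localhost.
SAMPLE_LOG = """\
Mar 11 09:00:01 myvps sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 11 09:00:05 myvps sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar 11 09:00:09 myvps sshd[2205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar 11 09:00:12 myvps sshd[2207]: Accepted password for terung from 198.51.100.20 port 51000 ssh2
Mar 11 09:01:00 myvps sshd[2209]: Failed password for root from 198.51.100.20 port 51010 ssh2
Mar 11 09:20:00 myvps sshd[2211]: Failed password for root from 198.51.100.20 port 51020 ssh2
Mar 11 09:40:00 myvps sshd[2213]: Failed password for root from 198.51.100.20 port 51030 ssh2
Mar 11 09:41:00 myvps sshd[2215]: Failed password for root from 127.0.0.1 port 51040 ssh2
Mar 11 09:41:10 myvps sshd[2216]: Failed password for root from 127.0.0.1 port 51041 ssh2
Mar 11 09:41:20 myvps sshd[2217]: Failed password for root from 127.0.0.1 port 51042 ssh2
"""


def parse_ts(ts, year=2010):
    # syslog timestamps carry no year; the year here is an assumption
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def failures_by_ip(log):
    """Counter of 'Failed password' lines per source address."""
    return Counter(m.group("ip")
                   for m in map(FAILED_RE.match, log.splitlines()) if m)


class Jail:
    def __init__(self, maxretry=3, findtime=600, bantime=86400, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        # ignoreip entries may be single addresses or CIDR masks
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> failure times inside findtime
        self.bans = {}                      # ip -> ban expiry

    def ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if self.ignored(ip) or self.bans.get(ip, now) > now:
            return None
        window = self.failures[ip]
        window.append(now)
        # forget failures older than findtime seconds
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None

    def run(self, log):
        """Replay a log and return the addresses banned, in ban order."""
        return [ip for ip in map(self.feed, log.splitlines()) if ip]


if __name__ == "__main__":
    jail = Jail(ignoreip=("127.0.0.1", "203.82.1.1/24"))
    print(failures_by_ip(SAMPLE_LOG))
    print("banned:", jail.run(SAMPLE_LOG))
```

With the jail settings from the sample config (maxretry 3, findtime 600) only the fast burst from 203.0.113.7 is banned: the slow guesser spaces its attempts more than 600 seconds apart and never accumulates three failures inside one window, which is why a long findtime matters against patient bots, and localhost is skipped because of ignoreip.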

If fail2ban does not seem to be updating iptables, check the fail2ban log. If you see the error below, you probably have an old version of iptables (one without the -w option) and need to tweak the fail2ban iptables action config.

fail2ban.action [32091]: ERROR iptables -w -N f2b- iptables -w -I INPUT -p tcp -m multiport --dports 0:65535 -j f2b- -- stderr: "iptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\niptables v1.4.7: option -w' requires an argument\nTryiptables -h' or 'iptables --help' for more information.\n"

reference: https://serverfault.com/questions/730675/fail2ban-action-error-iptables-w-n-f2b-jail-name

Open /etc/fail2ban/action.d/iptables-common.conf and comment out this line:

lockingopt = -w

and also change this line:

#iptables = iptables

to

iptables = iptables


extra reading: http://www.fail2ban.org/wiki/index.php/Main_Page

Wednesday, March 10, 2010

my xorg.conf for fglrx proprietary driver

I linked to instructions for installing the ATI proprietary driver in an older post. This is my config file after successfully installing the driver.

file: /etc/X11/xorg.conf

####Begin

Section "ServerLayout"
Identifier "aticonfig Layout"
Screen 0 "aticonfig-Screen[0]-0" 0 0
EndSection

Section "Files"
EndSection

Section "Module"
EndSection

Section "Monitor"
Identifier "aticonfig-Monitor[0]-0"
Option "VendorName" "ATI Proprietary Driver"
Option "ModelName" "Generic Autodetecting Monitor"
Option "DPMS" "true"
EndSection

Section "Device"
Identifier "Mobility Radeon HD 3400 Series"
Driver "fglrx"
Option "DynamicClocks" "on"
Option "mtrr" "on"
Option "DesktopSetup" "Single"
Option "ScreenOverlap" "0"
Option "VideoOverlay" "on"
Option "OpenGLOverlay" "off"
Option "Stereo" "off"
Option "StereoSyncEnable" "1"
Option "FSAAEnable" "no"
Option "FSAAScale" "1"
Option "FSAADisableGamma" "no"
Option "FSAACustomizeMSPos" "no"
Option "UseFastTLS" "0"
Option "BlockSignalsOnLock" "on"
Option "XAANoOffscreenPixmaps"
Option "AccelMethod" "XAA"
BusID "PCI:1:0:0"
EndSection

Section "Screen"
Identifier "aticonfig-Screen[0]-0"
# must match the Identifier of the Device section above
Device "Mobility Radeon HD 3400 Series"
Monitor "aticonfig-Monitor[0]-0"
DefaultDepth 24
SubSection "Display"
Viewport 0 0
Depth 24
EndSubSection
EndSection

########End

iptables sample ideal for vps

file path: /etc/sysconfig/iptables

This is a sample that you can use for your web hosting/VPS. It's pretty basic, really. Uncomment the entries you think you'll need. Make sure you back up your old config in case something goes wrong. Otherwise, proceed with caution and have fun!

#######iptables begin
# Generated by iptables-save v1.3.5 on Mon Mar 8 15:30:21 2010
*mangle
:PREROUTING ACCEPT [53641:56160765]
:INPUT ACCEPT [53641:56160765]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [44557:9348034]
:POSTROUTING ACCEPT [44557:9348034]
COMMIT
# Completed on Mon Mar 8 15:30:21 2010
# Generated by iptables-save v1.3.5 on Mon Mar 8 15:30:21 2010
*filter
:INPUT DROP [57:3312]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
-A INPUT -j VZ_INPUT
-A FORWARD -j VZ_FORWARD
-A OUTPUT -j VZ_OUTPUT
### allow incoming icmp only for established/related traffic, drop the rest
-A VZ_INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# (the original -d <address> restriction was lost in extraction; this matches any destination)
-A VZ_INPUT -p icmp -s 0/0 -j DROP
#
# Drop stealth scans
# (the original -i <interface> -s <address> restrictions were lost in extraction; these match any interface)
-A VZ_INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
#
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_INPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
#########################################################
# Drop all incoming malformed XMAS packets
-A VZ_INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all incoming malformed NULL packets
-A VZ_INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Bad incoming source ip address 0.0.0.0/8
-A VZ_INPUT -s 0.0.0.0/8 -j DROP
#if you're using local communication, comment this.
#i'm not sure if it will disturb it, but just in case..
# Bad incoming source ip address 127.0.0.0/8
#-A VZ_INPUT -s 127.0.0.0/8 -j DROP
# Bad incoming source ip address 10.0.0.0/8
-A VZ_INPUT -s 10.0.0.0/8 -j DROP
# Bad incoming source ip address 172.16.0.0/12
-A VZ_INPUT -s 172.16.0.0/12 -j DROP
# Bad incoming source ip address 192.168.0.0/16
-A VZ_INPUT -s 192.168.0.0/16 -j DROP
# Bad incoming source ip address 224.0.0.0/3
-A VZ_INPUT -s 224.0.0.0/3 -j DROP
#######################################################
#allow outgoing icmp
-A VZ_OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
-A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A VZ_OUTPUT -p tcp -j ACCEPT
-A VZ_OUTPUT -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -j ACCEPT
-A VZ_OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p udp -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 20:21 -j ACCEPT
-A VZ_OUTPUT -p tcp -m tcp --sport 32768:65535 -j ACCEPT
COMMIT
# Completed on Mon Mar 8 15:30:21 2010
# Generated by iptables-save v1.3.5 on Mon Mar 8 15:30:21 2010
*nat
:PREROUTING ACCEPT [6142:368537]
:POSTROUTING ACCEPT [315:20384]
:OUTPUT ACCEPT [315:20384]
COMMIT
# Completed on Mon Mar 8 15:30:21 2010
####iptables-end#

That's all. Restart iptables after editing.

/etc/init.d/iptables restart
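Because a single malformed line makes iptables-restore reject the whole file and leaves the policy-DROP chains empty, it pays to lint a ruleset before restarting. Here is an added Python example (not an iptables tool and not part of the original post) that parses the iptables-save format, reports rules with an option missing its argument, rules with no -j target (which only count packets), duplicate rules, and lists the ports the input chain accepts. The ruleset it runs on is a constructed excerpt modelled on the sample above, with two of the sample's defects reproduced so the checks have something to find.

```python
"""Lint an iptables-save ruleset before loading it with iptables-restore.

Added example, not part of the original post and not an iptables tool.
SAMPLE_RULES is a constructed excerpt modelled on the VPS sample above,
including a rule with a bare -d and a stealth-scan rule without a target.
"""
from collections import Counter

SAMPLE_RULES = """\
# Generated by iptables-save (constructed excerpt)
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_INPUT - [0:0]
-A INPUT -j VZ_INPUT
-A VZ_INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A VZ_INPUT -p icmp -s 0/0 -d -j DROP
-A VZ_INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
-A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT
-A VZ_INPUT -s 10.0.0.0/8 -j DROP
COMMIT
"""

# options that must be followed by a value (checking one value is enough)
NEEDS_ARG = {"-p", "-s", "-d", "-i", "-o", "-j", "-g", "-m",
             "--dport", "--sport", "--state", "--tcp-flags"}


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [tokens]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line.startswith(":"):               # chain declaration with policy
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):             # append rule to a chain
            toks = line.split()
            tables[table]["rules"].setdefault(toks[1], []).append(toks[2:])
        elif line == "COMMIT":
            table = None
    return tables


def _arg(rule, opt):
    """Token following opt in the rule, or None if absent/missing."""
    if opt not in rule:
        return None
    i = rule.index(opt)
    return rule[i + 1] if i + 1 < len(rule) else None


def lint(tables):
    """Findings iptables-restore would reject, or that silently do nothing."""
    findings = []
    for tname, t in tables.items():
        for chain, rules in t["rules"].items():
            for rule, n in Counter(" ".join(r) for r in rules).items():
                if n > 1:
                    findings.append(f"{tname}/{chain}: duplicate rule x{n}: {rule}")
            for r in rules:
                text = " ".join(r)
                if "-j" not in r and "-g" not in r:
                    findings.append(f"{tname}/{chain}: no target, rule only counts packets: {text}")
                for i, tok in enumerate(r):
                    nxt = r[i + 1] if i + 1 < len(r) else ""
                    if tok in NEEDS_ARG and (not nxt or nxt.startswith("-")):
                        findings.append(f"{tname}/{chain}: {tok} is missing its argument: {text}")
    return findings


def accepted_ports(tables, chain="VZ_INPUT"):
    """Sorted (proto, dport) pairs the chain ACCEPTs: the exposed services."""
    ports = set()
    for r in tables["filter"]["rules"].get(chain, []):
        if _arg(r, "-j") == "ACCEPT" and "--dport" in r:
            ports.add((_arg(r, "-p"), _arg(r, "--dport")))
    return sorted(ports)


if __name__ == "__main__":
    tables = parse_iptables_save(SAMPLE_RULES)
    for finding in lint(tables):
        print(finding)
    print("accepted:", accepted_ports(tables))
```

To check a live file, read /etc/sysconfig/iptables (or the output of iptables-save) into parse_iptables_save instead of SAMPLE_RULES; the accepted_ports listing is also a quick way to confirm that only the services you meant to expose (22, 25, 53, 80, 110 and the rest) are reachable with an INPUT policy of DROP.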

Sources:

http://www.homepage.montana.edu/~unixuser/031705/iptables.fedora.html
http://bash.cyberciti.biz/security/linux-virtuozzo-vps-firewall-script-2/
http://forums.vpslink.com/linux/865-iptables-error-weird-character-interface-venet0-0-a.html