EBF's Monster OneLiner

Posted by alex almazan Wed, 26 Mar 2008 04:01:00 GMT

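#!/usr/bin/env bash
# Spam-source triage for a Plesk/qmail host ("EBF's Monster OneLiner",
# written out as a script).  For the first $max_msgs files in the qmail
# queue it prints the envelope, the qmail Received: stamp and who injected
# the message: the SMTP AUTH user for network injections (plus that
# mailbox's password from the Plesk database), or the web access_log POST
# hits at that minute for messages injected by the web server uid.
# Everything printed is also appended to spaminfo/report.out.
#
# Files written in the current directory: spaminfo/report.out, access_logs,
# error_logs, docroots.out.  Runs as root (reads /etc/psa/.psa.shadow,
# /var/qmail/queue, /var/log/messages*).
#
# No "set -e" on purpose: grep/zgrep exit 1 on "no match", which is a normal
# result at almost every step here.

readonly server_root=/etc/httpd           # Apache ServerRoot; relative Include paths resolve against it
readonly apache_log_dir=/var/log/httpd    # where "logs/..." log paths from httpd.conf end up
readonly web_uid=48                       # uid the web server injects mail as (apache on RHEL) — confirm for this host
max_msgs=${max_msgs:-10}                  # queue files to inspect; override in the environment

#######################################
# Record a config file for the Include walk unless it was seen already.
# httpdconfs.out doubles as the "seen" set, which also ends include cycles.
# Arguments: $1 - config file path
# Globals:   queue (appended; the caller's array)
#######################################
_remember_cfg() {
  grep -qxF -- "$1" httpdconfs.out && return 0
  printf '%s\n' "$1" >> httpdconfs.out
  queue+=("$1")
}

#######################################
# Resolve the httpd.conf Include chain and extract log paths / docroots.
# Globals:  server_root, apache_log_dir (read)
# Outputs:  access_logs, error_logs, docroots.out in the current directory;
#           skipped when docroots.out already exists
#######################################
parse_apache_config() {
  local root_cfg cfg inc path f
  local -a queue

  if [[ -f docroots.out ]]; then
    echo "Apache config already  parsed"
    return 0
  fi

  # The original tested for an H-Sphere httpd.conf but chose the same path
  # in both branches, so that check is dropped.
  root_cfg="$server_root/conf/httpd.conf"

  # Breadth-first walk over Include / IncludeOptional directives.
  printf '%s\n' "$root_cfg" > httpdconfs.out
  queue=("$root_cfg")
  while (( ${#queue[@]} > 0 )); do
    cfg=${queue[0]}
    queue=("${queue[@]:1}")
    [[ -r $cfg ]] || continue
    while IFS= read -r inc; do
      [[ $inc == /* ]] || inc="$server_root/$inc"   # relative to ServerRoot
      # shellcheck disable=SC2086 — Include accepts wildcards, so $inc must glob
      for path in $inc; do
        if [[ -d $path ]]; then
          # Including a directory includes the files inside it.
          for f in "$path"/*; do
            [[ -f $f ]] && _remember_cfg "$f"
          done
        elif [[ -f $path ]]; then
          _remember_cfg "$path"
        fi
      done
    done < <(awk 'tolower($1) ~ /^include(optional)?$/ { gsub(/"/, "", $2); print $2 }' "$cfg")
  done

  # One awk pass per file: directive names are case-insensitive, comment
  # lines are skipped, surrounding quotes dropped and "logs/..." made absolute.
  while IFS= read -r cfg; do
    awk -v logdir="$apache_log_dir/" '
      $1 ~ /^#/ || NF < 2 { next }
      { d = tolower($1); gsub(/"/, "", $2) }
      d == "documentroot"                { print "docroot", $2; next }
      d ~ /^(transfer|custom|error)log$/ { sub(/^logs\//, logdir, $2); print d, $2 }
    ' "$cfg"
  done < httpdconfs.out > logs.out

  # Dedupe while keeping first-seen order; docroots.out is written last
  # because its existence is the "already parsed" marker.
  awk '$1 == "errorlog" && !seen[$2]++ { print $2 }' logs.out > error_logs
  awk '($1 == "transferlog" || $1 == "customlog") && !seen[$2]++ { print $2 }' logs.out > access_logs
  awk '$1 == "docroot" && !seen[$2]++ { print $2 }' logs.out > docroots.out
  rm -f logs.out httpdconfs.out
}

#######################################
# Print the first matching header from the header block of a message.
# Arguments: $1 - header name (case-insensitive); $2 - message file
# Outputs:   the text after "Name: ", or nothing
#######################################
header_value() {
  awk -v name="$1" '
    /^$/ { exit }                                   # end of the header block
    tolower($0) ~ ("^" tolower(name) ": ") { sub(/^[^:]*: */, ""); print; exit }
  ' "$2"
}

#######################################
# Parse one queued message and its envelope into the globals used below.
# Globals (written): msgno remfile rcptlist rcvhdr qmpid method datefromhdr
#                    daypatt apachefmt_date subjhdr fromhdr
# Globals (read):    msgfile - path under /var/qmail/queue/mess/
#######################################
read_queue_message() {
  local stamp day mon year hms
  msgno=${msgfile##*/}
  remfile=${msgfile//mess/remote}
  # Envelope recipients are "T<addr>\0" records; print them space-separated.
  rcptlist=$(tr '\0' '\n' < "$remfile" | sed -e 's/^T//' | paste -s -d ' ')
  rcvhdr=$(awk '/^Received: \(qmail / { print; exit }' "$msgfile")
  # e.g. "Received: (qmail 123 invoked by uid 48); 26 Mar 2008 04:01:00 -0000"
  qmpid=${rcvhdr#*(qmail }
  qmpid=${qmpid%% invoked*}
  method=${rcvhdr#*invoked }
  method=${method%%)*}
  stamp=${rcvhdr#*); }
  read -r day mon year hms _ <<<"$stamp"
  # NOTE(review): qmail stamps are -0000 (UTC) while syslog uses local
  # time; the patterns below only line up when the host clock is UTC.
  datefromhdr="$mon *$day $hms"               # syslog style; " *" absorbs day padding
  daypatt="$mon *$day ${hms%:*}"              # same, minute precision
  apachefmt_date="$day/$mon/$year:${hms%:*}"  # access_log style, minute precision
  subjhdr=$(header_value Subject "$msgfile")
  fromhdr=$(header_value From "$msgfile")
}

#######################################
# Pull the connecting IP out of the first "Received: ... (ip)" header.
# Globals: msgfile (read), host (written)
#######################################
find_host_from_headers() {
  local line
  line=$(awk '/^$/ { exit } /^Received: .*\)$/ { print; exit }' "$msgfile")
  host=${line##*(}
  host=${host%)}
  echo " - connected from: $host"
}

#######################################
# Show the maillog lines for this message (not called by main; kept for
# interactive use).
# Globals: datefromhdr msgno mlfn (read)
#######################################
find_maillog_entries() {
  local srchpatt="$datefromhdr.*msg $msgno"
  echo "$mlfn:"
  zgrep -h -- "$srchpatt" "$mlfn"*
}

# First SMTP AUTH user name whose /var/log/messages line matches regex $1.
_smtp_auth_user() {
  zgrep -h -- "$1" /var/log/messages* \
    | sed -e 's/^.*smtp_auth: SMTP user //' -e 's/:.*$//' \
    | head -n 1
}

# Escape $1 for use inside a double-quoted MySQL string literal.
_sql_escape() {
  printf '%s' "$1" | sed -e 's/[\\"]/\\&/g'
}

#######################################
# Print the Plesk mailbox password for mail_name $1 in domain $2.
# The admin password is passed through MYSQL_PWD rather than -p<pw> so it
# does not show up in `ps`.
#######################################
_mailbox_password() {
  local mail_name dom
  mail_name=$(_sql_escape "$1")
  dom=$(_sql_escape "$2")
  MYSQL_PWD=$(cat /etc/psa/.psa.shadow) mysql -uadmin psa -e \
    "select password from domains left join mail on domains.id=mail.dom_id left join accounts on mail.account_id= accounts.id where postbox= \"true\" and mail_name=\"$mail_name\" and domains.name=\"$dom\"\G" \
    | grep --binary-files=text "password:" | sed -n 's/^ *password: //p'
}

#######################################
# Find which SMTP AUTH user connected from $host at the message time and
# print that mailbox's password from the Plesk database.
# Globals: subjhdr datefromhdr daypatt host domain (read); user (written)
#######################################
find_user_from_messagelog() {
  local hostre mail_name dom
  if [[ $subjhdr == 'failure notice' ]]; then
    echo "failure notice"
    return 0
  fi
  hostre=${host//./\\.}     # $host is regex data: make its dots literal
  user=$(_smtp_auth_user "$datefromhdr .* smtp_auth: SMTP user.*$hostre")
  if [[ -z $user ]]; then
    echo "user not found.  searching again with truncated timestamp, may provide weird results"
    user=$(_smtp_auth_user "$daypatt .* smtp_auth: SMTP user.*$hostre")
  fi
  if [[ -z $user ]]; then
    user="not found"
  else
    mail_name=$user
    dom=${domain:-}
    # NOTE(review): nothing in this script assigns $domain (the original
    # compared domains.name against it anyway).  Plesk appears to log the
    # SMTP AUTH user as mailbox@domain — confirm — so split on '@' when
    # $domain is unset.
    if [[ -z $dom && $user == *@* ]]; then
      mail_name=${user%@*}
      dom=${user##*@}
    fi
    _mailbox_password "$mail_name" "$dom"
  fi
  echo "SMTP auth user $user"
}

#######################################
# Show web access_log POST requests at the message's minute.
# Globals: apachefmt_date (read); reads access_logs from parse_apache_config
#######################################
find_alog_hit() {
  local alog
  echo "Searching web access_logs..."
  while IFS= read -r alog; do
    [[ -n $alog ]] || continue
    zgrep -- "$apachefmt_date.*POST" "$alog"*   # trailing glob: rotated copies too
  done < access_logs
}

#######################################
# Print the report section for the message parsed by read_queue_message.
# Globals: msgno rcptlist fromhdr datefromhdr subjhdr qmpid method web_uid (read)
#######################################
report_message() {
  local host user   # scratch for the helpers; not leaked between messages
  echo "found msg: $msgno"
  echo "To: $rcptlist"
  echo "From: $fromhdr"
  echo "Timestamp: ${datefromhdr//\*/}"
  echo "Subject: $subjhdr"
  printf 'qmail pid=%s, %s' "$qmpid" "$method"
  case $method in
    "from network")   find_host_from_headers && find_user_from_messagelog ;;
    "by uid $web_uid") find_alog_hit ;;
  esac
  printf '\n\n***\n\n'
}

main() {
  local msgfile
  if [[ ! -d spaminfo ]]; then
    # 0700/0600: the report can contain mailbox passwords.
    mkdir -m 0700 spaminfo || { echo "Could not create work directory" >&2; exit 1; }
  fi
  : > spaminfo/report.out
  chmod 0600 spaminfo/report.out
  if [[ -d /etc/psa ]]; then
    mlfn=/usr/local/psa/var/log/maillog
    echo "Found maillog: $mlfn"
    echo "Parsing Apache configuration file chain"
    parse_apache_config
    while IFS= read -r msgfile; do
      read_queue_message
      report_message
    done < <(find /var/qmail/queue/mess/ -type f | head -n "$max_msgs")
  else
    mlfn=/var/log/maillog   # kept for parity with the original; only find_maillog_entries reads it
  fi | tee -a spaminfo/report.out
}

main "$@"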

Plesk log rotate

Posted by alex almazan Mon, 31 Dec 2007 21:24:00 GMT

Behind the scenes: which domains have multi-domain log rotation enabled in Plesk
[root@server1 log]# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7578332 to server version: 4.0.18-Max

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>  select a.*,b.name from log_rotation a join domains b on a.id=b.id where turned_on="true";

Quick Plesk Rails

Posted by alex almazan Mon, 31 Dec 2007 20:52:00 GMT

To install an application written in Ruby on your site:

1. On your Home page, select the domain name you need, then, under Hosting, click Setup.

2. Select the CGI and FastCGI check boxes, and click OK.

3. Connect to your FTP account, change to the httpdocs directory.

4. Upload the application files to the httpdocs/ directory.

5. Create a file with name .htaccess in this directory, open it with a text editor of your choice and add the following lines into the file:

# Rewrite rules for serving the Rails application from httpdocs/ via FastCGI.
RewriteEngine On
# A request for the bare site root is served the static front page under public/.
RewriteRule ^$ /public/index.html [L]
# Any path not already under /public is rewritten to the same path under /public.
RewriteCond %{REQUEST_URI} !^/public
RewriteRule ^(.*)$ /public/$1 [L]
# Paths that match no existing file go to the Rails FastCGI dispatcher,
# with the query string preserved (QSA).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ public/dispatch.fcgi/$1 [QSA,L]

6. Save the file.

7. Remove the file public/.htaccess

8. Open the file public/dispatch.fcgi with a text editor and put the following lines there
#!/usr/bin/ruby

9. Save the file.

Now the web application will be accessible at the following URL: http://yourdomain.com/.

IMAP SMTP auth & SPAM

Posted by alex almazan Mon, 31 Dec 2007 20:44:00 GMT

These handy bits of one-line foo are straight from one of the smartest and strangest admins I have had the pleasure of meeting. He is always crafting these sorts of tools for use.

Tally of who failed SMTP Auth login:
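# syslog lines carry no year; the original hard-coded "/2007". Set year=YYYY
# in the environment when reading older rotated logs (default: current year).
grep "smtp_auth: .* connect from" /var/log/messages | awk -v year="${year:-$(date +%Y)}" '{print $2"/"$1"/"year":"$3"\t"$9"\t"$10}' | sed -e "s/\[//g" -e "s/\]//g"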
And their IPs
# Top 20 source addresses of the "SMTP connect from" lines (field 10 of the
# syslog line, with the surrounding brackets stripped).
awk '/smtp_auth: SMTP connect from/ { gsub(/[][]/, "", $10); print $10 }' /var/log/messages | sort -n | uniq -c | sort -nr | head -n 20
Tally of who succeeded SMTP Auth login:
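# syslog lines carry no year; the original hard-coded "/2007". Set year=YYYY
# in the environment when reading older rotated logs (default: current year).
grep "smtp_auth: smtp_auth: SMTP user " /var/log/messages | grep "logged in from " | awk -v year="${year:-$(date +%Y)}" '{print $2"/"$1"/"year":"$3"\t"$9"\t"$16}' | sed -e "s/\[//g" -e "s/\]//g"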
And their IPs
# Top 20 source addresses of successful "SMTP user ... logged in from" lines
# (field 16 of the syslog line, with the surrounding brackets stripped).
awk '/smtp_auth: smtp_auth: SMTP user / && /logged in from / { gsub(/[][]/, "", $16); print $16 }' /var/log/messages | sort -n | uniq -c | sort -nr | head -n 20

Plesk Grey List

Posted by alex almazan Tue, 18 Dec 2007 00:09:00 GMT

Greylisting is an alternative to the psa-spamassassin method for dealing with spam/UCE. These instructions work with Plesk 7.54 and 8.x; however, there is no guarantee that this setup will survive later Plesk updates.

Obtain the sources
wget http://carbonblock.net/files/qmail-...greylist.tar.gz
The source contains patches by SW Soft, please do not distribute.
# Unpack the archive and enter the source tree.
tar xvfz qmail-1.03-psa-greylist.tar.gz
cd qmail-1.03

Edit local_scan.c and change values as appropriate.

/* Greylist database connection used by local_scan.c. */
#define MYSQLHOST "localhost"
#define MYSQLUSER "greylist"
/* Example value from this post: pick your own, and use the same one in the
 * GRANT below and in the greylist.clean cron script. */
#define MYSQLPASS "rdePmee7"
#define MYSQLDB "qmail"
#define BLOCK_EXPIRE 2 /* minutes until email is accepted */
#define RECORD_EXPIRE 1480 /* minutes until record expires */
#define RECORD_EXPIRE_GOOD 36 /* days until record expires after accepting email */
Setup MySQL
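# MYSQL_PWD instead of -p<password>: the latter puts the admin password on
# the command line where `ps` can show it.
MYSQL_PWD="$(cat /etc/psa/.psa.shadow)" mysql -u admin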

mysql>CREATE DATABASE qmail;
mysql>GRANT ALL ON qmail.* TO 'greylist'@'localhost' IDENTIFIED BY 'rdePmee7';
mysql>FLUSH PRIVILEGES;
Table structure for table `relaytofrom`
-- Greylist records: one row per (relay IP, envelope sender, envelope
-- recipient) triplet with its block/expiry timers and counters.  Rows with
-- origin_type AUTO are pruned by the greylist.clean cron script below.
CREATE TABLE relaytofrom (
id bigint(20) NOT NULL auto_increment,
relay_ip varchar(16) default NULL,
mail_from varchar(255) default NULL,
rcpt_to varchar(255) default NULL,
block_expires datetime NOT NULL default '0000-00-00 00:00:00',
record_expires datetime NOT NULL default '0000-00-00 00:00:00',
blocked_count bigint(20) NOT NULL default '0',
passed_count bigint(20) NOT NULL default '0',
aborted_count bigint(20) NOT NULL default '0',
origin_type enum('MANUAL','AUTO') NOT NULL default 'MANUAL',
create_time datetime NOT NULL default '0000-00-00 00:00:00',
-- timestamp(14) display width is old (MySQL 4.0-era) syntax; newer servers
-- may reject it — confirm against the target server version.
last_update timestamp(14) NOT NULL,
PRIMARY KEY (id),
KEY relay_ip (relay_ip),
KEY mail_from (mail_from(20)),
KEY rcpt_to (rcpt_to(20))
-- TYPE= is the pre-5.5 spelling of ENGINE=.
) TYPE=MyISAM;
Edit conf-ld and change it to:
cc -s -lssl
Next
make
# Stop the SMTP path before swapping binaries; both are started again below.
/etc/init.d/qmail stop
/etc/init.d/xinetd stop
# Keep the unpatched qmail-smtpd ("ticket-#" is a placeholder for your ticket directory).
mkdir /home/user/ticket-#/BACKUP
cp /var/qmail/bin/qmail-smtpd /home/user/ticket-#/BACKUP
(this backs up the base qmail binary; only do this on the first install)
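# Install the patched binaries; the trailing "." keeps the source file names.
cp qmail-envelope-scanner /var/qmail/bin/.
cp -f qmail-smtpd /var/qmail/bin/.
# "user:group" is the POSIX form; the "user.group" spelling is deprecated.
chown root:qmail /var/qmail/bin/qmail-envelope-scanner
chown root:qmail /var/qmail/bin/qmail-smtpd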
Next
# Bring mail back up with the patched qmail-smtpd in place.
/etc/init.d/qmail start
/etc/init.d/xinetd start

Create a quick Perl script to clean up the database and place it in /etc/cron.daily as greylist.clean:

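#!/usr/bin/perl
# /etc/cron.daily/greylist.clean: prune expired automatic greylist entries
# and reclaim the table space.
use strict;
use warnings;

use Fcntl qw(O_WRONLY O_CREAT O_TRUNC O_NOFOLLOW);

# Connection settings.  DBPASS must match the GRANT for 'greylist'@'localhost'
# and MYSQLPASS in local_scan.c.  NOTE(review): a credential in a cron script
# is readable by anyone who can read the script — keep the file mode tight.
use constant DBD => 'DBI:mysql:qmail:localhost:3306';
use constant DBUSER => 'greylist';
use constant DBPASS => 'rdePmee7';

use DBI;

# Truncate the debug file without going through the shell.  This runs as
# root in a world-writable directory, so O_NOFOLLOW refuses to truncate
# through a symlink planted at that name (`cat /dev/null > ...` would not).
my $dbg = '/tmp/greylist_dbg.txt';
if (sysopen(my $fh, $dbg, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644)) {
    close($fh);
} else {
    warn "cannot truncate $dbg: $!\n";
}

# RaiseError turns a failed statement into a die instead of an ignored
# return value, so a broken cleanup shows up in the cron mail.
my $dbh = DBI->connect(DBD, DBUSER, DBPASS, { RaiseError => 1, PrintError => 0 })
    or die "can't connect to db ", $DBI::errstr;

# Automatic entries whose record has been expired for at least an hour.
$dbh->do("DELETE FROM relaytofrom WHERE record_expires < NOW() - INTERVAL 1 HOUR AND origin_type = 'AUTO'");
$dbh->do("OPTIMIZE TABLE relaytofrom");

$dbh->disconnect;

exit;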
