tmartin@
Guest
Hi all,
I'm new to Plesk and Linux so please bear with me. I recently installed Plesk in a Virtuozzo VPS using CentOS 3.3 as the OS. A few days after I installed Plesk, I was flooded with 60,000+ spam messages. Since then I've been using Google for a crash course in spam prevention. I decided to post this article for two reasons. First, I need some advice as to whether or not I've covered my bases as far as spam is concerned. I'm also a little worried about a couple of warnings chkrootkit is giving me (see below). Lastly, I thought reading this and any follow-ups by more experienced administrators might help someone else in my position. Here's what I've done so far.
I 'cleaned' the queue using the instructions at http://kb.swsoft.com/article_22_252_en.html. I had to download the psa-qmail and drweb-qmail rpms for my version of Plesk from atomicrocketturtle.com.
I enabled Server > mail > Maps using the following zones:
sbl-xbl.spamhaus.org;opm.blitzed.org
I set Server > mail > Relaying to 'closed'
I think requiring authorization is probably sufficient and more realistic, but I'm a little paranoid right now.
I set the remote timeout value in /var/qmail/control/timeoutremote to 40
I set the queue lifetime to 3600 seconds in the file
/var/qmail/control/queuelifetime
Running /var/qmail/bin/qmail-qstat gives:
messages in queue: 1229
messages in queue but not yet preprocessed: 0
That's much better, but I'm wondering if there's more that I can do.
Also, and perhaps more importantly, I downloaded three programs to help me in the future.
qmhandle
http://sourceforge.net/projects/qmhandle
rootkit
http://www.rootkit.nl/
chkrootkit
http://www.chkrootkit.org/
rootkit did not find anything, but I receive the following when I run chkrootkit
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
I receive the 'lkm' error every time I run chkconfig. I googled these errors. The bindshell INFECTED (PORTS: 465) appears to be a common false positive. When I run
lsof -Pni | grep 465
I receive the following
xinetd 11433 root 17u IPv4 11424584 TCP *:465 (LISTEN)
I'm assuming this is normal, but I'm not really sure. The sites I've seen that talk about the 'lkm' warning are mixed about whether or not this is a legitimate Trojan.
Any advice on my spam prevention measures / chkrootkit errors is much appreciated.
Thanks,
Troy
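The two chkrootkit warnings in the post can be checked by hand. The `lkm` test (chkproc) compares the PIDs visible in /proc with the PIDs `ps` reports; a process that starts or exits between those two scans shows up as "1 process hidden" for an instant, which is the usual false positive. The `bindshell` test only looks at which ports are listening, so the lsof line showing xinetd on 465 needs to be tied back to a service definition to decide whether it is expected. The script below is an added example written for this reply, not part of the original post and not part of chkrootkit or Plesk. It assumes a POSIX sh with `ps -e -o pid=`, `awk` and a /proc filesystem, the conventional /etc/services and /etc/xinetd.d paths, and a constructed /etc/services sample for the offline test; the name of the xinetd service file for port 465 is not assumed.

```shell
#!/bin/sh
# Added example (not from the original post, not chkrootkit's code):
# redo the chkproc comparison with two rounds, and map a listening port
# back to its xinetd service definition.

# PIDs in $1 that are absent from $2 (both whitespace-separated lists).
hidden_pids() {
    for p in $1; do
        found=0
        for q in $2; do
            [ "$p" = "$q" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# PIDs present in both $1 and $2.
intersect_pids() {
    for p in $1; do
        for q in $2; do
            [ "$p" = "$q" ] && { printf '%s\n' "$p"; break; }
        done
    done
    return 0
}

# One snapshot of each view. The subshell, ls and ps spawned here are
# themselves short-lived and appear "hidden" in a single round, which is
# the same race chkproc hits; the two-round intersection drops them.
proc_pids() { ls /proc | grep -E '^[0-9]+$' | tr '\n' ' '; }
ps_pids()   { ps -e -o pid= | tr -s ' \n' ' '; }

# Report only PIDs hidden in both rounds, taken one second apart.
persistent_hidden_pids() {
    first=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    intersect_pids "$first" "$second"
}

# Service name for TCP port $2 from /etc/services-style text in $1.
service_name_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" \
        '$1 !~ /^#/ && $2 == port "/tcp" { print $1; exit }'
}

# Constructed sample of /etc/services lines (not copied from any host).
SAMPLE_SERVICES='# constructed sample
smtp       25/tcp    mail
smtps      465/tcp   # SMTP over SSL
submission 587/tcp'

# For a port that lsof attributes to xinetd: name the service and find
# which file under /etc/xinetd.d defines it and whether it is enabled.
explain_xinetd_port() {
    name=$(service_name_for_port "$(cat /etc/services 2>/dev/null)" "$1")
    [ -n "$name" ] || { echo "port $1: no /etc/services entry"; return 1; }
    echo "port $1 is service '$name'"
    grep -El "^[[:space:]]*service[[:space:]]+$name([[:space:]]|$)" \
        /etc/xinetd.d/* 2>/dev/null |
    while read -r f; do
        if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' "$f"; then
            echo "enabled by $f"
        else
            echo "defined but disabled in $f"
        fi
    done
}

case "${1:-}" in
    hidden) h=$(persistent_hidden_pids)
            if [ -n "$h" ]; then echo "persistently hidden: $h"
            else echo "no persistently hidden PIDs"; fi ;;
    port)   explain_xinetd_port "${2:-465}" ;;
esac
```

Run it as `sh check.sh hidden` for the chkproc comparison and `sh check.sh port 465` for the listener. A PID that stays hidden across both rounds is a real lead rather than proof, because every tool in this script runs on the kernel under suspicion; at that point the next step is to compare against the same host inspected from a known-clean boot medium, not to keep querying the live system.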