Drug preguntas

Bug in Mailman


In cPanel >> Mailing Lists >> Modify

Getting the following error:
*******************************************************************************************************
Bug in Mailman version 2.1.9.cp2

We’re sorry, we hit a bug!

Please inform the webmaster for this site of this problem. Printing of traceback and other system information has been explicitly inhibited, but the webmaster can find this information in the Mailman error logs.

***********************************************************************************************************
Errors seen in error log of mailman

vi /usr/local/cpanel/3rdparty/mailman/logs/error

**********************************************************************************************************
self._parsebody(root, fp, firstbodyline)
File "/usr/local/cpanel/3rdparty/mailman/pythonlib/email/Parser.py", line 265, in _parsebody
msg = self.parse(fp)
File "/usr/local/cpanel/3rdparty/mailman/pythonlib/email/Parser.py", line 64, in parse
self._parsebody(root, fp, firstbodyline)
File "/usr/local/cpanel/3rdparty/mailman/pythonlib/email/Parser.py", line 206, in _parsebody
raise Errors.BoundaryError(
BoundaryError: No terminating boundary and no trailing empty line

*********************************************************************************************************

Resolution :

/scripts/fixmailman
/usr/local/cpanel/3rdparty/bin/check_db
/usr/local/cpanel/3rdparty/bin/check_perms
/scripts/reinstallmailman
chmod 02775 -R /usr/local/cpanel/3rdparty/mailman/

Also, once the problem was solved by changing the list language :)

Problem resolution if the above fix won't work

The latest Mailman has some bugs. It needs Python version 2.4.6 at least, but on CentOS 4/RHEL 4 servers the Python version is 2.4.3. So to fix the Mailman issue you need to upgrade Python without breaking Yum and other Python modules.

Upgrading Python on cPanel servers is a little difficult, because if you upgrade Python directly, the yum package manager will not work, and you would need to reinstall all the old rpms again.

Please proceed with the following to upgrade Python:

1) Download and install python 2.4.6

# cd /usr/local/src/
# wget  http://www.python.org/ftp/python/2.4.6/Python-2.4.6.tgz
# tar -xvzf Python-2.4.6.tgz
# cd Python-2.4.6/
# ./configure --prefix=/usr/local/python.2.4.6/
# make
# make install

2) Configure cpanel for latest Python as follows

# grep python /var/cpanel/cpanel.config
#python=/usr/local/bin/python2.4
python=/usr/local/python.2.4.6/bin/python2.4

3) Now reinstall Mailman

# /scripts/reinstallmailman

This will fix your issue.

Block Emails from a Particular domain??


To block all emails sent from a specific domain:
- Go to WHM/Service Configuration/Exim Configuration Editor and switch to Advanced mode
- At the begin acl form put:

if $header_from: contains "@domain_name.com"
then
fail text "What message do you want."
seen finish
endif

Plesk Installation


#wget http://download1.parallels.com/Plesk/Plesk8.3/FedoraC7/swsoft_installer_v3.3.0_build080116.12_os_FedoraCore_7_i386

#chmod +x swsoft_installer_v3.3.0_build080116.12_os_FedoraCore_7_i386

#./swsoft_installer_v3.3.0_build080116.12_os_FedoraCore_7_i386

MySql Tips


1) To check max connections

mysql> show variables like '%connections';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| max_connections      | 100   |
| max_user_connections | 0     |
+----------------------+-------+
2 rows in set (0.63 sec)

Also,

mysql> select user, max_connections, max_updates,max_questions from mysql.user;
+-----------------+-------------+---------------+
| max_connections | max_updates | max_questions |
+-----------------+-------------+---------------+
| 0               | 0           | 0             |
| 0               | 0           | 0             |
| 0               | 0           | 0             |
| 0 | 0 |

This may show something useful.

You could also set up an alert to warn yourself, and then find out what is really going on. Use the script below, changing the commands as required.

#!/bin/bash

# Address that receives the warning mail
ALERT_DEST=email.addr@email.add
# Number of lines printed by "show processlist" (one per connection, plus the header)
NUM_PROCESSES=`/usr/local/mysql/bin/mysql -e "show processlist;"|wc -l`

# Send the alert once the count goes above this value
MAX_BEFORE_ALERT=25

if [ ${NUM_PROCESSES} -gt ${MAX_BEFORE_ALERT} ]
then
echo |/usr/bin/mail -s "WARNING: MYSQL CONNECTIONS=${NUM_PROCESSES}" ${ALERT_DEST}
fi

Baby [yes itz baby] tips to prevent minor DDOS and SYNC.


You have to verify if the box is really compromised.

Check /etc/passwd and verify the UID of the user news:

#grep -i news /etc/passwd

:: Result: news:x:0:0:news:/etc/news:/bin/bash

This shows that the user news has UID and GID 0, so it has all root privileges, and it has also got full shell access.

Check the /tmp directory for any suspicious files:

#ls -al /tmp

Check the process tree and see whether there are any suspicious processes:

#ps aux --forest

Check for any established connections:

#netstat -plan

You will find the description of FIN_WAIT2 & TIME_WAIT in the man page of netstat. Type 'man netstat' in the shell. You can minimize those FIN_WAIT2 & TIME_WAIT states by doing the following:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Put following in /etc/sysctl.conf
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

Then execute the command :-
# /sbin/sysctl -p

Using IPtables
==============

You can also execute the following commands to minimize SYN attacks in the future:
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

service iptables save
service iptables restart

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

# Limiting the incoming icmp ping request:

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

Let us assume that you need to limit incoming connections to the ssh server (port 22) to no more than 10 connections in 10 minutes:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

=================================

The following command should help you isolate which
site was responsible for this injection:

find /usr/local/apache/domlogs/ -exec egrep -H '(wget|curl|lynx|wget)%20' {} \;

========================================================

A quick and useful set of commands for checking whether a server is under DDoS:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -anp | grep SYN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

netstat -anp | grep FIN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

These list the IPs holding the most connections to the server.
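The same tally with a threshold and a per-state filter, as an added example (not part of the original post). The function names and the sample netstat text are constructed for illustration; the port is stripped from the end of the address, so IPv6-mapped peers are counted correctly, which `cut -d: -f1` does not do.

```shell
#!/bin/sh
# Added example: count remote peers per TCP state from `netstat -an` style
# text and report only the peers at or above a threshold.

# Constructed sample using documentation addresses, not output from a real host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51820       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51900       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33000       FIN_WAIT2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 192.0.2.10:53           0.0.0.0:*
EOF
}

# peers_over STATE MIN: read netstat text on stdin and print "count ip" for
# every remote peer with at least MIN sockets in STATE ("ANY" = all states).
peers_over() {
    awk -v want="$1" -v min="$2" '
        $1 !~ /^tcp/ { next }                 # skip header, udp, unix sockets
        $6 == "LISTEN" { next }               # listeners have no real peer
        want != "ANY" && $6 != want { next }
        {
            peer = $5
            sub(/:[0-9*]+$/, "", peer)        # strip the port, keep the address
            n[peer]++
        }
        END { for (p in n) if (n[p] >= min) print n[p], p }
    ' | sort -rn
}

# Peers holding three or more half-open connections in the sample.
sample_netstat | peers_over SYN_RECV 3
```

On a live server, feed it real data with `netstat -ant | peers_over SYN_RECV 20`, choosing a threshold that fits the server's normal traffic.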

=========================================================

To kill perl processes:

ps auxww | grep perl | awk '{print $2}' | xargs kill -9

Command to Check which site is getting attack or ddos or sync??


It works for me [sometimes]. You can also modify the command with the most commonly used attack words, like wget, etc.

find /usr/local/apache/domlogs/ -exec egrep -H '(wget|curl|lynx|wget)%20' {} \;
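The domlogs search used here and in the DDoS tips above, summarised per site and per client, as an added example that is not part of the original post. The function names and log lines are constructed; the pattern keeps the page's three words and, as an assumption beyond the page, also accepts `+` as an encoded space.

```shell
#!/bin/sh
# Added example: the domlogs search, summarised per site and per client.
# The pattern keeps the page's words and also accepts "+" as an encoded space.
PATTERN='(wget|curl|lynx)(%20|\+)'

# make_sample_logs DIR: write constructed access-log lines (not real traffic).
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/example.com" <<'EOF'
198.51.100.7 - - [10/Jan/2009:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2009:10:00:05 +0000] "GET /view.php?cmd=wget%20http://host.invalid/x HTTP/1.1" 200 97
203.0.113.9 - - [10/Jan/2009:10:02:11 +0000] "GET /view.php?cmd=curl+-O+http://host.invalid/y HTTP/1.1" 200 97
EOF
    cat > "$1/example.org" <<'EOF'
203.0.113.5 - - [10/Jan/2009:11:00:00 +0000] "GET /docs/wget-howto.html HTTP/1.1" 200 2048
EOF
}

# scan_domlogs DIR: print "hits logfile" for each log with matches, busiest first.
scan_domlogs() {
    # -I skips binary files, -c counts matching lines per file
    grep -rIciE "$PATTERN" "$1" 2>/dev/null |
        awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n, $0 }' |
        sort -rn
}

# top_sources DIR: print "hits client_ip" for clients that sent matching requests.
top_sources() {
    grep -rIhiE "$PATTERN" "$1" 2>/dev/null |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo on the constructed logs; on a cPanel server pass /usr/local/apache/domlogs/.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
scan_domlogs "$demo_dir"
top_sources "$demo_dir"
rm -rf "$demo_dir"
```

The request for `/docs/wget-howto.html` is not counted, because the word must be followed by an encoded space.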

How to change IP of all the domains in a shared server??


If the main shared IP is null routed, another IP should be added to the server and made the main shared IP. For that we need to:
1. Edit zone files to reflect the new IP for the domains hosted in the old main shared IP
2. Edit httpd.conf and replace old IP with new one

Editing the zone files
@@@@@@@@@@@@@@@@@@@@@@@

Step 1
======
Find the list of zone files which need to be edited. It can be obtained from the same server's /var/named directory.

Script to list zone files
-------------------------

##################################
#!/bin/bash
cd /var/named
ls -l|awk '{print $9}' > zones
##################################

Now the file "zones" will contain the list of all the zone files.

Step 2
======

scp the file "zones" to the DNS server (if your DNS server is not the same server) and put it in the /var/named folder

Step 3
======

Now we need to take each zone file listed in /var/named/zones, which we put there earlier, and replace the old IP with the new IP.

Script for that
---------------

###################################
#!/bin/bash
for i in `cat /var/named/zones`
do
perl -pi -e 's/<old_ip_address>/<new_ip_address>/' $i
done
####################################

Then reload named. BEWARE !!!!!! DON'T RESTART, ONLY RELOAD

/etc/init.d/named reload

Editing httpd.conf
@@@@@@@@@@@@@@@@@@

Now we have to make a similar change in the server's httpd.conf so that all the entries of the <old IP> are replaced with the <new IP>. That can be accomplished by a simple one-liner perl script:

#############################################################################

perl -pi -e 's/<old_ip_address>/<new_ip_address>/' /etc/httpd/conf/httpd.conf

#############################################################################

After that restart apache

/etc/init.d/httpd restart
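
A stricter form of the replacement used for the zone files and httpd.conf above, as an added example that is not part of the original post. The pattern `s/<old_ip_address>/<new_ip_address>/` treats each dot as "any character" and also matches inside longer addresses (an old IP of 192.0.2.1 would rewrite 192.0.2.10); the function name `replace_ip`, the sample zone and the addresses here are constructed.

```shell
#!/bin/sh
# Added example: replace an IP only where it appears as a whole address,
# keeping a .bak copy of every file that is touched.

# Constructed sample zone using documentation addresses.
sample_zone() {
cat <<'EOF'
$TTL 14400
@       IN  SOA ns1.example.com. admin.example.com. ( 2009011001 86400 7200 3600000 86400 )
@       IN  A   192.0.2.1
www     IN  A   192.0.2.1
mail    IN  A   192.0.2.10
ftp     IN  A   192.0.2.100
EOF
}

# replace_ip OLD NEW FILE...: rewrite exact occurrences of OLD with NEW.
replace_ip() (
    old_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dots literal
    new=$2
    shift 2
    # Match OLD only when it is not glued to another digit or dot.
    subst="s/(^|[^0-9.])${old_re}([^0-9.]|\$)/\\1${new}\\2/g"
    for f in "$@"; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.bak"
        # Applied twice so two addresses separated by one character both change.
        sed -E -e "$subst" -e "$subst" "$f.bak" > "$f"
    done
)

# Demo: only the two records that are exactly 192.0.2.1 are rewritten.
demo_dir=$(mktemp -d)
sample_zone > "$demo_dir/example.com.db"
replace_ip 192.0.2.1 198.51.100.20 "$demo_dir/example.com.db"
cat "$demo_dir/example.com.db"
rm -rf "$demo_dir"
```

After editing a zone this way, also increase its SOA serial before reloading named, since secondary name servers only transfer a zone when the serial has grown.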

Now it will take a few hours for DNS propagation. That's all, the issue is fixed ;)

Exim IP change


Hello,

Quite a few times your server's main/shared IP address may get blacklisted by most RBLs due to x reasons.
In such situations, it would be very difficult to receive/send some important emails because of this blacklisting.
A quick solution is to route the emails through a secondary IP address on the same server which is not blacklisted by those RBLs.

The mail server on cPanel, i.e. exim, allows you to change the default IP address used by the mail server, so that you are able to route all emails through this new secondary IP address.

Here are the step-by-step instructions to configure your exim mail server to use the new IP address.

Step 1 : Shutdown the exim service.
# service exim stop or /etc/init.d/exim stop

Step 2 : Edit your exim configuration file.
# vi /etc/exim.conf

Step 3 : Go to the "remote_smtp" section under "TRANSPORTS CONFIGURATION".
By default it looks like this:

remote_smtp:
driver = smtp
interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{}}}{}}
helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}

Step 4 : Remove or comment out the lines containing "interface" and "helo_data" and add a new "interface" line matching your new IP address. It should look as follows:

remote_smtp:
driver = smtp
interface = 12.12.12.12 # Your IP address.

Step 5 : Save your changes and exit from your exim configuration file.

Note : Don't forget to set read-only attributes on the exim configuration file, so that it won't get reset to default automatically.

You can do it using following command:
# chattr +aui /etc/exim.conf

Step 6 : Start the exim service on your server.
# service exim restart or /etc/init.d/exim restart

Step 7 : Make sure to set reverse DNS for this new IP address to point to a valid FQDN.

Step 8 : Try sending a test email and you will find that it was sent using the new IP address configured in your exim configuration.

You can verify it by checking the header of the new email in exim's log file, i.e. /var/log/exim_mainlog
