3

I host a public-facing web server running Debian Wheezy, and latest versions of Postfix, Apache, PHP, Spamassassin, ClamAV, rootkit hunter. Apache is configured with a handful of vhosts, each tied to a user and secured with suExec, and Suhosin. The websites run Wordpress and ModX and by the law of averages given the number of installations on this one server at least 20% of the websites will, at any given time, have some kind of vulnerability be it from the CMS itself or from an out-of-date plugins.

I have notifications from the excellent MX Toolbox website which monitors IP addresses against 100+ blacklists.

When I hear that my IP address has yet again been added to a given blacklist, I ssh in immediately, pause Postfix

postfix stop

wait a few seconds, view the mail queue

mailq

and from this I can tell immediately the source user/vhost of the spam because all mails come from "random-name@mywebsite.com", where "mywebsite.com" is the domain hosted on the vhost that caused the problem.

Then I run a manual malware detection scan using the excellent maldet, and the problem goes away. If I patch all known plugins and software on the site, the problem goes away for c.6 months. If I don't it comes back within about a week.

For testing purposes I have left Postfix stopped for months on end, but some trojans apparently bypass the mail server and send mail directly. (I know this from server resource monitoring, blacklist watches, and bounced spam emails coming back to my domain. Not to mention the Postfix mailq fills up with e.g. 65,000 unsent mails.)

As I care more about mail authenticity than the ability to send emails through websites I host, I've taken a number of steps, namely ensuring my SPF records for each domain do not recognise my own server as an authoritative source of mail for that domain. At the very least this means my domain names aren't being automatically blacklisted.

My question. Is there a clever way to simply block all outgoing email using IPTABLES? I don't just mean blocking mail sent using the email server Postfix, but ALL traffic that could end up with my server being blacklisted?

Until I find other ways of solving this problem I don't mind disallowing websites from sending any mails out. This is NOT ideal as I use some to generate my own business, but I can find other solutions in the meantime.

hazymat
  • 390
  • 1
  • 9
  • 16
  • 5
    As in, you don't want your server to ever send mail externally? – GregL Mar 23 '15 at 11:34
  • @GregL correct. I want a stop-gap solution that prevents mail from being sent externally whilst I work on the source(s) of the problem, mainly to uphold mail authenticity for the domain names affected. – hazymat Mar 23 '15 at 15:23
  • 1
    In that case, look at wurtel's answer. It's exactly what I was going to propose. – GregL Mar 23 '15 at 15:26

2 Answers2

7

You can block all outgoing SMTP traffic with a simple rule:

iptables -I OUTPUT -p tcp --dport 25 -j DROP

You could extend this to only drop packets sent by the www-data user which will be the user running the websites:

iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner www-data -j DROP

What will help with your main problem (the sites becoming infected in the first place) is blocking all unneeded incoming ports, and also outgoing ports such as port 80 which is often used to download extra rootkits etc. after a minimal crack in your defenses is found.

wurtel
  • 3,864
  • 12
  • 15
1

hazymat, I'm sure you don't want to hear this but...

You are the problem, not Postfix

Waiting till someone detects the SPAM is not a viable way to manage a computer system. If you owned a rifle and left it on your dront doorstep, would you wait for the police to come calling before you checked it had gone missing?

at least 20% of the websites will...have some kind of vulnerability... If I patch all known plugins and software on the site, the problem goes away

It's not as if setting up automatic patch checking and installation, and a basic IDS actually requires any ongoing commitment from you.

Yes, you should be more pro-active about managing the outgoing email traffic, but that is a refinement on top of basic security practices.

symcbean
  • 21,009
  • 1
  • 31
  • 52
  • 1
    "A refinement on top of basic security practices". What, you mean like securing php with Suhosin, reducing the attack surface using suExec, routing all mail through spamassassin, repeatedly asking clients to keep scripts on their vhosts up-to-date (okay, some are mine not my clients but still)? **I was looking for a solution, not an accusation!** e.g. How do you set up automatic patch management with ModX, as this CMS was mentioned? What about auto-updating WP plugins? *not helpful* – hazymat Mar 23 '15 at 15:19
  • 1
    Also I'd like to add, I'm not "waiting until someone detects the SPAM". I'm employing a number of ways to find out when there has been a compromise. Blacklist watching is one of a number of tools in the kit. It's not my day job and I simply don't have time to SSH on a daily basis and spend 30 minutes sifting through logs to check whether there has been a compromise. **I did also write a cron script using inotify** that would check files in wwwroot to see if they were changed and email me accordingly. Problem: I was forced to stop Postfix to prevent further damage so I didn't get notifications! – hazymat Mar 23 '15 at 15:29