Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am not sure I fully understand your problem or question. Part of the disconnect is that I don't see the relationship between a VPN and a spamming issue on your SMTP server. A VPN allows remote connections to your system and assigns the virtual network adapter on the client side a local IP address. Consequently, all traffic bound for a VPN resource is routed over this virtual tunnel. Whether or not you run an SMTP server on this same system is a different situation entirely, with one possible exception. If your SMTP server is set up to "permit my networks" without secondary authentication, then a VPN user may be able to send email through this server. Even in this case, to connect to the VPN the user will have to authenticate and you should not be having an outbound spam problem with them. If you are, I think you should address this issue directly.
If you really don't want VPN users to be able to use your SMTP server, while you can block this traffic with the firewall, the better approach would be to configure the email system to not accept these users and then use the firewall as a backup. Inbound SMTP connections will be on port 25 and your rules should do the trick, except I think you would want to put the rules in the INPUT chain rather than the FORWARD chain.
I just assumed someone could connect to the VPN and then send out spam emails, but because they are connected via VPN, it would look as though the emails were coming from my server even though I don't have an SMTP server on it.
Unless it's a trick question, just dropping traffic on the VPN where the destination port = 25 should suffice for the majority of spam.
However, there are other submission ports you may want to add like 465 & 587. There are probably others that are non standard. One of my clients has MTA's listening on 2525 for example.
I'd probably log - then drop - offending packets btw.
Last edited by leslie_jones; 10-24-2011 at 10:30 AM.
Quote:
Unless it's a trick question, just dropping traffic on the VPN where the destination port = 25 should suffice for the majority of spam.
However, there are other submission ports you may want to add like 465 & 587. There are probably others that are non standard. One of my clients has MTA's listening on 2525 for example.
I'd probably log - then drop - offending packets btw.
How can I log and detect smtp?
I considered it but wasn't sure how to identify port 25 on the VPN.
Do I just block output or does it have to be for the VPN network 10.8.0.0/24?
Quote:
Do I just block output or does it have to be for the VPN network 10.8.0.0/24?
Just drop the output for port 25:
Code:
iptables -A OUTPUT -p tcp --dport 25 -j DROP
Quote:
How can I log and detect smtp?
What do you mean by log and detect? If you have no SMTP servers, nothing will be sending out. If you keep port 25, and other submission ports, on your gateway output closed, then any zombie applications won't be able to spam out on those ports.
If you want to see whether any applications are running that are listening on port 25 you can use netstat (as root: netstat -pane | grep 25).
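A fuller version of that one-liner, added here as an example and not taken from any post in this thread: it scopes the block to the VPN subnet the question mentions (10.8.0.0/24), covers the submission ports as well as 25, and logs before dropping. It assumes the VPN interface is tun0 and the upstream link is eth0 (both assumptions), and that VPN client traffic is NATed out through this host; packets routed on behalf of clients traverse the FORWARD chain, while OUTPUT only sees packets the host itself generates, so the rules go in FORWARD (and INPUT, for a client that targets a mail daemon on the host). By default the script only prints the commands; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Added example (not from the thread): block and log outbound mail from VPN clients.
# Assumptions: VPN clients are in 10.8.0.0/24 on tun0, the upstream link is eth0,
# and client traffic is NATed out through this host, so it crosses FORWARD.
# Default is a dry run that prints the commands; APPLY=1 executes them (needs root).
set -eu
VPN_NET="${VPN_NET:-10.8.0.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
MAIL_PORTS="25 465 587"
IPT="iptables"
[ "${APPLY:-0}" = "1" ] || IPT="echo iptables"

mail_block_rules() {
  # One chain for the verdict: rate-limited LOG, then DROP.
  $IPT -N VPN_MAILDROP 2>/dev/null || true
  $IPT -F VPN_MAILDROP
  $IPT -A VPN_MAILDROP -m limit --limit 5/min --limit-burst 10 \
       -j LOG --log-prefix "vpn-mail-denied: " --log-level notice
  $IPT -A VPN_MAILDROP -j DROP

  for port in $MAIL_PORTS; do
    # Routed client traffic leaving via the WAN link: FORWARD chain.
    # Inserted at position 1 so it wins over any earlier blanket ACCEPT.
    $IPT -I FORWARD 1 -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" \
         -p tcp --dport "$port" -m conntrack --ctstate NEW -j VPN_MAILDROP
    # A client talking to an MTA on this host itself: INPUT chain.
    $IPT -I INPUT 1 -i "$VPN_IF" -s "$VPN_NET" \
         -p tcp --dport "$port" -m conntrack --ctstate NEW -j VPN_MAILDROP
  done
}

mail_block_rules
```

Run it once without APPLY to review the exact rules it would add, then `APPLY=1 sh vpn-mail-block.sh` as root; the dry-run output is also handy to paste into a persistent rules file.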
What about smtp servers on the VPN client?
If the port is open then they can do what they want and my server will get blacklisted?
Exactly - I know where you are coming from on this and it shows you are on the ball thinking and planning for it. VPN users could use your VPN to submit large amounts of spam, leaving your exit IP address blacklisted with many of the DNSBLs and providers. Worse still, your provider could even terminate your service.
What would I do? Drop 25, 465 & 587 as a starting point. Most people using VPNs to send spam will typically go direct to MX, thus meaning they will have to use port 25. The more switched-on spammers will often make use of bulk/compromised freemailer accounts and third party servers that use authentication - typically on one of the submission ports (587 and the non-compliant 465).
Logging dropped packets with iptables is straightforward:
Code:
iptables -N LOGDROP
# ... current rules that you have ...
iptables -A OUTPUT -p tcp --dport 25 -j LOGDROP
iptables -A OUTPUT -p tcp --dport 465 -j LOGDROP
iptables -A OUTPUT -p tcp --dport 587 -j LOGDROP
# ...
iptables -A LOGDROP -p tcp -m limit --limit 5/min -j LOG --log-prefix "firewall Denied TCP: " --log-level notice
iptables -A LOGDROP -p udp -m limit --limit 5/min -j LOG --log-prefix "firewall Denied UDP: " --log-level notice
iptables -A LOGDROP -p icmp -m limit --limit 5/min -j LOG --log-prefix "firewall Denied ICMP: " --log-level notice
iptables -A LOGDROP -j DROP
# Or, in place of the DROP above, if you want to really confuse the user trying to abuse your VPN:
# iptables -A LOGDROP -j REJECT --reject-with icmp-host-prohibited
....but you may also like to consider NOT dropping the packets, but instead rate limiting them so potential abusers are limited to a given number of connections to port 25 etc in a given time window. For rate control something like this (not tested on the output chain as was written for the input - may not work so apologies if this is the case):
Code:
# RATE CONTROL 25 - 10 connections per 60 seconds
# (the OUTPUT chain matches on the outgoing interface, so -o rather than -i)
iptables -A OUTPUT -p tcp -o eth0 --dport 25 -m state --state NEW -m recent --set
iptables -A OUTPUT -p tcp -o eth0 --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j LOGDROP
iptables -A OUTPUT -p tcp -o eth0 --dport 25 -j ACCEPT # Open SMTP; rate control should bite first
If you run Postfix anywhere you can test this with the SMTP-SOURCE program that comes with it firing off a command like this a few times:
Hopefully you can pick over the bones of this post and find something useful in it that will fit your scenario. I'm certainly no expert in any field so listen to others with better advice than me :-)
In addition to SMTP, I think I would also look at what you can do to limit abuse by port scanning script kiddies ;-) That may prove interesting to deal with!
Last edited by leslie_jones; 10-25-2011 at 12:21 AM.
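To answer the "how can I log and detect SMTP" part with something runnable: the LOGDROP rules above write one kernel log line per blocked packet (rate-limited), and those lines are what you watch. The script below is an added example, not from any post in this thread; it reads netfilter LOG lines on stdin, keeps only the ones carrying the "firewall Denied TCP: " prefix used above, and tallies blocked connection attempts per VPN client and mail port so a repeat offender stands out. The log lines embedded in it are constructed in the LOG target's format for demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel log lines that the
# LOGDROP chain emits, so repeat offenders on the VPN stand out.
# Reads netfilter LOG lines on stdin and prints "SRC DPT count", busiest first.
# Only the prefix "firewall Denied TCP: " and the ports are taken from the thread.
set -eu
MAIL_PORTS='25|465|587'

smtp_log_summary() {
  grep 'firewall Denied TCP: ' | awk -v ports="$MAIL_PORTS" '
    {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      # count only the mail ports; other drops share the prefix but are not our concern here
      if (src != "" && dpt ~ ("^(" ports ")$")) count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# Constructed sample in the LOG target's format (not a real capture):
# three blocked port-25 attempts from one client, one port-587 attempt from another,
# plus one UDP line and one non-mail port that must be ignored.
SAMPLE_LOG='Oct 25 00:21:05 gw kernel: firewall Denied TCP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4821 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 00:21:06 gw kernel: firewall Denied TCP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4822 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 00:21:07 gw kernel: firewall Denied TCP: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=203.0.113.27 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4823 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 00:22:10 gw kernel: firewall Denied TCP: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9100 DF PROTO=TCP SPT=40001 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 00:22:11 gw kernel: firewall Denied UDP: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=9101 PROTO=UDP SPT=40002 DPT=25 LEN=28
Oct 25 00:22:12 gw kernel: firewall Denied TCP: IN=tun0 OUT=eth0 SRC=10.8.0.9 DST=198.51.100.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9102 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | smtp_log_summary
```

On a live box feed it the real log instead, e.g. `journalctl -k | smtp_log_summary` or `grep 'firewall Denied' /var/log/kern.log | smtp_log_summary`; because the LOG rule is rate-limited to 5/min, the counts are a lower bound on attempts, not an exact total.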
An ounce of prevention is definitely worth a pound of cure, as the saying goes; however, I still question this exercise. Firstly, let's clarify what you mean by VPN and VPN user. A VPN connection is NOT the same thing as allowing someone shell access on your server. A VPN connection is really equivalent to plugging a system into your local LAN. Secondly, if you are concerned about others abusing your server in this fashion, then you need to deal with the user. The third thing you need to do is properly configure your Sendmail so that it properly authenticates clients so that this is not a problem. Your concern, which is to protect against what is considered to be an open relay, is very valid, but the firewall is not the proper place to address this. Lastly, after the above, then you should focus on configuring your firewall as an ADDED layer of protection against unintended actions. I re-iterate that if you are relying on a firewall to protect against errant data from within your network, you will ultimately not succeed, because they will get around it.
In regards to blocking traffic, your VPN should have a specified range of IP addresses associated with it. You could use your firewall to block traffic from this range. Similarly, you could configure your email application to not accept traffic from this range. As leslie_jones pointed out, you can block all but localhost traffic, which will also prevent you from receiving mail, if you do, though it doesn't sound like it.
Quote:
An ounce of prevention is definitely worth a pound of cure, as the saying goes, however, I still question this exercise. Firstly, lets clarify what you mean by VPN and VPN user.
Sure - the phrase 'VPN' is often misused, but that's life. I think I've read numerous uses of it over the years from various vendors, mixed with further definitions held in high esteem by disciples of the 'The Church of The Sacred Plonking Socially Inept Pedantic Troll'
In this instance I understand the OP as meaning he/she provides a service for customers where for X $£ they effectively 'appear' to come from his IP. Typically used for a number of reasons - sometimes grey/nefarious, sometimes to avoid geographical restrictions, sometimes just for privacy of a kind. If my understanding of the OP's instance is incorrect then I sincerely apologise.
Perhaps that is not the classic definition of VPN/VPN user and it may confuse those with some kind of autism - but I'll leave that kind of OT garbage for those that like to fight for scraps. I'm not really interested in the politics of it, just helping to answer the question. Anything else is rather pointless, don't you think?
Last edited by leslie_jones; 10-25-2011 at 06:03 AM.