How to secure your VPS/Dedicated Server against Spammers
Posted by Darin S on 14 October 2015 11:23 PM

General Operating System Maintenance:

  1. Ensure all of your Operating System and Control Panel updates are run. Spammers can and do take advantage of exploits in the operating system.

On CentOS/RHEL based systems:  yum -y update

On Debian/Ubuntu based systems:  apt-get update && apt-get upgrade  (apt-get update only refreshes the package index; the upgrade step installs the updates)

For cPanel systems:  /scripts/upcp

For Plesk systems: 

Get the link for your OS from http://sp.parallels.com/download/plesk/.

wget link_from_above

chmod +x parallels_products_installer_file_name

./parallels_products_installer_file_name

  2. Keep system software current. Running older versions of PHP puts your system at risk; even minor updates (for instance from 5.6.1 to 5.6.3) can be critical to securing your server.

For CentOS/RHEL Based:  yum update 'php*'  (if PHP was installed from the distribution repositories)


For cPanel systems:  /scripts/easyapache can be run.  This will update the version of Apache as well as PHP.  The latest version will be available after the /scripts/upcp is run.


For Plesk systems:  plesk sbin autoinstaller --select-product-id plesk --select-release-current --install-component php5.6

If PHP was manually built, the latest version can be downloaded at http://php.net/downloads.php.

  3. Run a firewall! Firewalls such as CSF (it is free!) can automatically ban IPs that are guessing passwords on your systems and block them from reaching the server.

To install CSF, do the following: 

cd /usr/src

rm -fv csf.tgz

wget https://download.configserver.com/csf.tgz

tar -xzf csf.tgz

cd csf

sh install.sh

  4. Update all commercial CMS scripts/plugins/themes when new updates are available.
  5. Enforce the use of strong passwords, change default passwords and remove accounts that are not needed or no longer in use.

Email Service Specific Items to consider:

  1. Limit the amount of email being sent hourly. If an account normally sends 200 emails on average an hour, limit the account to 225 an hour for “extras” and discard the rest.

For cPanel based systems:   Within WHM, it can be set in Main >> Server Configuration >> Tweak Settings.
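On systems without a control panel, the same hourly baseline can be checked directly against the Exim main log. The script below is an added example, not part of the original article: it counts messages each SMTP-authenticated sender submitted per hour and flags any account over the limit. The log lines are constructed here, not real traffic.

```shell
#!/bin/sh
# Added example: flag authenticated senders that exceed an hourly message limit.
# The mainlog lines are constructed (alice sends 230 and bob 5 in the 10:00 hour).
LIMIT=225

sample_mainlog() {
  i=1
  while [ "$i" -le 230 ]; do
    printf '2015-10-14 10:%02d:%02d 1ZmAAA-%06d-Xy <= alice@example.com H=(pc) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.com S=1024\n' \
      $((i % 60)) $((i % 47)) "$i"
    i=$((i + 1))
  done
  i=1
  while [ "$i" -le 5 ]; do
    printf '2015-10-14 10:3%d:10 1ZmBBB-00000%d-Zz <= bob@example.com H=(pc) [203.0.113.9] P=esmtpa A=dovecot_login:bob@example.com S=2048\n' "$i" "$i"
    i=$((i + 1))
  done
}

# flag_over_limit LIMIT: reads an Exim mainlog on stdin and prints
# "date hour sender count" for each sender above LIMIT messages in one hour.
flag_over_limit() {
  awk -v limit="$1" '
    # Only message arrivals ("<=") that carry an A= (SMTP AUTH) field are counted.
    $4 == "<=" {
      sender = ""
      for (i = 5; i <= NF; i++) if ($i ~ /^A=/) { split($i, a, ":"); sender = a[2] }
      if (sender == "") next
      hour = substr($2, 1, 2)
      count[$1 " " hour " " sender]++
    }
    END { for (k in count) if (count[k] > limit) print k, count[k] }' | sort
}

sample_mainlog | flag_over_limit "$LIMIT"
```

Feed the real log with `flag_over_limit 225 < /var/log/exim4/mainlog` (path varies by distribution) and compare each account against its own baseline before tightening its limit.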

  2. Secure the mail sending service and do not allow it to be an open relay. A simple test can be run at http://mxtoolbox.com/diagnostic.aspx.  An open relay lets anyone on the internet send mail through your server: the abuse comes not from a local user but from a remote user with no authority to use the resource.
  3. Set up the server to use SMTP authentication. This ensures that only authorized users can send mail through your server.

For cPanel based systems:  /usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd

For Plesk based systems:  In “Mail Server Settings”, make sure that both “authorization is required” and SMTP are checked.

For Debian Based:

Generate an Exim SSL certificate:  /usr/share/doc/exim4-base/examples/exim-gencert

Edit /etc/exim4/exim4.conf.template and uncomment the plain_server authenticator block (the plain_server:, driver = plaintext and following lines).

Edit or create /etc/exim4/exim4.conf.localmacros and add the line MAIN_TLS_ENABLE = true

Set up users and passwords: create /etc/exim4/passwd and add the output of htpasswd -nd usernameforsmtp to it (one user:hash line per SMTP user).

Run update-exim4.conf and then /etc/init.d/exim4 restart

  4. Limit the number of connections to the SMTP server.

Using CSF (firewall), the CONNLIMIT setting in /etc/csf/csf.conf limits the number of concurrent connections per IP to specific ports.  It can be set not only for SMTP, but for other services as well.

  5. Set up reverse DNS for the server IP and force the use of DKIM and SPF for all domains on the server.

rDNS can be set within the portal.

SPF can be generated with an SPF wizard, a free and easy one to use is http://www.spfwizard.net/.

DKIM can be generated with a DKIM generator.  https://luxsci.com/extranet/dkim.html can generate the information/keys for you.  You will be able to choose the signing policy: not all messages signed, all messages signed, or all unsigned messages treated as spam and deleted.
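Both records can also be produced on the server itself without a web generator. The script below is an added example, not from the original article: spf_record builds the SPF TXT record for a domain from its sending IPs, and dkim_keygen creates a 2048-bit DKIM keypair with openssl and prints the selector._domainkey TXT record. It assumes openssl is installed; the domain, selector and key path are placeholders.

```shell
#!/bin/sh
# Added example: generate SPF and DKIM DNS records locally. Assumes openssl.

# spf_record DOMAIN IP...  -> zone line authorising only the listed IPs (-all = hard fail)
spf_record() {
  domain="$1"; shift
  rec="v=spf1"
  for ip in "$@"; do
    case "$ip" in
      *:*) rec="$rec ip6:$ip" ;;   # IPv6 literal
      *)   rec="$rec ip4:$ip" ;;   # IPv4 literal
    esac
  done
  printf '%s. IN TXT "%s -all"\n' "$domain" "$rec"
}

# dkim_keygen SELECTOR DOMAIN KEYFILE -> writes the private key, prints the TXT record
dkim_keygen() {
  selector="$1"; domain="$2"; keyfile="$3"
  openssl genrsa -out "$keyfile" 2048 2>/dev/null
  chmod 600 "$keyfile"   # only the MTA signing process should read the private key
  # Public key in SPKI PEM, with the BEGIN/END lines and newlines stripped.
  pub=$(openssl rsa -in "$keyfile" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n')
  # A single TXT string is capped at 255 bytes, so the key is split into quoted chunks.
  printf '%s._domainkey.%s. IN TXT ( "v=DKIM1; k=rsa; " ' "$selector" "$domain"
  printf 'p=%s' "$pub" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' '
  printf ')\n'
}

spf_record example.com 198.51.100.7 2001:db8::25
dkim_keygen mail example.com ./dkim_mail.key
```

Publish the printed records in the domain's zone and point the MTA's DKIM signer at the private key file.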

  6. Force the use of encryption on POP3 and IMAP authentication. This can be done at the same time SMTP authentication is configured; it is set in the same place.
  7. Scan outbound mail for spam: SpamAssassin can be used to scan outbound email. Use a score threshold that is reasonable and won’t block your legitimate mail, but will block mail that is likely to be spam.

For cPanel based systems:  Service Configuration – Exim Configuration.  The option “Scan outgoing messages for spam and reject based on defined SpamAssassin® score (Minimum: 0.1; Maximum: 99.9)” offers the most flexibility.

For other systems:  SpamAssassin is controlled through its local.cf configuration file, /etc/mail/spamassassin/local.cf.

  8. Blackhole non-delivery addresses. Sending NDRs (non-delivery reports) for mail addressed to nonexistent recipients can result in backscatter.  Similar results can be seen when using Boxtrapper.
