I helped them out with that and quickly stopped the spamming. Personally I think a rebuild is in order as I don't trust any machine that shows any signs of compromise. So in preparation for when they do decide to rebuild I wrote up a quick little guide to run Sendmail 8.12+ in a Chrooted environment and to restrict relaying. They will still need to further configure Sendmail but this will help protect the server and other running services by confining the attacker so that they are only able to access the resources within the jail and not further compromise the system.
As the installation of Sendmail in question being used is only to relay mail from the webserver we can chroot Sendmail within a jail.
First we need to specify a root directory for the chroot jail and create the Directory Structure.
/chroot/sendmail
Create the following directories under the above directory:
/dev
/etc
/ect/mail
/lib
/lib/tls
/tmp/
/usr
/usr/bin
/usr/sbin
/usr/lib
/usr/lib/sasl2
/var
/var/run
/var/spool
/var/spool/mqueue
If you have not already done so add a user for Sendmail to run as and add the user to the mail group.
# useradd –u 501 –g mail –s /sbin/nologin –d /dev/null sendmail
This adds the user called sendmail. In the sendmail.mc file you need to enable the RunAsUser setting and change it to the new user.
define(‘confRUN_AS_USER`,`sendmail`) - Recreate the sendmail.cf file to enable this.
Next you need to populate the directories with the files required. Into the /chroot/sendmail/etc directory copy the following
Aliases
Aliases.db
Passwd
Group
Resolv.conf
Host.conf
Nsswitch.conf
Services
Hosts
Localtime
Edit the passwd and group files to contain only the users and groups required to run Sendmail.
Next copy the entire contents of the /etc/mail directory and all subdirectories into /chroot/sendmail/etc/ . This contains all your Sendmail configuration files.
Next you need to populate the /chroot/sendmail/dev directory. You will need to create the following devices, null and random, to allow Sendmail to function correctly.
# mknod /chroot/sendmail/dev/null c 1 3
# mknod /chroot/senmail/dev/random c 1 8
Both devices should be owned by root and should have the following permissions:
Null – 0666
Random – 0644
Next place a copy of the sendmail binary into /chroot/sendmail/usr/bin. Create symbolic links to this binary for the mailq and newaliases commands.
# ln –s /chroot/sendmail/usr/sbin/sendmail /chroot/sendmail/usr/bin/mailq
# ln –s /chroot/sendmail/usr/sbin/sendmail /chroot/sendmial/usr/sbin/newaliases
Sendmail will need various libraries in order to run in the chroot jail.
Run the following command:
# ldd /usr/sbin/sendmail
Record the list of binaries and copy them to their locations in the chroot jail.
NOTE: any libraries located in /usr/kerberos/lib should be copied to /chroot/sendmail/usr/lib. This is so that Sendmail can find them.
Sendmail will require the following additional libraries. These are usually located in /lib.
Libnss_dns.so.2
Libresolv.so.2
Libnss_files.so.2
Copy these to /chroot/sendmail/lib.
If you are using SASL then you need to copy all the files in the /usr/lib/sasl2 directory to /chroot/senmail/usr/lib/sals2.
Next we need to check the permissions and ownerships are correct. The /chroot/senmail/var/spool/mqueue directory needs to be owned by the user specified in the RunAsUser option.
# chown sendmail /chroot/senmail/var/spool/mqueue
# chmod 0700 /chroot/senmail/var/spool/mqueue
All files and databases must be readable by the sendmail user. Ensure that there are no group writable files in the chroot jail.
# chmod –R go-w /chroot/sendmail
# chmod 0400 /chroot/sendmail/etc/mail/*.cf
To start the chrooted sendmail run the following:
# chroot /chroot/sendmail /usr/sbin/sendmail –bd –q15m
We now want to restrict relaying in order to prevent the mail server being used as a spam relay.
Check the sendmail.cf file for the following:
FR-o /etc/mail/relay-domains (note this may need to be changed if you intend to use a chroot jail for sendmail)
This listing forces Sendmail to only accept relaying from the domains listed. The relay-domains file can contain hosts, domains, IP addresses and subnets.
Adding the following settings to the sendmail.mc file further modifies the behavior of the relay-domains file.
FEATURE(relay_hosts_only) - This allows relaying for only hosts listed in the relay-domains file.
Relaying can also be specified by using an access database file. Make sure the access db feature is enabled by checking for the following line in sendmail.mc:
FEATURE(`access_db’,`hash –T [TMPF]
If access.db is not present add it and recreate sendmail.cf. The access database is located in the /etc/mail directory. Create the file using the makemap command. It takes input from a text file.
# makemap hash access.db '<' access (remove the ' from around the 'less than' sign)
The text file format is as follows:
[ip address] RELAY
[domain name] RELAY
There are different possible responses you can have. RELAY, REJECT, DISCARD and 554 [message].
Cheers,
Dean
No comments:
Post a Comment