Disable offsite mail relaying - email

RHEL6 | High Sev
Vulnerability Title
SMTP unauthenticated 3rd-party mail relay
Vuln Description
lity is that other organizations, in an attempt to stop the flow of spam, may throw away any mail originating from your server (including legitimate mail from your users).

The following fix helped; take a backup of the file first.
Comment out the entry below:
cd /etc/mail
[root@mail]# cat sendmail.mc | grep -v ^dnl | grep -i smart
define(`SMART_HOST',`relaymail.sapient.com')dnl
[root@mail]#
The entry below should be commented out:
[root@mail]# cat sendmail.mc | grep -v ^dnl | grep -i mailerta
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
[root@mail]# cp -p sendmail.mc sendmail.mc.bkp.$(date +%F)
[root@mail]# m4 sendmail.mc > sendmail.cf
Add the entries below to /etc/mail/mailertable to disable offsite mail relay:
gmail.com smtp:[192.168.100.x]
. error:Mail to external domain is prohibited
[root@mail]#
It helped to fix the issue.
Hopefully this will help; I searched a lot and finally this worked, so I thought I'd share.
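To see which mailertable rule a given recipient domain actually hits, here is an added Python example (not part of the original post) that parses a constructed two-entry table like the one above and resolves domains the way sendmail searches the map: the full domain first, then each parent domain prefixed with a dot, then the lone "." catch-all, so an exact "gmail.com" entry does not cover "mail.gmail.com".

```python
from typing import Dict, Optional, Tuple

# Constructed sample file mirroring the two entries discussed above.
SAMPLE_MAILERTABLE = """\
# relay this partner domain to the internal relay host (brackets = no MX lookup)
gmail.com\tsmtp:[192.168.100.x]
# everything that matched nothing above is refused by the error mailer
.\terror:Mail to external domain is prohibited
"""


def parse_mailertable(text: str) -> Dict[str, str]:
    """Parse 'key<whitespace>mailer:target' lines; '#' lines and blanks are skipped."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or ":" not in parts[1]:
            raise ValueError(f"line {lineno}: expected 'domain mailer:target', got {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup(table: Dict[str, str], domain: str) -> Optional[Tuple[str, str, str]]:
    """Return (matched_key, mailer, target) using sendmail's search order:
    full domain, then each parent domain with a leading dot, then '.'."""
    labels = domain.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    candidates.append(".")
    for key in candidates:
        if key in table:
            mailer, _, target = table[key].partition(":")
            return key, mailer, target
    return None


def relay_allowed(table: Dict[str, str], domain: str) -> bool:
    """True when mail for the domain is routed to a real mailer rather than the
    error mailer. A domain with no match falls through to sendmail's normal MX
    routing, so a table without the '.' catch-all still sends mail offsite."""
    hit = lookup(table, domain)
    return hit is None or hit[1] != "error"
```

After editing the real file, rebuild the hash map with `makemap hash /etc/mail/mailertable < /etc/mail/mailertable` and restart sendmail. Note that mailertable only decides where mail for a destination domain is routed; whether unauthenticated clients may hand mail to the server at all is governed by sendmail's relay and access configuration, not by this table.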

Related

Starting Point Hackthebox Error "Your port specifications are illegal"

I'm trying to scan the ports on the "Starting Point" challenge from Hackthebox.
I downloaded the .ovpn and established the VPN connection in my Kali VM,
typed in:
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
but when I try
nmap -sC -sV -p$ports 10.10.10.27
I get the error message that my port specifications are illegal.
Happy for every help I can get!
My nmap scans worked on the first try. When I restarted my machine on another day, I had the same issue.
Re-download the connection pack.
This worked for me.

Check number of active meetings in Big Blue Button from command line

I want to check how many active meetings there are on the BBB server at any one time from the command line. I have tried
$ bbb-conf --network
but I'm not getting anywhere. I have also checked the number of active connections to ports 80 and 443
$ netstat -anp | grep :443 | grep ESTABLISHED | wc -l
but I'm not sure if I can trust that figure.
I know I can use the isMeetingRunning call from the API, but I'm just looking for a command line.
Any ideas would be appreciated.
The following bash script, which can be run from command line on the same machine as the BigBlueButton server, will process the response to the BBB API getMeetings call.
#!/bin/bash
# Count running meetings by calling the BigBlueButton getMeetings API.
APICallName="getMeetings"
APIQueryString=""
# bbb-conf --secret prints the API endpoint ("URL: ...") and the shared secret ("Secret: ...")
X=$( bbb-conf --secret | fgrep URL: )
APIEndPoint=${X##* }
Y=$( bbb-conf --secret | fgrep Secret: )
Secret=${Y##* }
# BBB API checksum = SHA-1 of call name + query string + secret (no trailing newline)
S="$APICallName$APIQueryString$Secret"
Checksum=$( echo -n "$S" | sha1sum | cut -f 1 -d ' ' )
if [[ "$APIQueryString" == "" ]]
then
    URL="${APIEndPoint}api/$APICallName?checksum=$Checksum"
else
    URL="${APIEndPoint}api/$APICallName?$APIQueryString&checksum=$Checksum"
fi
# naive count: one <meetingID> tag per meeting in the XML response
wget -q -O - "$URL" | grep -o '<meetingID>' | wc -w
Tested on a live BBB machine.
Note:
The APICallName and APIQueryString can be modified to provide an interface to other BBB API calls. See https://docs.bigbluebutton.org/dev/api.html
The command-line sha1sum will output a different result if a newline is appended to its input. This is the reason echo -n is used instead of echo.
In the last line, the script processes the XML output from the API call in a very naïve way, simply counting the number of occurrences of the <meetingID> tag. More elaborate processing would probably require parsing the XML.
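As an added example (not the answer's script, and not BBB's own client code), the same checksum construction and URL building in Python, with the getMeetings XML parsed properly instead of grepped; the sample responses are constructed, and the endpoint and secret used in the comments are placeholders you would take from bbb-conf --secret.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Tuple
from urllib.parse import urlencode


def bbb_checksum(call_name: str, query_string: str, secret: str) -> str:
    """BBB API checksum: SHA-1 over call name + query string + shared secret."""
    return hashlib.sha1((call_name + query_string + secret).encode()).hexdigest()


def build_api_url(endpoint: str, call_name: str, params: Dict[str, str], secret: str) -> str:
    """endpoint is the 'URL:' value printed by bbb-conf --secret (with trailing slash).
    The query string must be checksummed exactly as it is sent."""
    query = urlencode(params)
    checksum = bbb_checksum(call_name, query, secret)
    sep = "&" if query else ""
    return f"{endpoint}api/{call_name}?{query}{sep}checksum={checksum}"


def summarize_meetings(xml_text: str) -> Tuple[int, int]:
    """Return (running_meetings, total_participants) from a getMeetings response.
    A FAILED returncode (e.g. a bad checksum) raises instead of silently counting 0,
    which is what grep -o '<meetingID>' | wc -w would report."""
    root = ET.fromstring(xml_text)
    if root.findtext("returncode") != "SUCCESS":
        raise RuntimeError(f"API error: {root.findtext('messageKey')}: {root.findtext('message')}")
    meetings = root.findall("./meetings/meeting")
    participants = sum(int(m.findtext("participantCount", "0")) for m in meetings)
    return len(meetings), participants


# Constructed sample responses (shape of the real API, values made up).
SAMPLE_RESPONSE = """<response>
<returncode>SUCCESS</returncode>
<meetings>
<meeting><meetingID>room-1</meetingID><participantCount>3</participantCount></meeting>
<meeting><meetingID>room-2</meetingID><participantCount>2</participantCount></meeting>
</meetings>
</response>"""

SAMPLE_FAILURE = """<response><returncode>FAILED</returncode>
<messageKey>checksumError</messageKey><message>You did not pass the checksum security check</message>
</response>"""
```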

Tshark filtering http/https get request

I need to see only HTTP GET requests, the Host once (only the webpage), only from a defined source IP, not other information/data.
The first request to that URL.
For example:
The first packet that goes from client to server.
GET / HTTP/1.1\r\n
What filters should I add? I have tried a few, but still get too much information/data...
Is there any possibility to look at the first HTTPS request packet too? To see where the client is sending the request?
If you're on a Un*x platform, you could try something like:
tshark -r file.pcap -Y 'ip.src == 1.2.3.4 and http.request.method == "GET"' -T fields -e http.request.method -e http.request.version -e http.request.uri | head -n 1
... or maybe you want to use http.request.full_uri instead of http.request.uri?
If you're on Windows, you may need to install Cygwin coreutils in order to use head, and you may have to quote things a bit differently, e.g.:
tshark -r file.pcap -Y "ip.src == 1.2.3.4 and http.request.method == \"GET\"" -T fields -e http.request.method -e http.request.version -e http.request.uri | head -n 1
For https, you'll need to decrypt the SSL. You can read how to do that on the Wireshark SSL wiki page.

Bash: how to make a substitution in a "live" pipe?

In my office firewall I use a command like this:
$ sudo tcpdump -v -s 1500 -i eth0 port 25 | grep 'smtp: S'
to monitor LAN clients sending mail (I need to detect early any possible spammer bot on some client; we have very looooose security policies here... :-().
So far, so good: I have continuous output as soon as any client sends an email.
But, if I add some filter to get cleaner output, something like this:
$ sudo tcpdump -v -s 1500 -i eth0 port 25 | grep 'smtp: S' | perl -pe 's/(.*?\)) (.*?)\.\d+ \>(.*)/$2/'
(here I intend to get only the source IP/name), I do not get any output until the tcpdump output exceeds the (bash?) buffer size... (or at least I suppose so...).
Nothing changes using 'sed' instead of 'perl'...
Any hint to get continuous output of filtered data?
Put stdbuf before the first command:
sudo stdbuf -o0 tcpdump ...
But, if I add some filter to get a cleaner output, something like
this:
Use the --line-buffered option for grep:
--line-buffered
Use line buffering on output. This can cause a performance
penalty.
Maybe try sed --unbuffered (or -u sometimes, like on AIX) to get a streaming version (not waiting for EOF).

How does PHP's `mail` work?

PHP's mail function seems to deliver mail on a clean system, with no apparent configuration done by the administrator or webmaster (no SMTP configuration in php.ini, etc.). How does the mail function deliver mail to a remote server?
On *nix it invokes the sendmail binary, which then uses the mail configuration to route the email. On Windows, it sends to an SMTP server. In both cases the sysadmin sets up the mail system.
You can detect how it works as below.
First method
$ ltrace php -r "mail('tester@127.0.0.1', 'Test', 'Hello world');" 2>&1 | grep sendmail
memcpy(0x095ea168, "sendmail_from", 14) = 0x095ea168
memcpy(0x095ea1e0, "sendmail_path", 14) = 0x095ea1e0
popen("/usr/sbin/sendmail -t -i ", "w") = 0x0977c7c0
From the results of the above command it can be seen that the popen() function opens the process /usr/sbin/sendmail -t -i.
$ ls -l /usr/sbin/sendmail
... /usr/sbin/sendmail -> exim4
So sendmail is the symbolic link to exim4 and hence sendmail -t -i invokes exim4 -t -i.
And in the manual page of exim4 you can read about these options -t -i:
$ man exim4 | grep ' -t -i'
-ti This option is exactly equivalent to -t -i. It is provided for compatibility with Sendmail.
Second method
Install snoopy and run:
# grep snoopy /var/log/auth.log | tail
... php -r mail('tester@127.0.0.1', 'Test', 'Hello world');
... /usr/sbin/sendmail -t -i
... /usr/sbin/exim4 -Mc 1YxxYn-0006a7-Nw
... /usr/sbin/exim4 -t -oem -oi -f <> -E1YxxYn-0006a7-Nw
... /usr/sbin/exim4 -Mc 1YxxYn-0006aB-Oj
The results of the above command show the sequence of the commands which were performed.
mail() uses sendmail, which uses DNS to find the MX record of the target domain and delivers there directly. That's it.
And since the destination server probably does not know your IP address, especially if it is NATed, it may be marked as spam.
You can modify your config to use a different (legit and known) SMTP server to act as intermediary.
It's really not that reliable, actually, unless the underlying sendmail or something is properly configured.
Amazon SES has better servers than whatever server you're using and gets mail there more often than with mail().
The real reason you shouldn't use mail() is that your server's IP address is probably completely unknown to mail services such as GMail, Yahoo, etc., and there is a higher chance it will get marked as spam. Why does it get marked as spam? Because mail() is very easy and simple to exploit for spam purposes.