Monthly Archives: October 2008

mod_evasive installation with apache

mod_evasive is an Apache module that takes evasive action during an HTTP DoS/DDoS or brute-force attack: it counts requests per client IP (per URI and site-wide) over short intervals and answers 403 Forbidden for a configured blocking period once a threshold is exceeded. Because it keys on the client IP, it does little against a distributed attack where every source stays under the thresholds, and it can block legitimate users who share one address behind a NAT or proxy. Installation steps are given below.

Download the latest version of mod_evasive from Jonathan Zdziarski's official site (version 1.10.1 is used below).


Extract the tarball and change into the extracted directory:

tar zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

Install mod_evasive as an Apache module with apxs. First find the location of the apxs binary; on a cPanel server it is /usr/local/apache/bin/apxs. The flags -c, -i and -a compile the module, install the resulting shared object into the Apache modules directory and add a LoadModule line for it to httpd.conf:

/usr/local/apache/bin/apxs -cia mod_evasive20.c

Once it is installed, edit the Apache configuration file (httpd.conf) and add the following lines. The directory named by DOSLogDir must exist and be writable by the user Apache runs as: the module writes a marker file named dos-<ip> there the first time it blocks an address so that it logs and notifies only once per address, and it does not remove those files itself.

<IfModule evasive20_module>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSLogDir "/usr/local/apache/logs/mod_evasive"
</IfModule>
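To see how the DOS* values above interact, here is a Python re-implementation of mod_evasive's per-client counting logic. It is an added illustration, not the module's own code and not code from the original post, and it follows the 1.10.1 source as I read it: each per-URI and per-site counter stores the time of the previous hit plus a count that starts at 0 when the key is first seen and is reset once the gap since the previous hit reaches the interval; a 403 puts the IP "on hold" for DOSBlockingPeriod seconds measured from its most recent blocked request. The IP address, URI and request timings are constructed for the example.

```python
"""Model of mod_evasive's per-IP request counting (added illustration, not the
module's own code).  Default values match the httpd.conf fragment above."""
from dataclasses import dataclass, field


@dataclass
class EvasiveConfig:
    page_count: int = 5            # DOSPageCount: hits on one URI per interval
    site_count: int = 100          # DOSSiteCount: hits on any URI per interval
    page_interval: float = 2.0     # DOSPageInterval (seconds)
    site_interval: float = 2.0     # DOSSiteInterval (seconds)
    blocking_period: float = 10.0  # DOSBlockingPeriod (seconds)
    whitelist: set = field(default_factory=set)  # DOSWhitelist addresses


class Evasive:
    def __init__(self, cfg: EvasiveConfig):
        self.cfg = cfg
        self.table = {}  # key -> [time of last hit, hit count]

    def _over_limit(self, key, now, limit, interval):
        """Record one hit on key; True if it exceeded `limit` hits within `interval`.
        The interval is measured from the previous hit on the same key, not from
        the first: a steady trickle faster than one hit per interval never resets."""
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = [now, 0]      # first sight: counter starts at 0
            return False
        last, count = entry
        over = (now - last) < interval and count >= limit
        if (now - last) >= interval:
            count = 0                       # quiet for a whole interval: reset
        entry[0], entry[1] = now, count + 1
        return over

    def check(self, ip, uri, now):
        """Return the HTTP status mod_evasive would give this request."""
        if ip in self.cfg.whitelist:
            return 200
        hold = self.table.get(ip)           # bare IP key = "on hold" marker
        if hold is not None and now - hold[0] < self.cfg.blocking_period:
            hold[0] = now                   # every blocked request extends the hold
            return 403
        page_over = self._over_limit(f"{ip}_{uri}", now,
                                     self.cfg.page_count, self.cfg.page_interval)
        site_over = self._over_limit(f"{ip}_SITE", now,
                                     self.cfg.site_count, self.cfg.site_interval)
        if page_over or site_over:
            self.table[ip] = [now, 0]       # put the address on hold
            return 403
        return 200


def simulate(cfg, requests):
    """requests: iterable of (time, ip, uri); returns the list of statuses."""
    ev = Evasive(cfg)
    return [ev.check(ip, uri, t) for t, ip, uri in requests]


def burst_then_wait(cfg=None):
    """Constructed traffic: one client fetches /index.php 8 times within 0.7 s,
    then comes back 13 s later (longer than DOSBlockingPeriod)."""
    cfg = cfg or EvasiveConfig()
    reqs = [(0.1 * i, "203.0.113.5", "/index.php") for i in range(8)]
    reqs.append((13.0, "203.0.113.5", "/index.php"))
    return simulate(cfg, reqs)


def hammer_during_block(cfg=None):
    """Constructed traffic: the same client retries once per second for 30 s.
    Because each 403 refreshes the hold timestamp, it never gets out."""
    cfg = cfg or EvasiveConfig()
    return simulate(cfg, [(float(i), "203.0.113.5", "/index.php") for i in range(31)])


if __name__ == "__main__":
    print(burst_then_wait())       # six 200s, two 403s, then 200 again
    print(hammer_during_block())   # six 200s, then 403 for the rest
```

Two things worth noticing from the output: with DOSPageCount 5 the seventh request on the same URI inside the interval is the first one refused, and a client that keeps retrying during the block never leaves it, because the blocking period is counted from its last refused request rather than from the first. Trusted monitoring or proxy addresses therefore belong in DOSWhitelist.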

Make sure the module is loaded: apxs -a should have added a LoadModule line like the following to httpd.conf (httpd -M also lists the modules actually loaded). Then restart Apache.
LoadModule evasive20_module modules/

A complete session on a cPanel server follows.

root@server [~]# httpd -v
Server version: Apache/2.2.10 (Unix)
Server built:   Oct 16 2008 23:05:52
root@vserver[~]# cd /usr/src
root@server [/usr/src]# wget
=> `mod_evasive_1.10.1.tar.gz’
Connecting to||:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 20,454 (20K) [application/x-tar]

100%[==============================================================================================>] 20,454        –.–K/s

08:33:16 (159.92 KB/s) – `mod_evasive_1.10.1.tar.gz’ saved [20454/20454]

root@server [/usr/src]# tar -zxf mod_evasive_1.10.1.tar.gz
root@server [/usr/src]# cd mod_evasive
root@server [/usr/src/mod_evasive]# /usr/local/apache/bin/apxs -cia mod_evasive20.c
/usr/local/apache/build/libtool --silent --mode=compile gcc -prefer-pic   -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -g -O2 -pthread -I/usr/local/apache/include  -I/usr/local/apache/include   -I/usr/local/apache/include   -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
/usr/local/apache/build/libtool --silent --mode=link gcc -o  -rpath /usr/local/apache/modules -module -avoid-version    mod_evasive20.lo
/usr/local/apache/build/ SH_LIBTOOL='/usr/local/apache/build/libtool' /usr/local/apache/modules
/usr/local/apache/build/libtool --mode=install cp /usr/local/apache/modules/
cp .libs/ /usr/local/apache/modules/
cp .libs/mod_evasive20.lai /usr/local/apache/modules/
cp .libs/mod_evasive20.a /usr/local/apache/modules/mod_evasive20.a
chmod 644 /usr/local/apache/modules/mod_evasive20.a
ranlib /usr/local/apache/modules/mod_evasive20.a
PATH=”$PATH:/sbin” ldconfig -n /usr/local/apache/modules
Libraries have been installed in:

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the 'LD_RUN_PATH' environment variable
during linking
- use the '-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to '/etc/'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and manual pages.
chmod 755 /usr/local/apache/modules/
[activating module `evasive20' in /usr/local/apache/conf/httpd.conf]
root@vps [/usr/src/mod_evasive]# vi /usr/local/apache/conf/httpd.conf
root@vps [/usr/src/mod_evasive]# /scripts/restartsrv httpd
Waiting for httpd to restart…………..finished.

root     22105  0.0  0.0  3860 1784 ?        Ss   08:41   0:00 /usr/local/apache/bin/httpd -k start -DSSL

httpd started ok

rkhunter installation/upgradation

You may have received warnings like the ones shown below from rkhunter on your server. The warning "This operating system is not fully supported" means rkhunter itself needs to be upgraded.


No logfile given: using default.
Determining OS… Warning: This operating system is not fully supported!
Checking for allowed root login… Watch out Root login possible. Possible risk!
Checking for allowed protocols…   [ Warning (SSH v1 allowed) ]

The steps needed to get rkhunter updated are given below; they are the same for a fresh installation. The other two warnings in that output are real findings rather than version noise: root login over SSH is permitted and SSH protocol version 1 is still allowed. Both should be fixed in sshd_config (PermitRootLogin no, Protocol 2) whichever rkhunter version you run.

Check the currently installed rkhunter version with the following command (the installation path may differ; here it is /usr/local/bin/rkhunter):

/usr/local/bin/rkhunter --versioncheck

--versioncheck reports the version installed on the server as well as the latest release available; the latest as of this writing is 1.3.2.

-bash-3.00# /usr/local/bin/rkhunter --versioncheck
[ Rootkit Hunter version 1.3.0 ]

Checking rkhunter version…
This version  : 1.3.0
Latest version: 1.3.2
Update available

Now install the new version.

Change to a build directory, preferably /usr/src:

cd /usr/src

Download the latest rkhunter tarball, untar it and change into the extracted directory:

cd rkhunter-1.3.2

The installer script takes its options on the command line; --help lists them:

./ --help
Rootkit Hunter installer 1.2.6
Usage: ./ <parameters>

Ordered valid parameters:
--help (-h)      : Show this help.
--examples       : Show layout examples.
--layout <value> : Choose installation template (mandatory switch).
The templates are:
- default: (FHS compliant),
- /usr,
- /usr/local,
- oldschool: previous version file locations,
- custom: supply your own prefix,
- RPM: for building RPM's. Requires $RPM_BUILD_ROOT.
--striproot      : Strip path from custom layout (for package maintainers).
--install        : Install according to chosen layout.
--show           : Show chosen layout.
--remove         : Uninstall according to chosen layout.
--version        : Show the installer version.

To keep things simple, use the default layout:

./ --layout default --install

rkhunter is installed into its default (FHS) locations. As the installer output below shows, an existing /etc/rkhunter.conf is left in place and the new one is written alongside it; compare the two and merge any changed settings before scanning.

To bring rkhunter's data files (mirrors, known-bad programs, backdoor ports, language files) up to date, run:

/usr/local/bin/rkhunter --update

Note that --update refreshes only the data files; the program itself is upgraded by installing the new tarball as above. After an upgrade, or after any legitimate system update that replaces binaries, rebuild the file-properties database (rkhunter's --propupd option) so the next scan does not warn about files you changed yourself.

That's it. Run the first scan with:

/usr/local/bin/rkhunter -c --createlogfile

So, in a single shot, these are the steps:

cd /usr/src
tar -zxvf rkhunter-1.3.2.tar.gz
cd rkhunter-1.3.2
./ --layout default --install
/usr/local/bin/rkhunter --update


The complete process is given below.

-bash-3.00# /usr/local/bin/rkhunter --versioncheck
[ Rootkit Hunter version 1.3.0 ]

Checking rkhunter version…
This version  : 1.3.0
Latest version: 1.3.2
Update available

-bash-3.00# cd /usr/src
-bash-3.00# wget
[1] 31845
-bash-3.00# --07:51:44--
=> `rkhunter-1.3.2.tar.gz?modtime=1204134588'
Connecting to||:80… connected.
HTTP request sent, awaiting response… 302 Found
Location: [following]
=> `rkhunter-1.3.2.tar.gz’
Connecting to||:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 269,563 (263K) [application/x-gzip]

100%[==============================================================================================>] 269,563        1.18M/s

07:52:09 (1.18 MB/s) – `rkhunter-1.3.2.tar.gz’ saved [269563/269563]

tar -zxvf rkhunter-1.3.2.tar.gz
[1]+  Done                    wget
-bash-3.00# cd rkhunter-1.3.2
-bash-3.00#  ./ --layout default --install
Checking system for:
Rootkit Hunter installer files: found. OK
Available file retrieval tools:
wget: found. OK
Starting installation/update

Checking PREFIX /usr/local: exists, and is writable. OK
Checking installation directories:
Directory /usr/local/share/doc/rkhunter-1.3.2: creating: OK.
Directory /usr/local/share/man/man8: exists, and is writable. OK
Directory /etc: exists, and is writable. OK
Directory /usr/local/bin: exists, and is writable. OK
Directory /usr/local/lib: exists, and is writable. OK
Directory /var/lib: exists, and is writable. OK
Directory /usr/local/lib/rkhunter/scripts: exists, and is writable. OK
Directory /var/lib/rkhunter/db: exists, and is writable. OK
Directory /var/lib/rkhunter/tmp: exists, and is writable. OK
Directory /var/lib/rkhunter/db/i18n: exists, and is writable. OK
Installing OK.
Installing OK.
Installing OK.
Installing OK.
Installing OK.
Installing OK.
Installing OK.
Installing OK.
Installing backdoorports.dat: OK.
Installing mirrors.dat: OK.
Installing os.dat: OK.
Installing programs_bad.dat: OK.
Installing programs_good.dat: OK.
Installing defaulthashes.dat: OK.
Installing md5blacklist.dat: OK.
Installing suspscan.dat: OK.
Installing rkhunter.8: OK.
Installing CHANGELOG: OK.
Installing FAQ: OK.
Installing LICENSE: OK.
Installing README: OK.
Installing WISHLIST: OK.
Installing language support files: OK.
Installing rkhunter: OK.
Installing rkhunter.conf in no-clobber mode: OK.
>>> PLEASE NOTE: inspect for update changes in /etc/rkhunter.conf.20095
>>> and apply to /etc/rkhunter.conf before running Rootkit Hunter.
Installation finished.
-bash-3.00#  /usr/local/bin/rkhunter --update
[ Rootkit Hunter version 1.3.2 ]

Checking rkhunter data files…
Checking file mirrors.dat                                  [ No update ]
Checking file programs_bad.dat                             [ No update ]
Checking file backdoorports.dat                            [ No update ]
Checking file suspscan.dat                                 [ No update ]
Checking file i18n/cn                                      [ Updated ]
Checking file i18n/en                                      [ No update ]
Checking file i18n/zh                                      [ No update ]
Checking file i18n/zh.utf8                                 [ No update ]
-bash-3.00# /usr/local/bin/rkhunter --versioncheck
[ Rootkit Hunter version 1.3.2 ]

Checking rkhunter version…
This version  : 1.3.2
Latest version: 1.3.2

Yahoo/hotmail blocks on mails

Issues in sending mail to Yahoo/Hotmail/Gmail

Below are the steps to take to avoid delivery problems when sending mail to Yahoo/Hotmail.

Make sure that you have

  • disabled open relaying
  • set an SPF record
  • set up DomainKeys
  • set reverse DNS (PTR) for the mail server's IP, and checked that the mail server's host name resolves back to that same IP


Open relay

An open relay is a mail server that does not verify that a client is authorised to send mail from the address it is trying to send from, i.e. a third party can send mail through your mail server without authentication. Spammers use open relays to dump bulk email, so the server's memory and CPU are consumed by third parties. It also gets the server's IP blacklisted: DNSBL operators will list the IP, and mail sent by the server's legitimate users will then be rejected.

Exim configuration to block this

ACL - Access Control Lists

It is worth going through the ACL configuration for better security.

Access Control Lists (ACLs) are defined in a separate section of the run time configuration file, headed by "begin acl". Each ACL definition starts with a name, terminated by a colon. The format is shown below in a sample configuration:

begin acl

accept   hosts =

Relay Configuration Options

Set local_domains to the domains hosted on the server; the default of

local_domains  = /etc/localdomains

will do.

relay_domains_include_local_mx is another option (it relays for any domain whose MX record points at this host), but the list-file approach above is preferable: with the MX-based option, anyone who controls a domain's DNS can point its MX at your server and make you relay for it.

The hosts that are allowed to relay are controlled by the following options:


Over 50 parameters like this need to be checked. You can find the details at the following link:

The following command can be used to fix an open relay on cPanel servers:


Finally, you can check whether your server is an open relay through the following link:

Using DNSBL and RBL configuration options in Exim


# Add a warning header if the sending host is in these
# DNSBLs but accept the message (or rather, leave it for
# later ACLs to accept/deny)
warn message = X-blacklisted-at: $dnslist_domain
dnslists = : \

# Reject messages from senders listed in these DNSBLs
deny dnslists =

RBL usage (Exim 3 syntax; Exim 4 removed the rbl_* options in favour of the dnslists ACL condition shown above)

# reject messages whose sending host is in MAPS/RBL & MAPS/DUL
# add warning to messages whose sending host is in RSS
rbl_domains = : \ : \
# check all hosts other than those on internal network
rbl_hosts = !
# but allow mail to [email protected] even from rejected host
recipients_reject_except = [email protected]
# change some logging actions (collect more data)
rbl_log_headers  # log headers of accepted RBLed messages
rbl_log_rcpt_count # log recipient info of accepted RBLed messages
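How the dnslists lookups in the fragments above actually work, as an added Python illustration (not Exim code and not from the original post): the client's IPv4 address is reversed octet by octet, the list zone is appended, and an A record in 127.0.0.0/8 means "listed". The zone names, the listed addresses and the return codes below are constructed for the example; a warn-list adds a header and a deny-list rejects, mirroring the two ACL statements.

```python
"""DNSBL lookup logic behind Exim's dnslists condition (added illustration;
the zones and listings below are constructed, not real blacklists)."""
import ipaddress

# Constructed stand-in for DNS: query name -> list of A records.  In a real
# DNSBL the A record's last octet usually encodes *why* the address is listed.
FAKE_DNS = {
    "9.113.0.203.deny.dnsbl.test": ["127.0.0.2"],    # spam source / open relay
    "9.113.0.203.warn.dnsbl.test": ["127.0.0.4"],
    "25.100.51.198.warn.dnsbl.test": ["127.0.0.3"],  # dynamic/dial-up range
}

WARN_LISTS = ["warn.dnsbl.test"]   # like the 'warn dnslists = ...' statement
DENY_LISTS = ["deny.dnsbl.test"]   # like the 'deny dnslists = ...' statement


def dnsbl_name(ip, zone):
    """Build the query name: reversed octets followed by the zone (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def is_listed(ip, zone, resolver=FAKE_DNS):
    """A DNSBL answers with an A record in 127.0.0.0/8 for listed addresses;
    anything else (including NXDOMAIN / no answer) counts as not listed."""
    answers = resolver.get(dnsbl_name(ip, zone), [])
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


def acl_decision(ip, warn_lists=WARN_LISTS, deny_lists=DENY_LISTS):
    """Mirror the two ACL statements: a deny-list hit rejects; a warn-only hit
    accepts but adds a header (returned here as the header text); otherwise accept."""
    for zone in deny_lists:
        if is_listed(ip, zone):
            return ("deny", f"550 rejected: {ip} is listed at {zone}")
    for zone in warn_lists:
        if is_listed(ip, zone):
            return ("warn", f"X-blacklisted-at: {zone}")
    return ("accept", "")


if __name__ == "__main__":
    for client in ("203.0.113.9", "198.51.100.25", "192.0.2.1"):
        print(client, acl_decision(client))
```

Because the answer is just an A record, a list that goes dead or starts answering 127.0.0.x for everything will suddenly reject all your mail; the usual defence is to test a known-clean address against each zone before trusting it in a deny statement.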

Set an SPF record

In the SMTP envelope there are three identities. The "HELO" identity names the mail server (MTA) that is sending the message. The "MAIL FROM" identity is the e-mail address responsible for sending the message and the address to which delivery errors (bounces) will be reported. The "RCPT TO" identity is the message's recipient address.

SPF authenticates the envelope HELO and MAIL FROM identities by comparing the
sending mail server’s IP address to the list of authorized sending IP
addresses published by the sender domain’s owner in a “v=spf1″ DNS record.
SPF has succeeded several older envelope sender authentication protocols.
Currently SPF is the only widely deployed envelope authentication protocol.

A sample SPF record, published as a TXT record on the domain:

"v=spf1 mx -all"

The mechanisms an SPF record is built from (the sample above uses only mx and -all):

v=spf1            SPF version 1
mx                the domain's incoming mail servers (its MX hosts) are authorized to send mail for it as well
a:<host>          the named machine is authorized, too
include:<domain>  everything considered legitimate by <domain> is legitimate for this domain, too
-all              all other machines are not authorized (hard fail; ~all would be a soft fail and ?all neutral)
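A minimal SPF evaluator for the mechanisms just described, as an added Python illustration (not from the original post and not a full RFC 4408 implementation). The DNS data is an offline stand-in with constructed names in the reserved .test TLD and addresses from the documentation ranges; the last case also shows the difference between a record ending in ?all and one ending in -all that the Hotmail reply further down the page complains about.

```python
"""Minimal SPF (v=spf1) evaluator for mx, a, ip4, include and all (added
illustration; the DNS table below is constructed for the example)."""
import ipaddress

DNS = {
    "example.test": {
        "TXT": ["v=spf1 mx a:web.example.test include:_spf.provider.test -all"],
        "MX":  ["mail.example.test"],
    },
    "mail.example.test":  {"A": ["192.0.2.10"]},
    "web.example.test":   {"A": ["192.0.2.20"]},
    "_spf.provider.test": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "soft.test":          {"TXT": ["v=spf1 mx ?all"], "MX": ["mail.example.test"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is allowed; none (or several) -> None."""
    recs = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate the sending IP against domain's SPF record.  Mechanisms are
    tried left to right; the first match decides, with its qualifier's verdict."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism: the record is broken
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.test"), ("198.51.100.7", "example.test"),
                    ("203.0.113.9", "example.test"), ("203.0.113.9", "soft.test")]:
        print(ip, dom, check_host(ip, dom))
```

The point of the last two cases: an unauthorised host sending as example.test gets "fail" and a receiver can reject outright, while the same host sending as soft.test gets "neutral", which tells the receiver nothing. That is why closing a record with ?all buys almost no protection against forgery of your domain.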


DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the integrity of the message.

How it works:

DomainKeys adds a header named "DomainKey-Signature" that contains a digital signature over the contents of the mail message. The default parameters are SHA-1 as the cryptographic hash and RSA as the public-key scheme, with the resulting signature encoded into the header.

The receiving SMTP server takes the domain the mail claims to come from, the string _domainkey and the selector named in the header, and performs a DNS lookup for selector._domainkey.domain. The returned TXT data includes the domain's public key. The receiver then verifies the signature in the header against a hash it recalculates over the received message, starting immediately after the "DomainKey-Signature:" header. If the signature verifies, this cryptographically proves that the mail was signed with the private key belonging to the purported domain and that the signed content was not tampered with in transit.


There are three primary advantages of this system for e-mail recipients:

* It allows the originating domain of an e-mail to be positively
identified, allowing domain-based blacklists and whitelists to be more
effective. This is also likely to make phishing attacks easier to detect.
* It allows forged e-mail messages to be discarded on sight, either by
end-user e-mail software (mail user agents) or by ISPs' mail transfer agents.
* It allows abusive domain owners to be tracked more easily.

There are some incentives for mail senders to authenticate outgoing e-mail:

* It allows a great reduction in abuse desk work for DomainKeys-enabled
domains if e-mail receivers use the DomainKeys system to automatically drop
forged e-mail messages claiming to be from that domain.
* The domain owner can then focus their abuse team energies on their own
users who actually are abusing their use of that domain.


In order for DomainKeys to work, one must complete two steps: set up the MTA
with the private key, and publish a DNS record that holds the public key.

For step one you would use the 'MTA' tab in the DKeyEvent setup app: select
the options for signing, then create a selector for your domain and generate a
private key for it. Let's say you create a selector called 'mail1'. Keep that
private key readable only by the MTA's user; anyone who can read it can sign
mail as your domain.

For step two, you can use the 'Domain' tab to generate the DNS entry for the
selector you created in step one: select the domain, the selector and the
options you want, and the program gives you a text string like
"k=rsa; t=y; p=MHww...IDAQAB". You then create a new IN TXT record in your
domain's DNS to publish this information. The record must be named
selector._domainkey under your domain (for the example above, mail1._domainkey
followed by your domain name) and its value is the string generated by the
DKeyEvent setup, "k=rsa; t=y; p=...". The t=y flag marks the domain as still
testing DomainKeys; remove it once signing is confirmed to work so that
receivers actually act on verification failures.

Installation of DomainKeys (cPanel Server):

1> For a specific user:
# Run the script

/usr/local/cpanel/bin/domain_keys_installer username

Where username is the cPanel user.

If you get an error similar to “Domain keys are not installed on this
machine.” you either are not running the latest release or current version of
cPanel or you have not converted yet to maildir. Maildir conversion is
required before you install DomainKeys.

2> For all the current cPanel users on the Server:

# Run the script

for u in /var/cpanel/users/*; do /usr/local/cpanel/bin/domain_keys_installer "${u##*/}"; done

3> For all newly created users on the server (not yet tested):

Edit /scripts/postwwwacct (a Perl hook that cPanel runs after each account is created) and add the following; the installer has to be run through system(), a bare path is not a Perl statement:

#!/usr/bin/perl
my %OPTS = @ARGV;                 # cPanel passes key/value pairs, e.g. user => name
my $user = $OPTS{'user'};
system('/usr/local/cpanel/bin/domain_keys_installer', $user) == 0
    or warn "domain_keys_installer failed for $user: $?\n";

Mail sent to a local user by the mail server itself (or by an application/web
application on it) is delivered locally and is left untouched by the
DomainKeys signer.
For more details about Domain Keys, please refer the following link

Bypassing Yahoo's greylisting policy

Yahoo greylists almost all mail servers. Greylisting is Yahoo's policy of
temporarily rejecting mail: you get a "temporarily deferred" response when you
try to send. Once an IP is greylisted the entry stays for some time, say 30
minutes. If you retry within this time Yahoo accepts the mail; after 30 minutes
the IP is removed from the greylist, and the next attempt is deferred again.
The reasoning is that spammers do not retry, which is why greylisting is used.


Deferred mail is retried by Exim's queue runner, so the queue run interval
decides whether the retry lands inside that window. You can set "Number of
minutes between mail server queue runs (default is 60)" in WHM -> Server
Configuration -> Tweak Settings, in the Mail section; a value shorter than the
greylist window, such as 15 minutes, gets the retry in while the entry is still
valid.
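The interaction between the receiver's greylist and the sender's queue run interval, as an added Python illustration (not from the original post). Yahoo's exact parameters are not public, so the greylister below is the generic algorithm most implementations use: it keys on the (client IP, MAIL FROM, RCPT TO) triplet, defers the first attempt, accepts a retry that arrives after an assumed minimum delay of 5 minutes but within the 30-minute window mentioned above, and forgets the entry when the window expires. The addresses and the sending MTA's behaviour (retrying only at each queue run) are constructed for the example.

```python
"""Greylisting as a receiver applies it, plus a sender whose retries happen
only at queue runs (added illustration; the timings are assumptions, using the
30-minute figure from the text above)."""

GREY_MIN_DELAY = 5 * 60    # assumed: retries sooner than this are deferred again
GREY_WINDOW = 30 * 60      # from the text above: the entry lives about 30 minutes


class Greylister:
    """Keyed on the (client IP, MAIL FROM, RCPT TO) triplet like most implementations."""

    def __init__(self, min_delay=GREY_MIN_DELAY, window=GREY_WINDOW):
        self.min_delay, self.window = min_delay, window
        self.pending = {}   # triplet -> time of first attempt
        self.known = set()  # triplets that retried correctly: accepted from now on

    def smtp_response(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from, rcpt_to)
        if key in self.known:
            return "250 OK"
        first = self.pending.get(key)
        if first is None or now - first >= self.window:
            self.pending[key] = now           # unknown or expired: (re)start the clock
            return "451 4.7.1 Temporarily deferred, try again later"
        if now - first < self.min_delay:
            return "451 4.7.1 Temporarily deferred, try again later"
        del self.pending[key]
        self.known.add(key)
        return "250 OK"


def attempts_until_accepted(queue_interval_min, max_attempts=6, greylister=None):
    """Sending MTA that retries deferred mail only at each queue run.  Returns
    the 1-based attempt number on which the mail was accepted, or None."""
    g = greylister or Greylister()
    for attempt in range(max_attempts):
        now = attempt * queue_interval_min * 60
        resp = g.smtp_response("203.0.113.25", "user@example.test",
                               "someone@yahoo.test", now)
        if resp.startswith("250"):
            return attempt + 1
    return None


if __name__ == "__main__":
    for minutes in (60, 15, 2):
        print(f"queue runs every {minutes} min -> accepted on attempt "
              f"{attempts_until_accepted(minutes)}")
```

With the default 60-minute queue run every retry arrives after the entry has expired, so each one is treated as a first attempt and the mail is never accepted; at 15 minutes the second attempt succeeds, and at 2 minutes the sender wastes attempts inside the minimum delay but still gets through on the fourth. Once a triplet has passed, later messages on it are accepted immediately.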

Have a look at the following link:


Below is a reply from Hotmail's support staff:

Hotmail bases its spam rating not just on the content of a message but also
on the reputation of the sending IP address. Also based on the reputation,
Hotmail limits the number of e-mail messages a particular IP can send within
a time period. Your IP has repeatedly exceeded our daily/hourly limit
thresholds. This does negatively impact the reputation of the IP and can
eventually lead to a block as the above mentioned.

By examining your SMTP logs you will be able to determine when your volume
exceeds the limit. We highly recommend reducing the volume below that limit,
to help improving the reputation of your IP address. As your reputation
improves so will the throttling limit. After some time you will be able to
gradually increase the volume that you are sending to Hotmail servers.

We reviewed your SPF record and note that it terminates with ?all. To
maximize deliverability we recommend changing it to -all.

You may also wish to reference RFC 4406, “Sender ID: Authenticating E-Mail”,
which defines the Sender ID specification. It is available at:

We recommend using the hard fail (-all) closing mechanisms for reliability
and security reasons.  The soft fail should be used when you have IPs
that are coming in through an Open DNS.

If all sending IP’s that you will use are included in the SPF record it is
best to use a hard fail (-all) because it is more secure and will help lower
the spam weight of your mail.

Please do not forget to add your new SPF as a TXT entry into your public DNS
records, if you do not have access to the DNS consult with your hosting
company or ISP.

Once you update your domains with valid SPF records you will not need to
notify us when you make this or any revision to your SPF record since we will
automatically pull the current record from the DNS daily.  Thanks again for
your support in improving online trust and confidence and if you have any
questions or comments please feel free to contact us directly.