Preparation

Before enabling the Let's Encrypt certificate, make sure you have Apache Web Server installed on your server. If not, you can check out our Apache web server installation guide.

You also need to create a virtual host configuration file by typing this command (if you didn't do it during Apache installation):

vi /etc/httpd/conf.d/yourdomain.ltd.conf

Add these lines to the configuration file:

<VirtualHost *:80>
  ServerAdmin admin@yourdomain.ltd
  DocumentRoot "/var/www/html"
  DirectoryIndex index.html
  ServerName yourdomain.ltd
  ErrorLog "/var/log/httpd/yourdomain.ltd.error_log"
  CustomLog "/var/log/httpd/yourdomain.ltd.access_log" common
</VirtualHost>

Please note. Make sure to change the "yourdomain.ltd" to your actual domain.

After editing, you can save changes and exit.

1. Creating An Index.Html File For Testing

To create an index.html file for testing, run this command:

vi /var/www/html/index.html

Enter the text for testing in the file:

  <html>
   Page for testing purposes
  </html>

After that, you can save the file and exit.

Now you need to change the owner of the ‘/var/www/html/index.html’ file to Apache by entering this command:

chown -R apache:apache /var/www/html/index.html

This means that Apache can now read this file.

2. Install Certbot

On Centos 7 follow these steps to install Cerbot:

1. We need to add the EPEL repository before installing Certbot. Run this command:
   yum install epel-release
2. Install the Certbot:
   yum install certbot python2-certbot-apache mod_ssl

On AlmaLinux 8 follow these steps to install Cerbot:

1. Run this command to add the EPEL repository before installing Certbot:
   dnf install epel-release
2. Install the Certbot:
   dnf install certbot python3-certbot-apache

3.Set Up The SSL Certificate

To set up the SSL for domain, run this command:

certbot --apache -d yourdomain.ltd

You can install certificate for multiple domains and subdomains by following this command:

certbot --apache -d yourdomain.ltd -d www.yourdomain.ltd -d yourdomain2.ltd -d subdomain.yourdomain2.ltd

When issuing a certificate, you will need to provide an email, that you specified previously in virtual host configuration file (admin@yourdomain.ltd).
You will also need to agree to the Terms of Service (mandatory) and agree or disagree to share your email address with Electronic Frontier Foundation (optional)

Please note.

When issuing a certificate, you may receive the following error message:

Cancel the certificate issue process (enter 'c') and restart Apache service with the following command:

systemctl restart httpd

After that, try to issue the certificate again.

4.Check SSL Certificate

Enter this command to check if SSL issued successfully:

ls /etc/letsencrypt/live/yourdomain.ltd/

You should see the following output:

cert.pem chain.pem fullchain.pem privkey.pem

You can also check SSL in your browser. Open your website and click on the padlock icon in the address bar to see information about certificate.

5.Manual And Automatic Renewal

Let’s Encrypt certificates are valid for 90 days.

You can manually renew certificate with this command:

certbot renew --dry-run

If the certificate is less than 30 days away from expiration, this command will renew it.

If you want to specify auto-renewal, you can edit the crontab and create cronjob to run the above command twice a day automatically:

crontab -e

Add this line to the crontab:

 * */12 * * * root /usr/bin/certbot renew >/dev/null 2>&1

You're all set. When necessary, certbot will renew your certificates and reload Apache to pick up the changes.

Please note.

If, after activating the certificate, your site is still not available and you receive "Secure Connection Failed" error, make sure to allow traffic via HTTPS (port 443), which could be blocked in firewalld by default.

You can check if HTTPS enabled, using this command:

firewall-cmd --list-all

The output will provide you information about enabled services. In this screenshot, you can see that port 443 is enabled:

If 443 port disabled, you can enable it with firewalld or iptables.

To enable https service in firewalld, use this command:

firewall-cmd --permanent --add-service=https

Then reload the firewall:

firewall-cmd --reload

To enable https in iptables, use this command:

iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Then save the changes:

iptables-save

Allocating SWAP Memory

free -h

Your results will be printed in two lines: "Mem", "Swap", which will indicate, what the exact amount of RAM and SWAP memory is on the KVM server. The "Swap" line should only contain zeros. 

fallocate -l 6G /swapfile

ls -lh /swapfile

-rw-r--r-- 1 root root 6.0G Dec 5 14:32 /swapfile

chmod 600 /swapfile

ls -lh /swapfile

-rw------- 1 root root 6.0G Dec  5 14:36 /swapfile

mkswap /swapfile

swapon /swapfile

free -h

Your results will print two lines again, just this time, you will see a line "Swap" having a variable of 6 GB.

Additional Options

cp /etc/fstab /etc/fstab.old

echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

cat /proc/sys/vm/swappiness

cat /proc/sys/vm/vfs_cache_pressure

vm.swappiness=10
vm.vfs_cache_pressure=50
 

If any questions remain, please contact our customer support, we will be glad to help.

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

You can now save and exit nano (Ctrl x) and restart the SSHD service by issuing the following command:

service sshd restart

IMPORTANT: Make sure you can connect to SSH using the new port. Leave your current SSH session open and open a new session using the new port you set above. If you can connect to the new SSH session on the new port than everything is good. If you cannot, then you need to figure out why. This is why you left the original SSH session open, otherwise, you would be locked out of your server.

You may need to add the new port in your IPTables.

First, open your IPtables rules:

nano /etc/sysconfig/iptables

Next, locate the COMMIT line and add the following above it making sure to change #### to the port you set for SSH:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT

You can now save and exit nano (Ctrl x) and restart the IPtables service:

service iptables restart

You should now try to connect to SSH again. If you still cannot connect to it, it would be best to set your SSH port back to 22 and contact your service provider for help.

Use strong passwords for everything

One of the most common causes of system breach is weak passwords. For a strong password, follow a few simple guidelines:

• Minimum password length should be 10 characters
• Always use a mix of numbers, letters, uppercase, lowercase, and symbols (when allowed)
• Strong Password Example- T=ep@Uy*ST

If you need to change your root password, issue the following command and follow the prompts:

passwd

Disable Root User

It is a security risk to keep the root user enabled. Most operations and installs should not be done using root. Instead, create a regular user and if you need root privileges, use the su command.

To add a user, do the following replacing “namehere” with your desired username:

useradd namehere
passwd namehere

Now, disable root login to SSH by editing your sshd_config file:

nano /etc/ssh/sshd_config PermitRootLogin no (make sure you remove the #)

Now save and exit Nano (Ctrl x) and restart SSHd:
 

Restrict SSH access by IP using IPtables

This adds a great amount of security but make sure you have a static IP.

First, open your IPtables rules:

nano /etc/sysconfig/iptables

Locate the line containing rule with "--dport 22" fragment and add the following above it making sure to change #### to the port you set for SSH and 192.168.0.1 to your IP address:

-A INPUT -p tcp -s 192.168.0.1 --dport #### -j ACCEPT

You can now save and exit nano (Ctrl x) and restart the iptables service:

service iptables restart

Install RkHunter

Every server needs something checking for rootkits, backdoors, md5 hashes (file changes), hidden files, etc.. etc.. and RKHunter is great at this.

To install RKHunter, issue the following commands:

yum install rkhunter -y

You need to set up a daily cron so that rkhunter will check its version and update it if needed as well as run a scan. We will also be setting it so it will e-mail you the daily report.

Create and open in nano a new cron task/shell script by issuing the command below:

nano -w /etc/cron.daily/rkhunter.sh

Now add the following making sure to replace “PutYourServerNameHere” with your server's hostname and “your@email.here” with your email address:

#!/bin/sh(/usr/local/bin/rkhunter --versioncheck/usr/local/bin/rkhunter --update/usr/local/bin/rkhunter --cronjob --report-warnings-only)
/bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here

If you don’t know your server’s hostname, you can find it by typing hostname in your ssh window. You will need to exit (Ctrl x) nano first or open another session.

You also need to secure the script making it usable only by root. To do this, issue the following command:

chmod 700 /etc/cron.daily/rkhunter.sh

Now test it and make sure it runs ok. To run rkhunter manually, issue the following command:

rkhunter -c -sk

That’s it. You're done and your server just became much safer!

Install CSF (Config Server Firewall)

CSF includes many different types of protection and is much more user-friendly than using IPTables directly.

If you are not sure whether you have Perl installed issue the following command:

perl -v

If perl is installed, it will return which version. If it is not installed, issue the following command to install it:
 

Now you can install CSF with the command below:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Make sure that you have the required iptable modules by issuing the following command:

perl /etc/csf/csftest.pl

It is possible that you will be missing some modules, but as long as the test does not return a fatal error, you should be fine. You may lose some functionality of CSF with missing modules but it will work.

When you install CSF, it automatically whitelists your IP. It also starts in test mode which means it clears the rules every 5 minutes. Make sure you leave it in test mode until you are sure your configuration is working properly. If you do lock yourself out, just wait for 5 minutes and you will be able to log in again. The stock configuration is fine for most servers though some changes should be made.

If you changed your SSH port above, you need to make sure to add it to your CSF config. To edit the csf configuration, issue the following command:

nano /etc/csf/csf.conf

The first thing to edit is the TCP ports. You can delete port 22 on inbound and outbound since SSH uses your new port which should already have been added to the end of the inbound line, if not then add it. You will also need to add it to the outbound TCP:

# Allow incoming TCP portsTCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,####"
# Allow outgoing TCP portsTCP_OUT = "20,21,22,25,53,80,110,113,443,####"

Next, locate CONNLIMIT = “”
You should limit the number of concurrent connections per IP on the most commonly attacked ports which are 21 (FTP), 80 (HTTP), and your new SSH port. This setting is only for TCP.

CONNLIMIT = "21;5,####;5,80;20"

Next, configure port flood protection located directly under CONNLIMIT. Again, you should add the most commonly attacked ports. This setting limits the number of connections allowed at one time on a specified port.

PORTFLOOD = "21;tcp;5;300,80;tcp;20;5,####;tcp;5;300"

To set the e-mail that CSF will send reports to, find X_ARF_TO = “” and add your email address:

X_ARF_TO = "your@email.here"

That’s all the configuration changes we are going to cover in this guide.

Save and exit your editor (Ctrl x) and start CSF by issuing the following command:

csf -h (shows a list of csf commands) or csf -s (starts csf)

You need to open another SSH session and try to connect to your server. If you can connect without error your configuration is good!

Now we can disable testing mode so the lfd (login failure daemon) will be able to start.

To do this, go back into your csf.conf /etc/csf/csf.conf and find TESTING = “1″ and change it to “0″ then save and exit (Ctrl x). Restart CSF with the following command:

csf -r

Now you should remove the install archive by issuing the following command:

cd ../rm -fv csf.tgz

That's it! Now your server is more secure.

Introduction

Encryption is the process of encoding files in such a way that only those who are authorized can access it. Encryption does not of itself prevent interception but denies the file content to the interceptor. In an encryption scheme, the intended files, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted.

Linux distribution provides a few standard encryption/decryption tools that can prove to be handy at times. Here in this article, we have covered 3 such tools with proper standard examples, which will help you to encrypt, decrypt and password-protect your files.


1. GnuPG
 

GnuPG (GNU Privacy Guard, often called GPG) package in most of today’s Linux distributions comes by default, if in-case it’s not installed you may apt or yum it from the repository.

Ubuntu/Debian:
sudo apt-get install gnupg

CentOS/Fedora:
yum install gnupg

Encrypting

Now you can encrypt a file using GPG. As soon as you run the gpg command with option -c (encryption only with symmetric cipher) it will create a file testfile.txt.gpg.
gpg -c /path_to_the_file/testfile.txt

Note: Enter Paraphrase twice to encrypt the given file. The above encryption was done with CAST5 encryption algorithm automatically. You may specify a different algorithm optionally. To see all the encryption algorithm present you may execute:
gpg --version

Decrypting

Now, if you want to decrypt the above encrypted file, you may use the following command:
gpg /path_to_the_file/testfile.txt.gpg

Note: You need to provide the same password you gave at encryption to decrypt when prompted.

More information about GNU Privacy Guard on official site:
https://www.gnupg.org


2. Zip
 

It is one of the most famous archive formats and it is so much famous that we generally call archive files as zip files in day-to-day communication. It uses pkzip stream cipher algorithm.

If you have not installed zip you can do it with apt or yum.

Ubuntu/Debian:
sudo apt-get install zip

CentOS/Fedora:
yum install zip

Encrypting

Create an encrypted zip file using zip:
zip --password mypassword testarchive.zip testfile.txt

Or if you want to add more files into zip archive:
zip --password mypassword testarchive.zip testfile.txt testfile1.txt testfile2.txt
 

You need to provide the same password you provided at encryption.


3. OpenSSL
 

By default OpenSSL is installed in all our templates, however, if you have removed it you can install it with apt-get or yum.

Ubuntu/Debian:
sudo apt-get install openssl

CentOS/Fedora:
yum install openssl

Encrypting
openssl enc -aes-256-cbc -in /path_to_the_file/testfile.txt -out /path_to_the_file/testfile.dat

Explanation of each option used in the above command.

enc encryption
-aes-256-cbc the algorithm to be used.
-in full path of a file to be encrypted.
-out the full path where it will be decrypted.

Decrypting

Decrypt a file using OpenSSL:
openssl enc -aes-256-cbc -d -in /path_to_the_file/testfile.dat > /path_to_the_file/testfile2.txt

Introduction

SPF (Sender Policy Framework) is a DNS text entry which shows a list of servers that should be considered allowed to send mail for a specific domain. Incidentally, the fact that SPF is a DNS entry can also considered a way to enforce the fact that the list is authoritative for the domain, since the owners/administrators are the only people allowed to add/change that main domain zone.

• upon receipt, the HELO message and the sender address are fetched by the receiving mail server
• the receiving mail server runs a TXT DNS query against the claimed domain SPF entry
• the SPF entry data is then used to verify the sender server
• in case the check fails a rejection message is given to the sender server

DKIM (DomainKeys Identified Mail) should be instead considered a method to verify that the messages' content are trustworthy, meaning that they weren't changed from the moment the a message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. Once again the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct, while on the sender side the server will sign the entitled mail messages with the corresponding private key.

• when sending an outgoing message, the last server within the domain infrastructure checks against its internal settings if the domain used in the "From:" header is included in its "signing table". If not the process stops here
• a new header, called "DKIM-Signature", is added to the mail message by using the private part of the key on the message content
• from here on the message *main* content cannot be modified otherwise the DKIM header won't match anymore
• upon reception, the receiving server will make a TXT DNS query to retrieve the key used in the DKIM-Signature field
• the DKIM header check result can be then used when deciding if a message is fraudulent or trustworthy

Setting Up SPF

SPF requires only that you add a TXT record to your DNS zone for the domain. How that happens depends on the tools provided by your domain registrar, or the tools you set up yourself should you manage your own nameservers. If using a registrar's web interface to make DNS changes, you may or may not have the option to enter a subdomain for the record. If you do, then leave that field blank.

This generic SPF TXT record authorizes mail originating from mail servers for your domain that is identified by MX records and all other servers associated with your domain that have A records:

"v=spf1 a mx -all"

Note that the double quotes are a necessary part of the SPF TXT record. Much more complicated records than this are possible, as outlined in the SPF documentation.

Setting Up DKIM

Setting up DKIM is a little more involved than SPF, but still not too challenging if you are already running a Postfix mail server on Ubuntu. First, install the necessary packages:

apt-get install opendkim opendkim-tools -y

Open /etc/opendkim.conf:

nano /etc/opendkim.conf

Add the following:

Domain    your_domain
KeyFile   /etc/postfix/dkim.key
Selector  dkim
SOCKET    inet:8891@localhost

Open /etc/default/opendkim:

nano /etc/default/opendkim

Add the following:

SOCKET="inet:8891@localhost"

Configure postfix to use this milter:

nano /etc/postfix/main.cf

Make sure that these two lines are present in the Postfix config file and are not commented out:

milter_protocol = 2
milter_default_action = accept

It is likely that a filter (SpamAssasin, Clamav etc.) is already used by Postfix; if the following parameters are present, just append the opendkim milter to them (milters are separated by a comma), the port number should be the same as in opendkim.conf:

smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:8891
non_smtpd_milters = unix:/spamass/spamass.sock, inet:localhost:8891

If the parameters are missing, define them as follows:

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Generating the Public and Private Keys

Now you can generate a private key for signing outgoing mail. Note that in the following command, "dkim" is the value given to Selector in /etc/opendkim.conf. This can be any simple string, provided you are consistent about replacing "dkim" with your desired value everywhere in this recipe. Run the following command to generate the key and associated materials in the form of two files, dkim.private, and dkim.txt. The former is the RSA private key, while the latter contains the entry you will have to place into your DNS records.

opendkim-genkey -t -s dkim -d your_domain

Move the key into place, but don't forget to take a copy and keep that copy backed up somewhere safe:

mv dkim.private /etc/postfix/dkim.key

You'll need to restart Postfix and OpenDKIM services to pick up the configuration changes so that outgoing mail is signed using DKIM:

service opendkim start
service postfix restart

Adding the Public Key to The Domain's DNS Records

Next up is the DNS record setup. How you do this is again completely dependent on how you manage DNS or how it is managed for you - everyone's tools are different. Note that some registrars do not let you create raw TXT records with specific subdomains, which will prevent you from creating DKIM TXT records. If this is the case, then you will have to transfer your domain to a real registrar that lets you play with all the toys. Or you can simply use our DNS management system!

You can find information about your public key in dkim.txt file:

cat dkim.txt

Here is how it looks on our DNS management system:
 

Sharing a DKIM Key for Multiple Domains

If you are serving multiple domains from the same mail server, then the contents of /etc/opendkim.conf:

nano /etc/opendkim.conf

Instead of:

Domain    your_domain
KeyFile   /etc/postfix/dkim.key
Selector  dkim
SOCKET    inet:8891@localhost

Should be:

Domain    *
KeyFile   /etc/postfix/dkim.key
Selector  dkim
SOCKET    inet:8891@localhost

Testing

First of all, give the DNS changes a chance to propagate before using it. Decent testing service is Mail Tester.

1. Installation of Lynis

mkdir /usr/local/lynis

cd /usr/local/lynis
 

Preliminary Requirements:

• CentOS 7, Fedora 23, Ubuntu 16.04 or Debian 8 OS installed.

Installation Of ConfigServer Security & Firewall

For CentOS / Fedora firstly you need to install required for CSF Perl packages:

yum install perl-libwww-perl.noarch perl-Time-HiRes perl-core zip unzip bind-utils -y

apt-get install e2fsprogs dnsutils libwww-perl -y

wget http://download.configserver.com/csf.tgz

tar xzf csf.tgz

Then we need to run CSF installation script:

cd csf

sh install.sh

After installation run the test in order to make sure that all required iptables modules are installed on your VPS:

perl /usr/local/csf/bin/csftest.pl

If all required iptables modules are installed you will receive such result:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server 

After checking iptables modules we need to enable CSF. For this reason, you may open and edit configuration file:

vi /etc/csf/csf.conf

You need to change "TESTING" value to the zero:

TESTING = "0"

RESTRICT_SYSLOG = "3"

csf -r

echo '#!/bin/sh' > /usr/sbin/sendmail
chmod +x /usr/sbin/sendmail

csf -r

Enable ConfigServer Security & Firewall Web UI

yum install perl-IO-Socket-INET6 perl-Socket6 -y

For Debian / Ubuntu execute:

apt-get install libio-socket-ssl-perl libcrypt-ssleay-perl libnet-libidn-perl libio-socket-inet6-perl libsocket6-perl libwww-perl -y

In order to enable Web UI you need to edit the configuration file:

vi /etc/csf/csf.conf

You need to modify following values:

# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "7777"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = "111.111.111.111"

# This should be a secure, hard to guess username
# 
# This must be changed from the default
UI_USER = "username"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus 
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "password"

• UI - should be "1" for enabled Web UI;
• UI_PORT - port for accessing CSF firewall via the browser;
• UI_IP - your server's IP address. Leave it blank to bind to all IP addresses on the server (e.g. if you have additional IPs);
• UI_USER - username for accessing CSF firewall via the browser;
• UI_PASS - password for accessing CSF firewall via the browser.

echo "your_public_ip_address" >>  /etc/csf/ui/ui.allow

Finally restart lfd (Login Failure Daemon) daemon, which uses CSF Web UI:

service lfd restart

Note: use HTTPS to access Web UI.

DoS / DDoS Attacks Prevention With ConfigServer Security & Firewall

It is possible to configure ConfigServer Security & Firewall to prevent VPS from small and limited DDoS attacks. In order to enable it, you need to edit /etc/csf/csf.conf file. If you have enabled Web UI, you could edit configuration file via it - just go to the "ConfigServer Firewall" and select "Firewall Configuration". In another case you need to edit /etc/csf/csf.conf via SSH:

vi /etc/csf/csf.conf

First of all you need to set up total number of connections allowed from single host:

CT_LIMIT = "20"

Set connection tracking interval (in seconds):

CT_INTERVAL = "30"

Enable email alerts sending for each blocked IP address:

CT_EMAIL_ALERT =1

Enable permanent IP addresses blocking ("1" to enabled, "0" for disabled):

CT_PERMANENT = 1

If you did not enable permanent IP addresses blocking, you could set interval (in seconds) within which IP will remained blocked:

CT_BLOCK_TIME = 1800

If you would like to enable it only for specific ports, you need to provide it in CT_PORTS. If you keep it empty, all ports would be checking:

CT_PORTS = "22,23,80,443"

After it, you need to restart CSF service and lfd daemon. If you have performed changes via Web UI, just press the button "Restart csf+lfd'. Else execute the following command via SSH:

csf -r && service lfd restart

ENABLED=1
CRON=1

Now create a variable named SAHOME with the Spamassassin home directory:

SAHOME="/var/log/spamassassin/"

Find and change the OPTIONS variable to:

OPTIONS="--create-prefs --max-children 2 --username spamd \
-H ${SAHOME} -s ${SAHOME}spamd.log"

After setting up is complete we can start the Spamassassin daemon by using the following code:

service spamassassin start


Configuring Postfix
SpamAssassin is set up, however, emails are still not going through it. To enabling that, open Postfix config file:

nano /etc/postfix/master.cf

Find the line:

smtp inet n - - - - smtpd

And add the following to the end of the line:

-o content_filter=spamassassin

Now, Postfix will pipe the mail through SpamAssassin.

To setup after-queue content filter add the following line to the end of the file

spamassassin unix -     n       n       -       -       pipe
        user=spamd argv=/usr/bin/spamc -f -e  
        /usr/sbin/sendmail -oi -f ${sender} ${recipient}

For the changes to take effect restart postfix:

service postfix restart


Configuration

To get the maximum use of SpamAssassin you have to create rules. Open the SpamAssassin default rules file using:

nano /etc/spamassassin/local.cf

To activate a rules uncomment line by removing the # symbol in the beginning of the line. Some line we recommend to uncomment:

rewrite_header Subject *****SPAM***** - To add a spam header to spam mail.

required_score 5.0 - Spamassassin gives a score to each mail after running different tests on it. This line marks the mail as spam if the score is more than the value specified in the rule.

use_bayes 1 - To use Bayes theorem to check mails.

bayes_auto_learn 1 - To enable Bayes auto-learning.

After adding the above details, save the file and restart spam assassin.

service spamassassin restart


Testing

To see if SpamAssassin is working, you can check the SpamAssassin log file using:

nano /var/log/spamassassin/spamd.log

or send the email from an external server and check the mail headers.


Conclusion

Using SpamAssassin, it is very easy to protect your mailbox from spammers. The best thing about SpamAssassin is that we can create rules by ourselves and manage it.

CentOS 6 64-Bit

CentOS 7 64-Bit

Debian 7 64-Bit

Debian 8 64-Bit

Ubuntu 12.04 64-Bit

Ubuntu 14.04 64-Bit

Ubuntu 15.04 64-Bit

Ubuntu 16.04 64-Bit

OpenSuse 13.1 64-Bit

3. Restart VPS 

Have any difficulties following these instructions? Got additional questions about making standard OpenVZ OS image minimal? Let us know! Our customer support team is ready to help 24/7.

iptables -F

Note. If you want to flush a single Chain, specific rules. You can use this:

sudo iptables -F INPUT

Next commands are used to check current rules that are active within your server:

iptables -L

iptables -S

Note. You can add specific words, like INPUT, FORWARD OR OUTPUT. For example:

iptables -L INPUT

This will let you specify the rules by their purpose (Chains).

Note. You can also add "-v" to your command (iptables -L -v), this will let you check the packets and their size matched with each rule.

Now we can continue with more specific rules to make some simple rules. Usually, a Firewall is used to block something first, and only then to allow something. So here are some rules which help you to block the connections.

In order to block a connection from the specific IP address you can use this:

iptables -A INPUT -s 1.1.1.1 -j DROP 

iptables -A OUTPUT -s 1.1.1.1 -j DROP

iptables -A INPUT -s 1.1.1.1 -j REJECT

Note. REJECT is used to give a response that the connection is not blocked and sends a message "connection refused".

If you want to block a specific port, for example, SMTP port 25, you can use this:

iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -I OUTPUT -p tcp --dport 25 -j DROP

Allow Incoming SSH connection only from a specific IP:

iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

This actually allows only specific IP to connect to the server using 22 port. Also, every time it happens, it establishes a status, which will be used in the second rule to allow the same IP the outgoing traffic.

Following sets of rules are for HTTP and HTTPS connections:

iptables -A INPUT -i venet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

The first set of rules allows HTTP and the second set of rules allows HTTPS connection using the default ports 80 and 443

Next rules allow outside users to ping to your server:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

The same applies to block it:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

To allow loopback access to your server, for example using localhost:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allowing MySQL connection from specific IP address:

iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allowing POP3 or IMAP traffic:

iptables -A INPUT -i venet0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Also, this can be applied for POP3/IMAP using a secure connection:

iptables -A INPUT -i venet0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Note. When you describe network interface in the rules, for example, venet0, do not forget to change it, if your server uses different network interfaces, for example, eth0 or other.

One last use of iptables  is that it can be used to prevent the DDoS as well, by limiting the connections per minute:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 100 -j ACCEPT

More details about this one:

-m limit: This uses the limit iptables extension
–limit 25/minute: This limits only a maximum of 10 connections per minute.
–limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

You can change the details based on your requirements, to prevent some attacks.

iptables -A INPUT -s xx.xx.xx.xx -j DROP

How do you block an IP from a specific port?

iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport PORT -j DROP

How do you allow access to an IP?

iptables -A INPUT -s xx.xx.xx.xx -j ACCEPT

How do you allow access to an IP to a specific port using iptables?

iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport PORT -j ACCEPT

(Again, xx.xx.xx.xx is the remote IP address and PORT is the port number you wish to allow/deny access to.)

How do you block a scanner on a server for example "blablabla.at.ISC.SANS" using iptables?

iptables -I INPUT -p tcp --dport 80 -m string --algo bm \
--string 'GET /blablabla.at.ISC.SANS.' -j DROP

More information can be found in our article about the most common iptables rules:
https://www.lcwhost.org/topic/21-basic-and-most-common-iptables-rules/

nano /etc/httpd/conf/httpd.conf
 

</IfModule>
KeepAlive Off
<IfModule prefork.c>
   StartServers        32
   MinSpareServers     16
   MaxSpareServers     64
   MaxClients         128
</IfModule>

After modification, do not forget to restart apache server:

service httpd restart