5/08/2012

Microsoft Windows Server 2003 for Small Business Server Microsoft Exchange Mail Store unmounts

At 08:59hrs this morning I got a call from a customer who was unable to receive e-mail. Logging into their server I discovered that there were indeed messages stuck in the Local Delivery queue. I checked the Application event logs and found the following event log

Event Type: Error

Event Source: MSExchangeSA
Event Category: MAPI Session 
Event ID: 9175
Date: 8/05/2012
Time: 9:12:31 AM
User: N/A
Computer: ***DELETED***
Description:
The MAPI call 'OpenMsgStore' failed with the following error: 
The attempt to log on to the Microsoft Exchange Server computer has failed.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0512-00000000 


For more information, click http://www.microsoft.com/contentredirect.asp.

Further investigation led to an un-mounted mail store.It was relatively easy to re-mount the store, however the support link at http://support.microsoft.com/kb/896143 leads me to think it may not be so easy all the time. After getting the service back up and running, I re-visited the logs to find that the event started at approximately 23:22hrs last night, and was preceded by the following message;


Event Type: Error
Event Source: MSExchangeSA
Event Category: Monitoring 
Event ID: 1005
Date: 7/05/2012
Time: 11:22:24 PM
User: N/A
Computer: ***DELETED***
Description:
Unexpected error <<0xc1050000 - The attempt to log on to the Microsoft Exchange Server computer has failed. The MAPI provider failed. Microsoft Exchange Server Information Store ID no: 8004011d-0512-00000000>> occurred. 


For more information, click http://www.microsoft.com/contentredirect.asp.


The support link at http://support.microsoft.com/kb/888179 did not provide much assistance in resolving the issue permanently, but I did check the allocated space and size of the mail store and the available space on disk and they were all OK.

5/07/2012

I had to do some maintenance work on a Linux based server

I had to do some maintenance work on a Linux based server. It was mainly just archiving some files around and updating packages and configurations. However, as part of the maintenance I took the opportunity to put in some simple technical security controls in place and documented some of them here for my reference.

MySQL Database
There was a MySQL server running that was only needed for the local host, but a "netstat -ltn" indicated that it was not bound to any specific IP, i.e. listening on 0.0.0.0, so I bound it to the localhost IP of 127.0.0.1 by editing the /etc/my.cnf file using the entry bind-address=127.0.0.1

vi /etc/my.cnf
bind-address=127.0.0.1

RKHunter Rootkit Anti-malware
I installed the new version of rkhunter and modified the configuration file to suit.

yum install rkhunter
vi /etc/rkhunter.conf
PKGMGR=RPM
ENABLE_TESTS="all"
DISABLE_TESTS="none"
SCAN_MODE_DEV=THOROUGH 
rkhunter --propupd --update --check --sk -l
vi /etc/rkhunter.conf
ALLOWHIDDENDIR=
ALLOWDEVFILE=

IPTables Firewall
Strangely enough there was no firewall configured on the host, so I quickly knocked up an script and saved it. Here's a snippet of the script that simply resets the rules, sets the default policies to drop and allows all local communications. There are additional parts that allow specific traffic through, but I have not put this up here to obscure the services and IP addresses being used.

#!/bin/bash

#
# Global script variables
#

# Commands
IPTABLES=/sbin/iptables

# Network interfaces and addresses
LOOP_IFACE=lo
LAN=192.168.100.0/24
LAN_ADDR=192.168.100.201
LAN_IFACE=eth0

# Port numbers
NAMED_PORT=53
NETFLOW_PORT=9996
NTP_PORT=123
PRIV_PORTS=1:1024
SMB_PORTS=137:139
SSHD_PORT=4022
UNPRIV_PORTS=1025:65535


#
# Manage kernel parameters
#

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward


#
# Configure default table policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP


#
# Initialise tables - flush rules, remove chains, zero counts
#

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat

$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -Z


#
# Allow all local loopback traffic
#

$IPTABLES -A INPUT -i $LOOP_IFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOP_IFACE -j ACCEPT


#
# Allow all traffic that is part of a related or established connection in
#

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#
# Politely reject SMB traffic
#

$IPTABLES -A INPUT -i $LAN_IFACE -p tcp --dport $SMB_PORTS -j REJECT
$IPTABLES -A INPUT -i $LAN_IFACE -p udp --dport $SMB_PORTS -j REJECT


#
# Allow icmp pings
#

$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN -d $LAN_ADDR -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN_IFACE -s $LAN_ADDR -d $LAN -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT


#
# *** DELETED SERVICES SPECIFIC RULES TO IMPLEMENT SECURITY BY OBSCURITY ***
# 


#
# Debugging - log all other traffic *** DO NOT USE IN PRODUCTION ENVIRONMENT ***
#
#
#$IPTABLES -A INPUT -i $LAN_IFACE -j LOG --log-prefix "rc.firewall "
#


ClamAV Anti-virus
ClamAV is an open source anti-virus software for Linux. I installed this using the yum package manager and configured the AV to scan daily, and used freshclam to ensure that the virus definitions are updated hourly.
yum install clamav clamd clamav-db

vi /etc/cron.hourly/freshclam
#!/bin/bash
/usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log

vi /etc/cron.daily/clamscan
#!/bin/bash
/usr/bin/clamscan -r / --exclude-dir=/proc --quiet --infected --log=/var/log/clamd/clamscan

Fail2Ban Intrusion Prevention
fail2ban is an interesting intrusion prevention system that parses system logs to dynamically update firewall rules to stop potential intrusion attempts. It supports several other mechanism, but I was only interested in the firewall and SSH access


yum install fail2ban
vi /etc/ssh/sshd_config
SyslogFacility LOCAL5
LogLevel INFO

vi /etc/syslog.conf
local5.info                                     /var/log/sshd/sshd.log

vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=*DELTED*, sender=*DELETED*]
logpath  = /var/log/sshd/sshd.log
maxretry = 2


Legal notices
The client wanted some legal notices and disclaimers on the host for various reasons, one of them being to notify employees that their usage was being monitored. I stuck the disclaimer from their legal department (it looked pretty generic though) into /etc/issue and created a link from /etc/issue.net to it.