Checking mail often produces an SSL error for Plesk mail services. All clients (Outlook, Mac Mail, Thunderbird) show a warning about the SSL certificate. How do you fix it?

You would need to purchase an SSL certificate for your server’s hostname and set it up so that it is used by the mail service on the server. If you try to use mail.domain.com instead, clients will still get the certificate error, because the name they connect to does not match the certificate.

Ref: http://kb.sp.parallels.com/en/1062

Install tcpdump

$ sudo apt install tcpdump -y

List Network Interfaces

$ sudo tcpdump -D

Output

1.eth0 [Up, Running]
2.eth1 [Up, Running]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)

Capture packets from a particular Ethernet interface with:

$ sudo tcpdump -i eth0

You can use the -v option to increase the verbosity of the output, or -vv and -vvv to increase it even further.

$ sudo tcpdump -i eth0 -vv

If you don’t want tcpdump to endlessly output data to your terminal, you can use the -c option to specify how many packets you’d like the utility to capture. tcpdump will stop once that many packets have been captured, rather than waiting for you to interrupt it. The following command captures only the first 15 packets.

$ sudo tcpdump -c 15

If you don’t want tcpdump to perform DNS resolution on the network addresses in the output, you can use the -n option in your command. This will display all network addresses as IP addresses, rather than resolving them to domain names.

$ sudo tcpdump -n

If you would rather save the network traffic output to file, instead of having it listed on your screen, you can always redirect the tcpdump output with the usual > and >> operators.

$ sudo tcpdump > traffic.txt

Another option is to write the raw network capture to a file with -w. These files usually have the .pcap file extension and can’t be read with an ordinary text editor.

$ sudo tcpdump -n -w traffic.pcap

To open the file for later analysis, use the -r option and the name of your file.

$ sudo tcpdump -r traffic.pcap

To analyse pcap files in more depth, you can use tools such as tcpick, tcpxtract, or Wireshark.

Interpret tcpdump command output

Each packet that tcpdump captures is written as an individual line. One of those lines will look something like this:

23:36:59.581280 IP 143.110.237.64.22 > 70.112.179.47.53357: Flags [P.], seq 448976:449152, ack 1761, win 501, length 176

Here’s how to interpret that line of data:

    23:36:59.581280 - Timestamp of when the packet was captured.
    IP 143.110.237.64.22 - IP address and port number of the source host (the last dotted field, 22, is the port).
    70.112.179.47.53357 - IP address and port number of the destination host.
    Flags [P.] - TCP flags (SYN, ACK, PSH, etc). [P.] means PSH and ACK; a bare [.] means ACK only, [S] is SYN.
    seq 448976:449152 - The range of sequence numbers covered by this segment.
    ack 1761 - The acknowledgment number.
    win 501 - The window size (bytes free in the receiving buffer).
    length 176 - The length of the payload data in bytes.

Specific Port

$ sudo tcpdump -i eth0 port 80

Filter records with source and destination IP

To Capture packets from a source IP you can use the following command:

$ sudo tcpdump -i eth0 src 192.168.1.1

You can monitor packets from a destination IP as well with the command below:

$ sudo tcpdump -i eth0 dst 192.168.1.1

Mail for some reason is not delivering to outlook.com

Find your nameservers:

# cat /etc/resolv.conf
nameserver 69.xx.xx.xx
nameserver 69.xx.xx.xx

In this case the nameserver is 69.xx.xx.xx. Ask it for the MX records of outlook.com:

$ dig MX outlook.com @69.xx.xx.xx
; <<>> DiG 9.9.2-P2-RedHat-9.9.2-3.P2.el5 <<>> MX outlook.com @69.64.66.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19033
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;outlook.com. IN MX

;; Query time: 2 msec
;; SERVER: 69.64.66.11#53(69.64.66.11)
;; WHEN: Fri Jan 9 15:38:48 2015
;; MSG SIZE rcvd: 29

There is no result: the local resolver answers NXDOMAIN for outlook.com, so the mail server cannot find a host to deliver to. Now change to Google’s nameservers (8.8.8.8 or 8.8.4.4) and repeat the query:

$ dig MX outlook.com @8.8.8.8
; <<>> DiG 9.9.2-P2-RedHat-9.9.2-3.P2.el5 <<>> MX outlook.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33959
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;outlook.com. IN MX

;; ANSWER SECTION:
outlook.com. 17432 IN MX 10 mx3.hotmail.com.
outlook.com. 17432 IN MX 10 mx4.hotmail.com.
outlook.com. 17432 IN MX 10 mx1.hotmail.com.
outlook.com. 17432 IN MX 10 mx2.hotmail.com.

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 9 15:39:26 2015
;; MSG SIZE rcvd: 128

Email accounts in addon domains

You can create email accounts for addon domains. To learn how to set up an email account for an addon domain, read our Email Accounts documentation.

When you remove the addon domain, its email accounts will no longer appear in the cPanel interface. However, the contents of those email accounts still exist in the /home/username/mail directory.

If you add the domain back to the same account as the primary domain, an addon domain, or a parked domain, the email accounts will reappear in the cPanel interface.
If you move the domain to a different account, you must add the email accounts manually and move the contents of the email account manually. The email accounts must follow the same name and same domain format that they previously followed.
You can use the Email Accounts interface to add new accounts, or you can run the /scripts/addpop script to manually add new email accounts.
To move one email account under a domain, you can run the following command:


# mv /home/old_account/mail/domain_name/email_account /home/new_account/mail/domain_name/

After you run this command, the system creates the /home/new_account/mail/domain_name/ directory. To move all the email accounts under a domain, run the following command:


# mv /home/old_account/mail/domain_name /home/new_account/mail

After you move the files, run the following command to change the ownership of the new account:


# chown -R new_account:new_account /home/new_account/mail/domain_name
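The single-account move, the whole-domain move and the ownership fix above, written out as one Python function. This is an added example, not cPanel’s own tooling and not part of the original notes. It adds the check the plain mv commands lack: it refuses to move into a path that already exists, because a second mv onto an existing directory would nest the source inside it rather than replace it. The run_demo() function builds a constructed layout in a temporary directory (the account names old_account and new_account, the domains example.com and example.org and the mailbox names are made up) and skips the chown step, which needs root.

```python
import os
import pwd
import shutil
import tempfile
from pathlib import Path


def move_domain_mail(old_home, new_home, domain, account=None, owner=None):
    """Move the mailbox of one account (or, when account is None, the whole
    domain directory) from old_home/mail/domain to new_home/mail/domain,
    keeping the same account and domain names so cPanel can find them again.
    When `owner` (a system user name) is given, chown the moved tree to it.
    Returns the new path."""
    src_domain = Path(old_home) / "mail" / domain
    dst_domain = Path(new_home) / "mail" / domain
    src = src_domain if account is None else src_domain / account
    dst = dst_domain if account is None else dst_domain / account
    if not src.is_dir():
        raise FileNotFoundError(f"no mail directory at {src}")
    if dst.exists():
        # A plain `mv src dst` onto an existing directory would nest src
        # inside dst instead of replacing it, so refuse and let the admin look.
        raise FileExistsError(f"{dst} already exists; not overwriting")
    dst.parent.mkdir(parents=True, exist_ok=True)  # /home/new/mail[/domain]
    shutil.move(str(src), str(dst))
    if owner is not None:
        chown_tree(dst, owner)
    return dst


def chown_tree(root, owner):
    """Same effect as `chown -R owner:owner root`; requires root privileges."""
    ent = pwd.getpwnam(owner)
    for path in [root, *root.rglob("*")]:
        os.chown(path, ent.pw_uid, ent.pw_gid, follow_symlinks=False)


def run_demo():
    """Exercise both moves on a constructed layout inside a temporary
    directory (no chown, so it runs as an ordinary user) and report results."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp) / "old_account"
        new = Path(tmp) / "new_account"
        layout = (("example.com", "alice"), ("example.org", "bob"),
                  ("example.org", "carol"))
        for domain, acct in layout:
            (old / "mail" / domain / acct / "cur").mkdir(parents=True)

        # 1. one account, like: mv .../old/mail/example.com/alice .../new/mail/example.com/
        move_domain_mail(old, new, "example.com", account="alice")
        # 2. a whole domain, like: mv .../old/mail/example.org .../new/mail
        move_domain_mail(old, new, "example.org")
        # 3. the guard: example.com now exists under both accounts
        try:
            move_domain_mail(old, new, "example.com")
            refused = False
        except FileExistsError:
            refused = True

        return {
            "alice_moved": (new / "mail/example.com/alice/cur").is_dir()
                           and not (old / "mail/example.com/alice").exists(),
            "org_moved": (new / "mail/example.org/bob/cur").is_dir()
                         and (new / "mail/example.org/carol/cur").is_dir()
                         and not (old / "mail/example.org").exists(),
            "refused_overwrite": refused,
        }


if __name__ == "__main__":
    print(run_demo())
```

On a real server you would call move_domain_mail("/home/old_account", "/home/new_account", "domain_name", owner="new_account") as root, which performs the move and the recursive chown in one step.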

You can use the “show processlist” command to view currently running queries. This is useful if you are looking to see if a query is locking a table, or if you have too many open queries, or for any other number of reasons.

On a Linux Plesk server the MySQL password is stored in /etc/psa/.psa.shadow. You would view the current query list with this command:


# mysql -uadmin -p`cat /etc/psa/.psa.shadow` -e 'show processlist' 

The output will be truncated so that everything fits onto one line. If you need to view the entire query you need to run “show full processlist.”


# mysql -uadmin -p`cat /etc/psa/.psa.shadow` -e 'show full processlist'

If you are not running Plesk and have cPanel/WHM instead, by default there is no password set for the MySQL root user:


# mysql -uroot -e 'show processlist'

Monit is not available from the base system repositories; you need to add and enable the third-party EPEL repository to install the monit package on RHEL/CentOS systems.


# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# sudo rpm -Uvh epel-release-6*.rpm

Install Monit

# yum install monit

Monit has its own web interface, served by a built-in web server on port 2812. To enable it you need to make changes in the monit configuration file.


# nano /etc/monit.conf

Uncomment the following section. Set the address to your server’s IP address or domain name if the interface should be reachable remotely, decide which clients are allowed to connect, and change the monit user and password (or keep the defaults).


 set httpd port 2812 and
     use address localhost  # only accept connection from localhost
     allow localhost        # allow localhost to connect to the server and
     allow admin:monit      # require user 'admin' with password 'monit'
     allow @monit           # allow users of group 'monit' to connect (rw)
     allow @users readonly  # allow users of group 'users' to connect readonly

Start Monit

# /etc/init.d/monit start

Add Monit to start at boot

# chkconfig monit on

Service checks go in separate files under /etc/monit.d.

Add httpd

# nano /etc/monit.d/httpd
check process httpd with pidfile /var/run/httpd/httpd.pid
start program = "/etc/init.d/httpd start"
stop  program = "/etc/init.d/httpd stop"
if failed host 127.0.0.1 port 80 protocol http then restart
if 5 restarts within 5 cycles then timeout
# Use for a specific host instead of 127.0.0.1:
#if failed host domain.com port 80 protocol http then restart
#if totalmem > 75% for 2 cycles then restart

Add mysql

# nano /etc/monit.d/mysql
check process mysqld with pidfile /var/run/mysqld/mysqld.pid
start program = "/etc/init.d/mysqld start"
stop  program = "/etc/init.d/mysqld stop"
if failed host 127.0.0.1 port 3306 then restart
if 5 restarts within 5 cycles then timeout

Add nginx (/etc/monit.d/nginx)

check process nginx with pidfile /var/run/nginx.pid
start program = "/etc/init.d/nginx start"
stop program = "/etc/init.d/nginx stop"

Check the syntax

# monit -t

Restart monit

# service monit restart

You can verify that the monit service has started by checking the log file.


# tail -f /var/log/monit
[BDT Apr  3 03:06:04] info     : Starting monit HTTP server at [localhost:2812]
[BDT Apr  3 03:06:04] info     : monit HTTP server started
[BDT Apr  3 03:06:04] info     : 'tecmint.com' Monit started
[BDT Apr  3 03:06:04] error    : 'nginx' process is not running
[BDT Apr  3 03:06:04] info     : 'nginx' trying to restart
[BDT Apr  3 03:06:04] info     : 'nginx' start: /etc/init.d/nginx

This section covers abuse issues where your hosting provider emails you a complaint that your server is conducting network scanning.

What is Network Scanning?

Network scanning is the process of identifying active hosts on a network, either for the purpose of attacking them or for a network security assessment. In layman’s terms, if your hosting provider has sent you such an email, then your system is compromised and has a script on it that is scanning other systems.

One tool that can detect outgoing port scans is tcpdump.

Install tcpdump:

# yum install tcpdump -y

Run

# tcpdump -i eth0 -w dump 

and then, patiently, read the dump for packets matching the dates and times given in the complaint.
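The field breakdown in “Interpret tcpdump command output” above and the advice here to read the dump for the packets named in the complaint can be combined into a small script. This is an added example, not part of the original notes and not part of tcpdump: it parses tcpdump’s default one-line TCP summaries (as produced with -n, or with -n -r dump) into fields, then counts per source address how many distinct host:port pairs received a bare SYN, which is what an outgoing port scan looks like in a capture. The sample lines, the private and documentation addresses in them, and the threshold of five targets are constructed assumptions.

```python
import re
from collections import defaultdict

# Regular expression for the one-line TCP summary tcpdump prints by default
# (IPv4, run with -n so addresses are not resolved). Host and port are joined
# by a dot: 143.110.237.64.22 is host 143.110.237.64, port 22.
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+(?::\d+)?))?"
    r"(?:, ack (?P<ack>\d+))?"
    r"(?:, win (?P<win>\d+))?"
    r"(?:, options \[[^\]]*\])?"
    r", length (?P<length>\d+)"
)

# tcpdump's single-letter TCP flag codes.
FLAG_NAMES = {"S": "SYN", ".": "ACK", "P": "PSH", "F": "FIN",
              "R": "RST", "U": "URG", "E": "ECE", "W": "CWR"}


def parse_line(line):
    """Parse one tcpdump TCP summary line into a dict, or return None if the
    line is something else (ARP, ICMP, a truncation notice, ...)."""
    m = TCP_LINE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {
        "ts": f["ts"],
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "flags": {FLAG_NAMES.get(c, c) for c in f["flags"]},
        "seq": f["seq"],  # kept as text because it may be a range "a:b"
        "ack": int(f["ack"]) if f["ack"] else None,
        "win": int(f["win"]) if f["win"] else None,
        "length": int(f["length"]),
    }


def parse_output(text):
    """Parse every recognisable TCP line from saved tcpdump text output."""
    packets = (parse_line(line) for line in text.splitlines())
    return [p for p in packets if p is not None]


def find_scanners(packets, min_targets=5):
    """Return {source_ip: distinct_targets} for sources that sent bare SYNs
    (SYN with no other flag) to at least `min_targets` distinct host:port
    pairs. The threshold is a tuning assumption: a normal client opens only
    a handful of distinct destinations in a short window, a scanner many."""
    targets = defaultdict(set)
    for p in packets:
        if p["flags"] == {"SYN"}:
            targets[p["src"]].add((p["dst"], p["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample output: the line discussed in the notes, a normal
# handshake from 10.0.0.7, and 10.0.0.5 probing six ports on one external
# host, which is the pattern an abuse complaint describes.
SAMPLE_OUTPUT = """\
23:36:59.581280 IP 143.110.237.64.22 > 70.112.179.47.53357: Flags [P.], seq 448976:449152, ack 1761, win 501, length 176
23:37:00.000100 IP 70.112.179.47.53357 > 143.110.237.64.22: Flags [.], ack 449152, win 63000, length 0
23:37:01.100000 IP 10.0.0.5.41000 > 203.0.113.9.21: Flags [S], seq 1000, win 1024, length 0
23:37:01.100200 IP 10.0.0.5.41001 > 203.0.113.9.22: Flags [S], seq 1001, win 1024, length 0
23:37:01.100400 IP 10.0.0.5.41002 > 203.0.113.9.23: Flags [S], seq 1002, win 1024, length 0
23:37:01.100600 IP 10.0.0.5.41003 > 203.0.113.9.25: Flags [S], seq 1003, win 1024, length 0
23:37:01.100800 IP 10.0.0.5.41004 > 203.0.113.9.80: Flags [S], seq 1004, win 1024, length 0
23:37:01.101000 IP 10.0.0.5.41005 > 203.0.113.9.443: Flags [S], seq 1005, win 1024, length 0
23:37:02.000000 IP 10.0.0.7.51234 > 198.51.100.4.443: Flags [S], seq 77, win 29200, options [mss 1460,sackOK,nop,wscale 7], length 0
23:37:02.010000 IP 198.51.100.4.443 > 10.0.0.7.51234: Flags [S.], seq 88, ack 78, win 65535, length 0
"""

if __name__ == "__main__":
    for src, n in find_scanners(parse_output(SAMPLE_OUTPUT)).items():
        print(f"{src} sent bare SYNs to {n} distinct host:port pairs")
```

To use it on a real capture, replace SAMPLE_OUTPUT with the text from tcpdump -n -r dump (or from a file saved with tcpdump -n > traffic.txt) and look at the sources it reports; a local address that shows up there is the host or site to investigate first.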

Ask your users for their IPs also, if static.

Look at /var/log/auth.log and the output of last -100 to see whether someone abused your system, check for suspicious cron jobs, and look in the /root directory for anything strange that has appeared. In these cases a tool that hashes the system files (like Tripwire) would be important.

It is recommended to scan the websites on the server with a virus or rootkit tool for any shell scripts or exploits that may have allowed the outbound SSH attacks.

We have an article on installing and using ClamAV ( http://geekdecoder.com/clamav-on-centos-6/ ).

For Plesk I would recommend running it on /var/www/vhosts (e.g. clamscan -ir /var/www/vhosts/ --log=/root/clamscan-01.07.2015.txt).
For cPanel I would recommend running it on /home (e.g. clamscan -ir /home --log=/root/clamscan-01.07.2015.txt).

Rkhunter is another scanning tool that may identify any uploaded malicious files ( http://www.tecmint.com/install-linux-rkhunter-rootkit-hunter-in-rhel-centos-and-fedora/ ).

Once any found shells are removed: if they were within /var/www/vhosts for Plesk or /home for cPanel, it’s likely that the exploit came through one of the sites. If a file was found within a site’s document root, I would update any licensed or open-source software on that site to remove potential vulnerabilities.

Also, if the scans were SSH scans, outgoing SSH can be disabled with a firewall rule (iptables -I OUTPUT -p tcp --dport 22 -j DROP); if you do not use SSH from the server, this resolves the symptom immediately while you find the root cause.