I am new to this whole server admin thing ...
I work for a small company, in which I am the web developer & server admin (a job I was thrown into). Please note, before taking this job I did not know anything about using SSH or Linux other than playing around with the GUI Ubuntu interface.
I taught myself the ropes, learned SSH, learned how to work almost everything in WHM. I am getting the hang of it, but still I cannot solve everything on my own.
We were having two major issues:
- PHP Mail was being compromised to send out spam.
- Account passwords were being hijacked to send out spam.
I fixed issue one by securing my scripts, since I wrote many of them myself. I also used RIPS to identify and secure my code vulnerabilities.
I am still, however, having issues with account passwords of legitimate users getting hijacked and being used to send out spam occasionally. For 95% of my email users it is not a big deal, as we are pretty quick at finding the account sending the spam and securing it again.
However, one particular user is always in contact with a person who uses Cisco Senderbase to filter emails. When our mail volume goes up from a compromised email account, Senderbase flags our email reputation and we usually have to wait it out, as their system is completely automated.
What is the best way to secure users' passwords from getting hacked or guessed?
You can't. You can limit the number of emails sent out in a period of time, but if the password to the account is supplied, you have no way to verify if that is the account holder or somebody else. My suggestion: force a password length or password complexity to prevent "brute force" attacks. Outside of that, there is not much you can do; if you do solve it, you have the next hundred billion dollar idea. – Ramhound – 2014-08-01T16:26:56.417
What do you mean when you say that email accounts of legitimate users are being used to send out spam? Keep in mind that SMTP by default does zero sender validation; I can send email
From: president@whitehouse.gov
and make it look, to the casual observer, like it really came from that address. If someone is logging into your system using a compromised account, you have a bigger problem than a few spam emails being sent out under that account, and you need to work to fix that instead (and your currently more visible problem will correct itself). – a CVn – 2014-08-01T16:29:06.650
When I say legitimate emails, I am not referring to anyone being spoofed. Our mail is signed with SPF and DKIM to sort of prevent what you are referring to. What I am talking about is when I know I set up userabc@mydomain.com and, through means of a compromised password, that account was used to send out hundreds of spam emails. – Dan – 2014-08-01T16:32:05.600
So your problem is that the email account passwords are routinely being compromised? Not really how to prevent sending spam. – a CVn – 2014-08-01T16:33:55.697
Yeah, I guess you could say that. – Dan – 2014-08-01T16:34:13.507
I've set up ClamAv ... it did not really seem to help. – Dan – 2014-08-01T16:34:42.000
In that case, you need to look at your password management. Start with @Ramhound's comment, and follow up by editing this question (or even posting a new one) to be about how to prevent compromising of users' passwords. However, be specific; that subject matter could very easily get closed as too broad, unless you're asking some quite specific question about it. – a CVn – 2014-08-01T16:36:55.203
Thanks Michael, I'll investigate a little bit more before updating or asking anything else. – Dan – 2014-08-01T16:38:16.233
It would also be useful if you could say what mail server you're using - sendmail, postfix, exim... I know that you can rate-limit the number of e-mails sent from Postfix using anvil, and you can have more control with policyd. You may want to take a look at them if you're using Postfix! – Valmiky Arquissandas – 2014-08-01T17:44:04.187
And are you still on the same server(s) that have been compromised? Then you have no idea what other malware may be lurking there, and all your tinkering to fix it does not help, because the attacker has left a backdoor with which he can immediately compromise your system again. Once a server has been compromised there's generally only one thing to do: wipe it, reinstall everything, put your backed-up data back. – Jan Doggen – 2014-08-04T06:49:17.767
I'd recommend looking at a paid-for email service such as Office365 to take care of your email service; fixing a compromised email server with no experience is an uphill battle that you may lose. You will end up spending more time (time = money) and money fixing the problem (and maintaining the service) than what it would cost to employ a dedicated external service. Been there, done that, best decision ever made. – Kinnectus – 2016-01-06T21:38:13.413
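The thread's practical advice (rate-limit per account and catch a hijacked account before the volume spike hurts sender reputation) can be turned into a simple log check. The script below is an added example written for this page, not code from any poster or from WHM/cPanel: it assumes Exim-style mainlog lines (which cPanel servers use) where the `A=` field carries the authenticated login, and it flags accounts that submit an unusual burst of messages or submit from many distinct client IPs inside a short window. The log lines, user names and IPs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exim mainlog "<=" (message accepted) line; the A= field names the
# authenticated (SASL) login that submitted the message. Assumed format.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ H=.*?\[([\d.]+)\]"
    r" P=\S+ A=\w+:(\S+)"
)

def parse_submissions(log_text):
    """Yield (timestamp, client_ip, auth_user) for each authenticated submission."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def find_suspect_accounts(log_text, window=timedelta(minutes=10), max_msgs=10, max_ips=2):
    """Flag accounts that exceed max_msgs submissions inside any `window`,
    or that submit from more than max_ips distinct client addresses
    (a single real user rarely sends from several networks at once).
    Returns {user: {"burst": n, "ips": k}} for flagged users only."""
    times, ips = defaultdict(list), defaultdict(set)
    for ts, ip, user in parse_submissions(log_text):
        times[user].append(ts)
        ips[user].add(ip)
    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        burst, j = 0, 0
        for i, start in enumerate(stamps):  # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            burst = max(burst, j - i)
        if burst > max_msgs or len(ips[user]) > max_ips:
            flagged[user] = {"burst": burst, "ips": len(ips[user])}
    return flagged

def _line(minute, second, ip, user):
    # Builds one constructed Exim-style log line for the sample below.
    return (f"2014-08-01 16:{minute:02d}:{second:02d} 1XDx01-0001AB-{second:02d} <= {user} "
            f"H=(host) [{ip}] P=esmtpa A=dovecot_login:{user} S=2100")

# Constructed sample: one normal user from a single IP, and one hijacked
# account sending 12 messages in 12 seconds from four different addresses.
SAMPLE_LOG = "\n".join(
    [_line(20, s, "203.0.113.5", "sales@mydomain.com") for s in (1, 30, 55)] +
    [_line(21, s, f"198.51.100.{s % 4 + 1}", "userabc@mydomain.com") for s in range(12)]
)

if __name__ == "__main__":
    print(find_suspect_accounts(SAMPLE_LOG))
```

Tune `max_msgs` and `window` to the normal volume of your own users; on a WHM server this check could run from cron against `/var/log/exim_mainlog` and suspend the flagged account before the spike reaches a reputation filter.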