
SpamAssassin - Filter spam mails before they even reach your mailbox


SpamAssassin is an open-source e-mail spam filtering program. It uses a variety of text analysis methods, Bayesian filtering, DNS blocklists, and collaborative filtering databases to stop spam mails before they reach the mailbox.

SpamAssassin is an Apache Software Foundation project and is released under the Apache License. SpamAssassin was created by Justin Mason.

Primary Features

  • Header tests
  • Body phrase tests
  • Bayesian filtering
  • Automatic address whitelist/blacklist
  • Manual address whitelist/blacklist
  • Collaborative spam identification databases (DCC, Pyzor, Razor2)
  • DNS Blocklists, also known as "RBLs" or "Realtime Blackhole Lists"
  • Character sets and locales

SpamAssassin can be integrated with mail

Awards

SpamAssassin was awarded the Linux New Media Award 2006 as the 'Best Linux-based Anti-spam Solution'.

Download

To download SpamAssassin visit: Download Page

AutoDNS - Configure your secondary DNS via email

AutoDNS is a console application that handles the addition, deletion and listing of secondaried domains via email. It adds the appropriate entries to the BIND configuration file so that secondary DNS can be configured without manual editing.

AutoDNS is distributed according to the GNU General Public Licence and was written by Jonathan McDowell. The current stable version of AutoDNS is 1.0.0.

Download

AutoDNS can be downloaded from the following locations:

Visit AutoDNS homepage for more details: Homepage.

Finnix 101 Released - a small yet powerful Linux Distribution for System Administrators


Ryan Finnie has announced the release of Finnix 101, a Debian-based, self-contained, bootable Linux CD distribution for system administrators. The major feature of this release is the re-introduction of PowerPC support. Other notable features of Finnix 101 include a new CD filesystem layout, an enclosed remastering environment, a Finnix-specific SysV-compatible RC system, and componentized Finnix RC scripts.

Finnix is a lightweight Linux distribution (the latest release is just over 300 MiB) for system administrators. It ships without sound support or even a desktop, which makes it clear that it is aimed at power users only.

Finnix 101 uses Linux 2.6.36. On the x86 CD, the Hardware Detection Tool has been added to the boot menu. This lets users view system information (processor, memory, PCI devices, etc.) quickly, without booting into a full operating system.

To download Finnix 101 visit the official download page. Complete release notes are available here.

Blocking network traffic on a Linux System using iptables or ipchains

When someone from outside your network or system attempts to enter your system without permission, they have to deal with your firewall first. If the firewall is not strong enough, the intruder can have an easy time attacking your system. Even home computers that are not connected to public networks can become victims of unwanted intrusion.

Linux systems come with a capable firewall built into the kernel. The superuser configures it through one of two interfaces, ipchains or iptables. ipchains is a stateless packet filter: each packet is checked against the set of pre-defined rules, and the decision taken on a packet is not influenced by the packets that came before it.

While ipchains uses this stateless model, iptables uses a stateful packet model: the decision to accept, reject, or forward a packet is influenced by the packets that preceded it. Only one of the two interfaces can be used at a time, and this decision can only be made at kernel compile time.

So, if you haven't compiled your own kernel (you probably haven't, if you are using a distribution built by someone other than you), you will have to find out which interface your distribution's kernel uses.

Block incoming network traffic

Blocking incoming network traffic does not affect the outgoing traffic from your system. With this method the firewall blocks all incoming traffic that does not belong to a connection your own system initiated. Use the following commands to block incoming network traffic:

For iptables

# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

For ipchains

# ipchains -F input
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -p tcp --syn -j REJECT
# ipchains -A input -p udp --dport 0:1023 -j REJECT

Block outgoing network traffic

For iptables

The following commands block all outgoing traffic from your system. They do not affect the incoming traffic on your network:

# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT

For ipchains

# ipchains -F output
# ipchains -A output -p tcp ! --syn -j ACCEPT
# ipchains -A output -j REJECT

Block all network traffic

The easiest way to block all network traffic is to stop your network device, or simply unplug the network cable. But if you want to do it with the firewall, enter the following commands:

For iptables

# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT

For ipchains

# ipchains -F
# ipchains -A input -j REJECT
# ipchains -A output -j REJECT
# ipchains -A forward -j REJECT
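The three iptables rule sets above can be wrapped in one script that previews the rules before applying them, which is how an administrator would normally want to try a lockdown that can cut off their own SSH session. This is an added example, not code from the original post. It adds two things a practitioner wants over the raw commands: loopback traffic is accepted so local services keep working, and RELATED is accepted next to ESTABLISHED so ICMP errors and helper-tracked connections are not dropped. It assumes the legacy iptables command with the "state" match, as used above; the /proc paths probed by firewall_interface are an assumption about how the two kernel interfaces show themselves.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables rule sets
# described above as data, then apply them only when explicitly asked to.

# firewall_interface: report which packet-filter interface this kernel exposes.
# Assumption: /proc/net/ip_tables_names appears once the ip_tables module is
# loaded, and /proc/net/ip_fwchains is the ipchains (2.2 kernel) entry point.
firewall_interface() {
    if [ -e /proc/net/ip_tables_names ] || command -v iptables >/dev/null 2>&1; then
        echo iptables
    elif [ -e /proc/net/ip_fwchains ] || command -v ipchains >/dev/null 2>&1; then
        echo ipchains
    else
        echo unknown
    fi
}

# block_rules MODE: print the iptables commands for MODE (incoming|outgoing|all),
# one per line, without running anything.
block_rules() {
    case "$1" in
    incoming)
        printf '%s\n' \
            'iptables -F INPUT' \
            'iptables -A INPUT -i lo -j ACCEPT' \
            'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
            'iptables -A INPUT -j REJECT'
        ;;
    outgoing)
        printf '%s\n' \
            'iptables -F OUTPUT' \
            'iptables -A OUTPUT -o lo -j ACCEPT' \
            'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
            'iptables -A OUTPUT -j REJECT'
        ;;
    all)
        printf '%s\n' \
            'iptables -F' \
            'iptables -A INPUT -j REJECT' \
            'iptables -A OUTPUT -j REJECT' \
            'iptables -A FORWARD -j REJECT'
        ;;
    *)
        echo "usage: block_rules incoming|outgoing|all" >&2
        return 2
        ;;
    esac
}

# apply_rules MODE: run the commands for MODE. With APPLY unset they are only
# echoed, so the script is a safe preview before the firewall is touched.
apply_rules() {
    rules=$(block_rules "$1") || return 2
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        else
            echo "+ $cmd"
        fi
    done <<EOF
$rules
EOF
}

# Usage:  sh firewall.sh incoming          (preview only)
#         APPLY=1 sh firewall.sh incoming  (apply, as root)
if [ -n "${1:-}" ]; then
    echo "kernel interface: $(firewall_interface)"
    apply_rules "$1"
fi
```

Run it once without APPLY to read the rules it would load; the REJECT at the end of each chain is the default-deny that makes the earlier ACCEPT lines matter, so check that the loopback and ESTABLISHED,RELATED lines come before it.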

9 Suspicious Events that you should investigate while detecting System Intrusion


Linux systems vary greatly in how they operate. One system might normally run with a high CPU load, whereas another might normally run with little or no load. One computer might normally see little network traffic, whereas another might regularly transfer gigabytes of data every day. As a system administrator you should be aware how your system normally behaves.

One method of detecting intruders is to know how your system normally operates and then look for any deviation from that standard. Even simple signs such as higher-than-normal system load, unusual files, or changes to configuration files can indicate an intrusion. Looking for odd system behavior can help you find intruders on the system, and even if the odd behavior is not due to an intrusion, it still points to a problem that needs fixing.

Unusual Load Averages

A load average is a measure of the demand for CPU time placed on the system by all the programs it runs. The load average can be checked with uptime or top, and many GUI environments now also provide load average meters. Check whether the load average has left its usual range; if it has, it might be an indication that a cracker has broken into the system and is running CPU-intensive programs or causing programs to crash. It may also simply be that legitimate users are demanding more CPU time for normal reasons, or that CPU-intensive programs are crashing for other reasons.

Unusual Network Traffic

Similar to load averages, a system normally sees a certain range of network traffic. One possible cause of a change in network traffic patterns is an intrusion: a cracker might be using your system as a node in a distributed denial-of-service (DDoS) attack, for instance, chewing up your network bandwidth. On the other hand, you could be seeing an innocent spike in demand for a server's services, or a user could be downloading unusually large files for legitimate reasons. One way to monitor network traffic is to watch the activity LEDs on NICs, hubs, switches, telephone modems, and broadband modems. Typing ifconfig eth0 (or a similar command for an interface other than eth0) prints counts of transmitted (TX) and received (RX) packets.

Strange Running Processes

Process monitoring tools (such as ps or top) show the currently running processes. A process you are not familiar with may be a sign of problems, or it may be a user running a harmless program. So you should spend enough time with the process listings to learn which processes are normal for your system.

Odd Program Crashes

Programs crash, even on Linux. After you have spent some time with Linux you will notice which programs crash on your system and which don't. If another program starts crashing, it could be that an intruder has changed a configuration file, support libraries, or even the program executable itself, thereby causing the crashes. Alternatively, a routine system upgrade or an error on your part could have caused these problems. Program crashes can also be early signs of deteriorating hardware, such as RAM or a hard disk starting to go bad.

Changes in Program Behavior

In most cases, programs should behave in a very predictable manner. For instance, if your bash shell presents a plain dollar sign ($) prompt today, it should do the same tomorrow unless you change the configuration file. If a program's behavior changes suddenly, without your having updated it or changed its configuration file, an intruder might have fumbled a takeover by inadvertently altering a configuration detail or by changing a program file. On the other hand, you might have forgotten a legitimate upgrade or change, or the program might be responding to some other change in the system that you don't realize is related. If you share administrative responsibility for the system, perhaps another administrator has made a change.

Peculiar Log Entries

All Linux systems maintain log files, most of which reside in /var/log and its subdirectories. These log files may contain clues concerning an attempted or successful intrusion, such as repeated login failures or reports of unusual server stop/start cycles. Crackers often try to cover their tracks by editing or deleting log files, so even missing log files or gaps in log files can be signs of trouble.

Filled Filesystems

If you notice that a filesystem has filled up, you should investigate the matter. Even if it's due to innocent causes, such as increased user demand for storage space, you must correct the problem. Sometimes an intruder might inadvertently or intentionally fill a filesystem. One type of DoS attack involves causing your system to create huge log files, filling your log file partition. Such attacks aren't intrusions per se, but they do require your attention.

Unfamiliar Usernames

If you notice unfamiliar usernames in ps or top listings or in /etc/passwd or other system configuration files, investigate immediately. Some servers require special accounts to operate correctly, but for the most part, if an account wasn't present when you installed the system and wasn't added by you or another authorized administrator, it's suspect. Make a backup of /etc/passwd right after you install the system, and keep it for reference.

Complaints from Other System Administrators

In many ways the worst-case scenario is receiving a complaint from another system administrator. You might receive a phone call or e-mail complaining of suspicious access attempts from your computer. Another common complaint concerns spam originating from your system. Sometimes these complaints are signs of an intrusion; the intruder is using your system to attack others. Other times these complaints indicate that you have a local user who's a "bad apple" and is attacking others. Sometimes (particularly with spam and e-mail worms) the complaint is spurious; it's easy to forge e-mail headers to indicate a false return address, and a spammer may be attacking you indirectly in this way.

All of the above events demand further investigation of the problem. By watching for these suspicious events you can see whether your system is vulnerable or not.
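The checks above all come down to comparing the live system against a known-good baseline: a load range, the /etc/passwd copy taken right after installation, the set of processes you expect, and filesystem usage. The script below is an added example, not code from the original post, that turns four of those checks into small functions which read from files or stdin, so they can be run against a saved baseline on a real host and, here, against constructed input. The /proc, /etc and df locations are the usual Linux ones; the BASELINE_DIR path and the WARN/INFO line format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-comparison checks for
# load average, new accounts, unfamiliar processes and full filesystems.
# BASELINE_DIR is an assumed location for the copies taken after installation.
BASELINE_DIR="${BASELINE_DIR:-/var/lib/baseline}"

# load_exceeds LOADAVG_FILE THRESHOLD
# Succeeds (exit 0) when the 1-minute load average in the file exceeds THRESHOLD.
# An empty or missing file is treated as "not exceeded" rather than as an alarm.
load_exceeds() {
    awk -v t="$2" 'NR == 1 { hit = ($1 > t) } END { exit hit ? 0 : 1 }' "$1" 2>/dev/null
}

# new_accounts BASELINE_PASSWD CURRENT_PASSWD
# Prints every username in the current passwd file that is absent from the
# baseline copy. Both files are in /etc/passwd format (colon-separated).
new_accounts() {
    awk -F: 'NR == FNR { known[$1] = 1; next } !($1 in known) { print $1 }' "$1" "$2"
}

# unknown_processes ALLOWLIST PROCLIST
# Prints command names in PROCLIST (one per line, as produced by `ps -eo comm=`;
# "-" reads stdin) that do not appear in ALLOWLIST, sorted and de-duplicated.
unknown_processes() {
    awk 'NR == FNR { ok[$1] = 1; next } !($1 in ok) { print $1 }' "$1" "$2" | sort -u
}

# full_filesystems THRESHOLD   (reads `df -P` output on stdin)
# Prints the mount point of every filesystem whose use% is at or above THRESHOLD.
full_filesystems() {
    awk -v t="$1" 'NR > 1 { sub(/%/, "", $5); if ($5 + 0 >= t) print $6 }'
}

# report: run all checks against the live system and print one line per finding.
report() {
    limit="${LOAD_LIMIT:-4}"
    if load_exceeds /proc/loadavg "$limit"; then
        echo "WARN load average above $limit: $(cut -d' ' -f1-3 /proc/loadavg)"
    fi
    if [ -r "$BASELINE_DIR/passwd" ]; then
        new_accounts "$BASELINE_DIR/passwd" /etc/passwd |
            sed 's/^/WARN account not in baseline: /'
    else
        echo "INFO no baseline passwd; create it with: cp /etc/passwd $BASELINE_DIR/passwd"
    fi
    if [ -r "$BASELINE_DIR/processes" ]; then
        ps -eo comm= | unknown_processes "$BASELINE_DIR/processes" - |
            sed 's/^/WARN process not in baseline: /'
    fi
    df -P | full_filesystems "${DISK_LIMIT:-90}" |
        sed 's/^/WARN filesystem at or above '"${DISK_LIMIT:-90}"'% use: /'
}

# Usage: sh baseline-check.sh report
if [ "${1:-}" = report ]; then
    report
fi
```

The baseline files are the important part: save /etc/passwd and a sorted `ps -eo comm=` listing right after installation, keep them where an intruder would not expect to look (ideally off the host), and refresh them only when you make a change you can account for. A hit from any of these functions is a reason to look, not proof of an intrusion, exactly as the post describes.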