Everything is quite self explanatory. Probably the only thing to mention is that UPD length includes header and data and that UDP offers no confirmation that the data has reached it’s detination. The header is fixed length.
The IP version (4 for IPv4).
The IP header length in 32 bit words/4 bytes (octets). The minimum is 5 x 32 bit words, so 20 bytes. With options it can get to 60 bytes long.
This explains the total length of the IP datagram (header + data). As this is a 16 bit field, it can describe up to 64KB (2^16 = 65536) MTU.
All the fragments of a datagram have the same identification number.
Bit 1: reserved
Bit 2: DF (do not fragment)
Bit 3: more fragments (all fragments except the last one have this bit set).
This describes the offset of the current fragment within the original datagram. As all fragments have to be integer of 8 bit and there are 13 bits in the fragment offset field, it results the maximum datagram size: 8 x 2^13 = 2^16 bytes = 64KB.
This represents the maximum number of hops (usually routers) that a package can transit.
This specifies the layer 4 protocol that will process the IP datagram.
It represents the offset of the first byte of the segment in relation to the first segment. It’s used to keep track of all segments (and retransmit if required).
If the ACK flag is set (see below), the acknowledgement number contains the sequence number of the next segment it expects. This is a type of forward acknowledgement .
This specifies the number of rows in the header. In other words, this lets you know where the header ends and actual data (TCP payload) begins.
URG: set if the Urgent Pointer is used.
ACK: set if the Acknowledgement number is valid and should be considered.
PSH: set to push the data as it comes without waiting for the buffer to get full.
RST: used to forcefully reset a connection that can’t continue due to unexpected reasons.
SYN: used to initiate a connection.
FIN: this is set when there is no more data to send. It’s used to end cleanly a connection.
It is a 16 bit field and it notifies to the sender the quantity of data the receiver will accept without sending a confirmation. TCP window demonstration.
This relies (is validated by) on the URG flag above and it contains the sequence number of the first non-urgent segment after the urgent data has been sent.
For fixing the “T=remote_smtp defer” error message from exim you may need to repair the Exim databases.
First off confirm this is a problem. Query the exim mail queue:
#exim -bp
Pick up a message ID (let’s say 1PVKjs-0008FT-4S) and view it’s log:
#exim -Mvl 1PVKjs-0008FT-4S
If it says something like remote_smtp defer than you may need to repair the exim databases.
/usr/sbin/exim_tidydb -t 1d /var/spool/exim “db”
Replace “db” by the name of the specific dbs on your system. At this time our cPanel servers have these: ratelimit, retry, wait-dk_remote_smtp and wait-remote_smtp. So in a nutshell:
/usr/sbin/exim_tidydb -t 1h /var/spool/exim ratelimit
/usr/sbin/exim_tidydb -t 1h /var/spool/exim retry
/usr/sbin/exim_tidydb -t 1h /var/spool/exim wait-dk_remote_smtp
/usr/sbin/exim_tidydb -t 1h /var/spool/exim wait-remote_smtp
You may want to increase the time: instead of 1h (one hour) you may set 1d (one day) or whatever and you may want to redirect the output to /dev/null (add /dev/null to the end of the above rows).
Alternatively you may want to update exim and courier:
/scripts/courierup — force
/scripts/eximup –force
This is used for port scanning, OS figerprinting etc. A well secured server
-sS = TCP Syn scan – many servers don’t log this
-sT = TCP connect scan – always logged
-sX = Xmas-tree scan
-sF = Fin scan
-sN = null scan mode
-sP = ping scanning
-sU = UDP scan
-sI = zombie scan
-sA = ack scan
-sW = window scan
-sL = list scan
-PT = tcp ping to determine which host are up
-O = identifiies OS, uptime and TCP Sequence Prediction (-sS -v)
-sR = rpc scan
-D = decoy scan
-sV = Scan Version
-iR = scans random IP
Example: nmap -sS -p 80 -iR 3 -P0 -> scans until it finds 3 webservers using random IP destinations
-PP = uses ICMP timestamp request to see if the host is up (instead of echo-request)
-oN log_file = saves in log_file
-v, -vv = verbose level
-T {paranoid | sneaky | polite | normal | aggressive | insane}
– paranoid = 5 minutes between packets
– sneaky = 15 seconds
– polite = 0.4 sec
– aggressive & insane = max speed
–scan_delay milliseconds = same as -T, exact values possible
-f <–mtu val> = fragments packages
–data-length <8-1457>
–spoof-mac
nmap 192.168.0.1 –spoof-mac A1:b2:c3:d4:e5:f6
The install proccess is pretty straightforward. However if you want to use PAM you need to add to the configure script the –with-pam option. Also you may need to “yum install pam-devel”. Also you may need to enter into /etc/pam.d a file called dovecot for instance (if this is the user under which dovecot will run) with these contents:
auth required pam_unix.so nullok
account required pam_unix.so
The configuration file is a bit more complicated.
Sample dovecot.conf file:
base_dir = /var/run/dovecot/
disable_plaintext_auth = no
log_path = /var/log/dovecot
passdb {
driver = pam
}
protocols = imap pop3
service auth {
user = dovecot
}
service imap-login {
process_limit = 128
process_min_avail = 3
service_count = 1
user = dovecot
}
service pop3-login {
process_limit = 128
process_min_avail = 3
service_count = 1
user = dovecot
}
ssl = no
userdb {
driver = passwd
}
protocol lda {
postmaster_address = [email protected]
}
After getting the tarball from postfix.org and untaring you first need to run make (there is no ./configure available in this one). You might hit an error that sounds like:
No <db.h> include file found.
Install the appropriate db*-devel package first.
In this case (at least on CentOS 5) install db4 and db4-devel using yum
yum install db4
yum install db4-devel
After that run make and add 2 system users: postfix and postdrop.
make
useradd -s /bin/false postfix
useradd -s /bin/false postdrop
You will have to provide a number of paths (if you want them different from defaults. These are the main defaults:
/etc/postfix # config dir
/usr/sbin/ #administrative binaries
/usr/libexec/postfix #postfix daemon
/var/lib/postfix #cache and other random data
/usr/bin/mailq #Sendmail compatible mail queue listing command
/usr/bin/newaliases #Postfix newaliases command
/var/spool/postfix #Postfix queue directory
/usr/sbin/sendmail #Sendmail compatible mail posting interface
iptables [-t table] command [match] [target/jump]
-t table: the default is for filter table; otherwise you must use the -t flag;
command must come first or right after the table specification; it is used to insert, add or delete a rule;
iptables -m tos -h
This lists the TOS match types.
-A, –append appends the rule to the end of a chain
iptables -A rule_to_append
-D, –delete (deletes a rule)
iptables -D exact_rule_to_delete
iptables -D ‘chain’ number
-R, –replace (replaces a rule)
-I, –insert (inserts a new rule at the specified position in the chain)
iptables -I INPUT 1 –dport 80 -j ACCEPT
The above will insert the rule in the INPUT chain on the first position.
-L (lists the rules in a chain)
iptables -L [chain]
You can specify no chain in which case all the rules will be listed.
-F, –flush
iptables -F [chain]
This deletes all rules (from the specified chain if you specify one).
-Z, –zero
iptables -Z [chain]
This will reset all counters for the specified chain.
-N, –new-chain
iptables -N ‘custom_chain’
This will create a new (custom) chain.
-X, –delete-chain
The chain to be deteleted must be empty.
-P, –policy
iptables -P chain target
target can be DROP or ACCEPT.
-E, –rename-chain
iptables -E old_chain new_name
iptables options
-v, –verbose
This can be used with list, insert, append, delete, replace. Used with list, this lists the interface address, TOS and masks. Used along with the -x option it will also lists the exact counters for packets and bytes. Used with insert, append, delete or replace it will output detailed information on how the rules was interpreted and if it was accepted.
-x, –exact
See above. Only relevant to list.
-n, –numeric
This will output numeric values. Only relevant to list. IPs and port numbers will be listed istead of the host, network or application names (which is the default).
–line-numbers
This is only relevant to list. It displays the rule number.
-c, –set-counters
This is relevant to insert, append and replace. It initialises the counters for a rule.
–set-counter 20 4000
This would be used to set the counters to 20 packets and 4000 bytes.
–modprobe
This is relevant to all commands and it’s used to tell iptables which module to use when probing for modules or adding them to the kernel.
iptables-save -c -t > file
-c flag does not reset the packet and byte counters
-t can be used to specify a specific table to be saved
cat text_file > iptables-restore -c -n
-c flag keeps the packet and byte counters from the file
-n does not overwrite the current rules from iptables (the default is to flush all rules previous to import)
– nmap
– nessus
/proc/sys/net/ipv4/ip_forward
Set to 1 for IP forwarding (routing).
/proc/sys/net/ipv4/ip_dynaddr
Set to 1 for dynamic IPs.
/proc/sys/net/ipv4/netfilter
Netfilter modules
/lib/modules/kernel_version/kernel/net/ipv4/netfilter/
The lowercase modules are for maches and the uppercase ones are for targets.
Conntrack table: /proc/net/ip_conntrack
Named hashlimit hashes: /proc/net/ipt_hashlimit/
Conntrack helper modules
ip_conntrack_ftp
ip_conntrack_irc
#probably a bad idea on production non-irc servers will all the kids planting irc bots where ever they can
ip_conntrack_tftp
#the helper module for trivial FTP – probably not needed
ip_conntrack_amanda
Note that if you also use NAT you need to also load the helper modules for NAT (they should be starting with ip_nat_):
ip_nat_ftp
ip_nat_irc
