CheckAuthLog Installation instructions: Difference between revisions

Latest revision as of 20:34, 7 December 2016

For V3.0.0

PREREQUISITES


  • Postfix
  • PHP5 with DBA support (php5-dba)
  • Oracle Berkeley DB 4 or 5
  • Optionally mysql and PHP mysql extension (php5-mysql) if using mysql queries to block users instead of postfix access files


INSTALL


1. Copy the files to a suitable directory and change permissions

	tar -xvzf check_auth_log_vX.Y.tgz
	cd check_auth_log_vX.Y
	mkdir /usr/local/bin/check_auth_log
	cp check_auth_log /usr/local/bin/check_auth_log
	cp run_check_auth_log /usr/local/bin/check_auth_log
	cp check_auth_log_makefile /usr/local/bin/check_auth_log
	cp check_auth_log.conf.sample /etc/check_auth_log.conf
	chown root:root /usr/local/bin/check_auth_log/*
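	chmod 600 /usr/local/bin/check_auth_log/*
	# check_auth_log and run_check_auth_log are executed directly (test run, cron), so they need the execute bit
	chmod 700 /usr/local/bin/check_auth_log/check_auth_log /usr/local/bin/check_auth_log/run_check_auth_log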

2. Check that the path to php is correct at the first line of check_auth_log

3. Customize configuration variables in /etc/check_auth_log.conf

4. If using the email notification to blocked users, set up the template file (see example notify.txt). The file contains the headers and text of the notify message, with the headers separated from the text by a blank line. It is useful to specify at least a Subject: header. From: and To: headers should not be specified, as these are added by the script. Set the notify_block_email_template variable to point to the template and make sure the user running check_auth_log has read permission on the file.

  notify_block_email_template = /path to template /notify.txt

5. Depending on the blocking method you wish to use (via access files, mysql query or exim), follow the instructions below in one of sections A, B or C.
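For the notify template described in step 4, a small lint check can catch a template that would produce a broken or misleading notification. This is an added example, not part of check_auth_log; the function name and the problem labels are made up for illustration, and it treats a missing Subject: as a problem although the page only calls it useful.

```shell
#!/bin/sh
# Added example: lint a notify template (headers, blank line, body).
# Prints "ok" or a space-separated list of problems; non-zero status on problems.
check_notify_template() {
    # $1 = path to the template; run this as the user that runs check_auth_log
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        BEGIN { in_headers = 1; subject = 0; body = 0; bad = "" }
        in_headers && /^$/ { in_headers = 0; next }      # first blank line ends the headers
        in_headers {
            if ($0 ~ /^[ \t]/) next                      # folded continuation of a header
            if ($0 !~ /^[A-Za-z0-9-]+:/) { bad = bad " malformed-header"; next }
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == "subject") subject = 1
            # From: and To: are added by the script, so the template must not set them
            if (name == "from" || name == "to") bad = bad " forbidden-" name
            next
        }
        /[^ \t]/ { body = 1 }                            # any non-blank line after the headers
        END {
            if (!subject) bad = bad " missing-subject"
            if (in_headers) bad = bad " no-blank-separator"
            else if (!body) bad = bad " empty-body"
            if (bad == "") print "ok"; else print substr(bad, 2)
            exit (bad != "")
        }
    ' "$1"
}
```

Run it against the file named in notify_block_email_template before enabling notifications.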

A. IF USING POSTFIX ACCESS FILES TO BLOCK USERS


(1) Customize variables in check_auth_log_makefile to your postfix installation and database type/database extension (default is hash with .db extension)

(2) Customize path in run_check_auth_log to your script install directory

(3) If needed, set up a whitelist to exclude some senders from checks

	touch /etc/postfix/smtp_auth_access_whitelist
	postmap /etc/postfix/smtp_auth_access_whitelist

If not using a whitelist, adjust the submission_sender_checks below so as not to list the whitelist.

(4) Setup initial empty access database

	touch /etc/postfix/smtp_auth_access
	postmap /etc/postfix/smtp_auth_access

(5) Update postfix submission access restrictions

In main.cf add a new smtpd_restriction_class. In that class the suggested actions are

  • exclude any users needed via whitelist
  • add check_sender_access to read the access file containing blocked senders (as written by check_auth_log script)
  • rest of checks normally done in smtpd_sender_restrictions on your submission service (e.g. reject unless sender is logged in as owner of email address)

main.cf:

	smtpd_restriction_classes = submission_sender_checks
	submission_sender_checks = check_sender_access hash:/etc/postfix/smtp_auth_access_whitelist,check_sender_access hash:/etc/postfix/smtp_auth_access,reject_sender_login_mismatch

In master.cf configure smtpd_sender_restrictions for the submission service.

master.cf:

	submission inet n      -       n       -       -       smtpd
	...
	        -o smtpd_sender_restrictions=submission_sender_checks
	...

(6) reload postfix

	postfix reload
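To confirm that steps (3) to (5) left the submission service wired to the block list, the check below compares the three configuration values token by token. It is an added example, not part of check_auth_log; the function name and problem labels are made up, and the class and map names are the ones used in the main.cf snippet above.

```shell
#!/bin/sh
# Added example, not part of check_auth_log. Class and map names are the ones in
# the page's main.cf snippet; change them here if you renamed anything.
CLASS=submission_sender_checks
BLOCK=hash:/etc/postfix/smtp_auth_access
WHITE=hash:/etc/postfix/smtp_auth_access_whitelist

# $1 = value of smtpd_restriction_classes
# $2 = value of the restriction class itself
# $3 = smtpd_sender_restrictions override on the submission service
# Prints "ok" or a list of problems; the exit status is non-zero on problems.
check_submission_wiring() (
    set -f                      # no globbing while the values are word-split
    problems=""
    # Postfix list items are separated by commas and/or whitespace.
    classes=$(printf '%s' "$1" | tr ',\t\n' '   ')
    checks=$(printf '%s' "$2" | tr ',\t\n' '   ')
    override=$(printf '%s' "$3" | tr ',\t\n' '   ')

    case " $classes " in *" $CLASS "*) ;; *) problems="$problems class-not-declared" ;; esac
    case " $override " in *" $CLASS "*) ;; *) problems="$problems submission-not-using-class" ;; esac

    # Compare whole tokens: the whitelist path starts with the blocklist path,
    # so a substring match (grep smtp_auth_access) would be satisfied by either.
    pos=0; block_at=0; white_at=0; prev=""
    for tok in $checks; do
        pos=$((pos + 1))
        if [ "$prev" = check_sender_access ]; then
            if [ "$tok" = "$BLOCK" ]; then block_at=$pos; fi
            if [ "$tok" = "$WHITE" ]; then white_at=$pos; fi
        fi
        prev=$tok
    done
    if [ "$block_at" -eq 0 ]; then
        problems="$problems blocklist-map-missing"
    elif [ "$white_at" -gt "$block_at" ]; then
        # A REJECT from the blocklist is returned before the whitelist is consulted.
        problems="$problems whitelist-after-blocklist"
    fi

    if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
    [ -z "$problems" ]
)
```

The three arguments can be taken from postconf output or copied from main.cf and master.cf.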

B. IF USING MYSQL TO BLOCK USERS


(1) Customize variables in check_auth_log.conf to your mysql hostname database and query for blocking/unblocking users

	sql_connect = "mysql://username:password@hostname:port/database"
	sql_block = "update mailbox set active=0 where username='%u'"
	sql_unblock = "update mailbox set active=1 where username='%u'"

C. IF USING EXIM TO BLOCK USERS


(1) Customize variables in check_auth_log_makefile to your exim installation

Example

	exim_blcok_file = /tmp/blocklist
	exim_temp_file = /tmp/blocklist.out

(2) In your exim configuration, set things up so that those senders cannot send email.

Example:

acl_check_sender:
        deny    senders = /etc/blocklist
        accept

POST-INSTALL


1. If upgrading from a previous version, find the database files, e.g.

	ls -la /tmp/.check_auth_log*

and remove them, for example

	rm /tmp/.check_auth_log_cache
	rm /tmp/.check_auth_log_db

(this will also cancel previously logged authentications from the internal database)

2. Do a test run

	/path-to-script/check_auth_log

then check that the database and cache files have been created in the configured locations, for example

	/tmp/.check_auth_log_cache
	/tmp/.check_auth_log_db

If there are SASL authentication sessions in the log file, you should also get output from:

	/path-to-script/check_auth_log -x

Check that blocking is set up correctly, so that if the number of authentications is exceeded, the user is effectively blocked by the chosen method (using a test account for this is recommended).

3. Schedule in cron

e.g. (if using access files)

*/5 * * * *     root /usr/local/bin/check_auth_log/run_check_auth_log

or (if using mysql)

*/5 * * * *     root /usr/local/bin/check_auth_log/check_auth_log