Blocking PHP mailer spam using iptables
I host a public-facing web server running Debian Wheezy, and latest versions of Postfix, Apache, PHP, Spamassassin, ClamAV, rootkit hunter. Apache is configured with a handful of vhosts, each tied to a user and secured with suExec, and Suhosin. The websites run Wordpress and ModX and, by the law of averages, given the number of installations on this one server, at least 20% of the websites will, at any given time, have some kind of vulnerability, be it from the CMS itself or from out-of-date plugins.
I have notifications from the excellent MX Toolbox website which monitors IP addresses against 100+ blacklists.
When I hear that my IP address has yet again been added to a given blacklist, I ssh in immediately, pause Postfix
postfix stop
wait a few seconds, view the mail queue
mailq
and from this I can tell immediately the source user/vhost of the spam because all mails come from "[email protected]", where "mywebsite.com" is the domain hosted on the vhost that caused the problem.
Then I run a manual malware detection scan using the excellent maldet, and the problem goes away. If I patch all known plugins and software on the site, the problem goes away for c.6 months. If I don't it comes back within about a week.
For testing purposes I have left Postfix stopped for months on end, but some trojans apparently bypass the mail server and send mail directly. (I know this from server resource monitoring, blacklist watches, and bounced spam emails coming back to my domain. Not to mention the Postfix mailq fills up with e.g. 65,000 unsent mails.)
As I care more about mail authenticity than the ability to send emails through websites I host, I've taken a number of steps, namely ensuring my SPF records for each domain do not recognise my own server as an authoritative source of mail for that domain. At the very least this means my domain names aren't being automatically blacklisted.
My question. Is there a clever way to simply block all outgoing email using IPTABLES? I don't just mean blocking mail sent using the email server Postfix, but ALL traffic that could end up with my server being blacklisted?
Until I find other ways of solving this problem I don't mind disallowing websites from sending any mails out. This is NOT ideal as I use some to generate my own business, but I can find other solutions in the meantime.
You can block all outgoing SMTP traffic with a simple rule:
iptables -I OUTPUT -p tcp --dport 25 -j DROP
You could extend this to only drop packets sent by the www-data user which will be the user running the websites:
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner www-data -j DROP
What will help with your main problem (the sites becoming infected in the first place) is blocking all unneeded incoming ports, and also outgoing ports such as port 80 which is often used to download extra rootkits etc. after a minimal crack in your defenses is found.
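An added example that builds on the two rules in the answer above (it is not the answerer's code): a small script that emits the iptables commands for a per-user block, or applies them when `IPT=iptables` is set. It assumes the suExec setup from the question, where each vhost runs as its own user, so it takes a list of users rather than only www-data; the user names `site1` and `site2` in the usage comment are hypothetical. It also covers the submission ports 465 and 587, not just 25, and logs before dropping so the kernel log names the UID that attempted to send, which identifies the compromised vhost even when a PHP mailer bypasses Postfix and connects out directly.

```shell
#!/bin/sh
# Added example: log-then-drop outbound SMTP from web-serving UIDs.
# Dry-runs by default (prints the commands); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Port 25 alone leaves the submission ports open to a mailer that talks
# to an external relay, so block all three.
SMTP_PORTS="25,465,587"

# smtp_allow_mta USER : insert at the top an ACCEPT for the MTA's own
# user, so Postfix can still deliver the mail you do want sent.
smtp_allow_mta() {
    $IPT -I OUTPUT 1 -p tcp -m multiport --dports "$SMTP_PORTS" \
        -m owner --uid-owner "$1" -j ACCEPT
}

# smtp_block_rules USER... : one rate-limited LOG rule and one DROP rule
# per user. With suExec every vhost user must be listed; www-data alone
# would only cover sites that run under the Apache user itself.
smtp_block_rules() {
    for u in "$@"; do
        $IPT -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
            -m owner --uid-owner "$u" \
            -m limit --limit 5/min -j LOG --log-prefix "web-smtp-block:"
        $IPT -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
            -m owner --uid-owner "$u" -j DROP
    done
}

# smtp_block_all : catch-all for the "block everything" case from the
# question. Append it last so the MTA ACCEPT above still wins.
smtp_block_all() {
    $IPT -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" \
        -m limit --limit 5/min -j LOG --log-prefix "smtp-block-all:"
    $IPT -A OUTPUT -p tcp -m multiport --dports "$SMTP_PORTS" -j DROP
}

# Usage (dry run; hypothetical vhost users site1 and site2):
smtp_allow_mta postfix
smtp_block_rules www-data site1 site2
smtp_block_all
```

Once applied, `grep web-smtp-block /var/log/kern.log` shows the UID field of each blocked attempt, which is the same vhost identification the mailq step gives you but without waiting for a blacklist notification first. The owner match only works in the OUTPUT chain, since only locally generated packets carry a UID.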
hazymat, I'm sure you don't want to hear this but...
You are the problem, not Postfix
Waiting till someone detects the SPAM is not a viable way to manage a computer system. If you owned a rifle and left it on your front doorstep, would you wait for the police to come calling before you checked it had gone missing?
at least 20% of the websites will...have some kind of vulnerability... If I patch all known plugins and software on the site, the problem goes away
It's not as if setting up automatic patch checking and installation, and a basic IDS actually requires any ongoing commitment from you.
Yes, you should be more pro-active about managing the outgoing email traffic, but that is a refinement on top of basic security practices.