new iptables to block all outbound connections to 25 which are not from "mail" (exim) or "root" (manual update required)

Version 1.43


Requires optional scripts and iptables: VERSION=2

Added extra code to the iptables script to block all outbound emails on port 25, unless the uid is mail or root. "root" isn't really needed, so you can remove that line if you want to be extra secure (in case the box gets rooted).

Basically, it requires all email leaving the server to be routed through exim (unless you're "root"). With this change, no user will be able to connect to port 25 on a remote box, meaning that if an attacker is going to spam from your server (usually via an insecure php script), they'll need to spam through exim, which has logs and limits.

If you're already running the script and use our iptables script (see id=380), then to get this VERSION=2 update of the iptables script, run the following:

wget -O /etc/init.d/iptables

Do not run the above wget command if you're not running our iptables script. If you've made any custom changes to your iptables script, you MUST redo them! eg: if ssh is not on 22, you must re-set the port in the script.

If you didn't manually install the iptables script yourself, then you're not likely using it, so if you want this change, use the id=380 guide normally (below).

Related: actual iptables code used:

#SMTP output, only allow mail to send remotely.
$IPTABLES -A OUTPUT -m owner --uid-owner mail -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -m owner --uid-owner root -p tcp --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -d --dport 25 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 -j REJECT

Feel free to remove the whole line containing "--uid-owner root" if you don't need it. I personally do a lot of debugging with telnet to port 25, hence I'm leaving it open.

This script does not apply to FreeBSD.
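The rules above depend on order: `-A` appends, so the per-uid ACCEPT rules must be added before the final REJECT, or every outbound SMTP connection (exim's included) is refused. The following is an added example, not part of the DirectAdmin iptables script: `smtp_rules` prints the rule set for any list of allowed uids (so a deployment that drops "root" passes only `mail`), and `smtp_rules_ok` audits an `iptables -S OUTPUT` listing to confirm that a REJECT for port 25 exists and that no port-25 ACCEPT comes after it. The listing fed to it in the usage section is constructed sample text; `IPTABLES` defaults to /sbin/iptables, which is an assumption you can override in the environment.

```shell
#!/bin/sh
# Added example: generate and audit the outbound-SMTP owner-match rules.
# Not the DirectAdmin script; the /sbin/iptables path is an assumption.

IPTABLES=${IPTABLES:-/sbin/iptables}

# smtp_rules <uid>... : print one ACCEPT per allowed uid, then the catch-all REJECT.
# Printing (rather than executing) lets you review the rules before applying them.
smtp_rules() {
  for u in "$@"; do
    echo "$IPTABLES -A OUTPUT -m owner --uid-owner $u -p tcp --dport 25 -j ACCEPT"
  done
  echo "$IPTABLES -A OUTPUT -p tcp --dport 25 -j REJECT"
}

# smtp_rules_ok <listing> : <listing> is text in `iptables -S OUTPUT` format, one rule
# per line (iptables prints numeric uids there, e.g. "--uid-owner 8").
# Returns 0 when a port-25 REJECT is present and every port-25 ACCEPT precedes it;
# returns 1 when the REJECT is missing or an ACCEPT is ordered after it (dead rule).
smtp_rules_ok() {
  printf '%s\n' "$1" | awk '
    /--dport 25( |$)/ && /-j REJECT/ && !seen_reject { seen_reject = NR; next }
    /--dport 25( |$)/ && /-j ACCEPT/ { if (seen_reject) late = 1 }
    END { exit (seen_reject && !late) ? 0 : 1 }
  '
}

# Usage on a live box: smtp_rules_ok "$(iptables -S OUTPUT)" && echo "SMTP egress rules OK"
# Constructed sample listing (uid 8 is "mail" on a typical Linux install):
SAMPLE_OK='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 8 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable'

if smtp_rules_ok "$SAMPLE_OK"; then
  echo "sample listing: SMTP egress rules OK"
else
  echo "sample listing: SMTP egress rules WRONG"
fi
```

Run it as root to see the rules it would add with `smtp_rules mail`, and after applying the script use `smtp_rules_ok "$(iptables -S OUTPUT)"` in a cron job or post-deploy check so a later `-A` that lands after the REJECT (or an accidental removal of the REJECT) is caught instead of silently reopening port 25.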
--------------

CSF

Similar settings for CSF:

--------------

TESTING

To ensure it's working, you should be able to run these commands and get a similar block for admin, while it still works for root (note: exim sends with "mail", which doesn't have an ssh shell, hence we add root too):

[root@server ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@server ~]# su - admin
[admin@server ~]$ telnet 25
Trying
telnet: connect to address Connection refused
[admin@server ~]$ logout
[root@server ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@server ~]# telnet 25
Trying
Connected to
Escape character is '^]'.
220 ESMTP Exim 4.86.2 Fri, 08 Apr 2016 16:06:28 -0600
QUIT
221 closing connection
Connection closed by foreign host.
[root@server ~]#

