Saturday, December 31, 2011

Installing DenyHosts to stop SSH brute-force attacks

Fed up with hordes of outside IPs hammering your SSH daemon?

Take a dose of DenyHosts ~

FreeBSD: install from ports: /usr/ports/security/denyhosts/
Linux: download and install from http://denyhosts.sourceforge.net

Official install notes:

To run denyhosts from startup, add denyhosts_enable="YES" in your /etc/rc.conf.
Configuration options can be found in /usr/local/etc/denyhosts.conf
-------------------------------------------------------------------------------
For denyhosts to work properly:
1. edit your /etc/hosts.allow file and add:
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
2. issue the following command if /etc/hosts.deniedssh does not exist yet
touch /etc/hosts.deniedssh
-------------------------------------------------------------------------------

Once the basic settings in /usr/local/etc/denyhosts.conf are done, run /usr/local/etc/rc.d/denyhosts start and you are set ~ Two things to keep in mind: TCP wrappers stop at the first matching line, so the deny entry has to sit above sshd : ALL : allow or it never fires, and hosts.allow only governs daemons linked against TCP wrappers (libwrap), which FreeBSD's base sshd was at the time of this post.

To make sure particular IPs are never locked out, create a file named allowed-hosts in the DenyHosts WORK_DIR with one IP per line and restart denyhosts; those addresses are then exempt ~ Put your own management hosts in there before you go live, otherwise one fat-fingered password from your workstation locks you out of the box.
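As an added example (my own script, not part of DenyHosts or of the original post), here is the core of what DenyHosts does, in portable sh/awk: count failed logins per source IP in sshd log lines, skip anything listed in allowed-hosts, and print entries in the "sshd: IP" format DenyHosts writes to /etc/hosts.deniedssh. The log lines, the host name mx, the addresses (RFC 5737 / private test ranges) and the threshold of 3 are all constructed for the demo. Piping /var/log/auth.log through ssh_deny_list is a quick way to preview what would be blocked before enabling the daemon.

```shell
#!/bin/sh
# Added example, not DenyHosts code: replicate its core decision so you can
# see what would be blocked.  Reads sshd log lines on stdin, takes a failure
# threshold and an allowed-hosts list, prints "sshd: IP" lines in the format
# DenyHosts writes to /etc/hosts.deniedssh.

# Constructed sample log (FreeBSD auth.log style; host "mx" and the IPs are
# made up, using RFC 5737 / private test ranges).
SAMPLE_LOG='Dec 31 10:00:01 mx sshd[1201]: error: PAM: authentication error for root from 203.0.113.5
Dec 31 10:00:02 mx sshd[1202]: error: PAM: authentication error for root from 203.0.113.5
Dec 31 10:00:03 mx sshd[1203]: Invalid user admin from 198.51.100.7
Dec 31 10:00:04 mx sshd[1204]: error: PAM: authentication error for root from 203.0.113.5
Dec 31 10:00:05 mx sshd[1205]: Invalid user oracle from 198.51.100.7
Dec 31 10:00:06 mx sshd[1206]: Accepted publickey for alice from 192.168.0.10 port 50212 ssh2
Dec 31 10:00:07 mx sshd[1207]: Failed password for alice from 192.168.0.10 port 50213 ssh2
Dec 31 10:00:08 mx sshd[1208]: Failed password for alice from 192.168.0.10 port 50214 ssh2
Dec 31 10:00:09 mx sshd[1209]: Failed password for alice from 192.168.0.10 port 50215 ssh2
Dec 31 10:00:10 mx sshd[1210]: Invalid user test from 198.51.100.7'

# Constructed allowed-hosts content: the admin workstation must never be denied.
SAMPLE_ALLOWED='192.168.0.10'

# ssh_deny_list THRESHOLD ALLOWED_HOSTS
#   THRESHOLD     failures from one IP before it is denied
#   ALLOWED_HOSTS whitespace-separated IPs that are never denied (may be empty)
# stdin: sshd log lines; stdout: sorted "sshd: IP" lines
ssh_deny_list() {
    awk -v thr="$1" -v allowed="$2" '
    BEGIN {
        n = split(allowed, a)
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # Only sshd lines that record a failed attempt count; the "Accepted"
    # line also carries "from IP" but must not be counted.
    /sshd\[[0-9]+]: / && (/authentication error for/ || /Invalid user/ || /Failed password for/) {
        for (i = 1; i < NF; i++)
            if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= thr && !(ip in ok)) print "sshd: " ip
    }' | sort
}

# Demo: three failures from each of three hosts; only the two that are not
# in allowed-hosts end up on the deny list.
printf '%s\n' "$SAMPLE_LOG" | ssh_deny_list 3 "$SAMPLE_ALLOWED"
```

The real daemon also tracks successful logins, suspicious-but-valid users and purge timers, but the deny decision above is the part that matters when you are wondering why an address did or did not end up in hosts.deniedssh.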

Sunday, October 02, 2011

Postfix + SASL2 + TLS + dovecot + RoundCube webmail

The setup below authenticates against the local passwd database, not virtual accounts.

The key conf settings are:

Postfix ~ mailboxes are stored in Maildir format to match dovecot

==============================================

myhostname = HOST+DomainName
mydomain = DomainName
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
local_recipient_maps = unix:passwd.byname $alias_maps
mynetworks_style = host
mynetworks = 192.168.0.0/24, 127.0.0.0/8, WanFixIP
relay_domains = $mydestination
home_mailbox = Maildir/
mail_spool_directory = /var/mail
smtpd_banner = $myhostname ESMTP

# SASL 2
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

# TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/CA/server.key
smtpd_tls_cert_file = /usr/local/etc/postfix/CA/server.crt
smtpd_tls_CAfile = /usr/local/etc/postfix/CA/ca.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# All mail will bcc to SomeAccount for backup
always_bcc = mailbak
==============================================

[master.cf]

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
==============================================

A few notes on the Postfix settings. smtp_use_tls / smtpd_use_tls are the pre-2.3 parameter names; they still work, but current releases prefer smtp_tls_security_level = may and smtpd_tls_security_level = may. Nothing above prevents a client from sending AUTH PLAIN on port 25 before STARTTLS; add smtpd_tls_auth_only = yes so that AUTH is only advertised once the session is encrypted (the smtps wrapper-mode service is encrypted from the first byte, so it is fine as is). The -o continuation lines in master.cf must start with whitespace. always_bcc copies every message passing through the server into the mailbak mailbox, so that one account holds everyone's mail; restrict access to it and decide on retention before switching it on.


SASL2 ~ you have to create smtpd.conf yourself under /usr/local/lib/sasl2/

==============================================
[/usr/local/lib/sasl2/smtpd.conf]

pwcheck_method: saslauthd
mechlist: plain login crammd5 digestmd5
==============================================

With pwcheck_method: saslauthd only PLAIN and LOGIN can actually succeed: saslauthd is handed a cleartext password and checks it against the system, whereas the shared-secret mechanisms (CRAM-MD5, DIGEST-MD5) need the stored password itself, which passwd/PAM verification cannot supply. Listing them in mechlist just advertises mechanisms that will fail; mechlist: plain login is the honest setting. It is also why TLS is mandatory in this setup, since both of those mechanisms send the password in the clear.


dovecot ~ IMAP, IMAPS, POP3 and POP3S; run doveconf to print the default settings as a reference when writing dovecot.conf

==============================================
[dovecot.conf]

auth_default_realm =
auth_mechanisms = plain login
auth_username_format = %n
disable_plaintext_auth = no
protocols = imap pop3
ssl_cert = <server.crt
ssl_key = <server.key
userdb {
driver = passwd
}
passdb {
driver = passwd
}
ssl = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
==============================================

The leading < in ssl_cert and ssl_key is required in dovecot 2.x: it tells dovecot to read the file at that path instead of treating the text as the PEM data itself (use full paths in a real config). disable_plaintext_auth = no lets clients send PLAIN/LOGIN over unencrypted IMAP and POP3, so every mailbox password can be sniffed on ports 143/110. Set it to yes (and ssl = required if you want no cleartext sessions at all); dovecot still accepts plaintext logins that arrive from the machine itself, so a webmail on the same box that connects to localhost keeps working.
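Two small checks around the SASL-over-TLS part of this setup, as an added example (my own script, not the post's and not Postfix or dovecot code): first, what an SMTP "AUTH PLAIN <token>" line actually carries, which is why it must only travel inside TLS; second, a scan of main.cf / dovecot.conf text for the settings that decide whether cleartext authentication is accepted at all, run once on a fragment modelled on the post's values and once on a hardened counterpart. The config fragments, the user alice and the password s3cret are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Postfix/Dovecot code.
#  1. auth_plain_token / auth_plain_decode: AUTH PLAIN is base64 of
#     "\0user\0password"; anyone on the wire recovers both with one command.
#  2. check_cleartext_auth: flag settings that let that token be sent
#     without TLS.

# Constructed main.cf fragment modelled on the post's settings.
SAMPLE_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /usr/local/etc/postfix/CA/server.key
smtpd_tls_cert_file = /usr/local/etc/postfix/CA/server.crt'

# Constructed dovecot.conf fragment modelled on the post's settings.
SAMPLE_DOVECOT_CONF='auth_mechanisms = plain login
disable_plaintext_auth = no
ssl = yes
ssl_cert = <server.crt
ssl_key = <server.key'

# Hardened counterparts: AUTH only after STARTTLS, no cleartext logins.
HARDENED_MAIN_CF="$SAMPLE_MAIN_CF
smtpd_tls_auth_only = yes"
HARDENED_DOVECOT_CONF='auth_mechanisms = plain login
disable_plaintext_auth = yes
ssl = required
ssl_cert = <server.crt
ssl_key = <server.key'

# auth_plain_token USER PASSWORD -> the token a client sends after "AUTH PLAIN"
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# auth_plain_decode TOKEN -> "USER PASSWORD" recovered from a captured token
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' ' ' | sed 's/^ //'
}

# conf_get TEXT KEY -> value of the last "KEY = value" line, empty if unset
conf_get() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { key = $0; sub(/[ \t]*=.*/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v) }
        END { print v }'
}

# check_cleartext_auth MAIN_CF_TEXT DOVECOT_CONF_TEXT -> one finding per line
check_cleartext_auth() {
    if [ "$(conf_get "$1" smtpd_sasl_auth_enable)" = yes ] &&
       [ "$(conf_get "$1" smtpd_tls_auth_only)" != yes ]; then
        echo "postfix: AUTH is offered before STARTTLS (set smtpd_tls_auth_only = yes)"
    fi
    if [ "$(conf_get "$2" disable_plaintext_auth)" = no ]; then
        echo "dovecot: PLAIN/LOGIN accepted on cleartext IMAP/POP3 (set disable_plaintext_auth = yes)"
    fi
    if [ "$(conf_get "$2" ssl)" = yes ]; then
        echo "dovecot: ssl = yes only offers TLS; ssl = required refuses cleartext sessions"
    fi
    return 0
}

# Demo
echo "AUTH PLAIN $(auth_plain_token alice s3cret)"
auth_plain_decode "$(auth_plain_token alice s3cret)"
echo "--- as configured in the post:"
check_cleartext_auth "$SAMPLE_MAIN_CF" "$SAMPLE_DOVECOT_CONF"
echo "--- hardened:"
check_cleartext_auth "$HARDENED_MAIN_CF" "$HARDENED_DOVECOT_CONF"
```

The token printed by auth_plain_token is exactly what you paste after AUTH PLAIN when testing the server by hand with openssl s_client -starttls smtp -connect host:25, and auth_plain_decode is what an attacker runs on a capture from port 25 or 143 when the flagged settings are left in place.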


Roundcube Webmail ~ create the database and grant privileges in MySQL first, then open the installer directory in a browser to run the setup, which generates main.inc.php and db.inc.php. The database DSN belongs in db.inc.php and the IMAP/SMTP/UI settings in main.inc.php, so the two blocks are labelled accordingly below.

==============================================
[db.inc.php]

$rcmail_config['db_dsnw'] = 'mysql://user:password@host/database';

// the rest can stay at the defaults

==============================================
[main.inc.php]

// IMAP
$rcmail_config['default_host'] = 'DomainName';
$rcmail_config['default_port'] = 143;
$rcmail_config['imap_auth_type'] = '';

// SMTP
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 25;
$rcmail_config['smtp_auth_type'] = 'LOGIN, PLAIN';

// USER INTERFACE
$rcmail_config['junk_mbox'] = 'Spam';
$rcmail_config['default_imap_folders'] = array('INBOX', 'Drafts', 'Sent', 'Spam', 'Trash');
$rcmail_config['create_default_folders'] = true;

// USER PREFERENCES
$rcmail_config['default_charset'] = 'UTF-8';

// the rest can stay at the defaults

==============================================

Two caveats on these values. default_host = 'DomainName' on port 143 with imap_auth_type left empty means Roundcube logs in to the IMAP server over an unencrypted connection; unless the webmail runs on the same box (then use 'localhost'), point it at 'tls://DomainName', or at 'ssl://DomainName' with default_port 993. smtp_auth_type expects a single mechanism name such as 'PLAIN' or 'LOGIN', or an empty string to let Roundcube pick the best one the server advertises; if SMTP authentication fails with the combined value above, change it to 'PLAIN'.


Settings to add to /etc/rc.conf
==============================================
# Postfix
postfix_enable="YES"

# dovecot
dovecot_enable="YES"

# Sendmail
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# SASL2
saslauthd_enable="YES"

==============================================

Wednesday, September 14, 2011

Postfix + MySQL + ExtMail mail server

[Repost] http://www.bsdlover.cn/html/51/n-2951.html

1. Installation

Install all the software first, then configure each piece in turn. Before installing, it is best to refresh the ports tree with "portsnap fetch update".
[1]. Install cyrus-sasl2
cyrus-sasl2 is the standard SASL implementation library and can work with Courier authlib.
[root@bsd01 ~]#cd /usr/ports/security/cyrus-sasl2
[root@bsd01 cyrus-sasl2]#make install clean

A "make config" menu then appears; pick the support you need. I am using MySQL as the database backend here, so MYSQL must be selected:
Options for cyrus-sasl 2.1.22_2
----------------------------------------------------------------------------
[ ] BDB Use Berkeley DB
[X] MYSQL Use MySQL
[ ] PGSQL Use PostgreSQL
[ ] SQLITE Use SQLite
[ ] DEV_URANDOM Use /dev/urandom
[ ] ALWAYSTRUE Enable the alwaystrue password verifier
[ ] KEEP_DB_OPEN Keep handle to Berkeley DB open
[X] AUTHDAEMOND Enable use of authdaemon
[X] LOGIN Enable LOGIN authentication
[X] PLAIN Enable PLAIN authentication
[X] CRAM Enable CRAM-MD5 authentication
[X] DIGEST Enable DIGEST-MD5 authentication
[X] OTP Enable OTP authentication
[X] NTLM Enable NTLM authentication


[2]. Install courier-imap
Courier-IMAP provides POP3 and IMAP service, is easily configured to offer the encrypted POP3S and IMAPS variants, and has good Maildir support.
[root@bsd01 cyrus-sasl2]#cd /usr/ports/mail/courier-imap
[root@bsd01 courier-imap]#make install clean

A "make config" menu appears; pick the support you need:
Options for courier-imap 4.4.1,2
-------------------------------------------------------------------------------
[ ] FAM Build in fam support for IDLE command
[ ] TRASHQUOTA Include deleted mails in the quota
[ ] GDBM Use gdbm db instead of system bdb
[ ] IPV6 Build with IPv6 support
[ ] AUTH_LDAP LDAP support
[X] AUTH_MYSQL MySQL support
[ ] AUTH_PGSQL PostgreSQL support
[ ] AUTH_USERDB Userdb support
[ ] AUTH_VCHKPW Vpopmail/vchkpw support


[3]. Install postfix
postfix is an excellent MTA (mail transfer agent). Compared with sendmail it performs better and is simpler to configure; it was written as a replacement for sendmail, so compatibility is good and most sendmail scripts work unchanged with postfix.
[root@bsd01 courier-imap]#cd /usr/ports/mail/postfix
[root@bsd01 postfix]#make install clean

A "make config" menu appears; select the components we need:
Options for postfix 2.5.5,1
--------------------------------------------------------------------------------------
[X] PCRE Perl Compatible Regular Expressions
[X] SASL2 Cyrus SASLv2 (Simple Auth. and Sec. Layer)
[ ] DOVECOT Dovecot SASL authentication method
[ ] SASLKRB If your SASL req. Kerberos select this option
[ ] SASLKRB5 If your SASL req. Kerberos5 select this option
[ ] SASLKMIT If your SASL req. MIT Kerberos5 select this option
[X] TLS Enable SSL and TLS support
[ ] BDB Berkeley DB (choose version with WITH_BDB_VER)
[X] MYSQL MySQL maps (choose version with WITH_MYSQL_VER)
[ ] PGSQL PostgreSQL maps (choose with DEFAULT_PGSQL_VER)
[ ] OPENLDAP OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)
[ ] CDB CDB maps lookups
[ ] NIS NIS maps lookups
[X] VDA VDA (Virtual Delivery Agent)
[X] TEST SMTP/LMTP test server and generator

The install asks one question along the way; the defaults are fine:
Would you like me to add it [y]?y
Would you like to activate Postfix in /etc/mail/mailer.conf [n]?n

After installation it tells you to add the following to /etc/rc.conf:
postfix_enable="YES"
# If you do not need sendmail any more, add the following to your rc.conf:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

It also suggests adding the lines below to /etc/periodic.conf, but my server has no /etc/periodic.conf file at all, so I ignored it:
#And you can disable some sendmail specific daily maintenance routines in your /etc/periodic.conf file:
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

[4]. Install extman and extmail
You can also download these from http://www.extmail.org/cgi-bin/download.cgi.
1). Install extman 0.2.5
[root@bsd01 postfix]#cd /usr/ports/mail/extman
[root@bsd01 extman]#make install clean

A "make config" dialog pops up; MySQL support is all we need:
Options for extman 0.2.5
------------------------------------------------------------
[X] MySQL Use MySQL support
[ ] LDAP Use LDAP support

Once extman is installed, its web pages and config files are in /usr/local/www/extman. It also builds supporting components such as p5-MIME, p5-GD, p5-DBD-mysql, gd, p5-DBI and p5-Storable; that is the strength of ports.

2). Install extmail 1.0.5
[root@bsd01 extman]#cd ../extmail
[root@bsd01 extmail]#make install clean

Here too a "make config" dialog pops up, the same as for extman; since extman already pulled that support in, MySQL and LDAP support can be deselected here.
Once extmail is installed, its web pages and config files are in /usr/local/www/extmail; it also installs the p5-Unix-Syslog component.

Now we can start configuring.

2. Configuration
[1]. A few basic steps first
[root@bsd02 ~]#mv /usr/sbin/sendmail /usr/sbin/sendmail.old
[root@bsd01 ~]#ln -s /usr/local/sbin/sendmail /usr/sbin
[root@bsd01 ~]#echo 'postfix: root' >> /etc/aliases
[root@bsd01 ~]#/usr/local/bin/newaliases
[root@bsd01 ~]#chown postfix:postfix /etc/opiekeys

[2]. Now configure courier-imap
▼ First copy the config files:
[root@bsd01 ~]#cd /usr/local/etc/courier-imap
[root@bsd01 courier-imap]#cp imapd.cnf.dist imapd.cnf
[root@bsd01 courier-imap]#cp pop3d.cnf.dist pop3d.cnf
[root@bsd01 courier-imap]#chmod a+x /var/run/authdaemond

▼ Then add courier-imap to /etc/rc.conf so it starts at boot:
courier_authdaemond_enable="YES"
courier_imap_pop3d_enable="YES"
courier_imap_imapd_enable="YES"

▼ Start the authentication daemon:
[root@bsd01 courier-imap]#/usr/local/etc/rc.d/courier-authdaemond start

Wednesday, May 11, 2011

Forgot the MySQL root password!? (Windows edition)

If your server runs Windows XP/2000/2003/NT, this method should let you reset the MySQL root password.

1. Stop the MySQL service: open CMD and run net stop mysql

2. Change to the MySQL install directory, e.g. C:\Program files\mysql\bin\

3. Start mysqld with the grant tables skipped, i.e. a server that lets anyone in without a password:
mysqld-nt --skip-grant-tables
(mysqld-nt is the NT build shipped with MySQL 4.x/5.0 on Windows; later releases only ship mysqld.exe, so use that.) Be aware that while the server runs this way every connection, including one over TCP from another machine, is root with no password. Do this with port 3306 blocked at the firewall, or add --skip-networking (on Windows that also needs --enable-named-pipe and a client started with --pipe), and keep the window as short as possible.
4. In a second CMD window run mysql -u root -p and log in without a password (just press Enter at the prompt)

5. Enter the following to change the root password
mysql> UPDATE mysql.user SET password=PASSWORD('new password') WHERE User='root';
(On MySQL 5.7 and later the column is authentication_string and PASSWORD() is gone; there the sequence is FLUSH PRIVILEGES; followed by ALTER USER 'root'@'localhost' IDENTIFIED BY 'new password';)
6. Reload the grant tables
mysql> flush privileges;
7. Done!
mysql> quit

The MySQL root password is now reset. Stop the instance you started with --skip-grant-tables, start the service normally (net start mysql), and log in with the new password.