Goutham (India) asked:
Password change not working from SquirrelMail

Dear Sir/Madam:

I have configured Linux ES v.04 as a mail server, with Sendmail as the MTA and Dovecot IMAP; everything is working fine with the email client software (Outlook Express). I installed SquirrelMail for webmail and this is also working fine. I wanted to add the password change plugin and was able to add the following plugin: change_pass-2.7-1.4.x.tar.gz, but when a user logs in to the webmail, clicks on the change password option and tries to change the password, the following error is the output:
Change Password
ERROR:Connection refused (111)

Old Password
New Password
Verify New Password

I have also installed poppassd-ceti-1.8.5-co4.i386.rpm; by logging in as root on the mail server I am able to use poppassd and change the passwords of the mail users,

but I am not able to telnet to the mail server on port 106; I get the error message "unable to connect to the remote host: Connection refused".

Following is the firewall of my Linux mail server:
---------------firewall--------------------------
#!/bin/sh

#---------------------------------------------------------------------------
#  
#                      
#---------------------------------------------------------------------------

#-------------------------------MODULES-------------------------------------
#Load Modules
modprobe ip_tables
modprobe iptable_mangle
modprobe iptable_filter
modprobe iptable_nat
modprobe ipt_limit
modprobe ipt_LOG
modprobe ipt_MASQUERADE
modprobe ipt_state
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

#----------------------------INTERFACES-------------------------------------
#Interface Definitions

int_nic="eth0"
int_ip="202.144.86.74"
lan="192.168.1.0/24"
dns0="202.144.95.4"
dns1="202.144.66.6"
anywhere="0.0.0.0/0"
router_ip="202.144.86.73"
ip="192.168.1"

#----------------------------FLUSH POLICIES AND RULES------------------------
#Clear out any existing firewall rules
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X -t nat
iptables -X -t mangle
iptables -X

#----------------------------BASIC SECURITY RESTRICTIONS------------------------------------
#Enable ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps.  These have been the subject of a recent bugtraq
#thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill ICMP redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Set our local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range

#PING OF DEATH
iptables -A FORWARD -p icmp --icmp-type 8 -m limit --limit  3/second -j ACCEPT

#SYN-FLOOD PROTECTION
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

#---------------------------DENIAL OF SERVICE-----------------------------------
#Reduce DoS'ing ability by timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

#---------------------------FIREWALL POLICIES AND TRAFFIC DETAILS-----------------------------------
#Default POLICIES
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#LOOPBACK ALLOW TRAFFIC ON THE LOOPBACK INTERFACE
iptables -A INPUT -i lo -j ACCEPT

#ALLOW ESTABLISHED AND RELATED TRAFFIC
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#Allow access to SSH from outside
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 25 -j ACCEPT
iptables -A INPUT -p udp -s $anywhere -d $int_ip --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 143 -j ACCEPT
iptables -A INPUT -p udp -s $anywhere -d $int_ip --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 465 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 106 -j ACCEPT

iptables -A INPUT -p tcp -s $anywhere --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere --sport 1024:65535 -d $int_ip --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $int_ip --sport 25 -d $anywhere --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $int_ip --sport 1024:65535 -d $anywhere --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $anywhere --sport 25 -d $int_ip --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


#--------------------------ICMP CONNECTIONS----------------------------------------------------------
#Allow and Accept icmp traffic with restrictions
iptables -A INPUT -p 1 -s $lan -j ACCEPT
iptables -A INPUT -p 1 -d $int_ip --icmp-type 8 -j DROP
iptables -A INPUT -p 1 -s $anywhere -j ACCEPT


#------------------------------FIREWALL LOGGING-----------------------------------------------------------
#LOG RULES
iptables -A INPUT -p tcp -m state --state INVALID -j LOG
iptables -A INPUT -p icmp -j LOG
#iptables -A OUTPUT -j LOG
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -t nat -A PREROUTING -j LOG
#iptables -t nat -A POSTROUTING -j LOG
#iptables -t nat -A OUTPUT -j LOG

#---------------------------------------------------------------------------------------------------------
echo "Started Firewall."
sleep 13


Following is the output of iptables:

-----------------------------iptables -L -vn--------------------------------------------------------

Chain INPUT (policy DROP 4197 packets, 339K bytes)
 pkts bytes target     prot opt in     out     source               destination        
35571   12M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
2821K  689M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  377 22480 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
  295 15112 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:80
 9844 1618K ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            202.144.86.74       udp dpt:25
 2849  133K ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:143
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            202.144.86.74       udp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:110
   16   768 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:106
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp spts:1024:65535 dpt:25 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp spt:25 dpts:1024:65535 state ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       192.168.1.0/24       0.0.0.0/0          
   45  3828 DROP       icmp --  *      *       0.0.0.0/0            202.144.86.74       icmp type 8
   45  3452 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     udp  --  eth0   *       202.144.95.4         0.0.0.0/0           udp spt:53 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       202.144.66.6         0.0.0.0/0           udp spt:53 state RELATED,ESTABLISHED
 2757  113K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 0 level 4
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
 3232  139K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            202.144.86.74       udp dpt:106
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            202.144.86.74       udp dpt:106
    6   316 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:21

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 3/sec burst 5
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 1/sec burst 5
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 757K packets, 72M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 689K   43M ACCEPT     tcp  --  *      *       202.144.86.74        0.0.0.0/0           tcp spt:25 dpts:1024:65535 state ESTABLISHED
1749K  709M ACCEPT     tcp  --  *      *       202.144.86.74        0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            202.144.86.74       tcp dpt:21



Following is the output of netstat:

----------------netstat -nl--------------------------------------------

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:32768               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::993                      :::*                        LISTEN      
tcp        0      0 :::143                      :::*                        LISTEN      
tcp        0      0 :::6000                     :::*                        LISTEN      
tcp        0      0 :::80                       :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
tcp        0      0 :::443                      :::*                        LISTEN      
udp        0      0 0.0.0.0:32768           0.0.0.0:*                          
udp        0      0 0.0.0.0:111             0.0.0.0:*                          
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:632             0.0.0.0:*                          

Following is the output of /var/log/httpd/error_log:

[client 202.144.86.75] PHP Warning:  fsockopen(): unable to connect to
localhost:106 in /usr/share/squirrelmail/plugins/change_pass/options.php
on line 140, referer:
http://mail.scriptacomsystems.com/webmail/plugins/change_pass/options.php

Please suggest how to fix this problem so that users can change the password from the webmail.

Please tell me if any rule has to be added or modified in the firewall; please also tell me why, after installing poppassd-ceti-1.8.5-co4.i386.rpm, I am not able to telnet to port 106 (it says connection refused).

Regards
D_wathi


I have also copied /usr/share/squirrelmail/plugins/change_pass/options.php below:

<?php
    /* change_pass
     *
     * $Id: options.php,v 1.5 2004/07/21 14:28:46 indiri69 Exp $
     */

    define('SM_PATH', '../../');
    require_once (SM_PATH . 'include/validate.php');
    require_once (SM_PATH . 'functions/page_header.php');
    require_once (SM_PATH . 'functions/imap.php');
    require_once (SM_PATH . 'functions/prefs.php');
    require_once (SM_PATH . 'functions/global.php');
    require_once (SM_PATH . 'functions/i18n.php');

    sqgetGlobalVar('plugin_change_pass', $plugin_change_pass, SQ_POST);

    $messages = array();
    if (isset($plugin_change_pass)) {
        sqgetGlobalVar('cp_oldpass', $cp_oldpass, SQ_POST);
        sqgetGlobalVar('cp_newpass', $cp_newpass, SQ_POST);
        sqgetGlobalVar('cp_verify',  $cp_verify,  SQ_POST);
        bindtextdomain('change_pass', SM_PATH . 'plugins/change_pass/locale');
        textdomain('change_pass');
        $messages = change_pass_check();
        bindtextdomain('squirrelmail', SM_PATH . 'locale');
        textdomain('squirrelmail');
    }

    displayPageHeader($color, 'None');

    bindtextdomain('change_pass', SM_PATH . 'plugins/change_pass/locale');
    textdomain('change_pass');
?>
    <table width="100%" cellpadding="2" cellspacing="2" border="0">
        <tr><td bgcolor="<?php echo $color[0] ?>">
                <center><b><?php echo _("Change Password") ?></b></center>
        </td></tr>
        <tr><td>
<?php
    if (count($messages)) {
        foreach ($messages as $line) {
            echo htmlspecialchars($line) . "<br>\n";
        }
        echo "</td></tr>\n";
        echo "<tr><td>\n";
    }
?>
            <form method="post" action="<?php echo $PHP_SELF ?>">
            <table align="center">
<?php
    $values = array(_("Old Password")        => 'cp_oldpass',
                    _("New Password")        => 'cp_newpass',
                    _("Verify New Password") => 'cp_verify');
    foreach($values as $key=>$value) {
?>
                <tr>
                    <th align="right"><?php echo $key; ?></th>
                    <td>
                        <input type="password" name="<?php echo $value; ?>" size="20">
                    </td>
                </tr>
<?php } ?>
                <tr><td align="center" colspan="2">
                    <input type="submit" value="<?php echo _("Submit"); ?>" name="plugin_change_pass">
                </td></tr>
            </table>
            </form>
        </td></tr>
    </table>
</body></html>
<?php
    bindtextdomain('squirrelmail', SM_PATH . 'locale');
    textdomain('squirrelmail');

function change_pass_closeport($pop_socket, &$messages, $debug) {
    if ($debug) {
        array_push($messages, _("Closing Connection"));
    }
    fputs($pop_socket, "quit\r\n");
    fclose($pop_socket);
}

function change_pass_readfb($pop_socket, &$result, &$messages, $debug) {
   $strResp = '';
   $result  = '';

   if (!feof($pop_socket)) {
      $strResp = fgets($pop_socket, 1024);
      $result  = substr(trim($strResp), 0, 3);  // 200, 500
      if(!preg_match('/^[23]\d\d/', $result) || $debug) {
          $messages[] = "--> $strResp";
      }
   }
}

function change_pass_check($debug = 0) {
    global $cp_oldpass, $cp_newpass, $cp_verify;
    global $plugin_change_pass;

    sqgetGlobalVar('key', $key, SQ_COOKIE);
    sqgetGlobalVar('onetimepad', $onetimepad, SQ_SESSION);
    $messages = array();
    $password = OneTimePadDecrypt($key, $onetimepad);

    if ($cp_oldpass == '') {
        $messages[] = _("You must type in your old password.");
    }
    if ($cp_newpass == '') {
        $messages[] = _("You must type in a new password.");
    }
    if ($cp_verify  == '') {
        $messages[] = _("You must also type in your new password in the verify box.");
    }
    if ($cp_newpass != '' && ($cp_verify != $cp_newpass)) {
        $messages[] = _("Your new password doesn't match the verify password.");
    }
    if ($cp_oldpass != '' && ($cp_oldpass != $password)) {
        $messages[] = _("Your old password is not correct.");
    }
    if (count($messages)) {
        $return = $messages;
    } else {
        $return = change_pass_go($password, $debug);
    }
    return $return;
}

function change_pass_go($password, $debug) {
    include_once(SM_PATH . 'plugins/change_pass/settings.php');

    global $username;
    global $cp_newpass, $key, $onetimepad;

    sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION);
    $messages = array();

    if ($debug) {
        $messages[] = _("Connecting to Password Server");
    }
    $pop_socket = fsockopen($poppass_server, $poppass_port, $errno, $errstr);
    if (!$pop_socket) {
        $messages[] = _("ERROR:") .  "$errstr ($errno)";
        return $messages;
    }

    change_pass_readfb($pop_socket, $result, $messages, $debug);
    if(!preg_match('/^2\d\d/', $result) ) {
        change_pass_closeport($pop_socket, $messages, $debug);
        return $messages;
    }

    fputs($pop_socket, "user $username\r\n");
    change_pass_readfb($pop_socket, $result, $messages, $debug);
    if(!preg_match('/^[23]\d\d/', $result) ) {
        change_pass_closeport($pop_socket, $messages, $debug);
        return $messages;
    }

    fputs($pop_socket, "pass $password\r\n");
    change_pass_readfb($pop_socket, $result, $messages, $debug);
    if(!preg_match('/^[23]\d\d/', $result) ) {
        change_pass_closeport($pop_socket, $messages, $debug);
        return $messages;
    }

    fputs($pop_socket, "newpass $cp_newpass\r\n");
    change_pass_readfb($pop_socket, $result, $messages, $debug);
    change_pass_closeport($pop_socket, $messages, $debug);
    if(!preg_match('/^2\d\d/', $result) ) {
        return $messages;
    }

    $messages[] = _("Password changed successfully.");

    // Write new cookies for the password
    $onetimepad = OneTimePadCreate(strlen($cp_newpass));
    $key = OneTimePadEncrypt($cp_newpass, $onetimepad);
    sqsession_register($onetimepad, 'onetimepad');
    setcookie('key', $key, 0, $base_uri);

    return $messages;
}
?>



 
jazzl0ver:

Check your netstat output - nobody listens on port 106.
Goutham (asker):

Thanks for the reply.

I do not know why the Linux box is not listening on port 106; I have put in the following rules:

iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 106 -j ACCEPT
iptables -A INPUT -p udp -s $anywhere -d $int_ip --dport 106 -j ACCEPT

Please advise me on this; if the rule is wrong, please suggest how to open port 106.


Goutham (asker):

I also tried a different plugin to change the password, namely:

Change_passwd (4.0):  change_passwd-4.0-1.2.8.tar.gz

Original Author: Thiago Melo de Paula
This plugin allows your users to change their system password in /etc/passwd or /etc/shadow.
For the same I also installed the Compatibility plugin 1.3,

but when a user logs in to the webmail and tries to change the password, the output is the following:

Change Password An error has occurred while attempting to change your password. Please contact your system administrator.

Following is the output of /var/log/messages:

--------------------var/log/messages---------------------------

Sep 25 13:47:26 mail kernel: audit(1159172246.526:0): avc:  denied
{ execute } for  pid=1553 exe=/bin/bash name=chpasswd dev=hda5
ino=458432 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:usr_t tclass=file
Sep 25 13:48:02 mail kernel: audit(1159172282.330:0): avc:  denied
{ execute } for  pid=1579 exe=/bin/bash name=chpasswd dev=hda5
ino=458432 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:usr_t tclass=file


Please suggest how to fix this problem.


1. iptables doesn't open any ports for listening; it just provides rules for IP packets.
2. What is port 106? I don't see any port requirements in the change_passwd docs.
3. Have you checked the troubleshooting section of the README file? Is everything OK?
Goutham (asker):

Thanks again.

1. My question was: even after adding the following rules
iptables -A INPUT -p tcp -s $anywhere -d $int_ip --dport 106 -j ACCEPT
iptables -A INPUT -p udp -s $anywhere -d $int_ip --dport 106 -j ACCEPT

port 106 was not opened; with similar rules for different ports like 80 and 443, Linux is listening, but not for 106.

Please tell me if anything is wrong in my above two rules.

In the first plugin

change_pass-2.7-1.4.x.tar.gz
Original Author: Tyler Allison
Lets you change your password using PAM or Courier authentication modules. Includes poppassd and courierpassd which do the actual password changing

Yes, I did as per the README file; I have pasted the same:

$Id: README,v 1.4 2004/07/21 14:29:59 indiri69 Exp $
change_pass -- Version 2.5-1.4.x
Ritchie Low  <rlow@xipware.com>
Seth Randall <sethr@missoulafcu.org>

Description
===========
This is a Squirrelmail plugin to change password using the Poppassd service
at port 106

You can get poppassd compliant services from the following:
Pawel Krawczyk      http://echelon.pl/pubs/poppassd.html (Supports PAM)
Andrew Stevenson    ftp://ftp.ugh.net.au/pub/unix/poppwd
NetWin              http://netwinsite.com/poppassd/      (Changes /etc/passwd)
BSD users should try the one from the ports collection for their brand of BSD first.
Courier users should try courierpassd at http://www.arda.homeunix.net/store/

poppassd must be running on your mail server for this to work.  Other than
that, you just need to add this plugin to SquirrelMail (using the perl script
or by editing config.php by hand), and all should be fine.

If you experience problems, first make sure that your mail server is running
poppassd, and it is answering to port 106, and when telnetting to that port
(with "telnet mail.server.address 106"), you can do this:
    user YourUsername
    pass YourPassword
    newpass ANewPassword
and it should change your password.

To change the server or port poppassd listens on, change the options in
settings.php.


1. These lines are not wrong; they just allow packets to go to port 106, but there's no application that listens on that port (look at the netstat output). In your example, Apache is the application that listens on ports 80 and 443.
2. Looks like you use a very old version of that plugin. Try to download and install the latest one:
change_passwd-4.0-1.2.8.tar.gz
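As an added example (not from the thread, the plugin or poppassd), the two checks behind this reply: read `netstat -nl` output for a LISTEN socket on a port, and run the user / pass / newpass exchange from the README with the same 2xx/3xx reply checks the plugin's change_pass_go() applies. A small in-process stand-in for poppassd and the test account are constructed so the script runs offline; the reply texts it sends are assumptions, not the real daemon's.

```python
"""Added diagnostics for the thread's "Connection refused (111)": is anything
listening (netstat), and does the README's poppassd exchange succeed?
A constructed in-process stand-in for poppassd lets this run offline."""
import re
import socket
import threading

# Constructed sample in the shape of the `netstat -nl` output posted above.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 :::143                      :::*                        LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

def listening_tcp_ports(netstat_text):
    """TCP ports with a LISTEN socket. An iptables ACCEPT rule never shows up here:
    a port is open only once a process binds it, and 'Connection refused' is the
    kernel's RST for an unbound port (a firewall DROP would time out instead)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def poppassd_change(host, port, user, old_password, new_password, timeout=5.0):
    """Run user / pass / newpass as the README describes; return (ok, server replies).
    Reply checks mirror the plugin's change_pass_go(). Passwords are never recorded."""
    replies = []
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:            # errno 111 on Linux
        return False, ["ERROR: Connection refused (%d): nothing listening on %s:%d"
                       % (exc.errno, host, port)]
    except socket.timeout:
        return False, ["ERROR: timed out: packets dropped on the way (firewall?)"]
    with sock, sock.makefile("rb") as reader:
        def step(command, ok_pattern):
            if command is not None:
                sock.sendall(command.encode() + b"\r\n")
            reply = reader.readline().decode(errors="replace").strip()
            replies.append(reply)
            return re.match(ok_pattern, reply) is not None
        ok = (step(None, r"^2\d\d")                   # greeting must be 2xx
              and step("user " + user, r"^[23]\d\d")
              and step("pass " + old_password, r"^[23]\d\d")
              and step("newpass " + new_password, r"^2\d\d"))
        step("quit", r".*")                           # close politely either way
    return ok, replies

def _fake_poppassd(listener, accounts):
    """Constructed one-session stand-in for poppassd; NOT the real daemon."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as reader:
        conn.sendall(b"200 poppassd stand-in ready\r\n")
        user, authenticated = None, False
        for raw in reader:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.lower()
            if verb == "user":
                user = arg
                conn.sendall(b"200 your password please\r\n")
            elif verb == "pass":
                authenticated = accounts.get(user) == arg
                conn.sendall(b"200 your new password please\r\n" if authenticated
                             else b"500 old password is incorrect\r\n")
            elif verb == "newpass":
                if authenticated:
                    accounts[user] = arg
                conn.sendall(b"200 password changed\r\n" if authenticated
                             else b"500 not authenticated\r\n")
            else:                                     # quit or anything unknown
                conn.sendall(b"200 bye\r\n")
                break

def run_demo():
    """Change a password against the stand-in, then reproduce error 111 on a dead port."""
    accounts = {"goutham": "old-secret"}              # constructed test account
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                   # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_fake_poppassd, args=(listener, accounts))
    worker.start()
    ok, _ = poppassd_change("127.0.0.1", port, "goutham", "old-secret", "new-secret")
    worker.join()
    listener.close()
    # Same port, now with nothing bound to it: exactly what the thread ran into.
    refused, reason = poppassd_change("127.0.0.1", port, "goutham", "x", "y")
    return ok, accounts["goutham"], refused, reason[0]

if __name__ == "__main__":
    print(sorted(listening_tcp_ports(NETSTAT_SAMPLE)))   # [25, 80, 143]: no 106
    print(run_demo())
```

Against a real server the same function distinguishes the two failure modes that look alike from the browser: refused (no daemon bound to 106) versus timeout (packets dropped by a firewall).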
Goutham (asker):

I also tried change_passwd-4.0-1.2.8.tar.gz,

but when a user logs in to the webmail and tries to change the password, the output is the following:

Change Password
An error has occurred while attempting to change your password. Please contact your system administrator.

Following is the output of /var/log/messages:

--------------------var/log/messages---------------------------

Sep 25 13:47:26 mail kernel: audit(1159172246.526:0): avc:  denied
{ execute } for  pid=1553 exe=/bin/bash name=chpasswd dev=hda5
ino=458432 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:usr_t tclass=file
Sep 25 13:48:02 mail kernel: audit(1159172282.330:0): avc:  denied
{ execute } for  pid=1579 exe=/bin/bash name=chpasswd dev=hda5
ino=458432 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:usr_t tclass=file

jazzl0ver (asker-certified solution; available to Experts Exchange members only):
Goutham (asker):

Now, after commenting out the following lines in /etc/selinux/config:

#SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
#SELINUXTYPE=targeted

users are able to change the password successfully, but the error message pops up on the console and the same is logged in /var/log/messages:

---------------------log of /var/log/messages-----------------------------------

Sep 25 13:47:26 mail kernel: audit(1159172246.526:0): avc:  denied
{ execute } for  pid=1553 exe=/bin/bash name=chpasswd dev=hda5
ino=458432 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:usr_t tclass=file
Sep 25 13:48:02 mail kernel: audit(1159172282.330:0): avc:  denied
{ execute } for  pid=1579 exe=/bin/bash name=chpasswd dev=hda5
ino=458432 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:usr_t tclass=file


1. Will there be any security issues from disabling SELinux in /etc/selinux/config?

2. As mentioned above, the message pops up on the console while changing the password; does anything need to be changed? Please advise.





1. In my opinion, if you don't use SELinux, it won't decrease security much if you turn it off. From another point of view, you may adjust SELinux for this plugin, but I can't help you with that, since I don't use SELinux and have no experience with it.
Allowing users to change their password via the web is already a big security issue. Moreover, there are a lot of XSS vulnerabilities reported for SquirrelMail.
2. I guess you should explicitly disable SELinux if you want to turn the messages off; just commenting out the lines does not seem to suit.
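As an added example (not from the thread), a small parser for the AVC denials posted above: it turns each `avc: denied` record into its fields and collapses the repeats, so "what did SELinux actually block?" is answered from the log before deciding between adjusting policy and disabling enforcement. The sample is the thread's own four entries re-joined onto one line each, as the kernel writes them.

```python
"""Parse the SELinux AVC denials from the thread's /var/log/messages.
The decision-relevant facts are the source type (the domain of the process),
the permission, and the type label of the target file; that triple is what
any policy adjustment would be written against."""
import re
from collections import Counter

# The thread's entries, one record per line (the post shows them wrapped).
AVC_SAMPLE = """\
Sep 25 13:47:26 mail kernel: audit(1159172246.526:0): avc:  denied  { execute } for  pid=1553 exe=/bin/bash name=chpasswd dev=hda5 ino=458432 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
Sep 25 13:47:26 mail kernel: audit(1159172246.526:0): avc:  denied  { execute } for  pid=1553 exe=/bin/bash name=chpasswd dev=hda5 ino=458432 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
Sep 25 13:48:02 mail kernel: audit(1159172282.330:0): avc:  denied  { execute } for  pid=1579 exe=/bin/bash name=chpasswd dev=hda5 ino=458432 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
Sep 25 13:48:02 mail kernel: audit(1159172282.330:0): avc:  denied  { execute } for  pid=1579 exe=/bin/bash name=chpasswd dev=hda5 ino=458432 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:usr_t tclass=file
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$"
)

def parse_avc(line):
    """Return a dict of one AVC record's fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "verdict": m.group("verdict"),
           "perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("kv")):
        rec[key] = value
    # Contexts are user:role:type; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize(log_text):
    """Collapse repeated denials into counts keyed by (source type, permission,
    target type, object class, object name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["scontext_type"], perm, rec["tcontext_type"],
                        rec["tclass"], rec.get("name", "?"))] += 1
    return counts

def describe(key, n):
    """Plain-language reading of one summary entry."""
    src, perm, tgt, cls, name = key
    return ("%dx: a process in domain %s was denied '%s' on %s '%s' labelled %s"
            % (n, src, perm, cls, name, tgt))

if __name__ == "__main__":
    for key, n in summarize(AVC_SAMPLE).items():
        print(describe(key, n))
```
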
Goutham (asker):

Thanks for the support; it would be a great help if you can suggest any other webmail which does not have vulnerabilities.

Nobody can tell you that :) Every piece of software has bugs, so it's up to you to decide which one to use.
I use SquirrelMail for my internal corporate purposes and I'm not afraid of these vulnerabilities because only employees use it and they won't do any bad things. And I don't use the changepass plugin since people should (and can) change their password by other means.
Goutham (asker):

Thanks for the support.