by Anil Jalela | Dec 11, 2020 | Linux
The “From:” line of an email newsletter should identify the sender and be quickly recognizable to the recipient. Studies have shown that when viewing their inbox, readers look at the From line first; an engaging From line has been shown to increase open rates. Avoid useless special characters and a bare domain name in it.
The subject line should be engaging and benefit-oriented and talk about the content of this issue of the email newsletter. The key message in the subject line should be first; subject lines are often truncated. When writing subject lines, companies should be sure they don’t sound “spammy” by avoiding over-the-top claims and language favored by less reputable emailers.
Subject lines get truncated at all different lengths, but the shortest is on mobile: Android truncates at 24 characters, Apple at 31. A study from Informz provided data showing that shorter email subject lines performed best. These include email subject lines that were 10 characters or fewer. After the email subject lines of 10 or fewer characters, email subject lines of 50-59 characters in length were the second most popular. I’ve seen other studies that long subject lines work great too … so maybe test both. The long ones might get cut off and might be more clickable because they’re cut off.
Encourage signups to alternate lists just in case they decide to unsubscribe from your email lists later on down the road. Depending on your email template’s design, place the icons in the right or left navigation to give them prominence.
Don’t hide the unsubscribe button. It is against CAN-SPAM regulations to omit your unsubscribe button, but making the button prominent also makes subscribers feel more secure. It also keeps people from hitting the “spam” button and getting you blacklisted from important email domains.
Commercial emails sent to mobile phones must include clear identification (who are you?) as well as an easy way to unsubscribe and a physical mailing address for your business. You must give the subscriber a way to opt-out in the same way that they opted in – as in, you can’t ask them to call a phone number to get off your list when they subscribed online.
Make sure that the frequency of the send and the content are consistent with what subscribers were told when they signed up. Ask readers to share your email newsletter with their friends and colleagues. Provide those who receive a forwarded issue an easy way to sign-up themselves.
Data from eye-tracking marketers have shown that the left side of the screen is the main focus of email readers. Therefore, the left side should be where your email images are placed (and maybe your ads too!). For our newsletters with two columns, we vary from this rule with ads on the right.
Emails should be 600-800 pixels maximum width. This will make them behave better within the preview-pane size provided by many clients, e.g. Thunderbird, Outlook and Apple devices; AOL allows 660px and Yahoo 640px.
There should be a balance between editorial and promotional content—60%/40% is the rule. The newsletter should be a manageable length to read online, usually 2 to 3 printed pages.
Design for simplicity. Use grid-based layouts and avoid complicated elements that require HTML floats or positioning.
Assume images will be initially blocked by email clients, or that certain images—background images, for example—will completely fail to load.
Since version 2007, Outlook has provided zero background image support. When using layered images in your design, be sure they can degrade gracefully. Always use a solid background color as a fallback for Outlook and make sure no crucial information or imagery exists solely in a background image.
Don’t design an email that’s essentially one large, sliced-up image. An image-heavy email will increase the chances of your email client flagging it as spam, resulting in damage to your sender reputation. While these kinds of emails look pretty, they perform poorly.
A company logo in the preview pane that’s instantly recognizable to readers is important; a strong benefit-oriented headline or newsletter title helps as well. Image blocking (which is getting more prevalent) makes it important to include a link to view the email online in case images aren’t visible. Also good—making sure that the key messages of the preview pane get delivered even if the images aren’t visible.
Many publishers choose to add a table of contents box into their preview pane. The table of contents should include links so that the reader can “jump” directly to the item in the newsletter or to the website with the full story.
As a general rule, the best way to avoid ending up in the dreaded Spam folder is to make sure that your emails reflect a balanced image to text ratio. Most email clients block images by default. With this in mind, incorporate text that summarizes the main point of your message: the offer, the announcement, the transaction taking place, the action for the consumer to take, etc. Some text — especially the main call to action — should be viewable upon opening the email, even if the images are shut off.
Use basic, cross-platform fonts such as Arial, Verdana, Georgia, and Times New Roman. Web fonts are not widely supported in an email, so in most cases, you’ll need a fallback. To circumvent the general lack of support available for handling these issues, stick with web-safe fonts like Arial, Helvetica, Tahoma, Times Roman, and Georgia. The font for mobile emails needs to be larger than that of standard emails. Apple will automatically increase a small font to be a minimum of 13 pixels. On Android devices, 16-18 scale-independent pixels are considered medium and large text sizes. Many designers recommend a minimum of a 14-pixel font for body text and a minimum of a 22-pixel font for headlines.
Avoid elements that require Flash or JavaScript. If you need the motion in an email, a .gif is your best bet. Don’t forget about mobile experience! Is your email readable at arm’s length on a small screen? Will the images slow their load time on a mobile device? Are your links easy to press with a thumb?
Code all structures using the table element. For more complicated layouts, you should nest tables to build complex structures. Use element attributes (such as cell padding, valign, and width) to set table dimensions. This forces a box-model structure.
Keep your CSS simple. Avoid compound style declarations (i.e. “font:#000 12px Arial, Helvetica, sans-serif;”), shorthand code (i.e. #000 instead of #000000), CSS layout properties (i.e. float, position, clear, visibility, etc.) and complex selectors (i.e. descendant, child or sibling selectors, and pseudo-elements). It’s true, CSS support in email has come a long way, and we can now incorporate some media queries to allow for responsive layouts — but by no means can we expect all clients and devices to support this yet.
Inline all CSS before sending.
Use only absolute links for images, and host those images on a reliable server.
Don’t bother with JavaScript or Flash—those technologies are largely unsupported by email clients.
Account for mobile-friendliness, if possible. Use media queries to increase text sizes on small screens, provide thumb-sized (~46x46px) hit areas for links. Make an email responsive if the design allows for it.
Readers have come to expect to find certain information in the footer of an email newsletter. Some of it, like a way to unsubscribe, is required by CAN-SPAM regulations (assuming the email’s purpose is promotional, not transactional). Other information is just best practice, like including a subscription link. Also note that there are new Canadian email regulations in the market.
First, to make sure you’re getting the best delivery rate, ask readers to “white list” you by adding your newsletter’s from address to their address book. Then conduct tests by scheduling your emails on different days and times to discover which delivery time works best. The timing of your delivery can also make or break your ability to reach readers. The email newsletter should be sent at regular intervals and delivered at an appropriate day/time (weekdays during business hours for B2B; weekends or evenings for B2C).
Multipart MIME is used by most professional email marketers, and for mobile email design, that approach should not change. This format sends the email content in both HTML and plain text. Using Multipart MIME will assure your email content is available, even if the mobile device only allows text. And with that said, try to build your email template in as much basic HTML as possible, because CSS is sometimes blocked and can get screwy depending on what email client is opening it.
Test, test, test. Create email accounts across various services, and send emails to yourself.
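A small lint for the HTML-coding rules above (no JavaScript or Flash, CSS inlined rather than in a style block, absolute image URLs, width within 800px), added here as an example and not part of the original post; the sample HTML is constructed and deliberately breaks several rules.

```shell
#!/bin/sh
# Added example (not from the original post): lint an HTML newsletter body
# against the coding rules above. Reads the HTML on stdin, prints one finding
# per line, prints nothing when the body is clean.

# Constructed sample that breaks several of the rules on purpose.
SAMPLE_HTML='<html><head><style>.x{color:#000}</style>
<script src="track.js"></script></head>
<body><table width="900" cellpadding="0"><tr><td style="font-family:Arial">
<img src="/img/logo.png" alt="logo">
<img src="https://cdn.example.com/hero.jpg" alt="hero">
<object type="application/x-shockwave-flash" data="ad.swf"></object>
</td></tr></table></body></html>'

lint_email_html() {
    awk '
      /<script/               { print "script: JavaScript is unsupported in email clients" }
      /<style/                { print "style: CSS block found; inline all CSS before sending" }
      /shockwave-flash|\.swf/ { print "flash: Flash is unsupported in email clients" }
      {
        # every src="..." must be an absolute URL on a reliable host
        line = $0
        while (match(line, /src="[^"]*"/)) {
          src = substr(line, RSTART + 5, RLENGTH - 6)
          if (src !~ /^https?:\/\//) print "src: relative URL " src "; use absolute links"
          line = substr(line, RSTART + RLENGTH)
        }
        # outer table width should stay within the 600-800px preview-pane range
        if (match($0, /<table[^>]*width="[0-9]+"/)) {
          w = $0; sub(/.*width="/, "", w); sub(/".*/, "", w)
          if (w + 0 > 800) print "width: table is " w "px; keep emails 600-800px wide"
        }
      }'
}

# Example run on the constructed sample.
printf '%s\n' "$SAMPLE_HTML" | lint_email_html
```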
by Anil Jalela | Dec 10, 2020 | Linux
Introduction
———–
Linux is not secure in its default configuration.
Security can be raised to a very high level, but must be balanced with functionality.
The correct Linux distribution must be chosen, and a minimal installation done.
Patches must be diligently applied.
Syslog logs must be exported and analyzed periodically.
Network services must be kept to a minimum.
Users and groups must be periodically audited.
File/folder access control lists must be set.
File integrity software may be used in high-security installations.
Application-specific security measures are also a must.
Where to start
————–
Physical system security.
Identify open ports & running services.
Check installed software.
Remote login security.
User security.
Linux auditing using syslogd.
File system security.
OS security.
Physical System Security
————————
1) Disable booting from CDs/DVDs, floppies, and external devices, and set a BIOS password.
2) Set a password for the GRUB bootloader.
Generate the password hash using the command “grub-md5-crypt”.
Add the hash to the first line of /etc/grub.conf as follows:
password --md5 passwordhash
Identify open ports & running services
—————————————-
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 783814/httpd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 325048/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4550/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 645920/sendmail
tcp 0 0 0.0.0.0:48000 0.0.0.0:* LISTEN 17535/nimbus(contro
tcp 0 0 0.0.0.0:48001 0.0.0.0:* LISTEN 17574/nimbus(spoole
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 7959/nrpe
tcp 0 0 0.0.0.0:48006 0.0.0.0:* LISTEN 17588/nimbus(hdb)
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 312402/master
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 135878/perl
tcp 0 0 127.0.0.1:10028 0.0.0.0:* LISTEN 312402/master
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 17020/mysqld
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1009332/memcached
tcp 0 0 0.0.0.0:15243 0.0.0.0:* LISTEN 16806/vsftpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 15386/httpd
tcp 0 0 :::22 :::* LISTEN 4550/sshd
tcp 0 0 :::80 :::* LISTEN 2180/httpd
udp 0 0 0.0.0.0:48000 0.0.0.0:* 17535/nimbus(contro
udp 0 0 127.0.0.1:11211 0.0.0.0:* 1009332/memcached
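Deciding which of these listeners to stop or filter starts with separating sockets bound to all interfaces from those bound to 127.0.0.1. The script below is an added example (not from the original post) that does this over a trimmed, constructed copy of the listing above and reports the network-reachable ports that are not on an allowlist of intentionally public services.

```shell
#!/bin/sh
# Added example (not from the original post): classify the sockets in a
# `netstat -tulpn` listing by bind address and flag those reachable from the
# network whose port is not on an allowlist of intentionally public services.

# Constructed sample, trimmed from the listing above (hypothetical host).
SAMPLE='tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 783814/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4550/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 645920/sendmail
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 7959/nrpe
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 17020/mysqld
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 1009332/memcached
tcp 0 0 0.0.0.0:15243 0.0.0.0:* LISTEN 16806/vsftpd
tcp 0 0 :::80 :::* LISTEN 2180/httpd
udp 0 0 0.0.0.0:48000 0.0.0.0:* 17535/nimbus(contro'

# Read netstat-style lines on stdin; print "proto port program" for every
# socket bound to all interfaces (0.0.0.0 or ::). Sockets bound to
# 127.0.0.1 are reachable only locally and are skipped.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
        n = split($4, a, ":"); port = a[n]
        prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the PID/ prefix
        print $1, port, prog
    }'
}

# Read netstat-style lines on stdin; print the exposed listeners whose port is
# not in the space-separated allowlist given as $1. Each line printed is a
# service to stop, bind to 127.0.0.1, or restrict to specific IPs with a firewall.
unexpected_listeners() {
    allow=" $1 "
    exposed_listeners | while read -r proto port prog; do
        case "$allow" in
            *" $port "*) ;;                      # expected public service
            *) echo "$proto $port $prog" ;;
        esac
    done
}

# Example run on the constructed sample with the ports this host should serve.
printf '%s\n' "$SAMPLE" | unexpected_listeners "22 80 443 25 587"
```

On a live host, replace the sample with `netstat -tulpn | unexpected_listeners "22 80 443"` (or `ss -tulpn`, whose columns differ and would need the field numbers adjusted).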
Stop unused services, or filter their ports so that only specific IPs can reach them.
Some services do not open a network port but still create a socket, so also find which services are running:
/sbin/chkconfig --list | grep '3:on'
(For EL7: /usr/bin/systemctl list-unit-files)
root@anil:~# /sbin/chkconfig --list | grep '3:on'
abrt-ccpp 0:off 1:off 2:off 3:on 4:off 5:on 6:off
abrt-oops 0:off 1:off 2:off 3:on 4:off 5:on 6:off
abrtd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
blk-availability 0:off 1:on 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dkimproxy 0:off 1:off 2:off 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
icinga 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
kdump 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mailgraph 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
npcd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nrpe 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pmtadbloader 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pmtamc 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pmtapgsql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
puppetserver 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rrdcached 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:on 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
root@anil:~#
lsof can also be used.
Once you have found any unwanted service running, disable it using the command below.
# chkconfig serviceName off
Note:- Do not stop services you don’t know, because that can create problems when booting the system; e.g. if you are in graphical mode (runlevel 5) and stop gpm, the mouse will stop working.
Check installed software
————————
Check installed software using “rpm -qa --last” and ensure the latest versions of packages are installed – especially those that are used by lower-privileged users: httpd, openssh, kernel, sendmail, etc.
Remove software that is possibly not required from the system:
NFS and related services: autofs, nfs, nfsserver, nfslock
Unused networking services: routed, gated, ratvf, snmpd, named, dhcpd, dhclient, dhrelay, nscd, smb.
Mail services: sendmail, postfix.
Optional network and local services: atd, ldap, kudzu, rhnsd, ypbind, apache, quota, quotad, mysql, etc.
Printing services: lpr, cups, lprng.
# yum remove package-name
Note:- Before typing yes or “y”, make sure this package does not break your setup. For example, removing postfix will also remove the dependent rpm crontab, which will break your scheduled jobs.
remote login security
———————
In the main SSH configuration file, sshd_config, make the necessary changes as below.
PermitRootLogin no
AllowUsers username
Protocol 2
Remove telnet-server and rssh.
Banner /some/banner-file-path (a file containing a security warning)
No user must log in directly as ‘root’.
Administrators must log in with their own accounts and then use ‘su’ to become root.
This ensures accountability.
A viable alternative is the ‘sudo’ utility, which allows:
Listing of privileged accounts.
Actions that can be taken by these accounts.
Time-out of a logged-in user, so that he has to re-authenticate in order to use ‘sudo’.
Download from http://www.courtesan.com/sudo/intro.html
User Security
————-
:- Restrict Users from Reusing Old Passwords
This is very useful if you want to disallow users from reusing their old passwords. The old password history is kept in /etc/security/opasswd. This can be achieved by using the PAM module.
Add the following line to the ‘auth‘ section of “/etc/pam.d/system-auth”:
auth sufficient pam_unix.so likeauth nullok
The history itself is enforced by the pam_unix entry in the ‘password‘ section: remember=N keeps the last N hashes in /etc/security/opasswd and rejects them, e.g.
password sufficient pam_unix.so use_authtok sha512 shadow remember=5
(nullok permits logins with an empty password; drop it if the empty-password check below is to mean anything.)
:- Enforcing Stronger Passwords
Edit /etc/pam.d/system-auth (vi /etc/pam.d/system-auth) and set the line below in the ‘password‘ section:
password required pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-2 dcredit=-2 ocredit=-1
(lcredit, ucredit, dcredit and ocredit respectively control lower-case, upper-case, digit and other characters; a negative value is the minimum number of characters of that class required.)
:- Check Password Expiration of Users
chage -l username
# chage -l sysadm
Last password change : Jul 02, 2014
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Set password expiry:
# chage -M 60 -m 7 -W 7 userName
-M Set maximum number of days
-m Set minimum number of days
-W Set the number of days of warning
:- Lock and Unlock Account
# passwd -l accountName
# passwd -u accountName
:- Lock Cron Jobs for Users
Cron has its own built-in feature that allows you to specify who may, and who may not, run jobs. This is controlled by the files /etc/cron.allow and /etc/cron.deny. To block a user from using cron, simply add the user name to cron.deny; to allow a user to run cron jobs, add the name to cron.allow. If you would like to disable cron for all users, add the ‘ALL‘ line to the cron.deny file.
# echo ALL >> /etc/cron.deny
:- Disable CTRL+ALT+DEL Restart using /etc/sysctl.conf
# Disable CTRL+ALT+DEL restart keys: 0 hands the key combination to init instead of letting the kernel reboot at once (a value of 1 means an immediate reboot without even syncing disks, the opposite of what is wanted here)
kernel.ctrl-alt-del = 0
# init must then be told not to reboot either: /etc/init/control-alt-delete.conf on EL6, or `systemctl mask ctrl-alt-del.target` on EL7
:- Users with Empty Passwords
Check for users that were created but have no password set.
# awk -F: '($2==""){print $1}' /etc/shadow
No dormant or generic accounts are present. Accounts of separated users are not present.
All system (non-user) accounts have /bin/false for the shell.
All system accounts have *NP* or *LK* in their password fields in /etc/shadow.
An SOP exists for verifying the validity of accounts in these files. Every account in passwd has a corresponding entry in shadow.
Only one line contains 0 in the UID field of the passwd file.
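The account checks listed above can be scripted. The following is an added example (not from the original post) that runs them over constructed copies of /etc/passwd and /etc/shadow; the UID-500 boundary for system accounts is the EL6 convention assumed here, and /sbin/nologin is accepted alongside /bin/false as a non-login shell.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd/shadow copies for
# empty passwords, extra UID-0 accounts, passwd entries with no shadow entry,
# and system accounts (UID below 500) that still have a login shell.

# Constructed sample files; on a real host use /etc/passwd and /etc/shadow.
PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:3:3:backup:/var/backups:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
sysadm:x:500:500::/home/sysadm:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
orphan:x:502:502::/home/orphan:/bin/bash'
SHADOW='root:$6$saltsalt$hashhash:16253:0:99999:7:::
bin:*:16253:0:99999:7:::
daemon:*:16253:0:99999:7:::
backup:!!:16253:0:99999:7:::
toor:$6$saltsalt$hashhash:16253:0:99999:7:::
sysadm:$6$saltsalt$hashhash:16253:0:99999:7:::
guest::16253:0:99999:7:::'

PASSWD_FILE=$(mktemp); SHADOW_FILE=$(mktemp)
trap 'rm -f "$PASSWD_FILE" "$SHADOW_FILE"' EXIT
printf '%s\n' "$PASSWD" > "$PASSWD_FILE"
printf '%s\n' "$SHADOW" > "$SHADOW_FILE"

# 1. Shadow entries with an empty password field: anyone can log in as them.
empty_passwords() { awk -F: '$2 == "" {print $1}' "$1"; }

# 2. Every account with UID 0; exactly one (root) is expected.
uid_zero_accounts() { awk -F: '$3 == 0 {print $1}' "$1"; }

# 3. passwd accounts with no corresponding shadow entry ($1 = passwd, $2 = shadow).
missing_shadow() {
    awk -F: 'NR == FNR {seen[$1] = 1; next} !($1 in seen) {print $1}' "$2" "$1"
}

# 4. System accounts (0 < UID < 500) whose shell still allows interactive login.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 500 && $7 != "/bin/false" && $7 != "/sbin/nologin" {print $1}' "$1"
}

# Print a report; each non-empty section is something to fix.
audit_accounts() {
    echo "empty password:";        empty_passwords "$2"
    echo "uid 0 accounts:";        uid_zero_accounts "$1"
    echo "missing shadow entry:";  missing_shadow "$1" "$2"
    echo "system accounts with shell:"; system_accounts_with_shell "$1"
}

audit_accounts "$PASSWD_FILE" "$SHADOW_FILE"
```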
Also known as Password Cracking
Use ‘Crack’ from http://www.users.dircon.co.uk/~crypto/download/c50-faq.html
It works on almost all Unix platforms and is very fast.
Another viable password cracker is John the Ripper.
Set these tools running for a day or two and ferret out all weak passwords.
Linux auditing using syslogd
—————————-
Configuration file is /etc/syslog.conf
Format is:
Facility.Priority Action to be taken.
Facility – the application/program that is generating the logs.
Priority – Emerg, alert, crit, err, warning, notice, info, debug, none.
Action – send it to a file, send it to console, send it via email, send it to another system (loghost).
Segregation of responsibilities – send logs to another system, where the security administrator has control.
/var/log/messages – Where the whole system’s logs or current activity logs are available.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron job).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.
Useful commands to check logins and processes :- last, lastlog, lastb
Other commands :- atop, top -n 1 -b, ps aux, who, w, whoami, uptime.
:- Use tools for log analysis
Swatch – real-time monitoring of logs
Logsentry
Logwatch
File System Security
——————–
Unix permissions apply to three entities:
Owner:Group:Everyone.
Three main permissions apply, with numeric representations:
Read = 4, Write = 2, Execute = 1.
The first character of an ls -l entry identifies the type of file: “d = directory”, “- = file”, “s = socket”, “l = link”, “p = pipe”.
Permissions of new files are determined by the umask value, so make sure all users run with the default umask 0022.
:- To check umask
# for user in $(awk -F: '{print $1}' /etc/passwd); do printf "%-10s" "$user"; su -c 'umask' -l "$user" 2>/dev/null; done
To skip system users (UID below 500):
# for user in $(awk -F: '( $3 >= 500 ){print $1}' /etc/passwd); do printf "%-10s" "$user"; su -c 'umask' -l "$user" 2>/dev/null; done
SUID and SGID files are executables that can be executed by anyone, but they execute with the privileges of the owner (usually root) or group – very critical checks!
# find / -type f -perm -4000
# find / -type f -perm -2000
https://www.rfxn.com/downloads/faf-current.tar.gz is good software to find and fix such files on the system.
:-File Integrity
File Integrity can be verified:
Size and timestamp – can be modified to fool the auditor
MD5 hashes – secured method, but tedious.
File Integrity Software:
Must be used immediately after the installation.
Create a database of MD5 hashes of all critical files.
Monitor changes to these files and send alerts.
Tripwire – commercial, scalable, central console
AIDE – open-source, reasonably enterprise-level
OS security
———–
Use TCP Wrappers to restrict service and port access.
Set limits for user processes and open files.
Keep the system updated using yum update.
Turn on SELinux (Permissive mode at least) :-
Enforcing: This is default mode which enable and enforce the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful in term of troubleshooting SELinux related issues.
Disabled: SELinux is turned off.
Do not use the X Window System.
Enable iptables or another firewall.
Set the /boot partition read-only by editing /etc/fstab (vi /etc/fstab):
LABEL=/boot /boot ext2 defaults,ro 1 2
Ignore ICMP or Broadcast Request using sysctl.conf
#Ignore ICMP request:
net.ipv4.icmp_echo_ignore_all = 1
#Ignore Broadcast request:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Disable IPv6 using /etc/sysconfig/network:
NETWORKING_IPV6=no
IPV6INIT=no
Check system security regularly using tools such as:
Snort
nmap
Nessus
OpenVAS
Nikto, and other tools.
Vulnerability Databases
———————–
www.SecurityFocus.com/bid – feed in the vendor, software and version number, then check the vulnerabilities and see whether any exploits are available.
Portscan Report – Superscan
Portscan Report – Nmap