Securing TPS Fedora4
Hagforce
19th March 2006, 19:33
Hello again :)
I used your ISP setup on Fedora 4.
This is my first linux webserver, so new questions come up all the time :rolleyes:
I've now been running this setup on one server for two months, and just installed another one about a week ago.
The setup is basically unchanged from the tutorial; how secure is this?
The question now is how do I secure the server from attacks.
-I would like to get logs on attacks etc. from the server daily.
-I would like to protect ssh etc. from brute force.
-Suggestions on modifications from the default setup to make it more secure.
-And anything else to make it Fort Knox....
What is the max e-mail size in Postfix by default, and how do I change this?
Well, quite many questions....
It sums up to: how do I secure my server so it doesn't get hacked (I know it can't be 100% secure).
falko
20th March 2006, 13:30
-I would like to get logs on attacks etc. from the server daily.
Have a look at portsentry and logcheck.
-I would like to protect ssh etc. from brute force.
http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts
What is the max e-mail size in Postfix by default, and how do I change this?
What's the output of postconf -n | grep message_size_limit and postconf -d | grep message_size_limit?
Hagforce
20th March 2006, 17:04
The output of postconf -n | grep message_size_limit is nothing....
The output of postconf -d | grep message_size_limit is:
message_size_limit = 10240000
Thanks for the tips on securing the server...
Is this a guide that will work for me on Fedora with portsentry and logcheck (keep in mind that I'm a noob)... http://www.falkotimme.com/howtos/chkrootkit_portsentry/
Should I also install chkrootkit for "antivirus", or is there something else....
A few additional questions...
-I see the server gives output on telnet...
Should I just shut down telnet....
I can't think of anything I need it for?
It just gives away information on the software I'm running on my server, and gives the hacker a head start?
-Are there any online scanners for testing my server?
-Is there a limit for how many e-mail addresses one can have under one domain?
Thanks again for helping me out :D
falko
21st March 2006, 00:26
The output of postconf -n | grep message_size_limit is nothing....
The output of postconf -d | grep message_size_limit is:
message_size_limit = 10240000
If you want to have another message_size_limit, run
postconf -e 'message_size_limit = 20480000', for example, and restart Postfix afterwards.
Is this a guide that will work for me on fedora with portsentry and logcheck (keep in mind that I`m a noob)... http://www.falkotimme.com/howtos/chkrootkit_portsentry/
It should work for you, but the version numbers have increased; this tutorial is a little bit old.
Should I also install chkrootkit for "antivirus", or is there something else....
Have a look here: http://www.howtoforge.com/faq/1_38_en.html
-I see the server gives output on telnet...
Should I just shut down telnet....
I think you mean the telnet client, not the server. The telnet client is ok.
-Is there a limit for how many e-mail addresses one can have under one domain?
No.
Hagforce
21st March 2006, 00:44
I think you mean the telnet client, not the server. The telnet client is ok.
Yeah, I messed up :p
I mean the fact that when I use a machine on the internet with a telnet client and type "telnet myip 80", I get output of my web server version "apache 2.0.54 (fedora)".
Same with mail and other stuff.
Don't these kinds of replies give hackers an advantage in knowing the versions and the system?
Hagforce
22nd March 2006, 23:23
I didn't explain what I meant well....
When I use a telnet client against port 80 at my server it replies <address>Apache/2.0.54 (Fedora) Server at localhost Port 80</address>
And at port 25 it replies
www.domain.com ESMTP Postfix
Port 110
+OK AVG POP3 Proxy Server 7.1.371/7.1.385 [268.2.6/287]
Isn't this useful information for hackers?
Is it possible to make my server not reply with this....
Or am I making no sense now :confused:
till
22nd March 2006, 23:52
You can configure these services to not show version numbers, but I don't have the exact configuration directives at hand.
You may find this information in the documentation and the man pages of the programs.
Hagforce
23rd March 2006, 10:18
Ok...
Found it...
If anyone else would like to do this:
SSH to your Fedora box.
nano /etc/httpd/conf/httpd.conf
Type "ctrl+w" and search for "ServerSignature"
Edit this to ServerSignature off
You can also add "ServerTokens ProductOnly" on the line below it to show only Apache, not the version.
Type "ctrl+x" and save your settings.
Restart Apache
/etc/init.d/httpd restart
Telnet etc. to your box and check :)
This should mask server version and services.
Didn't find anything yet on postfix, dovecot, mysql, proftpd and pop3....
Doesn`t seem like port 81 gives out any info
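Added example (not from this thread, and not part of ISPConfig or Apache): a small Python checker for the banner-hiding steps above. It classifies banners like the three quoted earlier in the thread (copied here as constructed sample data), pulls the Server: header out of a raw HTTP response, and can connect to your own host to confirm that the ServerSignature/ServerTokens change took effect. The product list, the version regex and the "Host:" value used in the HEAD request are assumptions, not anything the thread specifies.

```python
import re
import socket
from typing import Dict, List, Optional

# Banner strings as quoted earlier in this thread. These are constructed copies of
# what the poster reported seeing; "www.domain.com" is the poster's own placeholder.
OBSERVED_BANNERS = {
    "http/80": "<address>Apache/2.0.54 (Fedora) Server at localhost Port 80</address>",
    "smtp/25": "www.domain.com ESMTP Postfix",
    "pop3/110": "+OK AVG POP3 Proxy Server 7.1.371/7.1.385 [268.2.6/287]",
}

# A version string is two or more dot-separated numeric components (2.0.54, 7.1.371).
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
# Product names that identify the software even when no version is printed (assumed list).
PRODUCT_RE = re.compile(r"\b(Apache|Postfix|Sendmail|Exim|Dovecot|ProFTPD|OpenSSH|AVG)\b", re.I)
# OS tokens Apache prints in parentheses when ServerTokens is OS or Full (assumed list).
OS_RE = re.compile(r"\((Fedora|Red Hat|CentOS|Debian|Ubuntu|Unix|Win32)\)")


def classify_banner(banner: str) -> Dict:
    """Describe what a single banner gives away to anyone who connects."""
    versions = VERSION_RE.findall(banner)
    products = PRODUCT_RE.findall(banner)
    os_hit = OS_RE.search(banner)
    return {
        "product": products[0] if products else None,
        "versions": versions,
        "os": os_hit.group(1) if os_hit else None,
        "discloses_version": bool(versions),
    }


def server_header(raw_response: bytes) -> Optional[str]:
    """Pull the Server: header out of a raw HTTP response, or None if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to one of *your own* services and return what it announces.
    Plain-HTTP ports get a HEAD request first, because Apache says nothing until asked;
    port 443 is not handled here since it needs TLS."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in (80, 81):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return server_header(sock.recv(4096)) or ""
        return sock.recv(1024).decode("latin-1", "replace").strip()


def report(banners: Dict[str, str]) -> List[str]:
    """One line per service saying whether it still needs hardening."""
    lines = []
    for service, banner in banners.items():
        info = classify_banner(banner)
        if info["discloses_version"]:
            lines.append(f"{service}: still discloses version {', '.join(info['versions'])}")
        else:
            lines.append(f"{service}: product only ({info['product']})")
    return lines


if __name__ == "__main__":
    # Offline run over the constructed banners; swap in grab_banner("your.host", 80) etc.
    # to check a box you administer after restarting the services.
    for line in report(OBSERVED_BANNERS):
        print(line)
```

After applying ServerTokens ProductOnly the http/80 entry should drop to "product only (Apache)"; the Postfix greeting already shows no version, so the POP3 proxy is the remaining one to look at.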
Hagforce
24th March 2006, 12:48
After running postconf -e 'message_size_limit = 20480000'
I get:
[root@www ~]# postconf -d | grep message_size_limit
message_size_limit = 10240000
[root@www ~]# postconf -n | grep message_size_limit
message_size_limit = 20480000
Which is outgoing/incoming :confused:
falko
24th March 2006, 21:18
postconf -d | grep message_size_limit prints the default value,
postconf -n | grep message_size_limit your current setting. So the latter prints what is currently effective.
Hagforce
25th March 2006, 17:16
After getting the logs from logcheck I'm wondering what these attacks are...
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
I haven't got SSH on port 51704, so why does it say failed password?
falko
26th March 2006, 12:26
Please post the output of netstat -tap
Do you have portsentry installed? In that case portsentry detected that login attempt and logged it.
Hagforce
26th March 2006, 13:08
netstat -tap output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:41318 *:* LISTEN 2220/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 www.xxx.xxx:783 *:* LISTEN 2672/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2203/portmap
tcp 0 0 *:81 *:* LISTEN 2898/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 static47.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static49.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:ipp *:* LISTEN 10121/cupsd
tcp 0 0 www.xxx.xx:5335 *:* LISTEN 2412/mDNSResponder
tcp 0 0 *:smtp *:* LISTEN 4706/master
tcp 0 0 www.xxx.xx:rndc *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 *:imaps *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2592/dovecot
tcp 0 0 *:imap *:* LISTEN 2592/dovecot
tcp 0 0 *:http *:* LISTEN 13136/httpd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:https *:* LISTEN 13136/httpd
tcp 0 888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
What's this one?:
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
And lots of these (from logcheck):
Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
Mar 25 05:57:47 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 207.230.192.252#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'rose.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/AAAA/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sol.put.poznan.pl/A/IN': 150.254.65.7#53
Am I hacked, or what is going on here? :confused:
I installed logcheck and chkrootkit, and set them up with cron to run every night.
I also changed the SSH port to a non-standard one.
I haven't installed portsentry yet....
I'm a bit unsure if it's the right thing for me.
With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?
Should I install a firewall too, in addition to the one in ISPConfig?
falko
26th March 2006, 22:09
What's this one?:
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
That's freshclam. It belongs to ClamAV and updates your virus signatures. Nothing to worry about.
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
That's the ISPConfig monitoring script that checks if the important services like web, ftp, etc. are still running. If it finds they aren't, the monitoring script sends you an email.
With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems?
It might cause problems if someone gets an IP address that's in /etc/hosts.deny.
Should I install a firewall too, in addition to the one in ISPConfig?
No. You can use one firewall at a time, but not mix several ones.
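Added example (not from the thread): a Python triage of the logcheck lines discussed above, covering the sshd line from the earlier post as well as the proftpd and named lines in this one. The sample log is constructed from the quoted lines plus a few extra lines in the same format; the threshold of three failures, the placeholder username and the 10.0.0.5 address are assumptions. It also shows why the port in the sshd line is not the server's port: it is the client's source port and changes with every attempt.

```python
import re
from collections import Counter, defaultdict
from typing import Dict

# Constructed sample: the lines quoted in this thread plus three extra lines in the
# same format (two more failures from the same source, one successful login).
SAMPLE_LOG = """\
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
Mar 23 00:31:09 www sshd[2322]: Failed password for invalid user admin from 67.104.249.10 port 51812 ssh2
Mar 23 00:31:12 www sshd[2324]: Failed password for root from 67.104.249.10 port 51905 ssh2
Mar 23 00:40:01 www sshd[2401]: Accepted password for webadmin from 10.0.0.5 port 40022 ssh2
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
"""

# "port NNNNN" in an sshd line is the *client's* ephemeral source port, not the port
# sshd listens on; that is why it does not match the server's SSH port.
SSH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)
# ISPConfig's monitoring script opens an FTP session from loopback every 30 minutes
# (as falko explains above); sessions from 127.0.0.1 are therefore expected.
FTP_MONITOR_RE = re.compile(
    r"proftpd\[\d+\]: \S+ \(127\.0\.0\.1\[127\.0\.0\.1\]\) - FTP session (opened|closed)"
)
NAMED_REFUSED_RE = re.compile(
    r"named\[\d+\]: unexpected RCODE \(REFUSED\) resolving '(?P<name>[^']+)': (?P<server>[\d.]+)#53"
)


def triage(log_text: str, threshold: int = 3) -> Dict:
    """Sort log lines into known-benign, suspicious and unclassified buckets."""
    failures = Counter()                # failed sshd logins per source IP
    client_ports = defaultdict(list)    # source ports seen per IP (they vary per attempt)
    invalid_users = Counter()           # usernames that do not exist on this box
    ftp_monitor = 0
    named_refused = []
    unclassified = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = SSH_FAIL_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            client_ports[m["ip"]].append(int(m["port"]))
            if m["invalid"]:
                invalid_users[m["user"]] += 1
            continue
        if FTP_MONITOR_RE.search(line):
            ftp_monitor += 1
            continue
        m = NAMED_REFUSED_RE.search(line)
        if m:
            named_refused.append((m["name"], m["server"]))
            continue
        unclassified.append(line)       # anything else deserves a human look

    return {
        "ssh_failures": failures,
        "ssh_client_ports": dict(client_ports),
        "invalid_users": invalid_users,
        "brute_force_sources": sorted(ip for ip, n in failures.items() if n >= threshold),
        "ftp_monitor_sessions": ftp_monitor,
        "named_refused": named_refused,
        "unclassified": unclassified,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in result["brute_force_sources"]:
        print(f"{ip}: {result['ssh_failures'][ip]} failed logins, "
              f"client ports {result['ssh_client_ports'][ip]}")
    print(f"benign ISPConfig FTP checks: {result['ftp_monitor_sessions']}")
    print(f"named REFUSED lookups: {len(result['named_refused'])}")
    for line in result["unclassified"]:
        print("review:", line)
```

Feed it the file logcheck mails you (or /var/log/secure and /var/log/messages directly) instead of SAMPLE_LOG; the sources that cross the threshold are the ones a tool like DenyHosts would block, and the REFUSED lines from named are reported separately so they do not get mixed up with login attempts.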
Hagforce
26th March 2006, 23:02
Thanks again for your help falko!
I can't even begin to describe how much easier your help and howtos have made the change from Windows servers to Linux.
What about the messages from named... nothing abnormal?
falko
27th March 2006, 15:38
What about the messages from named... nothing abnormal?
I haven't seen anything like this before, so I can't say. If your system is able to resolve domains, it should be ok.
Hagforce
28th March 2006, 18:33
I did a portscan from ISPConfig
Port 21 (tcp) is open (ftp)!
Port 25 (tcp) is open (smtp)!
Port 53 (tcp) is open (domain)!
Port 80 (tcp) is open (http)!
Port 81 (tcp) is open (unknown)!
Port 110 (tcp) is open (pop3)!
Port 111 (tcp) is open (sunrpc)!
Port 143 (tcp) is open (imap)!
Port 443 (tcp) is open (https)!
Port 631 (tcp) is open (ipp)!
Port 783 (tcp) is open (unknown)!
Port 953 (tcp) is open (rndc)!
Port 993 (tcp) is open (imaps)!
Port 995 (tcp) is open (pop3s)!
Port 3306 (tcp) is open (mysql)!
Port 5335 (tcp) is open (unknown)!
Port 41318 (tcp) is open (unknown)!
Port 42141 (tcp) is open (unknown)!
Port 43025 (tcp) is open (unknown)!
The setup in ISPConfig firewall is:
Name        Port  Type  Active
FTP         21    tcp   yes
SSH         22    tcp   yes
SMTP        25    tcp   yes
DNS         53    tcp   yes
DNS         53    udp   yes
WWW         80    tcp   yes
ISPConfig   81    tcp   yes
POP3        110   tcp   yes
SSL (www)   443   tcp   yes
Why are all these other ports (that are not configured in the firewall) open :eek:
till
28th March 2006, 18:36
Why are all these other ports (that are not configured in the firewall) open :eek:
You cannot test your firewall with the ISPConfig portscan :) The ISPConfig script that scans the ports is on your server (inside) the firewall.
Try to find a port scanner that you can run on your workstation and scan your server from there.
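Added example (not from the thread, and not part of ISPConfig): a Python script that reads netstat -tap output like the listing posted earlier and compares it with the ISPConfig firewall table above, so you can see from inside the box which listeners the firewall is supposed to cover and which it is not, without a port scanner. The netstat text is a constructed copy of the posted listing, the service-name-to-port table assumes standard /etc/services values, and the firewall set is the one in the thread.

```python
import socket
from typing import Dict, List, Optional

# Constructed copy of the netstat -tap output posted in this thread (hostnames
# masked the same way as in the post; duplicate named lines collapsed to one).
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:41318 *:* LISTEN 2220/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 www.xxx.xxx:783 *:* LISTEN 2672/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2203/portmap
tcp 0 0 *:81 *:* LISTEN 2898/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 www.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:ipp *:* LISTEN 10121/cupsd
tcp 0 0 www.xxx.xx:5335 *:* LISTEN 2412/mDNSResponder
tcp 0 0 *:smtp *:* LISTEN 4706/master
tcp 0 0 www.xxx.xx:rndc *:* LISTEN 26203/named
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 *:imaps *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2592/dovecot
tcp 0 0 *:imap *:* LISTEN 2592/dovecot
tcp 0 0 *:http *:* LISTEN 13136/httpd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:https *:* LISTEN 13136/httpd
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
"""

# TCP ports the ISPConfig firewall table in this thread allows.
FIREWALL_TCP_PORTS = {21, 22, 25, 53, 80, 81, 110, 443}

# netstat prints service names instead of numbers; these are the usual /etc/services
# values (assumed here so the script does not depend on the local services file).
SERVICE_PORTS = {
    "ftp": 21, "smtp": 25, "domain": 53, "http": 80, "pop3": 110, "sunrpc": 111,
    "imap": 143, "https": 443, "ipp": 631, "rndc": 953, "imaps": 993, "pop3s": 995,
    "mysql": 3306,
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def port_number(name: str) -> Optional[int]:
    """Turn the port part of a netstat local address into a number."""
    if name.isdigit():
        return int(name)
    if name in SERVICE_PORTS:
        return SERVICE_PORTS[name]
    try:
        return socket.getservbyname(name, "tcp")
    except OSError:
        return None


def parse_listeners(text: str) -> List[Dict]:
    """Return one record per LISTEN line: port, bound address, program."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[5] != "LISTEN":
            continue                                  # header, ESTABLISHED, blanks
        host, _, svc = parts[3].rpartition(":")
        listeners.append({
            "port": port_number(svc),
            "bind": host,
            "program": " ".join(parts[6:]),           # program field may contain spaces
        })
    return listeners


def exposure_report(listeners: List[Dict], firewall_ports: set) -> Dict[str, List[int]]:
    """Compare what listens on the box with what the firewall is meant to allow."""
    report = {"exposed_allowed": [], "exposed_not_in_firewall": [], "local_only": []}
    for entry in listeners:
        if entry["port"] is None:
            continue
        if entry["bind"] in LOOPBACK:
            report["local_only"].append(entry["port"])      # never reachable from outside
        elif entry["port"] in firewall_ports:
            report["exposed_allowed"].append(entry["port"])
        else:
            report["exposed_not_in_firewall"].append(entry["port"])
    listening = {entry["port"] for entry in listeners}
    # A rule with nothing behind it: here SSH 22, because sshd was moved to 23314.
    report["firewall_without_listener"] = sorted(firewall_ports - listening)
    return {key: sorted(ports) for key, ports in report.items()}


if __name__ == "__main__":
    for key, ports in exposure_report(parse_listeners(NETSTAT_OUTPUT), FIREWALL_TCP_PORTS).items():
        print(f"{key}: {ports}")
```

On the posted listing this reports mysql, portmap, rpc.statd, spamd, cupsd, mDNSResponder, the externally bound rndc and the moved sshd as listening outside the firewall table, and port 22 as a firewall rule with no listener behind it; the ISPConfig scan sees every one of them because it runs on the box itself, which is till's point above. A scan from a workstation outside, as he suggests, is what shows which of these the firewall actually filters.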