HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


esmiz 28th December 2009 21:09

Ispconfig 3, Tiger security tool
 
Hello

The first thing I want to do is to thank the developers of ispconfig 3. Congratulations, you have made a great product!

I installed it a couple of weeks ago, and have been successfully testing it since then.
It seems 100% reliable to me, but before going into production, I want to secure it as much as possible.

Apart from many other things, I have been using tiger to check my installation; I found it quite a useful tool.
After polishing some fails and warnings, I still have some warnings in the report, related mainly to some services, some system shells, cron jobs, and the /usr/local/ directory.

I haven't tried to fix these ones because I guess that they are related to ispconfig itself, and I could break the system, but I'm unsure whether there is still something that can be done.

That's why I'd like someone with enough knowledge to have a look at the report and tell me if it looks good, or there is something that could be fixed.

I'm attaching the file here.


Regards

till 29th December 2009 10:50

Looks all fine. It seems as if the tiger tool does not know how to check the ispconfig setup and so produces some false positive warnings. For example, the server.sh is a root cronjob that has to be run as root and that needs a shell, so the permissions are all fine.

esmiz 29th December 2009 13:52

Securing ispconfig 3. Tiger
 
Many thanks for your answers Till.

I was a bit worried, mainly about the /usr/local directory warnings. I messed it up by changing permissions, thinking that would be harmless, and I had to reset them back.

I see then that both ispconfig and getmail need a valid shell to run their cronjobs, but I'm not sure if I can "chsh -s /bin/false" libuuid and vmail.

Let me ask you a couple of questions:

Does mysql need to be listening on every interface if we are not planning a multiserver setup?
What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?

Regards

till 29th December 2009 14:58

The /usr/local permissions are set by your linux distribution and not changed by ispconfig. So you should not change them.

Regarding vmail: The mail system uses maildrop that runs as user vmail and maildrop invokes external commands, so it needs a shell. See also:

http://markmail.org/message/w25epboj...+state:results

libuuid is not from ISPConfig, so I don't know if you can change it or not.

Quote:

Does mysql need to be listening on every interface if we are not planning a multiserver setup?

No. But then your customers are also not able to use tools like the mysql windows gui tools to manage their databases.

Quote:

What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?

I use logwatch on my servers.

esmiz 29th December 2009 16:03

Thanks for your advice

Thanks for your advice, Till

In fact I don't have any customers. I set up the system because we have something like 11 sites with different hosting providers, and this is more expensive than renting a dedicated server.

I have some experience with linux systems so I felt comfortable doing it, but perhaps a little bit paranoid about security.

Thanks again and happy new year!

