HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: ISPConfig 3 Security (http://www.howtoforge.com/forums/showthread.php?t=43784)

mnzava 2nd March 2010 16:10

ISPConfig 3 Security
 
Hi all,

I have managed to install ispconfig without any problem.

I was asked to run these commands to check server security by our old hosting company.

Code:

netstat -rn
lsof -i -n -P
iptables -L -n -v --line-numbers
iptables -L -n -v --line-numbers -t nat

These are the outputs.
netstat -rn
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
192.168.0.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
0.0.0.0        192.168.0.1    0.0.0.0        UG        0 0          0 eth0

lsof -i -n -P
Code:

COMMAND    PID          USER  FD  TYPE DEVICE SIZE NODE NAME
apache2    1460      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2    1460      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2    1460      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)
sshd      2286          root    3r  IPv4 459096      TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
sshd      2315 administrator    3u  IPv4 459096      TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
sshd      2345          root    3u  IPv4  5790      TCP *:22 (LISTEN)
sshd      2345          root    4u  IPv6  5793      TCP *:22 (LISTEN)
amavisd-n  2371        amavis    7u  IPv4  5861      TCP 127.0.0.1:10024 (LISTEN)
mysqld    2446        mysql  10u  IPv4  5951      TCP *:3306 (LISTEN)
spamd      2509          root    5u  IPv4  6131      TCP 127.0.0.1:783 (LISTEN)
couriertc  3068          root    3u  IPv6  7382      TCP *:143 (LISTEN)
couriertc  3098          root    3u  IPv6  7425      TCP *:993 (LISTEN)
couriertc  3121          root    3u  IPv6  7483      TCP *:110 (LISTEN)
couriertc  3149          root    3u  IPv6  7539      TCP *:995 (LISTEN)
mydns      3166        nobody    2u  IPv4  7702      UDP 127.0.0.1:53
mydns      3166        nobody    3u  IPv4  7703      TCP 127.0.0.1:53 (LISTEN)
mydns      3166        nobody    4u  IPv4  7704      UDP 192.168.0.24:53
mydns      3166        nobody    5u  IPv4  7705      TCP 192.168.0.24:53 (LISTEN)
mydns      3166        nobody    6u  IPv6  7706      UDP [::1]:53
mydns      3166        nobody    7u  IPv6  7707      TCP [::1]:53 (LISTEN)
mydns      3169        nobody    2u  IPv4  7702      UDP 127.0.0.1:53
mydns      3169        nobody    3u  IPv4  7703      TCP 127.0.0.1:53 (LISTEN)
mydns      3169        nobody    4u  IPv4  7704      UDP 192.168.0.24:53
mydns      3169        nobody    5u  IPv4  7705      TCP 192.168.0.24:53 (LISTEN)
mydns      3169        nobody    6u  IPv6  7706      UDP [::1]:53
mydns      3169        nobody    7u  IPv6  7707      TCP [::1]:53 (LISTEN)
master    3267          root  12u  IPv4  7953      TCP *:25 (LISTEN)
master    3267          root  106u  IPv4  8086      TCP 127.0.0.1:10025 (LISTEN)
pure-ftpd  3281          root    4u  IPv4  8113      TCP *:21 (LISTEN)
pure-ftpd  3281          root    5u  IPv6  8115      TCP *:21 (LISTEN)
ntpd      3332          ntp  16u  IPv4  8257      UDP *:123
ntpd      3332          ntp  17u  IPv6  8258      UDP *:123
ntpd      3332          ntp  18u  IPv6  8263      UDP [fe80::21e:c9ff:fee5:c538]:123
ntpd      3332          ntp  19u  IPv6  8264      UDP [::1]:123
ntpd      3332          ntp  20u  IPv4  8265      UDP 127.0.0.1:123
ntpd      3332          ntp  21u  IPv4  8266      UDP 192.168.0.24:123
apache2    3429          root    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2    3429          root    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2    3429          root    5u  IPv4  8447      TCP *:8080 (LISTEN)
amavisd-n  3510        amavis    7u  IPv4  5861      TCP 127.0.0.1:10024 (LISTEN)
amavisd-n  3510        amavis  16u  IPv4 332340      TCP 127.0.0.1:50560->127.0.0.1:10025 (CLOSE_WAIT)
amavisd-n  3511        amavis    7u  IPv4  5861      TCP 127.0.0.1:10024 (LISTEN)
spamd      3512          root    5u  IPv4  6131      TCP 127.0.0.1:783 (LISTEN)
spamd      3513          root    5u  IPv4  6131      TCP 127.0.0.1:783 (LISTEN)
apache2  31752      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2  31752      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2  31752      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)
apache2  31754      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2  31754      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2  31754      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)
apache2  31755      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2  31755      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2  31755      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)
apache2  31756      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2  31756      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2  31756      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)
apache2  31757      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2  31757      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2  31757      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)
apache2  31758      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
apache2  31758      www-data    4u  IPv4  8444      TCP *:443 (LISTEN)
apache2  31758      www-data    5u  IPv4  8447      TCP *:8080 (LISTEN)

iptables -L -n -v --line-numbers
Code:

Chain INPUT (policy ACCEPT 129K packets, 13M bytes)
num  pkts bytes target    prot opt in    out    source              destination       
1      538 39658 fail2ban-ssh  tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 21139 packets, 1761K bytes)
num  pkts bytes target    prot opt in    out    source              destination       

Chain fail2ban-ssh (1 references)
num  pkts bytes target    prot opt in    out    source              destination       
1      538 39658 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0

iptables -L -n -v --line-numbers -t nat

Code:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target    prot opt in    out    source              destination       

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num  pkts bytes target    prot opt in    out    source              destination

Now can someone tell me if there is any security issue in the output of these commands? If there are any issues, which service should I stop, or what should I do to solve them? Regards.

I am asking this so that I can understand this system much better. I've been using it for six months now, and it seems very good, but I've never tested its security side.

I want to defend this to be used at our school.

Thanks in advance.

till 2nd March 2010 17:17

Looks fine. Only the services needed for a complete hosting system are running.

What do you use the server for? For example, if you don't run your own DNS server, you can stop mydns.

Also make sure that you install the security updates of your Linux distribution regularly.

mnzava 3rd March 2010 19:38

Thank you very much Till, for the clear explanation.
I don't need to configure DNS on this server. I will stop mydns.
Thank you and stay blessed.
Regards.

mnzava 5th March 2010 15:11

Dear Till,

Here is the advice from the security adviser of the hosting company after sending the commands. He insists there are no restrictions at all on the firewall.

Also, he advises to use SFTP instead of FTP. Can you tell me how to enable SFTP?

Also he advises to bind SMTP to 127.0.0.1:25
Here below is his advice.

Please advise, since you are more familiar with ISPConfig than me.

Thanks in advance.

----------------------------------------------

1. lsof -i -n -P

1.a) MySQL
Code:

mysqld    2475        mysql  10u    IPv4            6189                TCP *:3306 (LISTEN)

listening to the whole world for connections, can be bad.

If you only expect connections from localhost, then please add this line to /etc/my.cnf:
Code:

# only listen on localhost
bind-address=127.0.0.1

1.b) IMAP running....?
Code:

couriertc  3049          root    3u    IPv6            7457                TCP *:143 (LISTEN)

if it's a webserver then IMAP services don't need to be running and accessible worldwide, right?
outsiders could probe for passwords there....!

1.c) IMAP over SSL running... (same)
Code:

couriertc  3076          root    3u    IPv6            7471                TCP *:993 (LISTEN)

same as above

1.d) POP running (same)
Code:

couriertc  3092          root    3u    IPv6              7501                TCP *:110 (LISTEN)

same as above

1.e) POP over SSL running (same)
Code:

couriertc  3114          root    3u    IPv6            7533                TCP *:995 (LISTEN)

1.f) DNS running, but OK.
Code:

mydns      3119        nobody    8u    IPv6            7656                UDP [::1]:53
mydns      3119        nobody    9u    IPv6            7657                TCP [::1]:53 (LISTEN)

not an issue as not an open resolver.

1.g) SMTP service running (postfix)
Code:

master    3193          root  12u    IPv4            7795                TCP *:25 (LISTEN)

should not be necessary on a web server.
if necessary for emails from web-applications, then please bind to 127.0.0.1:25

1.h) FTP server
Code:

pure-ftpd  3207          root    4u    IPv4            7955                TCP *:21 (LISTEN)
pure-ftpd  3207          root    5u    IPv6            7957                TCP *:21 (LISTEN)

please make sure it is secured and passwords of permitted users are good passwords.
It is more secure to use ssh, scp, sftp -- all via sshd and port 22

1.i) NTP running, but restricted. good!
Code:

ntpd      3590          ntp  16u    IPv4            8873                UDP *:123
ntpd      3590          ntp  17u    IPv6              8874                UDP *:123

note: 1.f) and 1.i) are not an issue, just noted for completeness.

2. iptables -L -n -v --line-numbers

no restriction at all. :-(

all on loopback interface "lo" should be allowed.
I recommend ssh (22), ftp (21) to be restricted to some certain known secure addresses.
I recommend to block connections (other than loopback allowed above) for ports mysql (3306), dns (53), smtp (25), ntp (123) and if possible ftp (21) if you use ssh instead.
others, including IMAP, POP, should be blocked in iptables and disabled as a service.

-------------------------------------------------------------

What is your advice?

regards.
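An added example (not from the thread, ISPConfig or the hosting company) that turns the adviser's point 1 into a repeatable check: it parses `lsof -i -n -P` output in the shape of the listing above and flags every listener bound to a non-loopback address on a port that should only be reachable locally. The sample lines and the LOOPBACK_ONLY port set are constructed assumptions taken from the adviser's notes, not project code.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the `lsof -i -n -P` listing posted in this thread
SAMPLE_LSOF = """\
COMMAND    PID          USER  FD  TYPE DEVICE SIZE NODE NAME
apache2    1460      www-data    3u  IPv4  8442      TCP *:80 (LISTEN)
mysqld     2446         mysql   10u  IPv4  5951      TCP *:3306 (LISTEN)
spamd      2509          root    5u  IPv4  6131      TCP 127.0.0.1:783 (LISTEN)
mydns      3166        nobody    4u  IPv4  7704      UDP 192.168.0.24:53
mydns      3166        nobody    6u  IPv6  7706      UDP [::1]:53
master     3267          root   12u  IPv4  7953      TCP *:25 (LISTEN)
couriertc  3068          root    3u  IPv6  7382      TCP *:143 (LISTEN)
sshd       2286          root    3r  IPv4 459096     TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
"""

# Policy drawn from the adviser's notes (an assumption, adjust per server): these ports
# only serve local daemons (MySQL, spamd, the amavis/postfix loopback hops).
LOOPBACK_ONLY = {3306, 783, 10024, 10025}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}

Listener = namedtuple("Listener", "command user proto addr port verdict")
SOCKET_RE = re.compile(r"(TCP|UDP)\s+(\S+):(\d+)(?:\s+\((\w+)\))?$")

def audit_lsof(text, loopback_only=LOOPBACK_ONLY):
    """One Listener per listening socket. Verdicts: 'local' (bound to loopback),
    'exposed' (network-reachable on a loopback-only port), 'public' (network-reachable
    on a port expected to serve remote clients)."""
    findings = []
    for line in text.splitlines()[1:]:          # [1:] skips the column header
        m = SOCKET_RE.search(line)
        if not m or "->" in line:               # no socket, or an established connection
            continue
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if proto == "TCP" and state != "LISTEN":
            continue                            # only listening TCP sockets matter here
        if addr in LOOPBACK_ADDRS:
            verdict = "local"
        elif port in loopback_only:
            verdict = "exposed"
        else:
            verdict = "public"
        fields = line.split()                   # COMMAND is column 0, USER is column 2
        findings.append(Listener(fields[0], fields[2], proto, addr, port, verdict))
    return findings

def exposed(text, loopback_only=LOOPBACK_ONLY):
    # Just the sockets that contradict the loopback-only policy
    return [f for f in audit_lsof(text, loopback_only) if f.verdict == "exposed"]
```

Feed `audit_lsof` the real `lsof -i -n -P` output instead of the sample; adding 25 to the port set models the adviser's "bind SMTP to 127.0.0.1" recommendation, whereas Till's later reply keeps Postfix as it is.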

mnzava 6th March 2010 11:25

any response please....!!!!

till 6th March 2010 13:27

The answer is still the same as in #2. The setup is fine.

SFTP is handled by the SSH daemon and not the FTP daemon, so you will have to create SSH users to use it, which will not improve security as these users would get shell access then instead of having just virtual FTP users. So in general it's better to use FTPS (which is FTP over SSL) and not SFTP. See the ISPConfig FAQ for instructions on how to enable SSL encryption for pure-ftpd.

Ben 6th March 2010 16:01

If he advised you to use SFTP instead of "plain" FTP, does he have a solution to jail the logged-in users? As SFTP is a sub-protocol of SSH...
More than that I'd suggest the use of ftpS (ftp over SSL/TLS), so the only thing you need to do is to configure your ftp daemon for the use of ftps and if possible to force ssl / tls only.

Generally he is right, to enforce encryption anywhere where possible and disable the access to any service (or the service itself, depends on your business needs) that is not needed to be accessed from outside (or to restrict the access from only specific locations, if you are able to define these)...

But this is only the security on the network layer. For a complete overview, you should also consider taking a look at the configuration of the used (web) apps, their source code (if possible) etc.

A tool which may also help you "hardening" your server is lynis (http://rootkit.nl).

mnzava 7th March 2010 20:44

Thanks Till and Ben,
I will do as per your advice.
I will configure FTPS and force users to use it.
We do have a separate mail server,
so I will stop mail services as well.

thanks and regards.

till 8th March 2010 11:00

Do not stop mail services. Mail services are needed for several internal purposes on a Linux system. The default mail setup in ISPConfig 3 is secure and nobody can send emails without having a mail user account, so just leave it as it is.

