ISPConfig 3 Security
Hi all,
I have managed to install ISPConfig without any problem. I was asked to run these commands to check server security by our old hosting company.

Code:
netstat -rn
Kernel IP routing table

Code:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

Code:
Chain INPUT (policy ACCEPT 129K packets, 13M bytes)

Code:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

I am asking this so that I can understand this system much better. I've been using it for six months now and it seems very good, but I've never tested its security side. I want to defend using it at our school. Thanks in advance. |
Looks fine. Only the services needed for a complete hosting system are running.
What do you use the server for? For example, if you don't run your own DNS server, you can stop mydns. Also make sure that you install the security updates of your Linux distribution regularly. |
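A mechanical way to answer "what is listening on this server, and from where is it reachable?" is to run the `lsof -i -n -P` output through a small filter that reports only sockets bound to a wildcard address. The script below is an added example, not code from the thread or from ISPConfig; its sample input is constructed from the listener lines the hosting company's adviser quotes later in this thread, with the column header from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): audit `lsof -i -n -P` output for services
# that listen on all interfaces instead of only on loopback.
# SAMPLE_LSOF is constructed from the listing quoted later in the thread.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 2475 mysql 10u IPv4 6189 TCP *:3306 (LISTEN)
couriertc 3076 root 3u IPv6 7471 TCP *:993 (LISTEN)
couriertc 3092 root 3u IPv6 7501 TCP *:110 (LISTEN)
mydns 3119 nobody 8u IPv6 7656 UDP [::1]:53
ntpd 3590 ntp 16u IPv4 8873 UDP *:123'

# Reads lsof output on stdin and prints "<command> <proto> <port>" for every
# socket bound to a wildcard address (*, 0.0.0.0 or [::]).  Loopback-only
# sockets and established connections (address contains "->") are skipped.
# The protocol column is located by value, so the filter works whether or not
# lsof printed the SIZE/OFF column.
public_listeners() {
    awk '
        NR == 1 { next }                         # skip the column header
        {
            for (i = 1; i < NF; i++) {
                if ($i == "TCP" || $i == "UDP") {
                    addr = $(i + 1)
                    if (index(addr, "->") > 0) next
                    n = split(addr, parts, ":")
                    port = parts[n]
                    host = substr(addr, 1, length(addr) - length(port) - 1)
                    if (host == "*" || host == "0.0.0.0" || host == "[::]")
                        print $1, $i, port
                }
            }
        }'
}

# Runs the filter over the constructed sample; expected to report mysqld,
# both courier listeners and ntpd, but not mydns, which is bound to [::1].
audit_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | public_listeners
}

# On a live system (as root, so every process is visible):
#   lsof -i -n -P | public_listeners
audit_sample
```

Anything the filter prints is reachable from every interface and therefore depends entirely on the firewall and on the service's own authentication; that is the list to compare against what the server actually has to offer to the outside.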
Thank you very much Till, for clear explanation.
I don't need to configure DNS on this server. I will stop mydns. Thank you and stay blessed. Regards. |
Dear Till,
Here is the advice from the security adviser of the hosting company after I sent him the command output. He insists there are no restrictions at all on the firewall. Also, he advises using SFTP instead of FTP. Can you tell me how to enable SFTP? He also advises binding SMTP to 127.0.0.1:25. His advice is below. Please advise, since you are much more familiar with ISPConfig than I am. Thanks in advance.
----------------------------------------------
1. lsof -i -n -P

1.a) MySQL
Code:
mysqld 2475 mysql 10u IPv4 6189 TCP *:3306 (LISTEN)
If you only expect connections from localhost, then please add this to /etc/my.cnf:
Code:
# only listen on localhost

1.b) IMAP running....?
Code:
accessible worldwide, right? outsiders could probe for passwords there....!

1.c) IMAP over SSL running... (same)
Code:
couriertc 3076 root 3u IPv6 7471 TCP *:993 (LISTEN)

1.d) POP running (same)
Code:
couriertc 3092 root 3u IPv6 7501 TCP *:110 (LISTEN)

1.e) POP over SSL running (same)
Code:

1.f) DNS running, but OK.
Code:
mydns 3119 nobody 8u IPv6 7656 UDP [::1]:53

1.g) SMTP service running (postfix)
Code:
if necessary for emails from web-applications, then please bind to 127.0.0.1:25

1.h) FTP server
Code:
passwords. It is more secure to use ssh, scp, sftp -- all via sshd and port 22

1.i) NTP running, but restricted. good!
Code:
ntpd 3590 ntp 16u IPv4 8873 UDP *:123
note: 1.f) and 1.i) are not an issue, just noted for completeness.

2. iptables -L -n -v --line-numbers
no restriction at all. :-( all on loopback interface "lo" should be allowed. I recommend ssh (22), ftp (21) to be restricted to some certain known secure addresses. I recommend to block connections (other than loopback allowed above) for ports mysql (3306), dns (53), smtp (25), ntp (123) and if possible ftp (21) if you use ssh instead. others, including IMAP, POP, should be blocked in iptables and disabled as a service.
-------------------------------------------------------------
What is your advice? Regards. |
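The adviser's point 2 translates into a short iptables INPUT policy: allow everything on loopback (so MySQL, Postfix on 127.0.0.1:25, mydns and ntpd keep working for local applications), allow ssh and ftp only from known addresses, keep the web ports public, and let the chain policy drop everything else, including 3306, 53, 25, 123 and the IMAP/POP ports. The script below is an added example, not code from the thread or from ISPConfig. `ADMIN_NETS` and `FTP_PASSIVE` are placeholders that have to be replaced with the real administrative addresses and the passive-mode range the FTP daemon is configured with; by default the script only prints the rules (`IPT=echo`), and it changes the running firewall only when run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): an iptables INPUT policy
# following the hosting company's recommendations.
#   - everything on loopback is allowed
#   - ssh (22) and ftp (21 plus the passive range) only from known addresses
#   - web traffic stays public; everything else is dropped by the chain policy
# ADMIN_NETS uses RFC 5737 documentation ranges as constructed placeholders;
# FTP_PASSIVE is a placeholder that must match the FTP daemon's passive range.
ADMIN_NETS="${ADMIN_NETS:-192.0.2.10 198.51.100.0/24}"
FTP_PASSIVE="${FTP_PASSIVE:-40000:40100}"
# Dry run by default: IPT=echo prints the rules. Apply with IPT=iptables as root.
IPT="${IPT:-echo}"

apply_firewall() {
    $IPT -F INPUT
    # 1. loopback: local clients of mysql, smtp, dns and ntp are unaffected
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. replies to connections the server opened itself (updates, DNS lookups)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. ssh and ftp (control port and passive data range) only from admin addresses
    for net in $ADMIN_NETS; do
        $IPT -A INPUT -p tcp -s "$net" --dport 22 -j ACCEPT
        $IPT -A INPUT -p tcp -s "$net" --dport 21 -j ACCEPT
        $IPT -A INPUT -p tcp -s "$net" --dport "$FTP_PASSIVE" -j ACCEPT
    done
    # 4. the hosting service itself stays reachable for everyone
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
    # 5. log a sample of what gets dropped, so blocked probes are visible in syslog
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    # 6. set the default policy last, so an existing ssh session is never
    #    interrupted between flushing the chain and adding the accept rules
    $IPT -P INPUT DROP
}

apply_firewall
```

Nothing in the policy mentions 3306, 53, 25, 123, 110, 143, 993 or 995 explicitly: they are closed because no rule accepts them and the policy is DROP, which is also what makes the loopback rule sufficient for the adviser's "bind SMTP to 127.0.0.1" concern from the network side. Services that are not needed at all (the IMAP and POP daemons, when mail is handled elsewhere) should still be disabled rather than merely filtered.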
any response please....!!!!
|
The answer is still the same as in #2. The setup is fine.
SFTP is handled by the SSH daemon and not the FTP daemon, so you will have to create SSH users to use it, which will not improve security as these users would get shell access then instead of having just virtual FTP users. So in general it's better to use FTPS (which is FTP over SSL) and not SFTP. See the ISPConfig FAQ for instructions on how to enable SSL encryption for pure-ftpd. |
If he advised you to use SFTP instead of "plain" FTP, does he have a solution to jail the logged-in users? As SFTP is a sub-protocol of SSH...
More than that, I'd suggest the use of FTPS (FTP over SSL/TLS), so the only thing you need to do is to configure your FTP daemon for the use of FTPS and, if possible, to force SSL/TLS only. Generally he is right to enforce encryption anywhere possible and to disable access to any service (or the service itself, depending on your business needs) that does not need to be accessed from outside (or to restrict access to only specific locations, if you are able to define these)... But this is only the security on the network layer. For a complete overview, you should also consider taking a look at the configuration of the (web)apps used, their source code (if possible), etc. A tool which may also help you in "hardening" your server is lynis (http://rootkit.nl). |
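Both Till's and Ben's posts come down to the same configuration step: keep virtual FTP users, but make pure-ftpd refuse anything that is not wrapped in TLS. The script below is an added example, not code from the thread, from ISPConfig or from its FAQ. It assumes the Debian/Ubuntu `pure-ftpd-wrapper` layout, where each daemon option is a file under `/etc/pure-ftpd/conf` and a `TLS` value of `2` means "TLS only" (the daemon's `-Y 2`), and the certificate path `/etc/ssl/private/pure-ftpd.pem` that pure-ftpd uses by default; the directory and certificate path are parameters so the setting can be exercised on a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the thread or the ISPConfig FAQ): force FTPS on
# pure-ftpd and verify the result from a client.
# Assumes the Debian/Ubuntu pure-ftpd-wrapper layout (one option per file in
# /etc/pure-ftpd/conf; TLS=2 is "refuse cleartext sessions").

# Writes the TLS option.  0 = plain only, 1 = TLS optional, 2 = TLS required.
# Prints the value written, so the result can be checked without root.
configure_ftps_only() {
    conf_dir="${1:-/etc/pure-ftpd/conf}"
    mkdir -p "$conf_dir"
    echo 2 > "$conf_dir/TLS"
    cat "$conf_dir/TLS"
}

# Creates the combined key+certificate file pure-ftpd expects when none is
# installed yet.  Self-signed here; use a CA-issued certificate where clients
# are expected to verify the server name.
create_ftps_certificate() {
    cert="${1:-/etc/ssl/private/pure-ftpd.pem}"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$(hostname -f)" \
        -keyout "$cert" -out "$cert"
    chmod 600 "$cert"
}

# Client-side check: negotiate TLS through AUTH TLS on the control connection
# and print the protocol and verification result.  A server that still allows
# plaintext logins passes this check too, so the TLS=2 setting itself must be
# confirmed on the server (configure_ftps_only prints it).
verify_ftps() {
    host="${1:-localhost}"
    printf 'QUIT\r\n' | openssl s_client -connect "$host:21" -starttls ftp 2>/dev/null \
        | grep -E 'Protocol|Verify return code'
}

# Usage on the server, as root (service name assumed; ISPConfig installs the
# MySQL-enabled package on Debian):
#   create_ftps_certificate
#   configure_ftps_only
#   service pure-ftpd-mysql restart
# and from a workstation:
#   verify_ftps ftp.example.com      # example.com: placeholder host name
```

Because the change is purely on the server side, the trade-off Till describes stays intact: users remain virtual FTP accounts with no shell, while the credentials and file contents the adviser worried about in point 1.h no longer cross the network in clear text.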
thanks Till and Ben,
I will do as per your advice. I will configure FTPS and force users to use it. We do have a separate mail server, so I will stop the mail services as well. Thanks and regards. |
Do not stop the mail services. Mail services are needed for several internal purposes on a Linux system. The default mail setup in ISPConfig 3 is secure and nobody can send emails without having a mail user account, so just leave it as it is. |
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.