#1  
Old 2nd March 2010, 16:10
mnzava mnzava is offline
Member
  
Join Date: Aug 2007
Location: Dar es Salaam, Tanzania
Posts: 46
Thanks: 8
Thanked 0 Times in 0 Posts
Default ISPConfig 3 Security
Hi all,

I have managed to install ispconfig without any problem.

I was asked to run these commands to check server security by our old hosting company.

Code:
netstat -rn
lsof -i -n -P
iptables -L -n -v --line-numbers
iptables -L -n -v --line-numbers -t nat
These are the outputs.
netstat -rn
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
lsof -i -n -P
Code:
COMMAND     PID          USER   FD   TYPE DEVICE SIZE NODE NAME
apache2    1460      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2    1460      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2    1460      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
sshd       2286          root    3r  IPv4 459096       TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
sshd       2315 administrator    3u  IPv4 459096       TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
sshd       2345          root    3u  IPv4   5790       TCP *:22 (LISTEN)
sshd       2345          root    4u  IPv6   5793       TCP *:22 (LISTEN)
amavisd-n  2371        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
mysqld     2446         mysql   10u  IPv4   5951       TCP *:3306 (LISTEN)
spamd      2509          root    5u  IPv4   6131       TCP 127.0.0.1:783 (LISTEN)
couriertc  3068          root    3u  IPv6   7382       TCP *:143 (LISTEN)
couriertc  3098          root    3u  IPv6   7425       TCP *:993 (LISTEN)
couriertc  3121          root    3u  IPv6   7483       TCP *:110 (LISTEN)
couriertc  3149          root    3u  IPv6   7539       TCP *:995 (LISTEN)
mydns      3166        nobody    2u  IPv4   7702       UDP 127.0.0.1:53 
mydns      3166        nobody    3u  IPv4   7703       TCP 127.0.0.1:53 (LISTEN)
mydns      3166        nobody    4u  IPv4   7704       UDP 192.168.0.24:53 
mydns      3166        nobody    5u  IPv4   7705       TCP 192.168.0.24:53 (LISTEN)
mydns      3166        nobody    6u  IPv6   7706       UDP [::1]:53 
mydns      3166        nobody    7u  IPv6   7707       TCP [::1]:53 (LISTEN)
mydns      3169        nobody    2u  IPv4   7702       UDP 127.0.0.1:53 
mydns      3169        nobody    3u  IPv4   7703       TCP 127.0.0.1:53 (LISTEN)
mydns      3169        nobody    4u  IPv4   7704       UDP 192.168.0.24:53 
mydns      3169        nobody    5u  IPv4   7705       TCP 192.168.0.24:53 (LISTEN)
mydns      3169        nobody    6u  IPv6   7706       UDP [::1]:53 
mydns      3169        nobody    7u  IPv6   7707       TCP [::1]:53 (LISTEN)
master     3267          root   12u  IPv4   7953       TCP *:25 (LISTEN)
master     3267          root  106u  IPv4   8086       TCP 127.0.0.1:10025 (LISTEN)
pure-ftpd  3281          root    4u  IPv4   8113       TCP *:21 (LISTEN)
pure-ftpd  3281          root    5u  IPv6   8115       TCP *:21 (LISTEN)
ntpd       3332           ntp   16u  IPv4   8257       UDP *:123 
ntpd       3332           ntp   17u  IPv6   8258       UDP *:123 
ntpd       3332           ntp   18u  IPv6   8263       UDP [fe80::21e:c9ff:fee5:c538]:123 
ntpd       3332           ntp   19u  IPv6   8264       UDP [::1]:123 
ntpd       3332           ntp   20u  IPv4   8265       UDP 127.0.0.1:123 
ntpd       3332           ntp   21u  IPv4   8266       UDP 192.168.0.24:123 
apache2    3429          root    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2    3429          root    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2    3429          root    5u  IPv4   8447       TCP *:8080 (LISTEN)
amavisd-n  3510        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
amavisd-n  3510        amavis   16u  IPv4 332340       TCP 127.0.0.1:50560->127.0.0.1:10025 (CLOSE_WAIT)
amavisd-n  3511        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
spamd      3512          root    5u  IPv4   6131       TCP 127.0.0.1:783 (LISTEN)
spamd      3513          root    5u  IPv4   6131       TCP 127.0.0.1:783 (LISTEN)
apache2   31752      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2   31752      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2   31752      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
apache2   31754      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2   31754      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2   31754      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
apache2   31755      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2   31755      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2   31755      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
apache2   31756      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2   31756      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2   31756      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
apache2   31757      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2   31757      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2   31757      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
apache2   31758      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
apache2   31758      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
apache2   31758      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
iptables -L -n -v --line-numbers
Code:
Chain INPUT (policy ACCEPT 129K packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      538 39658 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 21139 packets, 1761K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-ssh (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      538 39658 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
iptables -L -n -v --line-numbers -t nat

Code:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Now can someone tell me if there is any security issue on the output of these commands? If there is any issues. which service should i stop or what should i do to solve? regards.

am asking this so that i can understand this system much better. i've been using it for six months now. and it seems very good. but i've never tested it's security side.

i want to defend this to be used on our school.

Thanks in advance?
Reply With Quote
Sponsored Links
  #2  
Old 2nd March 2010, 17:17
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
Default
Looks fine. Only the services needed for a complete hosting system are running.

What do you use the server for? For example, if you dont run your own dns server, you can stop mydns.

Also make sure that you install the security updates of your linux distribution regularily.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 3rd March 2010, 19:38
mnzava mnzava is offline
Member
  
Join Date: Aug 2007
Location: Dar es Salaam, Tanzania
Posts: 46
Thanks: 8
Thanked 0 Times in 0 Posts
Default
Thank you very much Till, for clear explanation.
I dont need to configure DNS on this server. i will stop mydns.
Thank you and stay blessed.
Regards.
Reply With Quote
  #4  
Old 5th March 2010, 15:11
mnzava mnzava is offline
Member
  
Join Date: Aug 2007
Location: Dar es Salaam, Tanzania
Posts: 46
Thanks: 8
Thanked 0 Times in 0 Posts
Default
Dear Till,

Here is the advice from the security adviser of the hosting company after sending the commands. He insist there are no restrictions at all on the firewall.

Also, he advises to use sftp insted of ftp. Can you tell me how to enable sftp?

Also he advises to bind SMTP to 127.0.0.1:25
Here below is his advise.

Please advise since your are very familiar with ispconfig than me.

Thanks in advance.

----------------------------------------------

1. lsof -i -n -P



1.a) MySQL
Code:
mysqld     2475         mysql   10u     IPv4             6189                 TCP *:3306 (LISTEN)
listening to the whole world for connections, can be bad.

If you only expect connections from localhost, then please add this list

to /etc/my.cnf :
Code:
# only listen on localhost

bind-address=127.0.0.1

1.b) IMAP running....?
Code:
couriertc  3049          root    3u     IPv6             7457                 TCP *:143 (LISTEN)
if it's a webserver then IMAP services don't need to be running and

accessible worldwide, right?

outsiders could probe for passwords there....!



1.c) IMAP over SSL running... (same)
Code:
couriertc  3076          root    3u     IPv6             7471                 TCP *:993 (LISTEN)
same as above



1.d) POP running (same)
Code:
couriertc  3092          root    3u     IPv6              7501                 TCP *:110 (LISTEN)
same as above



1.e) POP over SSL running (same)
Code:
couriertc  3114          root    3u     IPv6             7533                 TCP *:995 (LISTEN)

1.f) DNS runnign, but OK.

Code:
mydns      3119        nobody    8u     IPv6             7656                 UDP [::1]:53

mydns      3119        nobody    9u     IPv6             7657                 TCP [::1]:53 (LISTEN)
not an issue as not an open resolver.



1.g) SMTP service running (postfix)
Code:
master     3193          root   12u     IPv4             7795                 TCP *:25 (LISTEN)
should not be necessary on a web server.

if necessary for emails from web-applications, then please bind to

127.0.0.1:25



1.h) FTP server
Code:
pure-ftpd  3207          root    4u     IPv4             7955                 TCP *:21 (LISTEN)

pure-ftpd  3207          root    5u     IPv6             7957                 TCP *:21 (LISTEN)
please make sure is is secured and passwords of permitted users are good

passwords.

It is more secure to use ssh, scp, sftp -- all via sshd and port 22



1.i) NTP running, but restricted. good!

Code:
ntpd       3590           ntp   16u     IPv4             8873                 UDP *:123

ntpd       3590           ntp   17u     IPv6              8874                 UDP *:123



note: 1.f) and 1.i) are not an issue, just noted for completeness.





2. iptables -L -n -v --line-numbers


no restriction at all. :-(



all on loopback interface "lo" should be allowed.

I recommend ssh (22), ftp (21) to be restricted to some certain known secure addresses.

I recommend to block connections (other than loopback allowed above) for

ports mysql (3306), dns (53), smtp (25), ntp (123) and if possible ftp (21) if you use ssh instead.

others, including IMAP, POP, should be blocked in iptables and disabled as a service.

-------------------------------------------------------------

What is your advice?

regards.
Reply With Quote
  #5  
Old 6th March 2010, 11:25
mnzava mnzava is offline
Member
  
Join Date: Aug 2007
Location: Dar es Salaam, Tanzania
Posts: 46
Thanks: 8
Thanked 0 Times in 0 Posts
Default
any response please....!!!!
Reply With Quote
  #6  
Old 6th March 2010, 13:27
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
Default
The answer is still the same then in #2. The setup is fine.

SFTP is not handled by the SSH daemon and not the ftp daemon, so you will have to create ssh users to use it which will not improve security as these users wiuld get shell access then instead of having just virtual FTP users. So in general its better to use ftps (which is FTP over ssl) and not SFTP. See ISPConfig FAQ for instructions how to enable ssl encryption for pure-ftpd.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #7  
Old 6th March 2010, 16:01
Ben Ben is offline
Moderator
  
Join Date: Jul 2006
Posts: 1,016
Thanks: 7
Thanked 56 Times in 51 Posts
Default
If he advised you to use Sftp instead of "plain" ftp, does he has a solution to jail down the logged in users? As Sftp is a sub protocol of ssh...
More than that I'd suggest the use of ftpS (ftp over SSL/TLS), so the only thing you need to do is to configure your ftp daemon for the use of ftps and if possible to force ssl / tls only.

Generally he is right, to enforce encryption anywhere where possible and disable the access to any service (or the service itself, depends on your business needs) that is not needed to be accessed from outside (or to restrict the access from only specific locations, if you are able to define these)...

But this is only the security on the network layer. For a complete overview, you should also consider taking a look, at the configuration of the used (web)apps, their soruce code (if possible) etc.

A tool which may also help you "hardening" your server is lynis (http://rootkit.nl).
Last edited by Ben; 6th March 2010 at 16:05.
Reply With Quote
  #8  
Old 7th March 2010, 20:44
mnzava mnzava is offline
Member
  
Join Date: Aug 2007
Location: Dar es Salaam, Tanzania
Posts: 46
Thanks: 8
Thanked 0 Times in 0 Posts
Default
thanks Till and Ben,
i will do as per your advice.
i will configure ftps. and force users to use it.
we do have a separate mail server.
so i will stop mail services as well.

thanks and regards.
Reply With Quote
  #9  
Old 8th March 2010, 11:00
till till is offline
Super Moderator
  
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,911
Thanks: 693
Thanked 4,198 Times in 3,213 Posts
 
Default
Do not stop mailservices. Mailservices are needed for several internal purposes on a linuy system. The default mail setup in ispconfig 3 is secure and nobody can send emails without having a mail user account, so just leave it as it is.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
juan_g (17th September 2010)
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ISPConfig PHP Security exabytes18 General 4 20th June 2009 12:02
Unable to install ISPConfig bdonecker Installation/Configuration 21 26th May 2009 08:20
ispconfig 3 + mysql security for virtual user paswords Teddy_2009 General 1 6th May 2009 19:00
ISPConfig 3.0.0.4 Beta Released till General 54 4th March 2009 09:55
What Ispconfig skill sets should I learn. slamb General 1 1st November 2007 11:45


All times are GMT +2. The time now is 03:15.

Contact Us - HowtoForge - Linux Howtos and Tutorials - Archive - Top

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.