
28th December 2009, 21:09
Member
Join Date: Dec 2009
Posts: 44
Thanks: 4
Thanked 3 Times in 3 Posts
Ispconfig 3, Tiger security tool
Hello
The first thing I want to do is to thank the developers of ispconfig 3. Congratulations, you have made a great product!
I installed it a couple of weeks ago, and have been successfully testing it since then.
It seems 100% reliable to me, but before going into production, I want to secure it as much as possible.
Apart from many other things, I have been using tiger to check my installation; I found it quite a useful tool.
After polishing some fails and warnings, I still have some warnings in the report, related mainly to some services,
some system shells, cron jobs, and the /usr/local/ directory.
I haven't tried to fix these ones because I guess that they are related to ispconfig itself, and I could break the system, but I'm unsure whether there is still something that can be done.
That's why I'd like someone with enough knowledge to have a look at the report and tell me if it looks good, or whether there is something that could be fixed.
I'm attaching the file here.
Regards

29th December 2009, 10:50
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,184 Times in 3,202 Posts
Looks all fine. It seems as if the tiger tool does not know how to check the ispconfig setup and so produces some false positive warnings. For example, the server.sh is a root cronjob that has to be run as root and that needs a shell, so the permissions are all fine.

29th December 2009, 13:52
Member
Join Date: Dec 2009
Posts: 44
Thanks: 4
Thanked 3 Times in 3 Posts
Securing ispconfig 3. Tiger
Many thanks for your answers Till.
I was a bit worried mainly about the /usr/local directory warnings. I messed it up by changing permissions, thinking that would be harmless, and I had to reset them back.
I see then that both ispconfig and getmail need a valid shell to run their cronjobs, but I'm not sure if I can "chsh -s /bin/false" libuuid and vmail.
Let me ask you a couple of questions:
Does mysql need to be listening on every interface if we are not planning a multiserver setup?
What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?
Regards

29th December 2009, 14:58
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,184 Times in 3,202 Posts
The /usr/local permissions are set by your Linux distribution and not changed by ispconfig. So you should not change them.
Regarding vmail: The mail system uses maildrop that runs as user vmail and maildrop invokes external commands, so it needs a shell. See also:
http://markmail.org/message/w25epboj...+state:results
libuuid is not from ISPConfig, so I don't know if you can change it or not.
Quote:
    Does mysql need to be listening on every interface if we are not planning a multiserver setup?
No. But then your customers are also not able to use tools like the MySQL Windows GUI tools to manage their databases.
Quote:
    What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?
I use logwatch on my servers.
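The two points settled in this exchange, whether mysqld listens on every interface and which accounts keep a login shell, as an added shell check that is not part of the thread, of ISPConfig or of Tiger; the my.cnf fragments and the passwd entries are constructed sample input, and the account names are taken from the posts above.

```shell
#!/bin/sh
# Added example (not ISPConfig's or Tiger's code), run on constructed input so
# it works offline: 1) is mysqld bound to every interface or only to loopback?
# 2) which accounts besides root still have an interactive login shell?

# Constructed my.cnf fragments: the wide-open setting beside the restricted one.
MYCNF_ALL_IFACES='[mysqld]
user = mysql
bind-address = 0.0.0.0'
MYCNF_LOOPBACK='[mysqld]
user = mysql
bind-address = 127.0.0.1'

# Print the effective bind-address of a my.cnf body read from stdin.
# Commented-out lines (#bind-address) do not match; the last directive wins.
# No directive is reported as 0.0.0.0, the pre-8.0 MySQL default.
mysql_bind_address() {
    addr=$(sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    printf '%s\n' "${addr:-0.0.0.0}"
}

# Succeed only when the address keeps mysqld reachable from the host itself.
mysql_bind_is_local() {
    case "$1" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed /etc/passwd excerpt resembling an ISPConfig 3 host.
PASSWD='root:x:0:0:root:/root:/bin/bash
vmail:x:5000:5000::/var/vmail:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
getmail:x:1001:1001::/var/lib/getmail:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
mysql:x:104:108:MySQL Server:/var/lib/mysql:/bin/false'

# List non-root accounts (stdin in passwd format) whose shell is interactive,
# i.e. not */false or */nologin. Each hit is for a human to judge: the post
# above explains why vmail legitimately keeps one.
accounts_with_shell() {
    awk -F: '$1 != "root" && $7 !~ /\/(false|nologin)$/ { print $1 }'
}

# Stand-alone run: report both configs, then the account list.
for cfg in "$MYCNF_ALL_IFACES" "$MYCNF_LOOPBACK"; do
    addr=$(printf '%s\n' "$cfg" | mysql_bind_address)
    if mysql_bind_is_local "$addr"; then echo "bind-address $addr: loopback only"
    else echo "bind-address $addr: reachable from every interface"; fi
done
printf '%s\n' "$PASSWD" | accounts_with_shell
```

On a real host, feed it /etc/mysql/my.cnf and /etc/passwd instead of the constructed strings.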

29th December 2009, 16:03
Member
Join Date: Dec 2009
Posts: 44
Thanks: 4
Thanked 3 Times in 3 Posts
Thanks for your advice
Thanks for your advice, Till.
In fact I don't have any customers. I set up the system because we have something like 11 sites with different hosting providers, and this is more expensive than renting a dedicated server.
I have some experience with Linux systems so I felt comfortable doing it, but I am perhaps a little bit paranoid about security.
Thanks again and happy new year!