Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > Tips/Tricks/Mods

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 28th December 2009, 21:09
esmiz esmiz is offline
Member
 
Join Date: Dec 2009
Posts: 44
Thanks: 4
Thanked 3 Times in 3 Posts
Default Ispconfig 3, Tiger security tool

Hello

The first thing I want to do is to thank to the developers of ispconfig 3. Congratulations you have made a great product!

I installed it a couple of weeks ago, and have been successfully testing it since then.
It seems 100 % reliable to me, but before going on production, I want to secure it as much as possible.

Apart from many other things, I have been using tiger to check my installation, I found it a quite useful tool.
After polishing some fails and warnings. I still have some warnings in the report related mainly to some services,
some system shells, cron jobs, and the /usr/local/ directory.

I haven't tried to fix these ones because I guess that they are related to ispconfig itself, and I could break the system, but I' m unsure whether is still something that can be done.

That's why I'd like someone with enough knowledge to have a look at the report and tell me if it looks good, or there is something that could be fixed.

I'm attaching the file here.


Regards
Attached Files
File Type: txt tiger.txt (11.4 KB, 1019 views)
Reply With Quote
Sponsored Links
  #2  
Old 29th December 2009, 10:50
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 35,778
Thanks: 821
Thanked 5,332 Times in 4,184 Posts
Default

Looks all fine. It seems as if the tiger tool does not know how to check the ispconfig setup and so produces some false positive warnings. For example, the server.sh is a root cronjob that has to be run as root and that needs a shell, so the permissions are all fine.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #3  
Old 29th December 2009, 13:52
esmiz esmiz is offline
Member
 
Join Date: Dec 2009
Posts: 44
Thanks: 4
Thanked 3 Times in 3 Posts
Default Securing ispconfig 3. Tiger

Many thanks for your answers Till.

I was a bit worried mainly for the /usr/local directory warnings. I messed it up a changing permissions thinking that would be harmless, and I had to reset them back.

I see then that both ispconfig and getmail need a valid shell to run their cronjobs, but I'm not sure If I can "chsh -s /bin/false" libuuid and vmail.

Let me ask you a couple of questions:

Does mysql need to be listening on every interface if we are not planning a multiserver setup?
What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?

Regards
Reply With Quote
  #4  
Old 29th December 2009, 14:58
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lneburg, Germany
Posts: 35,778
Thanks: 821
Thanked 5,332 Times in 4,184 Posts
Default

The /usr/local permissions are set by your linux distribution and not changed by ispconfig. So you should not change them.

Regarding vmail: The mail system uses maildrop that runs as user vmail and maildrop invokes external commands, so it needs a shell. See also:

http://markmail.org/message/w25epboj...+state:results

libuuid is not from ISPConfig, so I dont know if you can change it or not.

Quote:
Does mysql need to be listening on every interface if we are not planning a multiserver setup?
No. But then your customers are also not able to use tools like the mysql windows gui tools to manage their databases.

Quote:
What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?
I use logwatch on my servers.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
esmiz (29th December 2009)
  #5  
Old 29th December 2009, 16:03
esmiz esmiz is offline
Member
 
Join Date: Dec 2009
Posts: 44
Thanks: 4
Thanked 3 Times in 3 Posts
 
Default Thanks for your advices

Thanks for your advices Till

In fact I don't have any customer, I set up the system because we have something like 11 sites with different hosting providers, and this is more expensive than to rent a dedicated server.

I have some experience with linux systems so I felt comfortable to do it, but perhaps a little bit paranoid about security.

Thanks again and happy new year!
Reply With Quote
Reply

Bookmarks

Tags
security

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ISPConfig 2.3.3-dev released till General 10 12th March 2008 21:08
Ispconfig security smilem Installation/Configuration 5 16th January 2008 08:45
What Ispconfig skill sets should I learn. slamb General 1 1st November 2007 11:45
Sites that are added using ISPConfig Tool direct to Apache page gimhan90 Installation/Configuration 11 13th February 2006 10:27
Installation requirement help for ispconfig tool gg234 Installation/Configuration 1 25th August 2005 14:59


All times are GMT +2. The time now is 16:54.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.