ISPConfig 3 Security

Discussion in 'Installation/Configuration' started by mnzava, Mar 2, 2010.

  1. mnzava

    mnzava New Member

    Hi all,

    I have managed to install ispconfig without any problem.

    I was asked to run these commands to check server security by our old hosting company.

    Code:
    netstat -rn
    lsof -i -n -P
    iptables -L -n -v --line-numbers
    iptables -L -n -v --line-numbers -t nat
    These are the outputs.
    netstat -rn
    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
    0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
    
    lsof -i -n -P
    Code:
    COMMAND     PID          USER   FD   TYPE DEVICE SIZE NODE NAME
    apache2    1460      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2    1460      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2    1460      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    sshd       2286          root    3r  IPv4 459096       TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
    sshd       2315 administrator    3u  IPv4 459096       TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
    sshd       2345          root    3u  IPv4   5790       TCP *:22 (LISTEN)
    sshd       2345          root    4u  IPv6   5793       TCP *:22 (LISTEN)
    amavisd-n  2371        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
    mysqld     2446         mysql   10u  IPv4   5951       TCP *:3306 (LISTEN)
    spamd      2509          root    5u  IPv4   6131       TCP 127.0.0.1:783 (LISTEN)
    couriertc  3068          root    3u  IPv6   7382       TCP *:143 (LISTEN)
    couriertc  3098          root    3u  IPv6   7425       TCP *:993 (LISTEN)
    couriertc  3121          root    3u  IPv6   7483       TCP *:110 (LISTEN)
    couriertc  3149          root    3u  IPv6   7539       TCP *:995 (LISTEN)
    mydns      3166        nobody    2u  IPv4   7702       UDP 127.0.0.1:53 
    mydns      3166        nobody    3u  IPv4   7703       TCP 127.0.0.1:53 (LISTEN)
    mydns      3166        nobody    4u  IPv4   7704       UDP 192.168.0.24:53 
    mydns      3166        nobody    5u  IPv4   7705       TCP 192.168.0.24:53 (LISTEN)
    mydns      3166        nobody    6u  IPv6   7706       UDP [::1]:53 
    mydns      3166        nobody    7u  IPv6   7707       TCP [::1]:53 (LISTEN)
    mydns      3169        nobody    2u  IPv4   7702       UDP 127.0.0.1:53 
    mydns      3169        nobody    3u  IPv4   7703       TCP 127.0.0.1:53 (LISTEN)
    mydns      3169        nobody    4u  IPv4   7704       UDP 192.168.0.24:53 
    mydns      3169        nobody    5u  IPv4   7705       TCP 192.168.0.24:53 (LISTEN)
    mydns      3169        nobody    6u  IPv6   7706       UDP [::1]:53 
    mydns      3169        nobody    7u  IPv6   7707       TCP [::1]:53 (LISTEN)
    master     3267          root   12u  IPv4   7953       TCP *:25 (LISTEN)
    master     3267          root  106u  IPv4   8086       TCP 127.0.0.1:10025 (LISTEN)
    pure-ftpd  3281          root    4u  IPv4   8113       TCP *:21 (LISTEN)
    pure-ftpd  3281          root    5u  IPv6   8115       TCP *:21 (LISTEN)
    ntpd       3332           ntp   16u  IPv4   8257       UDP *:123 
    ntpd       3332           ntp   17u  IPv6   8258       UDP *:123 
    ntpd       3332           ntp   18u  IPv6   8263       UDP [fe80::21e:c9ff:fee5:c538]:123 
    ntpd       3332           ntp   19u  IPv6   8264       UDP [::1]:123 
    ntpd       3332           ntp   20u  IPv4   8265       UDP 127.0.0.1:123 
    ntpd       3332           ntp   21u  IPv4   8266       UDP 192.168.0.24:123 
    apache2    3429          root    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2    3429          root    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2    3429          root    5u  IPv4   8447       TCP *:8080 (LISTEN)
    amavisd-n  3510        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
    amavisd-n  3510        amavis   16u  IPv4 332340       TCP 127.0.0.1:50560->127.0.0.1:10025 (CLOSE_WAIT)
    amavisd-n  3511        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
    spamd      3512          root    5u  IPv4   6131       TCP 127.0.0.1:783 (LISTEN)
    spamd      3513          root    5u  IPv4   6131       TCP 127.0.0.1:783 (LISTEN)
    apache2   31752      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2   31752      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2   31752      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    apache2   31754      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2   31754      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2   31754      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    apache2   31755      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2   31755      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2   31755      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    apache2   31756      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2   31756      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2   31756      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    apache2   31757      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2   31757      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2   31757      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    apache2   31758      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
    apache2   31758      www-data    4u  IPv4   8444       TCP *:443 (LISTEN)
    apache2   31758      www-data    5u  IPv4   8447       TCP *:8080 (LISTEN)
    
    
    iptables -L -n -v --line-numbers
    Code:
    Chain INPUT (policy ACCEPT 129K packets, 13M bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1      538 39658 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 22 
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 21139 packets, 1761K bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain fail2ban-ssh (1 references)
    num   pkts bytes target     prot opt in     out     source               destination         
    1      538 39658 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0   
    
    iptables -L -n -v --line-numbers -t nat

    Code:
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination 
    
    Now can someone tell me if there is any security issue in the output of these commands? If there are any issues, which service should I stop, or what should I do to solve them? Regards.

    I am asking this so that I can understand this system much better. I've been using it for six months now, and it seems very good, but I've never tested its security side.

    I want to defend using this at our school.

    Thanks in advance.
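    As an added example (not from this thread or from the ISPConfig project), the following POSIX shell/awk script reads `lsof -i -n -P` output and reports every listening socket that other hosts can reach (bound to `*` or to an interface address rather than loopback) whose port is not on an allowlist of services that are meant to be public. The sample output is constructed from the lines posted above, and the allowlist of 22, 80 and 443 is an assumption about which services this host should expose.

```shell
#!/bin/sh
# Added example, not from this thread or ISPConfig: audit `lsof -i -n -P`
# output and report listening sockets that are reachable from other hosts
# (bound to "*" or a real interface address, not loopback) and whose port is
# not on the allowlist of services meant to be public.
#
# Real usage:   lsof -i -n -P | audit_listeners "22 80 443 8080"

# audit_listeners ALLOWED_PORTS  -- reads lsof output on stdin and prints
# "PROTO/PORT COMMAND USER" for each exposed listener not on the allowlist.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                      # skip the column header
    {
        # the NAME column starts at the TCP/UDP token; the address follows it
        for (i = 1; i <= NF; i++) if ($i == "TCP" || $i == "UDP") break
        if (i > NF) next
        proto = $i; addr = $(i + 1)
        # only listeners: TCP must be in LISTEN, UDP sockets carry no state
        if (proto == "TCP" && $0 !~ /\(LISTEN\)/) next
        # split "host:port" at the last colon (IPv6 hosts contain colons)
        port = addr; sub(/.*:/, "", port)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") next   # loopback only: fine
        key = proto "/" port
        if (!(port in ok) && !(key in seen)) {   # report each port once
            seen[key] = 1
            print key, $1, $3                    # proto/port, COMMAND, USER
        }
    }'
}

# Constructed sample modelled on the lsof output posted in this thread.
SAMPLE_LSOF='COMMAND     PID          USER   FD   TYPE DEVICE SIZE NODE NAME
apache2    1460      www-data    3u  IPv4   8442       TCP *:80 (LISTEN)
sshd       2345          root    3u  IPv4   5790       TCP *:22 (LISTEN)
sshd       2345          root    4u  IPv6   5793       TCP *:22 (LISTEN)
sshd       2286          root    3r  IPv4 459096       TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
amavisd-n  2371        amavis    7u  IPv4   5861       TCP 127.0.0.1:10024 (LISTEN)
mysqld     2446         mysql   10u  IPv4   5951       TCP *:3306 (LISTEN)
couriertc  3068          root    3u  IPv6   7382       TCP *:143 (LISTEN)
mydns      3166        nobody    4u  IPv4   7704       UDP 192.168.0.24:53
mydns      3166        nobody    2u  IPv4   7702       UDP 127.0.0.1:53
ntpd       3332           ntp   16u  IPv4   8257       UDP *:123'

# Demo run against the constructed sample; ports 22, 80 and 443 are the
# assumed public services for this host.
printf '%s\n' "$SAMPLE_LSOF" | audit_listeners "22 80 443"
```

    On the sample this reports TCP/3306 (mysqld), TCP/143 (couriertc), UDP/53 (mydns on the LAN address) and UDP/123 (ntpd); established connections and sockets bound to 127.0.0.1 are ignored. Note that a socket bound to the LAN address (192.168.0.24:53) is just as reachable as one bound to `*`, which is why the script treats anything other than loopback as exposed.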
     
  2. till

    till Super Moderator

    Looks fine. Only the services needed for a complete hosting system are running.

    What do you use the server for? For example, if you don't run your own dns server, you can stop mydns.

    Also make sure that you install the security updates of your linux distribution regularly.
     
  3. mnzava

    mnzava New Member

    Thank you very much Till, for clear explanation.
    I don't need to configure DNS on this server. I will stop mydns.
    Thank you and stay blessed.
    Regards.
     
  4. mnzava

    mnzava New Member

    Dear Till,

    Here is the advice from the security adviser of the hosting company after sending the commands. He insists there are no restrictions at all on the firewall.

    Also, he advises to use sftp instead of ftp. Can you tell me how to enable sftp?

    Also he advises to bind SMTP to 127.0.0.1:25
    Here below is his advice.

    Please advise, since you are more familiar with ispconfig than I am.

    Thanks in advance.

    ----------------------------------------------

    1. lsof -i -n -P

    1.a) MySQL
    Code:
    mysqld     2475         mysql   10u     IPv4             6189                 TCP *:3306 (LISTEN)
    
    listening to the whole world for connections, can be bad.

    If you only expect connections from localhost, then please add this list to /etc/my.cnf :
    Code:
    # only listen on localhost
    
    bind-address=127.0.0.1
    

    1.b) IMAP running....?
    Code:
    couriertc  3049          root    3u     IPv6             7457                 TCP *:143 (LISTEN)
    
    if it's a webserver then IMAP services don't need to be running and accessible worldwide, right?

    outsiders could probe for passwords there....!

    1.c) IMAP over SSL running... (same)
    Code:
    couriertc  3076          root    3u     IPv6             7471                 TCP *:993 (LISTEN)
    
    same as above

    1.d) POP running (same)
    Code:
    couriertc  3092          root    3u     IPv6              7501                 TCP *:110 (LISTEN)
    
    same as above

    1.e) POP over SSL running (same)
    Code:
    couriertc  3114          root    3u     IPv6             7533                 TCP *:995 (LISTEN)
    

    1.f) DNS running, but OK.
    Code:
    mydns      3119        nobody    8u     IPv6             7656                 UDP [::1]:53
    mydns      3119        nobody    9u     IPv6             7657                 TCP [::1]:53 (LISTEN)
    
    not an issue as not an open resolver.

    1.g) SMTP service running (postfix)
    Code:
    master     3193          root   12u     IPv4             7795                 TCP *:25 (LISTEN)
    
    should not be necessary on a web server.

    if necessary for emails from web-applications, then please bind to 127.0.0.1:25

    1.h) FTP server
    Code:
    pure-ftpd  3207          root    4u     IPv4             7955                 TCP *:21 (LISTEN)
    pure-ftpd  3207          root    5u     IPv6             7957                 TCP *:21 (LISTEN)
    
    please make sure it is secured and passwords of permitted users are good passwords.

    It is more secure to use ssh, scp, sftp -- all via sshd and port 22

    1.i) NTP running, but restricted. good!
    Code:
    ntpd       3590           ntp   16u     IPv4             8873                 UDP *:123
    ntpd       3590           ntp   17u     IPv6              8874                 UDP *:123
    

    note: 1.f) and 1.i) are not an issue, just noted for completeness.

    2. iptables -L -n -v --line-numbers

    no restriction at all. :-(

    all on loopback interface "lo" should be allowed.

    I recommend ssh (22), ftp (21) to be restricted to some certain known secure addresses.

    I recommend to block connections (other than loopback allowed above) for ports mysql (3306), dns (53), smtp (25), ntp (123) and if possible ftp (21) if you use ssh instead.

    others, including IMAP, POP, should be blocked in iptables and disabled as a service.

    -------------------------------------------------------------

    What is your advice?

    regards.
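    As an added example (not from this thread or from the ISPConfig project), here is a shell script that turns the adviser's firewall recommendations quoted above into an iptables ruleset: everything on loopback allowed, ssh and ftp only from a known admin network, mysql/dns/smtp/ntp closed to the outside, IMAP/POP blocked, and the web ports (80, 443 and the 8080 port that is listening above) left public. The rules live in their own chain so the existing fail2ban-ssh rule in INPUT is left alone. `ADMIN_NET` is an assumed placeholder taken from the 192.168.0.0/24 network in the netstat output, and with the default `DRY_RUN=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from this thread or ISPConfig: an iptables ruleset that
# implements the adviser's recommendations quoted in the post above, without
# touching the fail2ban-ssh rule that is already present in INPUT.
#   - everything on the loopback interface allowed
#   - ssh (22) and ftp (21) only from a known admin network
#   - mysql (3306), dns (53), smtp (25), ntp (123) unreachable from outside
#   - IMAP/POP (110, 143, 993, 995) blocked
#   - web (80, 443) and the 8080 listener stay public
# ADMIN_NET is an assumed placeholder; change it to your management network.
# DRY_RUN=1 (the default) prints the commands instead of applying them.

ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# ipt ARGS...  -- run iptables, or print the command line in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_firewall() {
    # keep the rules in their own chain so they can be rebuilt in one go
    ipt -N HOSTFILTER 2>/dev/null || true
    ipt -F HOSTFILTER
    ipt -A HOSTFILTER -i lo -j ACCEPT
    # replies to connections this host opened (NTP queries, DNS lookups, ...)
    ipt -A HOSTFILTER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A HOSTFILTER -p icmp -j ACCEPT
    # administrative services: admin network only (must precede the drops)
    for p in 22 21; do
        ipt -A HOSTFILTER -p tcp --dport "$p" -s "$ADMIN_NET" -j ACCEPT
    done
    # public services
    for p in 80 443 8080; do
        ipt -A HOSTFILTER -p tcp --dport "$p" -j ACCEPT
    done
    # everything the adviser wants closed to the outside
    for p in 21 22 25 53 110 143 993 995 3306; do
        ipt -A HOSTFILTER -p tcp --dport "$p" -j DROP
    done
    for p in 53 123; do
        ipt -A HOSTFILTER -p udp --dport "$p" -j DROP
    done
    ipt -A HOSTFILTER -j RETURN
    # hook the chain into INPUT after fail2ban's rule (append, do not insert),
    # removing any previous hook first so re-running does not duplicate it
    ipt -D INPUT -j HOSTFILTER 2>/dev/null || true
    ipt -A INPUT -j HOSTFILTER
}

apply_firewall
```

    Run it from the console rather than over ssh the first time, so a wrong `ADMIN_NET` cannot lock you out, and note that if FTP or FTPS stays open its passive data port range needs an ACCEPT rule as well. Because ESTABLISHED,RELATED is accepted before the drops, the UDP 123 and 53 drops only stop inbound queries; the server's own NTP and DNS client traffic still gets its replies.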
     
  5. mnzava

    mnzava New Member

    any response please....!!!!
     
  6. till

    till Super Moderator

    The answer is still the same as in #2. The setup is fine.

    SFTP is not handled by the SSH daemon and not the ftp daemon, so you will have to create ssh users to use it, which will not improve security as these users would get shell access then instead of having just virtual FTP users. So in general it's better to use ftps (which is FTP over ssl) and not SFTP. See the ISPConfig FAQ for instructions on how to enable ssl encryption for pure-ftpd.
     
  7. Ben

    Ben HowtoForge Supporter

    If he advised you to use Sftp instead of "plain" ftp, does he have a solution to jail down the logged in users? As Sftp is a sub protocol of ssh...
    More than that I'd suggest the use of ftpS (ftp over SSL/TLS), so the only thing you need to do is to configure your ftp daemon for the use of ftps and, if possible, to force ssl / tls only.

    Generally he is right, to enforce encryption anywhere where possible and disable the access to any service (or the service itself, depends on your business needs) that is not needed to be accessed from outside (or to restrict the access to only specific locations, if you are able to define these)...

    But this is only the security on the network layer. For a complete overview, you should also consider taking a look at the configuration of the used (web)apps, their source code (if possible) etc.

    A tool which may also help you "hardening" your server is lynis (http://rootkit.nl).
     
    Last edited: Mar 6, 2010
  8. mnzava

    mnzava New Member

    thanks Till and Ben,
    i will do as per your advice.
    i will configure ftps. and force users to use it.
    we do have a separate mail server.
    so i will stop mail services as well.

    thanks and regards.
     
  9. till

    till Super Moderator

    Do not stop mailservices. Mailservices are needed for several internal purposes on a linux system. The default mail setup in ispconfig 3 is secure and nobody can send emails without having a mail user account, so just leave it as it is.
     