Ispconfig 3, Tiger security tool

Discussion in 'Tips/Tricks/Mods' started by esmiz, Dec 28, 2009.

  1. esmiz

    esmiz New Member

    Hello

    The first thing I want to do is to thank to the developers of ispconfig 3. Congratulations you have made a great product!

    I installed it a couple of weeks ago, and have been successfully testing it since then.
    It seems 100 % reliable to me, but before going on production, I want to secure it as much as possible.

    Apart from many other things, I have been using tiger to check my installation, I found it a quite useful tool.
    After polishing some fails and warnings. I still have some warnings in the report related mainly to some services,
    some system shells, cron jobs, and the /usr/local/ directory.

    I haven't tried to fix these ones because I guess that they are related to ispconfig itself, and I could break the system, but I' m unsure whether is still something that can be done.

    That's why I'd like someone with enough knowledge to have a look at the report and tell me if it looks good, or there is something that could be fixed.

    I'm attaching the file here.


    Regards
     

    Attached Files:

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks all fine. It seems as if the tiger tool does not know how to check the ispconfig setup and so produces some false positive warnings. For example, the server.sh is a root cronjob that has to be run as root and that needs a shell, so the permissions are all fine.
     
  3. esmiz

    esmiz New Member

    Securing ispconfig 3. Tiger

    Many thanks for your answers Till.

    I was a bit worried mainly for the /usr/local directory warnings. I messed it up a changing permissions thinking that would be harmless, and I had to reset them back.

    I see then that both ispconfig and getmail need a valid shell to run their cronjobs, but I'm not sure If I can "chsh -s /bin/false" libuuid and vmail.

    Let me ask you a couple of questions:

    Does mysql need to be listening on every interface if we are not planning a multiserver setup?
    What do you think about security tools like tiger, logwatch, Samhain, Aide? Do you use any of them yourself?

    Regards
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The /usr/local permissions are set by your linux distribution and not changed by ispconfig. So you should not change them.

    Regarding vmail: The mail system uses maildrop that runs as user vmail and maildrop invokes external commands, so it needs a shell. See also:

    http://markmail.org/message/w25epbo...ell page:1 mid:w25epbojb7t4laxw state:results

    libuuid is not from ISPConfig, so I dont know if you can change it or not.

    No. But then your customers are also not able to use tools like the mysql windows gui tools to manage their databases.

    I use logwatch on my servers.
     
  5. esmiz

    esmiz New Member

    Thanks for your advices

    Thanks for your advices Till

    In fact I don't have any customer, I set up the system because we have something like 11 sites with different hosting providers, and this is more expensive than to rent a dedicated server.

    I have some experience with linux systems so I felt comfortable to do it, but perhaps a little bit paranoid about security.

    Thanks again and happy new year!
     

Share This Page