Difference between revisions of "HowTos/ScalixSecurity"

From Scalix Wiki

Revision as of 10:41, 31 August 2006

Introduction

Securing your Scalix server gives your users a stable platform that can be reached all the time. It prevents unauthorized access by people trying to gain control over the machine or to gather sensitive information stored on it. Last but not least, it prevents your machine from being used for other purposes, such as scanning or attacking other hosts and sending spam through relaying.


This How-To describes how to secure Scalix based mail servers and how to keep them secure.


The systems used to test the solutions presented in this How-To were based on:

  • CentOS 4.x with Scalix version 10.0.1 (RHEL 4 and Fedora Core 4 should behave similarly)


Note: This is work in progress and still incomplete. If you see any gaps or have comments, please take some time to add them to this document; it helps others to implement secure servers that behave well on the internet.


Harden system and services

Hardening is the process of minimizing security vulnerabilities. This is done by eliminating as many security risks as possible, e.g. removing unused services and programs and/or preventing required services from supplying sensitive information.

Install Bastille-Linux

Bastille-Linux will help you harden your system as a whole. Before using this software, check whether your OS is supported on http://www.bastille-linux.org/running_bastille_on.htm (this is also where you can download the rpm or source files).

Install the latest Bastille-Linux rpm:

# rpm -ihv Bastille-3.0.9-1.0.noarch.rpm

Install perl-Curses to run Bastille-Linux in text mode:

# yum install perl-Curses

Run Bastille-Linux for text mode hardening:

# bastille -c

During the hardening process read the questions carefully.

  • Do not deactivate or limit Sendmail and Apache
  • Do not deactivate the symbolic links from the Apache document root if you have a site that needs them. However, check that the symbolic links do not point outside the Apache document root (# find /var/www/html/ -type l -exec ls -l {} \;), since that might pose a security risk.
  • Determine if you want the enhanced Bastille-Linux firewall or the simple built-in OS firewall (see section Setup firewall)

Afterwards you can see what Bastille-Linux did, using the logfiles in /var/log/Bastille/.

Change SMTP greeting

See http://www.scalix.com/wiki/index.php?title=HowTos/SMTP_Greeting

Change POP greeting

Standard POP session:

$ telnet mail 110
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
+OK Scalix POP3 interface ready on: mail.yourdomain.net
quit
+OK POP3 Server connection terminated
Connection closed by foreign host.

As you can see, the greeting line reveals the Scalix server (but not its version number). It is currently not possible to configure the greeting line; an enhancement request has been entered on 28 AUG 2006.

Change IMAP greeting

Standard IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

As you can see, both the greeting and the goodbye line reveal sensitive information. You can change the greeting by setting the IMAP_GREETING tag in general.cfg, e.g. by adding "IMAP_GREETING=IMAPd" to the file.

Restart the IMAP daemon:

# omoff -d0 -w imap 
# omon imap

Custom IMAP session:

$ telnet mail 143
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
* OK IMAPd
a1 logout
* BYE Scalix IMAP Server logging out
a1 OK LOGOUT completed
Connection closed by foreign host.

It is currently not possible to configure the goodbye line, so the IMAP session still reveals the Scalix server (but no longer the version number). An enhancement request has been entered on 28 AUG 2006.

Change Apache information

By default Apache supplies a lot of information about the system. In this section we minimize the information it provides.

  • Replace default page

When you browse to http://mail.yourdomain.net you get the default page, which says something like 'Apache 2 Test Page powered by CentOS'. Replace it with your own page or a blank page.

  • Change error/header information

Telnet from the Linux command line to port 80 of the mail server and request the header information (HEAD / HTTP).

$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 22:32:32 GMT
Server: Apache/2.0.52 (CentOS)
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

As you can see, the telnet session reveals sensitive information. You can change this by editing the httpd.conf file: set the ServerTokens directive to Prod and the ServerSignature directive to Off. The last directive is outdated after Apache version 2.0.44, see http://www.sans.org/top20/2003/#u3 for more information.

Restart the HTTP daemon:

# service httpd restart

Telnet again to the mail server:

$ telnet mail.yourdomain.net 80
Trying 192.168.100.11...
Connected to mail.yourdomain.net (192.168.100.11).
Escape character is '^]'.
HEAD / HTTP

HTTP/1.1 200 OK
Date: Tue, 29 Aug 2006 23:04:44 GMT
Server: Apache
Last-Modified: Wed, 23 Aug 2006 22:09:41 GMT
ETag: "44f1f-9bd-998d1340"
Accept-Ranges: bytes
Content-Length: 2493
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

The telnet session still shows the product name, but the version number and OS name are gone. You can change the product name by getting the Apache source code, editing the file httpd.h, and compiling and reinstalling Apache. However, keep in mind that you can then no longer use the Apache (and associated module) security updates for your system. That might pose an even bigger security risk.

  • Remove version numbers from the Webmail and SAC logon pages

...
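As an added check for the POP, IMAP and Apache sections above (example code written for this How-To, not part of Scalix or Apache), the following script flags greeting, goodbye and Server header lines that disclose a product name or a version number. The sample lines are copied from the telnet transcripts above; grab_banner() is the only part that touches the network and is meant for re-checking your own server after a configuration change.

```python
import re
import socket

# Product names seen in the transcripts on this page, plus any dotted version number.
PRODUCT_RE = re.compile(r"\b(Scalix|Apache|CentOS|Sendmail)\b", re.IGNORECASE)
VERSION_RE = re.compile(r"(?<![\w.])\d+\.\d+(?:\.\d+)*(?![\w.])")


def audit_line(line):
    """Return the kinds of disclosure ('product', 'version') found in one server line."""
    findings = set()
    if PRODUCT_RE.search(line):
        findings.add("product")
    if VERSION_RE.search(line):
        findings.add("version")
    return findings


def audit_banners(banners):
    """Map each labelled server line (greeting, goodbye, Server header value) to its disclosures."""
    return {label: sorted(audit_line(line)) for label, line in banners.items()}


def server_header(response):
    """Return the Server header value from a raw HTTP response, or None if absent."""
    for header in response.splitlines():
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def grab_banner(host, port, timeout=5.0):
    """Connect to host:port and return the greeting line a POP/IMAP/SMTP service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(1024).decode("ascii", "replace").partition("\n")[0].strip()


# Constructed input: server lines copied from the telnet transcripts on this page.
SAMPLE_BANNERS = {
    "pop greeting": "+OK Scalix POP3 interface ready on: mail.yourdomain.net",
    "imap greeting (default)": "* OK Scalix IMAP server 10.0.1.3 ready on mail.yourdomain.net",
    "imap greeting (IMAP_GREETING=IMAPd)": "* OK IMAPd",
    "imap goodbye": "* BYE Scalix IMAP Server logging out",
    "http Server (default)": "Apache/2.0.52 (CentOS)",
    "http Server (ServerTokens Prod)": "Apache",
}

if __name__ == "__main__":
    for label, found in audit_banners(SAMPLE_BANNERS).items():
        print(f"{label:36} {', '.join(found) or 'clean'}")
```

Feed it only what the server sends; client input such as "a1 logout" says nothing about the server.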

Run tomcat as non-root user

See http://www.scalix.com/wiki/index.php?title=HowTos/Tomcat

Set up SELinux

t.b.d. - anyone???


Use secure protocols

Force to use https

Force your users to use the https protocol instead of the http protocol when they want to use webmail or SAC. This way the information they supply won't be sent in plain text over the internet.

You achieve this by adding a VirtualHost section at the bottom of the Apache ssl.conf file (mod_ssl has to be installed for this to work).

<VirtualHost *:80>
  <LocationMatch "^/sac/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
  <LocationMatch "^/webmail/*">
    RewriteEngine on
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
  </LocationMatch>
</VirtualHost>

Setting up stunnel

t.b.d. - anyone???

Let SMTP guests authenticate themselves

t.b.d. - anyone???


Setup firewall

Available services

Before you set up a firewall you have to determine which services are running on your system and which of them need to be available from the outside:

# netstat -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:5729                0.0.0.0:*                   LISTEN      3010/advmail.sckd
tcp        0      0 0.0.0.0:9090                0.0.0.0:*                   LISTEN      1652/httpd
tcp        0      0 0.0.0.0:9092                0.0.0.0:*                   LISTEN      1627/python
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3044/omslapd
tcp        0      0 127.0.0.1:8005              0.0.0.0:*                   LISTEN      1501/java
tcp        0      0 127.0.0.1:8009              0.0.0.0:*                   LISTEN      1501/java
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1057/mysqld
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      3081/pop3.server
tcp        0      0 127.0.0.1:3310              0.0.0.0:*                   LISTEN      966/clamd
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN      3032/in.imap41d
tcp        0      0 0.0.0.0:44975               0.0.0.0:*                   LISTEN      779/rpc.statd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      760/portmap
tcp        0      0 0.0.0.0:8081                0.0.0.0:*                   LISTEN      1603/postmaster
tcp        0      0 192.168.100.11:25           0.0.0.0:*                   LISTEN      3700/omsmtpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1249/sendmail: acce
tcp        0      0 :::80                       :::*                        LISTEN      1479/httpd
tcp        0      0 :::22                       :::*                        LISTEN      944/sshd
tcp        0      0 :::443                      :::*                        LISTEN      1479/httpd
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               779/rpc.statd
udp        0      0 192.168.100.11:5766         0.0.0.0:*                               3029/omnssck
udp        0      0 127.0.0.1:5766              0.0.0.0:*                               3029/omnssck
udp        0      0 0.0.0.0:955                 0.0.0.0:*                               779/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               760/portmap
udp        0      0 0.0.0.0:3450                0.0.0.0:*                               1501/java
udp        0      0 0.0.0.0:5757                0.0.0.0:*                               3022/omdrs
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     2506   1057/mysqld         /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     9728   3038/mime.control   /var/opt/scalix/temp/mime_browse
unix  2      [ ACC ]     STREAM     LISTENING     3718   1526/dbus-daemon-1  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     4245   1603/postmaster     /tmp/.s.PGSQL.8081
unix  2      [ ACC ]     STREAM     LISTENING     13195  3702/omsmtpd        /var/opt/scalix/temp/smtpd_socket
unix  2      [ ACC ]     STREAM     LISTENING     9575   2979/omsessd        /var/opt/scalix/temp/sessd_socket
unix  2      [ ACC ]     STREAM     LISTENING     9626   2999/omlicmon       /var/opt/scalix/temp/lic

As you can see, there are a lot of services listening; most of them don't need to be accessible from the outside. If you don't need a service at all, shut it down and remove it from the system; otherwise firewall it.

Here we assume that ports 22 (ssh), 25 (smtp), 80 (http), 443 (https) and 5729 (scalixual) need to be available; the next two sections show how to configure that in your firewall.
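To turn the netstat listing above into a list of services that still need firewalling, here is an added example (not part of Scalix or the original How-To) that parses netstat -npl output and reports every listener that is bound to a non-loopback address and whose port is not among 22, 25, 80, 443 and 5729. The sample rows are a subset of the output shown above.

```python
from collections import namedtuple

# Ports this How-To keeps reachable from the outside: ssh, smtp, http, https, scalixual.
ALLOWED_PORTS = {22, 25, 80, 443, 5729}

Listener = namedtuple("Listener", "proto addr port pid prog")

def is_loopback(addr):
    """True when the socket is bound to the loopback interface only."""
    return addr == "::1" or addr.startswith("127.")

def parse_netstat(output):
    """Parse the 'Active Internet connections' rows of 'netstat -npl' output."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip headers, blank lines and the UNIX-socket section
        addr, _, port = parts[3].rpartition(":")  # ':::80' -> ('::', '80')
        # tcp rows carry a State column (LISTEN); udp rows do not.
        pidprog = parts[6] if parts[0].startswith("tcp") else parts[5]
        pid, slash, prog = pidprog.partition("/")
        if not slash:  # netstat prints '-' for the PID column when not run as root
            pid, prog = None, pidprog
        listeners.append(Listener(parts[0], addr, int(port), pid and int(pid), prog))
    return listeners

def unexpected_exposures(listeners, allowed=ALLOWED_PORTS):
    """Listeners reachable from other hosts whose port is not on the allow list."""
    return [l for l in listeners if not is_loopback(l.addr) and l.port not in allowed]

# Constructed input: a subset of the netstat -npl output shown on this page.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:5729                0.0.0.0:*                   LISTEN      3010/advmail.sckd
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      3044/omslapd
tcp        0      0 127.0.0.1:8005              0.0.0.0:*                   LISTEN      1501/java
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      1057/mysqld
tcp        0      0 192.168.100.11:25           0.0.0.0:*                   LISTEN      3700/omsmtpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1249/sendmail: acce
tcp        0      0 :::80                       :::*                        LISTEN      1479/httpd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               760/portmap
udp        0      0 127.0.0.1:5766              0.0.0.0:*                               3029/omnssck
"""

if __name__ == "__main__":
    for l in unexpected_exposures(parse_netstat(SAMPLE)):
        print(f"{l.proto} {l.addr}:{l.port} ({l.prog}) is reachable but not on the allow list")
```

Run it as root (netstat -npl | python3 thisscript.py style, or paste the output into SAMPLE) so the PID/Program name column is filled in.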

Default OS firewall

This firewall is easy to set up; you only need to know which ports have to be open for Scalix to function.

If you decide to use the default OS firewall rather than the Bastille-Linux firewall, you have to make sure that the Bastille-Linux firewall is disabled at boot time and the default OS firewall is enabled at boot time.

First shutdown and disable the Bastille-Linux firewall completely (if it is running):

# vi /etc/Bastille/config => PSAD.psad_config="N", Firewall.ip_enable_firewall="N" & Firewall.ip_intro="N"
# bastille -b
# service psad stop
# service bastille-firewall stop
# chkconfig psad off
# chkconfig bastille-firewall off
# chmod 0600 /etc/init.d/psad
# chmod 0600 /etc/init.d/bastille-firewall

As you can see from the list of commands, shutting down the Bastille-Linux firewall was not easy, but it did the trick (there should be an easier way, however).

Now you can enable and configure the standard OS firewall using:

# system-config-securitylevel => Enabled & Customize
# chkconfig --level 2345 iptables on

View the active iptables rules (it should at least accept packets on the ports you specified):

# iptables -L
...
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:scalixual
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
...

Bastille-Linux firewall

This is an advanced firewall; to configure it you need in-depth knowledge of protocols, port numbers, interfaces and the psad software.

If you decide to use the Bastille-Linux firewall rather than the default OS firewall, you have to make sure that the default OS firewall is disabled at boot time and the Bastille-Linux firewall is enabled at boot time.

Deactivate the default OS firewall:

# system-config-securitylevel => Disabled
# chkconfig iptables off

Activate the Bastille-Linux firewall (possibly already configured during system hardening process):

# service bastille-firewall start

The firewall has its own configuration file (/etc/Bastille/bastille-firewall.cfg), but only edit this file when the change can't be made in the global Bastille-Linux configuration file (/etc/Bastille/config). This way you avoid losing the specific firewall rules when running Bastille-Linux again at a later date. The global Bastille-Linux configuration file can be executed by issuing the command:

# bastille -b

Another nice feature of the Bastille-Linux firewall is that it can be integrated with the Port Scan Attack Detector (psad). Installing this tool is easy; just execute the commands:

$ wget http://www.cipherdyne.com/psad/download/psad-1.4.6-1.i386.rpm
# rpm -ivh psad-1.4.6-1.i386.rpm
# cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
# vi /etc/psad/psad.conf => you have to change the HOME_NET variable
# service psad start

The configuration of psad is difficult: you want to receive messages about scans but not about lost packets. It can take some time to find the right configuration settings.


Keep secure

Update system

When you are done configuring and hardening your system you should keep it secure over time. Therefore always act quickly when new updates and security patches become available.

System software can be updated using the command:

# yum update

This can be automated to ensure that you are always up to date. The downside of automating is that it sometimes breaks your configuration (over the last 7 years I had downtime once through a failed automatic update). Consider for yourself whether possible downtime outweighs the risk of being outdated for some time.

Non-system software can be updated as it becomes available from the vendor; Scalix belongs to this kind of software. To keep up to date, subscribe to the vendor's update & security patches announcement list or, if available, use the automatic update service.

Todo / Questions:

  1. what is the update & security patches announce list?
  2. for how long are security patches available after the release of a new version?
  3. is it possible to update automatically?

Install Tripwire and Chkrootkit

This section is really about giving you a feeling whether your system is still secure and not compromised. It won't be 100% fail-proof, but it monitors your system and warns you when strange things are happening on it.

Tripwire monitors the system's critical files for modifications by creating a baseline and comparing the files against it periodically afterwards.

Todo / Questions:

  1. Still have to figure out how to let this work correctly with automatic updates.

Chkrootkit periodically checks the system for installed rootkits.