Server cesurity

From Ilianko

set locales

dpkg-reconfigure locales

Деактивиране на root

може да се ползва sudo или да махнем ssh root login

vi /etc/ssh/sshd_config 

   #LoginGraceTime 2m
   #PermitRootLogin no
   #StrictModes yes
   #MaxAuthTries 6

Make the line look like this to disable logging in through ssh as root. 

   PermitRootLogin no

Now you’ll need to restart the sshd service: 

   /etc/init.d/sshd restart

pozwolqvane na xxx

AllowUsers username

Вход с ключ

Ssh login без парола

LAMP

apt-get install mysql-server 

 heirloom-mailx libaio1 libclass-isa-perl libdbd-mysql-perl libdbi-perl
 libhtml-template-perl libmysqlclient18 libnet-daemon-perl libplrpc-perl
 libswitch-perl mysql-client-5.5 mysql-common mysql-server mysql-server-5.5
 mysql-server-core-5.5 perl perl-modules psmisc


apt-get install apache2 apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common file 

 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcap2
 libmagic1 mime-support openssl ssl-cert

apt-get install php5 

apache2-mpm-prefork libapache2-mod-php5 libonig2 libqdbm14 libxml2 php5
 php5-cli php5-common sgml-base xml-core

apt-get install phpmyadmin 

 dbconfig-common fontconfig-config libfontconfig1 libgd2-xpm libjpeg8
 libltdl7 libmcrypt4 php5-gd php5-mcrypt php5-mysql phpmyadmin
 ttf-dejavu-core

check version

apt-cache policy openssl ......

LAMP

apt-get update
apt-get install apache2
apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
apt-get install php5 libapache2-mod-php5 php5-mcrypt

mail

apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql

mysqladmin -p create servermail

GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword'

FLUSH PRIVILIGES;

CREATE TABLE `virtual_domains` (

`id` INT NOT NULL AUTO_INCREMENT, `name` VARCHAR(50) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_users` ( `id` INT NOT NULL AUTO_INCREMENT, `domain_id` INT NOT NULL, `password` VARCHAR(106) NOT NULL, `email` VARCHAR(120) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`), FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_aliases` ( `id` INT NOT NULL AUTO_INCREMENT, `domain_id` INT NOT NULL, `source` varchar(100) NOT NULL, `destination` varchar(100) NOT NULL, PRIMARY KEY (`id`), FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;


INSERT INTO `servermail`.`virtual_domains` (`id` ,`name`) VALUES ('1', 'example.com'), ('2', 'hostname.example.com');

INSERT INTO `servermail`.`virtual_users` (`id`, `domain_id`, `password` , `email`) VALUES ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'), ('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');


INSERT INTO `servermail`.`virtual_aliases` (`id`, `domain_id`, `source`, `destination`) VALUES ('1', '1', 'alias@example.com', 'email1@example.com');

postfix

cp /etc/postfix/main.cf /etc/postfix/main.cf.orig nano /etc/postfix/main.cf

...

virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf ..

nano /etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail password = mailpassword hosts = 127.0.0.1 dbname = servermail query = SELECT 1 FROM virtual_domains WHERE name='%s'


nano /etc/postfix/mysql-virtual-alias-maps.cf

user = usermail password = mailpassword hosts = 127.0.0.1 dbname = servermail query = SELECT destination FROM virtual_aliases WHERE source='%s'

postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf

If you want to enable port 587 to connect securely with email clients, it is necessary to modify the /etc/postfix/master.cf file


nano /etc/postfix/master.cf

We need to uncomment these lines and append other parameters:


submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In some cases, we need to restart Postfix to ensure port 587 is open.

service postfix restart

dovecot

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig

nano /etc/dovecot/dovecot.conf

Verify this option is uncommented.

!include conf.d/*.conf

We are going to enable protocols (add pop3 if you want to) below the !include_try /usr/share/dovecot/protocols.d/*.protocol line.


!include_try /usr/share/dovecot/protocols.d/*.protocol protocols = imap lmtp ...

nano /etc/dovecot/conf.d/10-mail.com

postfixAndSASL

https://wiki.debian.org/PostfixAndSASL

fail2ban

Retrieved from "https://ilianko.com/index.php?title=Server_cesurity&oldid=5213"