Server cesurity
Contents
set locales
dpkg-reconfigure locales
Деактивиране на root
може да се ползва sudo или да махнем ssh root login
vi /etc/ssh/sshd_config
#LoginGraceTime 2m #PermitRootLogin no #StrictModes yes #MaxAuthTries 6
Make the line look like this to disable logging in through ssh as root.
PermitRootLogin no
Now you’ll need to restart the sshd service:
/etc/init.d/sshd restart
pozwolqvane na xxx
AllowUsers username
Вход с ключ
LAMP
apt-get install mysql-server
heirloom-mailx libaio1 libclass-isa-perl libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18 libnet-daemon-perl libplrpc-perl libswitch-perl mysql-client-5.5 mysql-common mysql-server mysql-server-5.5 mysql-server-core-5.5 perl perl-modules psmisc
apt-get install apache2
apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common file
libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcap2 libmagic1 mime-support openssl ssl-cert
apt-get install php5
apache2-mpm-prefork libapache2-mod-php5 libonig2 libqdbm14 libxml2 php5 php5-cli php5-common sgml-base xml-core
apt-get install phpmyadmin
dbconfig-common fontconfig-config libfontconfig1 libgd2-xpm libjpeg8 libltdl7 libmcrypt4 php5-gd php5-mcrypt php5-mysql phpmyadmin ttf-dejavu-core
check version
apt-cache policy openssl ......
LAMP
apt-get update apt-get install apache2 apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql apt-get install php5 libapache2-mod-php5 php5-mcrypt
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
mysqladmin -p create servermail
GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword'
FLUSH PRIVILIGES;
CREATE TABLE `virtual_domains` (
`id` INT NOT NULL AUTO_INCREMENT, `name` VARCHAR(50) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `virtual_users` ( `id` INT NOT NULL AUTO_INCREMENT, `domain_id` INT NOT NULL, `password` VARCHAR(106) NOT NULL, `email` VARCHAR(120) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`), FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `virtual_aliases` ( `id` INT NOT NULL AUTO_INCREMENT, `domain_id` INT NOT NULL, `source` varchar(100) NOT NULL, `destination` varchar(100) NOT NULL, PRIMARY KEY (`id`), FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `servermail`.`virtual_domains`
(`id` ,`name`)
VALUES
('1', 'example.com'),
('2', 'hostname.example.com');
INSERT INTO `servermail`.`virtual_users` (`id`, `domain_id`, `password` , `email`) VALUES ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'), ('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');
INSERT INTO `servermail`.`virtual_aliases`
(`id`, `domain_id`, `source`, `destination`)
VALUES
('1', '1', 'alias@example.com', 'email1@example.com');
postfix
cp /etc/postfix/main.cf /etc/postfix/main.cf.orig nano /etc/postfix/main.cf
...
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf ..
nano /etc/postfix/mysql-virtual-mailbox-domains.cf
user = usermail password = mailpassword hosts = 127.0.0.1 dbname = servermail query = SELECT 1 FROM virtual_domains WHERE name='%s'
nano /etc/postfix/mysql-virtual-alias-maps.cf
user = usermail password = mailpassword hosts = 127.0.0.1 dbname = servermail query = SELECT destination FROM virtual_aliases WHERE source='%s'
postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf
If you want to enable port 587 to connect securely with email clients, it is necessary to modify the /etc/postfix/master.cf file
nano /etc/postfix/master.cf
We need to uncomment these lines and append other parameters:
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
In some cases, we need to restart Postfix to ensure port 587 is open.
service postfix restart
dovecot
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
nano /etc/dovecot/dovecot.conf
Verify this option is uncommented.
!include conf.d/*.conf
We are going to enable protocols (add pop3 if you want to) below the !include_try /usr/share/dovecot/protocols.d/*.protocol line.
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
...
nano /etc/dovecot/conf.d/10-mail.conf
fail2ban