Difference between revisions of "Server cesurity"

 
Line 1: Line 1:
== Вход с ключ==
+
== set locales==
 
+
dpkg-reconfigure locales
[[Ssh login без парола]]
 
 
 
  
 
== Деактивиране на root ==
 
== Деактивиране на root ==
 
 
може да се ползва sudo  или да махнем ssh root login
 
може да се ползва sudo  или да махнем ssh root login
  
Line 26: Line 23:
 
AllowUsers username
 
AllowUsers username
  
 +
== Вход с ключ==
 +
[[Ssh login без парола]]
  
 
==LAMP==
 
==LAMP==
Line 53: Line 52:
 
==check version==
 
==check version==
 
apt-cache policy openssl
 
apt-cache policy openssl
 +
......
 +
== LAMP ==
 +
 +
apt-get update
 +
apt-get install apache2
 +
apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
 +
apt-get install php5 libapache2-mod-php5 php5-mcrypt
 +
 +
== mail ==
 +
 +
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
 +
 +
mysqladmin -p create servermail
 +
 +
GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword'
 +
 +
FLUSH PRIVILIGES;
 +
 +
CREATE TABLE `virtual_domains` (
 +
`id`  INT NOT NULL AUTO_INCREMENT,
 +
`name` VARCHAR(50) NOT NULL,
 +
PRIMARY KEY (`id`)
 +
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 +
 +
CREATE TABLE `virtual_users` (
 +
`id` INT NOT NULL AUTO_INCREMENT,
 +
`domain_id` INT NOT NULL,
 +
`password` VARCHAR(106) NOT NULL,
 +
`email` VARCHAR(120) NOT NULL,
 +
PRIMARY KEY (`id`),
 +
UNIQUE KEY `email` (`email`),
 +
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
 +
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 +
 +
CREATE TABLE `virtual_aliases` (
 +
`id` INT NOT NULL AUTO_INCREMENT,
 +
`domain_id` INT NOT NULL,
 +
`source` varchar(100) NOT NULL,
 +
`destination` varchar(100) NOT NULL,
 +
PRIMARY KEY (`id`),
 +
FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
 +
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 +
 +
 +
INSERT INTO `servermail`.`virtual_domains`
 +
(`id` ,`name`)
 +
VALUES
 +
('1', 'example.com'),
 +
('2', 'hostname.example.com');
 +
 +
INSERT INTO `servermail`.`virtual_users`
 +
(`id`, `domain_id`, `password` , `email`)
 +
VALUES
 +
('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'),
 +
('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');
 +
 +
 +
INSERT INTO `servermail`.`virtual_aliases`
 +
(`id`, `domain_id`, `source`, `destination`)
 +
VALUES
 +
('1', '1', 'alias@example.com', 'email1@example.com');
 +
 +
== postfix ==
 +
cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
 +
nano /etc/postfix/main.cf
 +
 +
...
 +
 +
virtual_transport = lmtp:unix:private/dovecot-lmtp
 +
 +
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
 +
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
 +
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
 +
..
 +
 +
nano /etc/postfix/mysql-virtual-mailbox-domains.cf
 +
 +
user = usermail
 +
password = mailpassword
 +
hosts = 127.0.0.1
 +
dbname = servermail
 +
query = SELECT 1 FROM virtual_domains WHERE name='%s'
 +
 +
 +
nano /etc/postfix/mysql-virtual-alias-maps.cf
 +
 +
user = usermail
 +
password = mailpassword
 +
hosts = 127.0.0.1
 +
dbname = servermail
 +
query = SELECT destination FROM virtual_aliases WHERE source='%s'
 +
 +
postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf
 +
 +
If you want to enable port 587 to connect securely with email clients, it is necessary to modify the /etc/postfix/master.cf file
 +
 +
 +
nano /etc/postfix/master.cf
 +
 +
We need to uncomment these lines and append other parameters:
 +
 +
 +
submission inet n      -      -      -      -      smtpd
 +
-o syslog_name=postfix/submission
 +
-o smtpd_tls_security_level=encrypt
 +
-o smtpd_sasl_auth_enable=yes
 +
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
 +
In some cases, we need to restart Postfix to ensure port 587 is open.
 +
 +
service postfix restart
 +
 +
==dovecot==
 +
 +
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
 +
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
 +
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
 +
cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig
 +
cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
 +
cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
 +
 +
nano /etc/dovecot/dovecot.conf
 +
 +
Verify this option is uncommented.
 +
 +
!include conf.d/*.conf
 +
 +
We are going to enable protocols (add pop3 if you want to) below the !include_try /usr/share/dovecot/protocols.d/*.protocol line.
 +
 +
 +
!include_try /usr/share/dovecot/protocols.d/*.protocol
 +
protocols = imap lmtp
 +
...
 +
 +
nano /etc/dovecot/conf.d/10-mail.com
 +
 +
== postfixAndSASL ==
 +
https://wiki.debian.org/PostfixAndSASL
 +
 +
fail2ban
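Review bot: The database password granted at `GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword'` is written in clear text into /etc/postfix/mysql-virtual-mailbox-domains.cf and /etc/postfix/mysql-virtual-alias-maps.cf (`password = mailpassword`), but nothing in the hunk restricts who can read those files, so any local account on the host can recover the credential; after the two `nano` steps add `chgrp postfix /etc/postfix/mysql-virtual-*.cf` and `chmod 640 /etc/postfix/mysql-virtual-*.cf`, and replace the placeholder with a generated password. `FLUSH PRIVILIGES;` is misspelled and MySQL will reject it; it should read `FLUSH PRIVILEGES;`. The submission service sets `smtpd_tls_security_level=encrypt`, yet the main.cf excerpt shows no `smtpd_tls_cert_file`/`smtpd_tls_key_file` and the dovecot part backs up 10-ssl.conf without editing it, so confirm a certificate is configured on both sides before treating port 587 and IMAP as encrypted (the elided `...` lines may hold this). The final dovecot step opens `/etc/dovecot/conf.d/10-mail.com`, which looks like a typo for 10-mail.conf, the file backed up earlier in the same section.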

Latest revision as of 06:04, 16 July 2014

set locales

dpkg-reconfigure locales

Деактивиране на root

може да се ползва sudo или да махнем ssh root login

vi /etc/ssh/sshd_config

   #LoginGraceTime 2m
   #PermitRootLogin no
   #StrictModes yes
   #MaxAuthTries 6

Make the line look like this to disable logging in through ssh as root.

   PermitRootLogin no

Now you’ll need to restart the sshd service:

   /etc/init.d/sshd restart

pozwolqvane na xxx

AllowUsers username

Вход с ключ

Ssh login без парола

LAMP

apt-get install mysql-server

 heirloom-mailx libaio1 libclass-isa-perl libdbd-mysql-perl libdbi-perl
 libhtml-template-perl libmysqlclient18 libnet-daemon-perl libplrpc-perl
 libswitch-perl mysql-client-5.5 mysql-common mysql-server mysql-server-5.5
 mysql-server-core-5.5 perl perl-modules psmisc


apt-get install apache2 apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common file

 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcap2
 libmagic1 mime-support openssl ssl-cert

apt-get install php5

apache2-mpm-prefork libapache2-mod-php5 libonig2 libqdbm14 libxml2 php5
 php5-cli php5-common sgml-base xml-core

apt-get install phpmyadmin

 dbconfig-common fontconfig-config libfontconfig1 libgd2-xpm libjpeg8
 libltdl7 libmcrypt4 php5-gd php5-mcrypt php5-mysql phpmyadmin
 ttf-dejavu-core

check version

apt-cache policy openssl ......

LAMP

apt-get update
apt-get install apache2
apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
apt-get install php5 libapache2-mod-php5 php5-mcrypt

mail

apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
mysqladmin -p create servermail
GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword'
FLUSH PRIVILEGES;
CREATE TABLE `virtual_domains` (

`id` INT NOT NULL AUTO_INCREMENT, `name` VARCHAR(50) NOT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_users` ( `id` INT NOT NULL AUTO_INCREMENT, `domain_id` INT NOT NULL, `password` VARCHAR(106) NOT NULL, `email` VARCHAR(120) NOT NULL, PRIMARY KEY (`id`), UNIQUE KEY `email` (`email`), FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `virtual_aliases` ( `id` INT NOT NULL AUTO_INCREMENT, `domain_id` INT NOT NULL, `source` varchar(100) NOT NULL, `destination` varchar(100) NOT NULL, PRIMARY KEY (`id`), FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE ) ENGINE=InnoDB DEFAULT CHARSET=utf8;


INSERT INTO `servermail`.`virtual_domains` (`id` ,`name`) VALUES ('1', 'example.com'), ('2', 'hostname.example.com');

INSERT INTO `servermail`.`virtual_users` (`id`, `domain_id`, `password` , `email`) VALUES ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'), ('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');


INSERT INTO `servermail`.`virtual_aliases` (`id`, `domain_id`, `source`, `destination`) VALUES ('1', '1', 'alias@example.com', 'email1@example.com');

postfix

cp /etc/postfix/main.cf /etc/postfix/main.cf.orig nano /etc/postfix/main.cf

...

virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf ..

nano /etc/postfix/mysql-virtual-mailbox-domains.cf

user = usermail password = mailpassword hosts = 127.0.0.1 dbname = servermail query = SELECT 1 FROM virtual_domains WHERE name='%s'


nano /etc/postfix/mysql-virtual-alias-maps.cf

user = usermail password = mailpassword hosts = 127.0.0.1 dbname = servermail query = SELECT destination FROM virtual_aliases WHERE source='%s'

postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf

If you want to enable port 587 so that email clients can connect securely, it is necessary to modify the /etc/postfix/master.cf file.


nano /etc/postfix/master.cf

We need to uncomment these lines and append other parameters:


submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject

In some cases, we need to restart Postfix to ensure port 587 is open.

service postfix restart

dovecot

cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig

nano /etc/dovecot/dovecot.conf

Verify this option is uncommented.

!include conf.d/*.conf

We are going to enable protocols (add pop3 if you want to) below the !include_try /usr/share/dovecot/protocols.d/*.protocol line.


!include_try /usr/share/dovecot/protocols.d/*.protocol protocols = imap lmtp ...

nano /etc/dovecot/conf.d/10-mail.conf

postfixAndSASL

https://wiki.debian.org/PostfixAndSASL

fail2ban