Postfix Security

A major problem with the default postfix install is that any user can send email as any user (even if it’s not your domain!)

The solution is very simple.

Edit /etc/main.cf and add

smtpd_delay_reject = yes
smtpd_helo_required = yes

smtpd_sender_restrictions=check_sender_access,hash:/etc/postfix/domains,

reject_unauth_destination,reject_sender_login_mismatch

Make sure you don’t add ‘permit_mynetworks’ here, or local users (or webmail users) will be able to forge their email.

In /etc/postfix/domains, add

your.domain OK

other.domain OK

and run

postmap /etc/postfix/domains

postfix reload

You might also want to try to help stop spam (along with spamassassin) with blacklists and stopping bad senders.

In /etc/postfix/main.cf

smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination,

reject_invalid_hostname,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_rbl_client list.dsbl.org,reject_rbl_client sbl.spamhaus.org,reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,permit

I have mixed feelings about blacklists; my website has shown up on them from time to time after all. Still, if you’re willing to get a few false positives then this should help stop quite a bit of spam.

Top 7 uses for a shell account

1. Always-on IRC client

screen

irssi

#Control+A D

Using screen (a back-groundable terminal that can be easily resumed at any time) and irssi you can stay connected to IRC at all times, quietly sitting there… logging everything. 🙂

2. Website

Apart from everything else you can do with a shell account, having a personal website on the same machine as the programs and services you run can be very nifty.

Accessing your IRC logs via your website (so even at work/school/etc. you can check IRC quickly and easily) is one example.

3. Anonymous Browsing

Want a secure, anonymous way to browse? On Linux:

ssh user@server -D 9050

Will create a SOCKS port (9050) on your local machine. Point firefox/whatever at localhost:9050 (SOCKS) and browse away!

Windows clients support this too.

4. File Storage

Obviously I’m not saying you should back up your home harddrive to a shell, but doing minor backups can be very useful.

Got a few MBs of source code you want to have backed-up offsite? Why not put it on your shell?

Been writing some papers that are more important than a dead hard drive? Why not back them up every now and then?

scp -r /path/to/folder [email protected]:~

Will copy all files/folders in /path/to/folder to your home directory on shell.com. Using ssh keys for password-less authentication allows you to have a simple, one-line backup script.

5. E-Mail, FTP and other network services

Behind a restrictive connection? If you have outbound access to port 22 (you can always request other ssh ports be used on st0rage.org ;)) you can access any port on that machine.

Check email, use ftp/etc, and choose whether it stays on the shell or if you download it for your machine.

6. Encryption

How can we not mention encryption?

How would you like to be able to store sensitive information remotely and encrypted? Keeping a list of passwords or financial information encrypted with gpg is easy and effective.

gpg –gen-key

#Fill out info, accept defaults.

#Select (O)kay instead of (Q)uit to enter your passphrase

#This can take some time. A lot.

gpg -e file-to-encrypt

#enter your name from the step above.

#push enter again to exit

gpg -d file-to-encrypt.gpg

#contents will be displayed on the screen

gpg -d file-to-encrypt.gpg > file-to-encrypt

#will put the contents in a file

Google will give you some more advanced stuff with gpg, have faith the above is the hardest part. 😛

7. Scheduled Tasks

Cron is a powerful tool. With it, you can run commands at pre-determined re-occurring intervals.

For example, want to email yourself a reminder a week in advance for certain people’s birthdays? Easy!

crontab -e

0 0 11 3 * mutt -s “Birthday Reminder!” [email protected] < ~/reminders/julie.txt
0 0 26 1 * mutt -s “Birthday Reminder!” [email protected] < ~/reminders/sarah.txt

mkdir ~/reminders

echo “Julie’s birthday is on 3-11-`date +%Y`” > ~/reminders/julie.txt

echo “Sarah’s birthday is on 1-26-`date +%Y`” > ~/reminders/sarah.txt

Already use the shell for screen+irssi? Why not email yourself a daily log of what was said (or lines containing your name)?

58 23 * * * cat ~/irclogs/*`date +%F`* | grep nickname > ~/daily.log

59 23 * * * mutt -s “IRC Log” [email protected] -i ~/daily.log

Ignoring snoopy logs with logcheck

snoppy is an awesome tool available on the debian archives. It allows you to see what commands your users have run (by default logs to /var/log/auth.log). It acts like a beefed up .bash_history that users cannot disable/delete/etc.

logcheck scans your logs for weird things, and emails them to you.

By default, these two programs do not get along. snoopy entries show up in logcheck’s emails (which can get very, very big). This sort of defeats the purpose of logcheck, since you get sent massive emails with the important stuff hidden between giant blocks of snoopy logs.

To disable this

echo ‘^w{3} [ :0-9]{11} [._[:alnum:]-]+ snoopy.*’ > /etc/logcheck/violations.ignore.d/snoopy

chmod 644  /etc/logcheck/violations.ignore.d/snoopy

ln -s /etc/logcheck/violations.ignore.d/snoopy /etc/logcheck/ignore.d.server/snoopy

Now test it

sudo -u logcheck logcheck

To make more logcheck ignore rules, test your file(s) by:

egrep -f logcheck-file /var/log/auth.log

It will display only what will be ignored.

Make sure the file(s) are 644 (rw r r) or logcheck won’t be able to ignore what’s in the file.

Debian/Ubuntu Apache2 + PHP5 + Mysql + SSL

First let’s grab the packages we need for a basic LAMP setup:

apt-get install apache2 php5-cgi libapache2-mod-php5 mysql-server php5-mysql php5-common apache2.2-common ssl-cert

If using Ubuntu, be sure to install libapache2-mod-auth-mysql

apache2.2-common and ssl-cert are needed to generate a ssl cert

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.crt
mkdir /etc/apache2/ssl
mv apache.crt /etc/apache2/ssl

cd /etc/apache2/mods-enabled
ln -s ../mods-available/ssl.conf ssl.conf
ln -s ../mods-available/ssl.load ssl.load

Make sure /etc/apache2/ports.conf is listening on 443

Listen *:443

In your 000-default file in /etc/apache2/sites-enabled (or where ever your VirtualHosts are managed) Change:

NameVirtualHost *
<VirtualHost *>

to

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Add a site for SSL:

<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/wwws
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/wwws>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

/etc/init.d/apache2 restart

By default, the User/group is www-data so make sure all your website files are owned by this user/group.

chown -R www-data:www-data /var/wwws/

Will accomplish this

All website files should be located in /var/www and /var/wwws (you can choose different directories, of course, like /home/www but make sure you change the config)

Debian Spamassassin/SquirrelMail

Updated Jan 24, 2008

Try the following crontab entries

0 0 * * * /usr/bin/find /home/*/Maildir/.Spam/cur/ -type f -mtime +7 | xargs rm -f 1> /dev/null
0 1 * * * sa-learn –spam /home/youruser/Maildir/.Spam/cur/* 1>/dev/null

The first line will check for spam older than 7 days and delete it. This is a very useful (and fast!) way to save diskspace.

Change ‘youruser’ to your actual user. Anything put in your spam folder on squirrelmail will be marked as spam.

Thanks to WastedMemory for helping me with this.

This assumes you’ve already set up a functioning MTA and have imap/pop working.

apt-get install spamassassin squrirelmail

Edit /etc/default/spamassassin and set ENABLED=1

Create a file called /etc/procmailrc

MAILDIR=$HOME/Maildir
DEFAULT=$HOME/Maildir/cur
DROPPRIVS=YES
:0fw
| /usr/bin/spamc

:0:
* ^X-Spam-Status: Yes
$HOME/Maildir/.Spam/cur

To set up squirrelmail, edit /etc/apache2/sites-enabled/000-default (or whatever site you want to use) and add:

Alias /mail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

Restart apache2, squirrelmail

/etc/init.d/apache2 restart && /etc/init.d/spamassassin restart

As a normal user (su – user), do:

maildirmake (or maildirmake.courier) ~/Maildir

Go to http://your-ip/mail and log in as the user you created Maildir with. Log in, and send a test email to another address.

Back as your user, do:

cd ~/Maildir

cp -rp .Sent .Spam

It might be a good idea to have all new users have this directory created.

cp -r /home/user/Maildir /etc/skel

If you have many users that already exit, you can do this:

for x in `ls /home`; do

cp -r /etc/skel/Maildir /home/$x

chown -R $x /home/$x/Maildir

done

Spam will now go to their Spam folder. They can check this by subscribing to INBOX.Spam in squirrelmail (Folders)

You can change the sensitivity of Spamassassin by editing /etc/spamassassin/local.cf

required_score 1.0