Hi all, I have managed to install ispconfig without any problem. I was asked to run these commands to check server security by our old hosting company.

Code:
netstat -rn
lsof -i -n -P
iptables -L -n -v --line-numbers
iptables -L -n -v --line-numbers -t nat

These are the outputs.

netstat -rn
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0

lsof -i -n -P
Code:
COMMAND     PID          USER   FD   TYPE DEVICE SIZE NODE NAME
apache2    1460      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2    1460      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2    1460      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)
sshd       2286          root   3r   IPv4 459096      TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
sshd       2315 administrator   3u   IPv4 459096      TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
sshd       2345          root   3u   IPv4   5790      TCP *:22 (LISTEN)
sshd       2345          root   4u   IPv6   5793      TCP *:22 (LISTEN)
amavisd-n  2371        amavis   7u   IPv4   5861      TCP 127.0.0.1:10024 (LISTEN)
mysqld     2446         mysql  10u   IPv4   5951      TCP *:3306 (LISTEN)
spamd      2509          root   5u   IPv4   6131      TCP 127.0.0.1:783 (LISTEN)
couriertc  3068          root   3u   IPv6   7382      TCP *:143 (LISTEN)
couriertc  3098          root   3u   IPv6   7425      TCP *:993 (LISTEN)
couriertc  3121          root   3u   IPv6   7483      TCP *:110 (LISTEN)
couriertc  3149          root   3u   IPv6   7539      TCP *:995 (LISTEN)
mydns      3166        nobody   2u   IPv4   7702      UDP 127.0.0.1:53
mydns      3166        nobody   3u   IPv4   7703      TCP 127.0.0.1:53 (LISTEN)
mydns      3166        nobody   4u   IPv4   7704      UDP 192.168.0.24:53
mydns      3166        nobody   5u   IPv4   7705      TCP 192.168.0.24:53 (LISTEN)
mydns      3166        nobody   6u   IPv6   7706      UDP [::1]:53
mydns      3166        nobody   7u   IPv6   7707      TCP [::1]:53 (LISTEN)
mydns      3169        nobody   2u   IPv4   7702      UDP 127.0.0.1:53
mydns      3169        nobody   3u   IPv4   7703      TCP 127.0.0.1:53 (LISTEN)
mydns      3169        nobody   4u   IPv4   7704      UDP 192.168.0.24:53
mydns      3169        nobody   5u   IPv4   7705      TCP 192.168.0.24:53 (LISTEN)
mydns      3169        nobody   6u   IPv6   7706      UDP [::1]:53
mydns      3169        nobody   7u   IPv6   7707      TCP [::1]:53 (LISTEN)
master     3267          root  12u   IPv4   7953      TCP *:25 (LISTEN)
master     3267          root 106u   IPv4   8086      TCP 127.0.0.1:10025 (LISTEN)
pure-ftpd  3281          root   4u   IPv4   8113      TCP *:21 (LISTEN)
pure-ftpd  3281          root   5u   IPv6   8115      TCP *:21 (LISTEN)
ntpd       3332           ntp  16u   IPv4   8257      UDP *:123
ntpd       3332           ntp  17u   IPv6   8258      UDP *:123
ntpd       3332           ntp  18u   IPv6   8263      UDP [fe80::21e:c9ff:fee5:c538]:123
ntpd       3332           ntp  19u   IPv6   8264      UDP [::1]:123
ntpd       3332           ntp  20u   IPv4   8265      UDP 127.0.0.1:123
ntpd       3332           ntp  21u   IPv4   8266      UDP 192.168.0.24:123
apache2    3429          root   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2    3429          root   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2    3429          root   5u   IPv4   8447      TCP *:8080 (LISTEN)
amavisd-n  3510        amavis   7u   IPv4   5861      TCP 127.0.0.1:10024 (LISTEN)
amavisd-n  3510        amavis  16u   IPv4 332340      TCP 127.0.0.1:50560->127.0.0.1:10025 (CLOSE_WAIT)
amavisd-n  3511        amavis   7u   IPv4   5861      TCP 127.0.0.1:10024 (LISTEN)
spamd      3512          root   5u   IPv4   6131      TCP 127.0.0.1:783 (LISTEN)
spamd      3513          root   5u   IPv4   6131      TCP 127.0.0.1:783 (LISTEN)
apache2   31752      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2   31752      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2   31752      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)
apache2   31754      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2   31754      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2   31754      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)
apache2   31755      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2   31755      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2   31755      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)
apache2   31756      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2   31756      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2   31756      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)
apache2   31757      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2   31757      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2   31757      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)
apache2   31758      www-data   3u   IPv4   8442      TCP *:80 (LISTEN)
apache2   31758      www-data   4u   IPv4   8444      TCP *:443 (LISTEN)
apache2   31758      www-data   5u   IPv4   8447      TCP *:8080 (LISTEN)

iptables -L -n -v --line-numbers
Code:
Chain INPUT (policy ACCEPT 129K packets, 13M bytes)
num   pkts bytes target       prot opt in  out source      destination
1      538 39658 fail2ban-ssh tcp  --  *   *   0.0.0.0/0   0.0.0.0/0   multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in  out source      destination

Chain OUTPUT (policy ACCEPT 21139 packets, 1761K bytes)
num   pkts bytes target       prot opt in  out source      destination

Chain fail2ban-ssh (1 references)
num   pkts bytes target       prot opt in  out source      destination
1      538 39658 RETURN       all  --  *   *   0.0.0.0/0   0.0.0.0/0

iptables -L -n -v --line-numbers -t nat
Code:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in  out source      destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in  out source      destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target       prot opt in  out source      destination

Now can someone tell me if there is any security issue in the output of these commands? If there are any issues, which service should I stop, or what should I do to solve them? Regards. I am asking this so that I can understand this system much better. I've been using it for six months now, and it seems very good, but I've never tested its security side. I want to defend this to be used in our school. Thanks in advance.
Looks fine. Only the services needed for a complete hosting system are running. What do you use the server for? For example, if you don't run your own DNS server, you can stop mydns. Also make sure that you install the security updates of your Linux distribution regularly.
Thank you very much Till, for the clear explanation. I don't need to configure DNS on this server. I will stop mydns. Thank you and stay blessed. Regards.
Dear Till, here is the advice from the security adviser of the hosting company after sending the commands. He insists there are no restrictions at all on the firewall. Also, he advises using sftp instead of ftp. Can you tell me how to enable sftp? Also he advises binding SMTP to 127.0.0.1:25. Here below is his advice. Please advise, since you are more familiar with ispconfig than me. Thanks in advance.

----------------------------------------------

1. lsof -i -n -P

1.a) MySQL
Code:
mysqld     2475         mysql  10u   IPv4   6189      TCP *:3306 (LISTEN)
listening to the whole world for connections, can be bad. If you only expect connections from localhost, then please add this to /etc/my.cnf:
Code:
# only listen on localhost
bind-address=127.0.0.1

1.b) IMAP running....?
Code:
couriertc  3049          root   3u   IPv6   7457      TCP *:143 (LISTEN)
if it's a webserver then IMAP services don't need to be running and accessible worldwide, right? outsiders could probe for passwords there....!

1.c) IMAP over SSL running... (same)
Code:
couriertc  3076          root   3u   IPv6   7471      TCP *:993 (LISTEN)
same as above

1.d) POP running (same)
Code:
couriertc  3092          root   3u   IPv6   7501      TCP *:110 (LISTEN)
same as above

1.e) POP over SSL running (same)
Code:
couriertc  3114          root   3u   IPv6   7533      TCP *:995 (LISTEN)

1.f) DNS running, but OK.
Code:
mydns      3119        nobody   8u   IPv6   7656      UDP [::1]:53
mydns      3119        nobody   9u   IPv6   7657      TCP [::1]:53 (LISTEN)
not an issue as not an open resolver.

1.g) SMTP service running (postfix)
Code:
master     3193          root  12u   IPv4   7795      TCP *:25 (LISTEN)
should not be necessary on a web server. if necessary for emails from web-applications, then please bind to 127.0.0.1:25

1.h) FTP server
Code:
pure-ftpd  3207          root   4u   IPv4   7955      TCP *:21 (LISTEN)
pure-ftpd  3207          root   5u   IPv6   7957      TCP *:21 (LISTEN)
please make sure it is secured and passwords of permitted users are good passwords. It is more secure to use ssh, scp, sftp -- all via sshd and port 22

1.i) NTP running, but restricted. good!
Code:
ntpd       3590           ntp  16u   IPv4   8873      UDP *:123
ntpd       3590           ntp  17u   IPv6   8874      UDP *:123

note: 1.f) and 1.i) are not an issue, just noted for completeness.

2. iptables -L -n -v --line-numbers

no restriction at all. :-(
all on loopback interface "lo" should be allowed.
I recommend ssh (22), ftp (21) to be restricted to certain known secure addresses.
I recommend blocking connections (other than loopback, allowed above) for ports mysql (3306), dns (53), smtp (25), ntp (123) and if possible ftp (21) if you use ssh instead.
others, including IMAP, POP, should be blocked in iptables and disabled as a service.

-------------------------------------------------------------

What is your advice? regards.
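To connect the lsof listing in the first post with the adviser's firewall recommendations, here is an added example (not code from this thread or from ISPConfig) that parses `lsof -i -n -P` output for sockets reachable from other hosts and drafts the iptables rules the adviser describes. The admin network 192.168.0.0/24, the sample lines and the two port sets are assumptions taken from the posts above; it appends to the existing ACCEPT-policy INPUT chain rather than switching to default-deny.

```python
import re

# Constructed sample, abridged from the lsof output posted earlier in this thread.
LSOF_SAMPLE = """\
COMMAND    PID USER     FD TYPE DEVICE SIZE NODE NAME
apache2   1460 www-data 3u IPv4   8442      TCP *:80 (LISTEN)
sshd      2345 root     3u IPv4   5790      TCP *:22 (LISTEN)
sshd      2286 root     3r IPv4 459096      TCP 192.168.0.24:22->192.168.0.125:50229 (ESTABLISHED)
mysqld    2446 mysql   10u IPv4   5951      TCP *:3306 (LISTEN)
couriertc 3068 root     3u IPv6   7382      TCP *:143 (LISTEN)
mydns     3166 nobody   4u IPv4   7704      UDP 192.168.0.24:53
mydns     3166 nobody   7u IPv6   7707      TCP [::1]:53 (LISTEN)
master    3267 root    12u IPv4   7953      TCP *:25 (LISTEN)
master    3267 root   106u IPv4   8086      TCP 127.0.0.1:10025 (LISTEN)
pure-ftpd 3281 root     4u IPv4   8113      TCP *:21 (LISTEN)
"""
LINE = re.compile(r"^(\S+)\s+\d+\s+\S+\s+\S+\s+IPv[46]\s+\d+\s+(TCP|UDP)\s+"
                  r"(\S+?):(\d+)(?:\s+\((\w+)\))?$")

# Policy from the adviser's post: loopback is always fine, ssh/ftp only from
# known admin addresses, and these ports never from outside at all.
ADMIN_NET = "192.168.0.0/24"      # assumption: substitute your own admin range
RESTRICTED = {22, 21}
LOOPBACK_ONLY = {3306, 53, 25, 123, 143, 993, 110, 995}

def exposed_ports(text):
    """Map (proto, port) -> command for every listener reachable from other hosts."""
    exposed = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or "->" in line:          # header line, or an established flow
            continue
        cmd, proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTEN":
            continue
        if addr == "*" or not addr.startswith(("127.", "[::1]")):
            exposed[(proto.lower(), int(port))] = cmd
    return exposed

def iptables_rules(text, admin_net=ADMIN_NET):
    """Rules to append, in order, to the thread's ACCEPT-policy INPUT chain."""
    rules = ["iptables -A INPUT -i lo -j ACCEPT"]
    for (proto, port), cmd in sorted(exposed_ports(text).items()):
        base = f"iptables -A INPUT -p {proto} --dport {port} -m comment --comment {cmd}"
        if port in RESTRICTED:
            rules.append(f"{base} -s {admin_net} -j ACCEPT")
            rules.append(f"{base} -j DROP")
        elif port in LOOPBACK_ONLY:        # 80/443 stay open under the ACCEPT policy
            rules.append(f"{base} -j DROP")
    return rules
```

Because the loopback ACCEPT comes first, port 25 stays reachable for local web applications even though it is dropped from outside, which matches the adviser's 127.0.0.1:25 suggestion without stopping postfix.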
The answer is still the same as in #2. The setup is fine. SFTP is handled by the SSH daemon and not the ftp daemon, so you will have to create ssh users to use it, which will not improve security as these users would get shell access then instead of having just virtual FTP users. So in general it's better to use ftps (which is FTP over ssl) and not SFTP. See the ISPConfig FAQ for instructions on how to enable ssl encryption for pure-ftpd.
If he advised you to use Sftp instead of "plain" ftp, does he have a solution to jail the logged-in users? As Sftp is a sub-protocol of ssh... More than that, I'd suggest the use of ftpS (ftp over SSL/TLS), so the only thing you need to do is to configure your ftp daemon for the use of ftps and, if possible, to force ssl / tls only. Generally he is right to enforce encryption anywhere possible and to disable access to any service (or the service itself, depending on your business needs) that does not need to be accessed from outside (or to restrict access to specific locations only, if you are able to define these)... But this is only the security on the network layer. For a complete overview, you should also consider taking a look at the configuration of the (web)apps in use, their source code (if possible), etc. A tool which may also help you "harden" your server is lynis (http://rootkit.nl).
Thanks Till and Ben, I will do as per your advice. I will configure ftps and force users to use it. We do have a separate mail server, so I will stop the mail services as well. Thanks and regards.
Do not stop the mail services. Mail services are needed for several internal purposes on a Linux system. The default mail setup in ispconfig 3 is secure and nobody can send emails without having a mail user account, so just leave it as it is.