Hello again. I used your ISP setup on Fedora 4. This is my first Linux webserver, so new questions come up all the time. I've now been running this setup on one server for two months, and just installed another one about a week ago. The setup is basically unchanged from the tutorial; how secure is this? The question is now how do I secure the server from attacks.
- I would like to get logs on attacks etc. from the server daily.
- I would like to protect SSH etc. from brute force.
- Suggestions on modifications from the default setup to make it more secure.
- And anything else to make it Fort Knox....
What is the max e-mail size in Postfix as standard, and how do I change this..... Well, quite many questions.... It sums up to: how do I secure my server so it doesn't get hacked (I know it can't be 100% secure).
Have a look at portsentry and logcheck. http://www.howtoforge.com/preventing_ssh_dictionary_attacks_with_denyhosts What's the output of
Code:
postconf -n | grep message_size_limit
and
Code:
postconf -d | grep message_size_limit
?
The output of postconf -n | grep message_size_limit is nothing.... The output of postconf -d | grep message_size_limit is:
Code:
message_size_limit = 10240000
Thanks for the tips on securing the server... Is this a guide that will work for me on Fedora with portsentry and logcheck (keep in mind that I'm a noob)... http://www.falkotimme.com/howtos/chkrootkit_portsentry/ Should I also install chkrootkit for "antivirus", or is there something else.... A few additional questions...
- I see the server gives output on telnet... Should I just shut down telnet.... I can't think of anything I need it for? It just gives away information on the software I'm running on my server, and gives the hacker a head start?
- Are there any online scanners for testing my server?
- Is there a limit for how many e-mail addresses one can have under one domain?
Thanks again for helping me out
If you want to have another message_size_limit, run
Code:
postconf -e 'message_size_limit = 20480000'
, for example, and restart Postfix afterwards. It should work for you. But the version numbers have increased; this tutorial is a little bit old. Have a look here: http://www.howtoforge.com/faq/1_38_en.html I think you mean the telnet client, not the server. The telnet client is ok. No.
Yeah, I messed up. I mean the fact that when I use a machine on the internet with a telnet client and write "telnet myip 80", I get output on my webserver version: "Apache 2.0.54 (Fedora)". Same with mail and other stuff. Doesn't this kind of feedback give hackers an advantage in knowing versions and system?
I didn't explain what I meant well.... When I use a telnet client against port 80 at my server it replies
Code:
<address>Apache/2.0.54 (Fedora) Server at localhost Port 80</address>
And at port 25 it replies
Code:
www.domain.com ESMTP Postfix
Port 110:
Code:
+OK AVG POP3 Proxy Server 7.1.371/7.1.385 [268.2.6/287]
Isn't this useful information for hackers? Is it possible to make my server not reply with this.... Or am I making no sense now
You can configure these services to not show version numbers, but I don't have the exact configuration directives at hand. You may find this information in the documentation and the man pages of the programs.
Ok... Found it... If anyone else would like to do this: SSH to your Fedora box.
Code:
nano /etc/httpd/conf/httpd.conf
Type "ctrl+w" and search for "ServerSignature". Edit this to "ServerSignature off". You can also add "ServerTokens ProductOnly" in the line under it to show only Apache, not the version. Type "ctrl+x" and save your settings. Restart Apache:
Code:
/etc/init.d/httpd restart
Telnet etc. to your box and check. This should mask server version and services. Didn't find anything yet on Postfix, Dovecot, MySQL, ProFTPD and POP3.... Doesn't seem like port 81 gives out any info
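A small audit of the two directives the post above edits, written as an added example (it is not code from the thread or from the ISPConfig project). It applies Apache's own rules: the last occurrence of a directive wins, and a missing directive falls back to Apache's documented defaults (ServerTokens Full, ServerSignature Off). The two configuration snippets are constructed to show the state before and after the edit; on a real box you would read /etc/httpd/conf/httpd.conf instead.

```python
import re

# Apache defaults when a directive is absent: ServerTokens Full discloses the
# full version string, ServerSignature Off suppresses the error-page footer.
# (The Fedora stock httpd.conf set both explicitly, which is why the 404 page
# quoted earlier in the thread carried the version.)
DEFAULTS = {"servertokens": "full", "serversignature": "off"}

# Only these ServerTokens values hide the version number entirely.
SAFE_TOKENS = {"prod", "productonly"}

# Constructed sample configs: before and after the edit described in the post.
BEFORE_CONF = """\
ServerRoot "/etc/httpd"
ServerTokens OS
ServerSignature On
Listen 80
"""

AFTER_CONF = """\
ServerRoot "/etc/httpd"
ServerTokens ProductOnly
ServerSignature Off
Listen 80
"""

# Matches an uncommented directive at the start of a line (commented-out
# "#ServerTokens ..." lines are ignored, as Apache ignores them).
DIRECTIVE_RE = re.compile(
    r"^[ \t]*(ServerTokens|ServerSignature)[ \t]+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def effective_directives(conf_text):
    """Return the effective (lower-cased) value of both directives.

    Later occurrences override earlier ones, as in Apache; directives that
    never appear take Apache's default value.
    """
    values = dict(DEFAULTS)
    for match in DIRECTIVE_RE.finditer(conf_text):
        values[match.group(1).lower()] = match.group(2).lower()
    return values


def banner_findings(conf_text):
    """List what the config would still disclose; an empty list means the
    version is hidden from both the Server header and error pages."""
    values = effective_directives(conf_text)
    findings = []
    if values["servertokens"] not in SAFE_TOKENS:
        findings.append(
            f"ServerTokens {values['servertokens']} exposes the Apache version in the Server header"
        )
    if values["serversignature"] != "off":
        findings.append(
            f"ServerSignature {values['serversignature']} appends a version footer to error pages"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(name, banner_findings(conf) or ["hardened"])
```

Run it against the real file with `banner_findings(open("/etc/httpd/conf/httpd.conf").read())` after a restart; an empty list is the result the telnet check in the post should then confirm. Hiding the banner only removes a convenience for an attacker, so keeping the packages patched matters more than the directive itself.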
After running postconf -e 'message_size_limit = 20480000' I get:
Code:
[root@www ~]# postconf -d | grep message_size_limit
message_size_limit = 10240000
[root@www ~]# postconf -n | grep message_size_limit
message_size_limit = 20480000
Which is outgoing/incoming?
Code:
postconf -d | grep message_size_limit
prints the default value,
Code:
postconf -n | grep message_size_limit
your current setting. So the latter prints what is currently effective.
After getting the logs from logcheck I'm wondering what these attacks are...
Code:
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 67.104.249.10 port 51704 ssh2
I haven't got SSH on port 51704, so why does it say failed password..
Please post the output of
Code:
netstat -tap
Do you have portsentry installed? In that case portsentry detected that login try and logged it.
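The log line quoted in the question is written by sshd itself: "port 51704" is the source port the remote client connected from (a fresh ephemeral port per connection), not the port sshd listens on. The following parser is an added example, not code from the thread or from logcheck, and shows how the daily log review the original poster asked for can turn such lines into a per-source count: many failures for many different, mostly nonexistent, usernames from one address is the dictionary-attack pattern that tools like DenyHosts (linked earlier in the thread) react to. The log lines are constructed, using documentation IP ranges.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd line quoted above. The "port NNNNN" field is the client's
# source port, which is why it never equals the port sshd listens on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

# Constructed sample log: one address cycling through guessed usernames,
# one legitimate user who mistyped a password once, and an unrelated line.
SAMPLE_LOG = """\
Mar 23 00:31:06 www sshd[2320]: Failed password for invalid user soul from 198.51.100.7 port 51704 ssh2
Mar 23 00:31:09 www sshd[2322]: Failed password for invalid user admin from 198.51.100.7 port 51710 ssh2
Mar 23 00:31:12 www sshd[2324]: Failed password for root from 198.51.100.7 port 51715 ssh2
Mar 23 00:31:15 www sshd[2326]: Failed password for invalid user test from 198.51.100.7 port 51721 ssh2
Mar 23 00:31:18 www sshd[2328]: Failed password for invalid user oracle from 198.51.100.7 port 51730 ssh2
Mar 23 01:02:44 www sshd[2401]: Failed password for alice from 203.0.113.9 port 40112 ssh2
Mar 23 01:02:50 www sshd[2401]: Accepted password for alice from 203.0.113.9 port 40112 ssh2
Mar 23 01:05:01 www proftpd[5430]: www.example (127.0.0.1[127.0.0.1]) - FTP session opened.
"""


def parse_failures(log_text):
    """Yield (ip, user, source_port) for every sshd password failure."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), int(m.group("port"))


def brute_force_sources(log_text, threshold=5):
    """Return {ip: (failure_count, sorted distinct usernames)} for every
    source address with at least `threshold` failures.

    A single failure from a real user is normal noise; a burst of failures
    across many usernames from one address is the pattern worth blocking.
    """
    counts = Counter()
    users = defaultdict(set)
    for ip, user, _port in parse_failures(log_text):
        counts[ip] += 1
        users[ip].add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


def source_ports(log_text, ip):
    """Distinct client source ports seen from one address. They differ on
    every connection, which answers the "why port 51704?" question."""
    return sorted({port for src, _u, port in parse_failures(log_text) if src == ip})


if __name__ == "__main__":
    for ip, (n, names) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, usernames tried: {', '.join(names)}")
        print(f"  client source ports: {source_ports(SAMPLE_LOG, ip)}")
```

On the server this would read /var/log/secure (where Fedora's sshd logs) instead of the embedded sample; the threshold and time window are the knobs to tune before feeding the result to something like /etc/hosts.deny, and the concern raised later in the thread about dial-up and DHCP users applies: a blocked address can be reassigned to someone else, so blocks should expire.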
netstat -tap output:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:41318 *:* LISTEN 2220/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 www.xxx.xxx:783 *:* LISTEN 2672/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2203/portmap
tcp 0 0 *:81 *:* LISTEN 2898/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 static47.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static49.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:domain *:* LISTEN 26203/named
tcp 0 0 www.xxx.xx:ipp *:* LISTEN 10121/cupsd
tcp 0 0 www.xxx.xx:5335 *:* LISTEN 2412/mDNSResponder
tcp 0 0 *:smtp *:* LISTEN 4706/master
tcp 0 0 www.xxx.xx:rndc *:* LISTEN 26203/named
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 *:imaps *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3s *:* LISTEN 2592/dovecot
tcp 0 0 *:pop3 *:* LISTEN 2592/dovecot
tcp 0 0 *:imap *:* LISTEN 2592/dovecot
tcp 0 0 *:http *:* LISTEN 13136/httpd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:https *:* LISTEN 13136/httpd
tcp 0 888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
What's this one?:
Code:
tcp 0 0 static48.xxx.xx:41390 host196.101.vtm-net.ev:http ESTABLISHED 3044/freshclam
Some other info in the logs that got me worried is that this happens every 30 min (from logcheck):
Code:
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session opened.
Mar 26 00:30:02 www proftpd[5430]: www.xxx.xxx (127.0.0.1[127.0.0.1]) - FTP session closed
And lots of these (from logcheck):
Code:
Mar 25 05:57:45 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 209.142.136.142#53
Mar 25 05:57:47 www named[26203]: unexpected RCODE (REFUSED) resolving '55.165.161.72.in-addr.arpa/PTR/IN': 207.230.192.252#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'rose.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/A/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sunflower.man.poznan.pl/AAAA/IN': 150.254.65.7#53
Mar 25 09:51:15 www named[26203]: unexpected RCODE (REFUSED) resolving 'sol.put.poznan.pl/A/IN': 150.254.65.7#53
Am I hacked, or what is going on here? I installed logcheck and chkrootkit, and set them up with cron to run every night. I also changed the SSH port to a non-standard one. I haven't installed portsentry yet.... I'm a bit unsure if it's the right thing for me. With dial-up users and DHCP I can't just put addresses in hosts.deny; wouldn't this cause problems? Should I install a firewall too, in addition to the one in ISPConfig?
That's freshclam. It belongs to ClamAV and updates your virus signatures. Nothing to worry about. That's the ISPConfig monitoring script that checks if the important services like web, ftp, etc. are still running. If it finds they aren't, the monitoring script sends you an email. It might cause problems if someone gets an IP address that's in /etc/hosts.deny. No. You can use one firewall at a time, but not mix several ones.
Thanks again for your help, falko! I can't even begin to describe how much easier your help and howtos have made the change from Windows servers to Linux. What about the messages from named... nothing abnormal?
I haven't seen something like this before, so I can't say. If your system is able to resolve domains, it should be ok.
I did a portscan from ISPConfig:
Code:
Port 21 (tcp) is open (ftp)!
Port 25 (tcp) is open (smtp)!
Port 53 (tcp) is open (domain)!
Port 80 (tcp) is open (http)!
Port 81 (tcp) is open (unknown)!
Port 110 (tcp) is open (pop3)!
Port 111 (tcp) is open (sunrpc)!
Port 143 (tcp) is open (imap)!
Port 443 (tcp) is open (https)!
Port 631 (tcp) is open (ipp)!
Port 783 (tcp) is open (unknown)!
Port 953 (tcp) is open (rndc)!
Port 993 (tcp) is open (imaps)!
Port 995 (tcp) is open (pop3s)!
Port 3306 (tcp) is open (mysql)!
Port 5335 (tcp) is open (unknown)!
Port 41318 (tcp) is open (unknown)!
Port 42141 (tcp) is open (unknown)!
Port 43025 (tcp) is open (unknown)!
The setup in the ISPConfig firewall is:
Code:
Name       Port  Type  Active
FTP        21    tcp   yes
SSH        22    tcp   yes
SMTP       25    tcp   yes
DNS        53    tcp   yes
DNS        53    udp   yes
WWW        80    tcp   yes
ISPConfig  81    tcp   yes
POP3       110   tcp   yes
SSL (www)  443   tcp   yes
Why are all these other ports (that are not configured in the firewall) open?
You cannot test your firewall with the ISPConfig portscan. The ISPConfig script that scans the ports runs on your server, i.e. inside the firewall. Try to find a portscanner that you can run on your workstation and scan your server from there.
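To make the reply above concrete: the netstat output and the firewall rule table posted earlier in the thread can be cross-checked against each other, which tells you what is listening and what the firewall rules claim, but not whether the firewall actually drops the rest; only a scan from outside answers that. The script below is an added example, not code from the thread or from ISPConfig. It embeds a constructed subset of the posted `netstat -tap` output (hostnames masked as in the post) and the posted tcp rules, and uses an embedded service-name table instead of reading /etc/services so it runs anywhere.

```python
import re

# Service name -> port for the names that appear in the netstat output
# (standard /etc/services values, embedded so the example needs no file).
SERVICES = {
    "ftp": 21, "smtp": 25, "domain": 53, "http": 80, "pop3": 110,
    "sunrpc": 111, "imap": 143, "https": 443, "ipp": 631, "rndc": 953,
    "imaps": 993, "pop3s": 995, "mysql": 3306,
}

# Constructed subset of the `netstat -tap` output posted in the thread.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:41318 *:* LISTEN 2220/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 2572/mysqld
tcp 0 0 www.xxx.xxx:783 *:* LISTEN 2672/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2203/portmap
tcp 0 0 *:81 *:* LISTEN 2898/ispconfig_http
tcp 0 0 *:ftp *:* LISTEN 4527/proftpd: (acce
tcp 0 0 www.xxx.xx:ipp *:* LISTEN 10121/cupsd
tcp 0 0 *:smtp *:* LISTEN 4706/master
tcp 0 0 *:23314 *:* LISTEN 20893/sshd
tcp 0 0 *:pop3 *:* LISTEN 2592/dovecot
tcp 0 0 *:http *:* LISTEN 13136/httpd
tcp 0 0 localhost:rndc *:* LISTEN 26203/named
tcp 0 0 *:https *:* LISTEN 13136/httpd
tcp 0 888 static48.xxx.xx:23314 static67.xxx.xxx:63425 ESTABLISHED 25776/0
"""

# The tcp rules from the ISPConfig firewall table posted in the thread.
FIREWALL_ALLOWED_TCP = {21, 22, 25, 53, 80, 81, 110, 443}

# One LISTEN row: local "addr:port-or-name", foreign address, state, program.
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\S+)\s+\S+\s+LISTEN\s+(\S+)")


def listeners(netstat_text):
    """Return [(port, bound_address, program)] for every TCP LISTEN socket.
    netstat prints a service name where /etc/services knows the port."""
    result = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header line or a non-listening (e.g. ESTABLISHED) socket
        addr, svc, prog = m.groups()
        port = int(svc) if svc.isdigit() else SERVICES[svc]
        result.append((port, addr, prog))
    return result


def exposure_report(netstat_text, allowed_tcp):
    """Group listeners by what the firewall table says about them:
    loopback - bound to localhost, unreachable from outside whatever the rules say
    allowed  - public listener on a port the rules open on purpose
    blocked  - public listener on a port with no rule; the firewall should drop
               it, but only an external scan proves that it does
    """
    report = {"loopback": [], "allowed": [], "blocked": []}
    for port, addr, prog in listeners(netstat_text):
        if addr in ("localhost", "127.0.0.1"):
            report["loopback"].append((port, prog))
        elif port in allowed_tcp:
            report["allowed"].append((port, prog))
        else:
            report["blocked"].append((port, prog))
    return report


if __name__ == "__main__":
    for group, entries in exposure_report(NETSTAT_OUTPUT, FIREWALL_ALLOWED_TCP).items():
        print(group)
        for port, prog in sorted(entries):
            print(f"  {port:>6}  {prog}")
```

Two things the report makes visible on this server: sshd listens on 23314 while the firewall table still opens 22, so that rule does not match the service it is named after and deserves a second look; and every "blocked" listener (portmap, rpc.statd, spamd, cupsd, mysqld) is a daemon that either should bind to localhost only or should not run on an internet-facing mail and web server at all. Reducing what listens is the one step that does not depend on getting the firewall right.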