Difference between revisions of "Server cesurity"
| (13 intermediate revisions by the same user not shown) | |||
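--- a/Server cesurity
+++ b/Server cesurity
@@ -1 +1 @@
-==
+== set locales==
-
+dpkg-reconfigure locales
-
-
 == Деактивиране на root ==
-
 може да се ползва sudo или да махнем ssh root login
@@ -26 +23 @@
 AllowUsers username
+== Вход с ключ==
+[[Ssh login без парола]]
 ==LAMP==
@@ -35 +34 @@
 libswitch-perl mysql-client-5.5 mysql-common mysql-server mysql-server-5.5
 mysql-server-core-5.5 perl perl-modules psmisc
+
+
+apt-get install apache2
+apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common file
+libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcap2
+libmagic1 mime-support openssl ssl-cert
+
+apt-get install php5
+apache2-mpm-prefork libapache2-mod-php5 libonig2 libqdbm14 libxml2 php5
+php5-cli php5-common sgml-base xml-core
+
+apt-get install phpmyadmin
+dbconfig-common fontconfig-config libfontconfig1 libgd2-xpm libjpeg8
+libltdl7 libmcrypt4 php5-gd php5-mcrypt php5-mysql phpmyadmin
+ttf-dejavu-core
+
+==check version==
+apt-cache policy openssl
+......
+== LAMP ==
+
+apt-get update
+apt-get install apache2
+apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
+apt-get install php5 libapache2-mod-php5 php5-mcrypt
+
+== mail ==
+
+apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
+
+mysqladmin -p create servermail
+
+GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword'
+
+FLUSH PRIVILIGES;
+
+CREATE TABLE `virtual_domains` (
+`id` INT NOT NULL AUTO_INCREMENT,
+`name` VARCHAR(50) NOT NULL,
+PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `virtual_users` (
+`id` INT NOT NULL AUTO_INCREMENT,
+`domain_id` INT NOT NULL,
+`password` VARCHAR(106) NOT NULL,
+`email` VARCHAR(120) NOT NULL,
+PRIMARY KEY (`id`),
+UNIQUE KEY `email` (`email`),
+FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE `virtual_aliases` (
+`id` INT NOT NULL AUTO_INCREMENT,
+`domain_id` INT NOT NULL,
+`source` varchar(100) NOT NULL,
+`destination` varchar(100) NOT NULL,
+PRIMARY KEY (`id`),
+FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+
+INSERT INTO `servermail`.`virtual_domains`
+(`id` ,`name`)
+VALUES
+('1', 'example.com'),
+('2', 'hostname.example.com');
+
+INSERT INTO `servermail`.`virtual_users`
+(`id`, `domain_id`, `password` , `email`)
+VALUES
+('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'),
+('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');
+
+
+INSERT INTO `servermail`.`virtual_aliases`
+(`id`, `domain_id`, `source`, `destination`)
+VALUES
+('1', '1', 'alias@example.com', 'email1@example.com');
+
+== postfix ==
+cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
+nano /etc/postfix/main.cf
+
+...
+
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+
+virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
+virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
+virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
+..
+
+nano /etc/postfix/mysql-virtual-mailbox-domains.cf
+
+user = usermail
+password = mailpassword
+hosts = 127.0.0.1
+dbname = servermail
+query = SELECT 1 FROM virtual_domains WHERE name='%s'
+
+
+nano /etc/postfix/mysql-virtual-alias-maps.cf
+
+user = usermail
+password = mailpassword
+hosts = 127.0.0.1
+dbname = servermail
+query = SELECT destination FROM virtual_aliases WHERE source='%s'
+
+postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf
+
+If you want to enable port 587 to connect securely with email clients, it is necessary to modify the /etc/postfix/master.cf file
+
+
+nano /etc/postfix/master.cf
+
+We need to uncomment these lines and append other parameters:
+
+
+submission inet n - - - - smtpd
+-o syslog_name=postfix/submission
+-o smtpd_tls_security_level=encrypt
+-o smtpd_sasl_auth_enable=yes
+-o smtpd_client_restrictions=permit_sasl_authenticated,reject
+
+In some cases, we need to restart Postfix to ensure port 587 is open.
+
+service postfix restart
+
+==dovecot==
+
+cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
+cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
+cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
+cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig
+cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
+cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig
+
+nano /etc/dovecot/dovecot.conf
+
+Verify this option is uncommented.
+
+!include conf.d/*.conf
+
+We are going to enable protocols (add pop3 if you want to) below the !include_try /usr/share/dovecot/protocols.d/*.protocol line.
+
+
+!include_try /usr/share/dovecot/protocols.d/*.protocol
+protocols = imap lmtp
+...
+
+nano /etc/dovecot/conf.d/10-mail.com
+
+== postfixAndSASL ==
+https://wiki.debian.org/PostfixAndSASL
+
+fail2ban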
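Review bot: The mailbox passwords in the `INSERT INTO servermail.virtual_users` statement are typed into the MySQL client in clear text (`ENCRYPT('firstpassword', …)`), so they are recorded in ~/.mysql_history and in any enabled query log, and the salt is derived from MySQL's RAND(), which is not a cryptographic generator. Hash outside the database instead, e.g. with `doveadm pw -s SHA512-CRYPT`, and insert the resulting `$6$…` string as a plain literal, which is what the VARCHAR(106) column is sized for. The two Postfix map files store the lookup credential as `password = mailpassword`, and files under /etc/postfix are typically world-readable, so restrict them to root and the postfix group (`chgrp postfix /etc/postfix/mysql-*.cf && chmod 640 /etc/postfix/mysql-*.cf`). Two smaller defects: `FLUSH PRIVILIGES;` is misspelled and will be rejected as a syntax error, and main.cf references `mysql-virtual-mailbox-maps.cf`, which the page never creates. The dovecot section stops at `nano /etc/dovecot/conf.d/10-mail.com` (the file is 10-mail.conf, as the backup line above it shows), so the auth, SQL and SSL configuration is not reviewable here.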
Latest revision as of 06:04, 16 July 2014
set locales
dpkg-reconfigure locales
Деактивиране на root
може да се ползва sudo или да махнем ssh root login
vi /etc/ssh/sshd_config
#LoginGraceTime 2m #PermitRootLogin no #StrictModes yes #MaxAuthTries 6
Make the line look like this to disable logging in through ssh as root.
PermitRootLogin no
Now restart the SSH daemon so the change takes effect. Run `sshd -t` first to catch a syntax error, and keep your current session open until a fresh login succeeds so a mistake cannot lock you out. On Debian/Ubuntu (the distributions the apt-get commands below apply to) the init script is named `ssh` (`/etc/init.d/ssh restart` or `service ssh restart`); `sshd` is the name on RHEL-family systems:
/etc/init.d/sshd restart
Allow SSH logins only for specific users (`AllowUsers` in sshd_config; everyone else is refused even with a valid password or key):
AllowUsers username
Вход с ключ (key-based login): see the page "Ssh login без парола". Once key login is confirmed working, also set `PasswordAuthentication no` in sshd_config so password guessing against the remaining accounts is no longer possible.
LAMP
apt-get install mysql-server
heirloom-mailx libaio1 libclass-isa-perl libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18 libnet-daemon-perl libplrpc-perl libswitch-perl mysql-client-5.5 mysql-common mysql-server mysql-server-5.5 mysql-server-core-5.5 perl perl-modules psmisc
apt-get install apache2
apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common file
libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcap2 libmagic1 mime-support openssl ssl-cert
apt-get install php5
apache2-mpm-prefork libapache2-mod-php5 libonig2 libqdbm14 libxml2 php5 php5-cli php5-common sgml-base xml-core
apt-get install phpmyadmin
dbconfig-common fontconfig-config libfontconfig1 libgd2-xpm libjpeg8 libltdl7 libmcrypt4 php5-gd php5-mcrypt php5-mysql phpmyadmin ttf-dejavu-core
check version
apt-cache policy openssl ......
LAMP
apt-get update apt-get install apache2 apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql apt-get install php5 libapache2-mod-php5 php5-mcrypt
apt-get install postfix postfix-mysql dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql
mysqladmin -p create servermail
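-- Schema and seed data for the Postfix/Dovecot virtual-mail lookups.
-- Run in the MySQL client as root, after `mysqladmin -p create servermail`.
-- Every password and hostname below is a placeholder to be replaced.

-- Lookup account shared by the Postfix mysql-*.cf map files and Dovecot.
-- The lookups only ever read, so SELECT is the whole grant; the account is
-- bound to 127.0.0.1 so it cannot be used from another host.
-- Use a long random value instead of 'mailpassword' and copy exactly that
-- value into the map files.
GRANT SELECT ON servermail.* TO 'usermail'@'127.0.0.1' IDENTIFIED BY 'mailpassword';

-- The original read "PRIVILIGES", which MySQL rejects as a syntax error.
FLUSH PRIVILEGES;

-- The CREATE TABLE statements below are not database-qualified (only the
-- INSERTs are), so select the database first or the tables land wherever
-- the client currently is.
USE servermail;

-- Domains this server accepts mail for (virtual_mailbox_domains lookup).
CREATE TABLE `virtual_domains` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(50) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Mailboxes. `password` holds a crypt(3)-style hash, never the clear text;
-- 106 characters fits a '$6$' (SHA512-CRYPT) string with a 16-char salt.
-- Deleting a domain removes its mailboxes via ON DELETE CASCADE.
CREATE TABLE `virtual_users` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `domain_id` INT NOT NULL,
  `password` VARCHAR(106) NOT NULL,
  `email` VARCHAR(120) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `email` (`email`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- Forwarding addresses: mail for `source` is delivered to `destination`
-- (virtual_alias_maps lookup).
CREATE TABLE `virtual_aliases` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `domain_id` INT NOT NULL,
  `source` VARCHAR(100) NOT NULL,
  `destination` VARCHAR(100) NOT NULL,
  PRIMARY KEY (`id`),
  FOREIGN KEY (domain_id) REFERENCES virtual_domains(id) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `servermail`.`virtual_domains`
  (`id`, `name`)
VALUES
  ('1', 'example.com'),
  ('2', 'hostname.example.com');

-- NOTE(review): ENCRYPT() with a '$6$' salt does yield a hash Dovecot's
-- SHA512-CRYPT scheme accepts, but the clear-text password is typed into
-- the client (so it lands in ~/.mysql_history and any query log) and the
-- salt is derived from RAND(), which is not a cryptographic generator.
-- Prefer hashing outside the database, e.g. `doveadm pw -s SHA512-CRYPT`,
-- and inserting the resulting string as a plain literal.
INSERT INTO `servermail`.`virtual_users`
  (`id`, `domain_id`, `password`, `email`)
VALUES
  ('1', '1', ENCRYPT('firstpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email1@example.com'),
  ('2', '1', ENCRYPT('secondpassword', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'email2@example.com');

INSERT INTO `servermail`.`virtual_aliases`
  (`id`, `domain_id`, `source`, `destination`)
VALUES
  ('1', '1', 'alias@example.com', 'email1@example.com');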
postfix
cp /etc/postfix/main.cf /etc/postfix/main.cf.orig nano /etc/postfix/main.cf
...
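# /etc/postfix/main.cf (additions)
# Hand mail for the virtual domains to Dovecot over its LMTP socket instead
# of local delivery.
virtual_transport = lmtp:unix:private/dovecot-lmtp

# All three lookups read the servermail database through the read-only
# usermail account configured in the mysql-*.cf files.
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
# NOTE(review): this page only shows mysql-virtual-mailbox-domains.cf and
# mysql-virtual-alias-maps.cf. The per-mailbox file referenced on the next
# line must be created as well (same user/password/hosts/dbname, with a
# query against virtual_users, e.g. SELECT 1 FROM virtual_users WHERE email='%s'),
# or Postfix will fail every mailbox lookup.
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf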
nano /etc/postfix/mysql-virtual-mailbox-domains.cf
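# /etc/postfix/mysql-virtual-mailbox-domains.cf
# Holds the database password in clear text: make it readable only by root
# and the postfix group (chgrp postfix, chmod 640) — files under /etc/postfix
# are typically world-readable by default.
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
# %s is the domain Postfix is checking; any returned row means "ours".
# Postfix SQL-quotes the key before substitution (see mysql_table(5)).
query = SELECT 1 FROM virtual_domains WHERE name='%s'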
nano /etc/postfix/mysql-virtual-alias-maps.cf
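# /etc/postfix/mysql-virtual-alias-maps.cf
# Same credential as the domains map, so the same file permissions apply:
# root:postfix, mode 640.
user = usermail
password = mailpassword
hosts = 127.0.0.1
dbname = servermail
# %s is the recipient address; the result is where the mail is forwarded.
# Postfix SQL-quotes the key before substitution (see mysql_table(5)).
query = SELECT destination FROM virtual_aliases WHERE source='%s'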
postmap -q alias@example.com mysql:/etc/postfix/mysql-virtual-alias-maps.cf
If you want to enable port 587 to connect securely with email clients, it is necessary to modify the /etc/postfix/master.cf file
nano /etc/postfix/master.cf
We need to uncomment these lines and append other parameters:
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
In some cases, we need to restart Postfix to ensure port 587 is open.
service postfix restart
dovecot
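# Back up every Dovecot file edited below before touching it.
# (These were collapsed onto one line; as a single command `cp a b cp c d ...`
# would copy everything into the last argument.)
cp /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.orig
cp /etc/dovecot/conf.d/10-mail.conf /etc/dovecot/conf.d/10-mail.conf.orig
cp /etc/dovecot/conf.d/10-auth.conf /etc/dovecot/conf.d/10-auth.conf.orig
# dovecot-sql.conf.ext will carry the DB credential once configured;
# keep it, and its .orig copy, from being world-readable.
cp /etc/dovecot/dovecot-sql.conf.ext /etc/dovecot/dovecot-sql.conf.ext.orig
cp /etc/dovecot/conf.d/10-master.conf /etc/dovecot/conf.d/10-master.conf.orig
cp /etc/dovecot/conf.d/10-ssl.conf /etc/dovecot/conf.d/10-ssl.conf.orig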
nano /etc/dovecot/dovecot.conf
Verify this option is uncommented.
!include conf.d/*.conf
We are going to enable protocols (add pop3 if you want to) below the !include_try /usr/share/dovecot/protocols.d/*.protocol line.
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
...
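# The file is 10-mail.conf (it is backed up under that name above); ".com" was a typo.
nano /etc/dovecot/conf.d/10-mail.conf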
postfixAndSASL
https://wiki.debian.org/PostfixAndSASL
fail2ban