Archive for October, 2009

SBDavid

Securing NFS

NFS (Network File System) allows servers to share files over a network. But like all network services, NFS involves risks.

If you don’t have shared directories to export, ensure that the NFS service is NOT enabled and running:

# service nfs status
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped

Then check whether it is enabled at boot using chkconfig:

# chkconfig --list nfs
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

You probably don’t need the portmap service either; it is used by NFS (the portmap daemon registers RPC-based services such as NFS and NIS):

# service portmap status
portmap is stopped

Then check its boot status using chkconfig:

# chkconfig --list portmap
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

NFS should not be enabled if not needed.
If you must use NFS, use TCP wrappers to restrict remote access.
Make sure you export to only those machines that you really need to.
Use fully qualified domain names to diminish spoofing attempts.
Export only directories you need to export.
Export read-only wherever possible.
Use NFS over TCP.

SBDavid

Exporting NFS File Systems

The /etc/exports file serves as the access control list that decides which clients may access a filesystem or directory.

To give the network “lan.serverbuddies.com” read-only access to /public_docs, the entry in /etc/exports would look as follows:

/public_docs *.lan.serverbuddies.com(ro,sync)

Security: It is very important NOT to give write access to NFS clients unless absolutely needed! Entries in /etc/exports are exported read-only ("ro" option) by default.

To allow the servers lan1, lan2 and lan3 read-write access to the /backup/setup directory, the entry in /etc/exports would look as follows:

/backup/setup lan1.serverbuddies.com(rw,sync) lan2.serverbuddies.com(rw,sync) lan3.serverbuddies.com(rw,sync)

Note that options MUST NOT be separated from hostnames or networks by whitespace: a space before the parenthesised options makes them apply to all clients instead of the named host, which gets only the default options. Use fully qualified domain names to diminish spoofing attempts.

All entries in /etc/exports are exported with the root_squash option ('root squashing') by default. This means that a root user on a client machine does not get root privileges (root access) on root-owned files in exported NFS filesystems/directories. It is not recommended to turn root squashing off using the no_root_squash option!

After you’ve made all your entries in /etc/exports, you can export all filesystems/directories using the following command:

# exportfs -a

To unexport all shared filesystems/directories, run:

# exportfs -ua

To see all shared filesystems/directories, run:

# showmount -e localhost

Export list for localhost:

/public_docs *.lan.serverbuddies.com
/backup/setup lan1.serverbuddies.com lan2.serverbuddies.com lan3.serverbuddies.com

SBDavid

Securing Sendmail

Note that it is recommended to use Postfix over Sendmail for various security reasons.

On newer Linux systems Sendmail is configured to run in the background for local mail delivery and not to accept incoming network connections. If your server is not a mail or relay server, it is important that Sendmail does not accept incoming network connections from any host other than the local server.

The default sendmail.cf configuration file on RedHat does not allow Sendmail to accept incoming network connections. The following setting in /etc/mail/sendmail.cf tells Sendmail not to accept incoming network connections from servers other than the local node:

DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

If that’s not the case on your system, you can change it by setting or uncommenting the DAEMON_OPTIONS parameter in the /etc/mail/sendmail.mc file.

Uncomment the DAEMON_OPTIONS line in /etc/mail/sendmail.mc to read:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Then run:

# mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

To verify whether Sendmail is still listening for incoming network requests, you can run one of the following commands from another node (make sure that you have permission to probe the machine):

# nmap -sT -p 25 [ip address]
# telnet [ip address] 25

SBDavid

Securing Postfix

Postfix is a replacement for Sendmail with several security advantages over it. Postfix consists of several small programs, each performing its own small task, and almost all of them run in a chroot jail. These are just a few of the reasons Postfix is recommended over Sendmail.

Linux servers that are not dedicated mail or relay servers should not accept external email. However, production servers still need to be able to send local email to a relay server.

Before you continue on a Red Hat system, make sure Postfix is activated using the following command:

# alternatives --set mta /usr/sbin/sendmail.postfix

The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:

mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost

The parameter mydestination lists all domains to receive email for. The parameter inet_interfaces specifies the network interfaces to listen on.

Once you’ve configured Postfix, restart the mail system with the following command:

# /etc/init.d/postfix restart

To verify whether Postfix is still listening for incoming network requests, you can run one of the following commands from another node:

# nmap -sT -p 25 [ip address]
# telnet [ip address] 25

Don’t run these commands on the local host since Postfix is supposed to accept connections from the local node.
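
As an added example (not from the original posts), the check below complements the remote nmap/telnet probe for both the Sendmail and Postfix configurations above: it reads `netstat -tln` style output on the server itself and reports any non-loopback address bound to port 25, which is exactly what the Addr=127.0.0.1 and inet_interfaces = localhost settings are meant to prevent. The netstat output it runs on is constructed.

```sh
#!/bin/sh
# Added example, not from the original posts: report the non-loopback addresses on which
# a TCP port is listening, from `netstat -tln` style output read on stdin.
# Usage on a real host: netstat -tln | nonlocal_listeners 25
nonlocal_listeners() {
    awk -v port="$1" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        n = split(addr, part, ":")       # the port follows the last ":" (also for :::25)
        if (part[n] != port) next
        ip = substr(addr, 1, length(addr) - length(part[n]) - 1)
        if (ip == "127.0.0.1" || ip == "::1") next
        print ip
    }'
}

# Returns 0 when SMTP is bound to loopback only, 1 when it is reachable from the network.
mta_is_local_only() {
    [ -z "$(nonlocal_listeners 25)" ]
}

# Constructed sample of `netstat -tln` output; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::25                   :::*                    LISTEN'

if printf '%s\n' "$SAMPLE_NETSTAT" | mta_is_local_only; then
    echo "SMTP is bound to loopback only"
else
    echo "SMTP is reachable from the network on:" $(printf '%s\n' "$SAMPLE_NETSTAT" | nonlocal_listeners 25)
fi
```

In the sample the IPv6 wildcard listener (:::25) is the one that would still answer remote connections even though the IPv4 socket is loopback-only.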

Allowing connections to the SSH service from one IP using APF

You want to deny all IPs from connecting to the shell/SSH service on your server and allow only one or a select few to connect, using the APF firewall.

APF can deny ALL connections to SSH and allow only a single IP or a select few to connect to your server.

Log in to your server as the root user.

cd /etc/apf
vi /etc/apf/allow_hosts.rules

Add the following in:

tcp:in:d=22:s=IP-ADDRESS
out:d=22:d=IP-ADDRESS

The d=22 part is the destination port, so you can repeat these entries for other services as well to restrict their connections if you like.

Save the changes.

vi /etc/apf/deny_hosts.rules

Add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

Restart the APF firewall:

apf -r
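
Because the deny rule blocks port 22 for every source, a typo in allow_hosts.rules locks out all SSH access the moment apf -r runs. The pre-restart check below is an added example, not part of the original post; the rule files it reads are constructed samples (192.0.2.10 is a documentation address standing in for the admin's IP) and the function defaults to the real files under /etc/apf.

```sh
#!/bin/sh
# Added example, not from the original post: before running `apf -r`, confirm that every
# port deny_hosts.rules blocks for the whole world (s=0/0) still has at least one
# allow_hosts.rules entry for a specific source, so the restart cannot lock out all SSH access.
apf_lockout_check() {
    allow=${1:-/etc/apf/allow_hosts.rules}
    deny=${2:-/etc/apf/deny_hosts.rules}
    status=0
    # ports denied to everyone: lines of the form tcp:in:d=PORT:s=0/0
    for port in $(sed -n 's|^tcp:in:d=\([0-9][0-9]*\):s=0/0$|\1|p' "$deny"); do
        # inbound allow entries for that port that name a real source rather than 0/0
        # (grep exits 1 on zero matches, so keep the count even then)
        n=$(grep "^tcp:in:d=$port:s=" "$allow" 2>/dev/null | grep -vc 's=0/0$' || true)
        if [ "$n" -gt 0 ]; then
            echo "port $port: denied to the world, allowed from $n specific source(s)"
        else
            echo "LOCKOUT RISK: port $port is denied to the world with no allow_hosts.rules entry"
            status=1
        fi
    done
    return $status
}

# Constructed sample rule files in a temp directory (the real ones live in /etc/apf);
# 192.0.2.10 is a documentation address standing in for the admin's IP.
SAMPLE_DIR=$(mktemp -d)
printf 'tcp:in:d=22:s=192.0.2.10\nout:d=22:d=192.0.2.10\n' > "$SAMPLE_DIR/allow_hosts.rules"
printf 'tcp:in:d=22:s=0/0\nout:d=22:d=0/0\n' > "$SAMPLE_DIR/deny_hosts.rules"

apf_lockout_check "$SAMPLE_DIR/allow_hosts.rules" "$SAMPLE_DIR/deny_hosts.rules"
```

On a real host run `apf_lockout_check && apf -r` so the restart only happens when the check passes.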