Archive for the 'Security' Category

SBDavid

Exporting NFS File Systems

To allow a client access to a filesystem or directory, the /etc/exports file serves as the access control list.

To give the network "lan.serverbuddies.com" read-only access to /public_docs, the entry in /etc/exports would look as follows:

/public_docs *.lan.serverbuddies.com(ro,sync)

Security: it is very important NOT to give write access to NFS clients unless absolutely needed. Entries in /etc/exports are exported read-only ("ro" option) by default.

To allow the servers lan1, lan2 and lan3 read-write access to the /backup/setup directory, the entry in /etc/exports would look as follows:

/backup/setup lan1.serverbuddies.com(rw,sync) lan2.serverbuddies.com(rw,sync) lan3.serverbuddies.com(rw,sync)

Note that options MUST NOT be separated from hostnames or networks by whitespace: a space before the parenthesised options turns them into a separate entry that applies to every client (*), while the host itself gets the defaults. Also use fully qualified domain names to diminish spoofing attempts.

All entries in /etc/exports are exported with the root_squash option ("root squashing") by default. This means that the root user on a client machine does not get root privileges (root access) on root-owned files in exported NFS filesystems/directories. It is not recommended to turn root squashing off using the no_root_squash option!

After you’ve made all your entries in /etc/exports, you can export all filesystems/directories using the following command:

# exportfs -a

To unexport all shared filesystems/directories, run:

# exportfs -ua

To see all shared filesystems/directories, run:

# showmount -e localhost

Export list for localhost:

/public_docs *.lan.serverbuddies.com
/backup/setup lan1.serverbuddies.com lan2.serverbuddies.com lan3.serverbuddies.com
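The pitfalls described in this post (whitespace before the option list, no_root_squash, read-write exports to every client) are easy to miss by eye. The following audit script is an added example, not part of the original post: it runs awk over an exports file and reports each risky entry. The sample file it writes to /tmp is constructed for offline use; on a real server point audit_exports at /etc/exports before running exportfs -a.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/exports-style entries
# for the pitfalls described in the post.

# Constructed sample exports file so the check runs offline.
SAMPLE_EXPORTS="${TMPDIR:-/tmp}/exports.sample.$$"
cat > "$SAMPLE_EXPORTS" <<'EOF'
# fine: read-only, sync, scoped to a domain
/public_docs *.lan.serverbuddies.com(ro,sync)
# fine: read-write, but only for named hosts
/backup/setup lan1.serverbuddies.com(rw,sync) lan2.serverbuddies.com(rw,sync)
# bad: the space before (rw,sync) gives lan3 the defaults and rw to everyone
/scratch lan3.serverbuddies.com (rw,sync)
# bad: root on the client keeps root on this export
/export/home lan1.serverbuddies.com(rw,sync,no_root_squash)
# bad: writable by any host that can reach the NFS server
/tmp/share *(rw,sync)
EOF

# audit_exports FILE
# Prints one "FILE:LINE: PATH: problem" line per finding.
# Returns 1 if anything was found, 0 if the file looks clean.
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        tok = $i
        host = tok; opts = ""
        if (match(tok, /\(.*\)$/)) {              # split host(opts)
          host = substr(tok, 1, RSTART - 1)
          opts = substr(tok, RSTART + 1, RLENGTH - 2)
        }
        if (host == "") {                          # "(opts)" on its own applies to *
          report(path, "option list " tok " is separated from its host by whitespace; exportfs applies it to every client (*)")
          host = "*"
        }
        if (opts ~ /(^|,)no_root_squash(,|$)/)
          report(path, "no_root_squash for " host)
        if (host == "*" && opts ~ /(^|,)rw(,|$)/)
          report(path, "read-write export to all clients")
      }
    }
    function report(p, msg) { print FILENAME ":" NR ": " p ": " msg; found = 1 }
    END { exit found ? 1 : 0 }
  ' "$1"
}

audit_exports "$SAMPLE_EXPORTS" || echo "-> fix the entries above before running exportfs -a"
```

The host-versus-wildcard test is deliberately strict: `*.lan.serverbuddies.com` is not flagged, only a bare `*` or an option list with no host in front of it.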
SBDavid

Securing Sendmail

Note that it is recommended to use Postfix over Sendmail for various security reasons.

On newer Linux systems Sendmail is configured to run in the background for local mail delivery and not to accept incoming network connections. If your server is not a mail or relay server, then it is important that Sendmail is not accepting incoming network connections from any host other than the local server.

The default sendmail.cf configuration file on Red Hat does not allow Sendmail to accept incoming network connections. The following setting in /etc/mail/sendmail.cf tells Sendmail not to accept incoming network connections from hosts other than the local node:

DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

If that’s not the case on your system, you can change it by setting or uncommenting the DAEMON_OPTIONS parameter in the /etc/mail/sendmail.mc file.

Uncomment the DAEMON_OPTIONS line in /etc/mail/sendmail.mc to read:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Then run:

# mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.old
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

To verify whether Sendmail is still listening for incoming network requests, you can run one of the following commands from another node (make sure that you have permission to probe the machine):

# nmap -sT -p 25 [ip address]
# telnet [ip address] 25
SBDavid

Securing Postfix

Postfix is a replacement for Sendmail that has several security advantages over it. Postfix consists of several small programs, each performing one small task, and almost all of them run in a chroot jail. These are just a few of the reasons why Postfix is recommended over Sendmail.

Linux servers that are not dedicated mail or relay servers should not accept external emails. However, it is important for production servers to send local emails to a relay server.

Before you continue on a Red Hat system, make sure Postfix is activated using the following command:

# alternatives --set mta /usr/sbin/sendmail.postfix

The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:

mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost

The parameter mydestination lists all domains to receive emails for. The parameter inet_interfaces specifies the network interface addresses to listen on.

Once you’ve configured Postfix, restart the mail system with the following command:

# /etc/init.d/postfix restart

To verify whether Postfix is still listening for incoming network requests, you can run one of the following commands from another node:

# nmap -sT -p 25 [ip address]
# telnet [ip address] 25

Don’t run these commands on the local host since Postfix is supposed to accept connections from the local node.
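The nmap/telnet probe in this post and in the Sendmail post above needs a second machine. As an added example (not part of either original post), the check below answers the same question from the mail server itself: it reads the listener table as printed by `ss -ltn` (or `netstat -ltn`, whose local-address column sits in the same position) and reports whether the SMTP port is bound to loopback only. The two listener tables in the block are constructed samples in that format, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original posts): check locally which addresses
# the SMTP listener is bound to, from "ss -ltn" / "netstat -ltn" style output.

# check_smtp_binding [PORT]   (default 25); reads listener lines on stdin.
# Prints one line per matching socket; returns 1 if any is bound to a
# non-loopback address.
check_smtp_binding() {
  awk -v port="${1:-25}" '
    $1 == "LISTEN" || $NF == "LISTEN" {           # ss puts State first, netstat last
      n = split($4, parts, ":")                   # local address:port, port is last
      p = parts[n]
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)
      seen = 1
      if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") {
        print "ok: port " p " listens on loopback only (" addr ")"
      } else {
        print "EXPOSED: port " p " listens on " addr
        exposed = 1
      }
    }
    END {
      if (!seen) print "ok: nothing listening on port " port
      exit exposed ? 1 : 0
    }'
}

# Constructed sample outputs in the "ss -ltn" layout (not captured from a real host).
SAFE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      100    [::1]:25           [::]:*'

EXPOSED_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAFE_LISTENERS" | check_smtp_binding
printf '%s\n' "$EXPOSED_LISTENERS" | check_smtp_binding \
  || echo "-> bind to 127.0.0.1 (inet_interfaces / DAEMON_OPTIONS) and restart the MTA"
```

On a real server run `ss -ltn | check_smtp_binding`; an `EXPOSED` line for port 25 means the inet_interfaces (Postfix) or DAEMON_OPTIONS (Sendmail) change above has not taken effect, usually because the daemon was not restarted or the wrong MTA is selected via alternatives.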

Allowing connections to the SSH service from one IP using APF

You want to deny all IPs from connecting to the shell/ssh service on your server and allow only one, or a select few, to connect, using the APF firewall.

The APF firewall can deny ALL connections to ssh and allow only a single IP, or a select few, to connect to your server.

Login to your server as the root user.

cd /etc/apf
vi /etc/apf/allow_hosts.rules

Add the following in:

tcp:in:d=22:s=IP-ADDRESS
out:d=22:d=IP-ADDRESS

The d=22 part is the port, so you can repeat for other services as well to limit connections if you like.

Save the changes.

vi /etc/apf/deny_hosts.rules

Add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

Restart the APF firewall:

apf -r
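Because the deny rules above block port 22 for 0/0, a typo in allow_hosts.rules (or forgetting to save it) locks you out the moment APF restarts. The script below is an added example, not part of the original post: it reads the two rule files in the syntax shown above and refuses to pass if any inbound tcp port denied to 0/0 has no allow_hosts entry. The rule files it writes to /tmp are constructed samples; 203.0.113.10 is a documentation address standing in for your own workstation.

```shell
#!/bin/sh
# Added example (not from the original post): lockout check for APF rule files
# before running "apf -r".

# apf_lockout_check ALLOW_FILE DENY_FILE
# For every "tcp:in:d=PORT:s=0/0" line in DENY_FILE, require at least one
# "tcp:in:d=PORT:s=<address>" line in ALLOW_FILE. Returns 1 if one is missing.
apf_lockout_check() {
  allow=$1; deny=$2; rc=0
  # inbound tcp ports denied to the whole world
  for port in $(awk -F: '$1 == "tcp" && $2 == "in" && $3 ~ /^d=/ && $4 == "s=0/0" \
                           { sub(/^d=/, "", $3); print $3 }' "$deny"); do
    # sources still allowed to reach that port (anything but 0/0)
    sources=$(awk -F: -v p="$port" '$1 == "tcp" && $2 == "in" && $3 == ("d=" p) \
                                    && $4 ~ /^s=/ && $4 != "s=0/0" \
                                    { sub(/^s=/, "", $4); print $4 }' "$allow")
    if [ -n "$sources" ]; then
      echo "ok: port $port closed to the world, allowed from: $(printf '%s ' $sources)"
    else
      echo "LOCKOUT RISK: port $port is denied to 0/0 but has no allow_hosts.rules entry"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample rule files (203.0.113.10 is a documentation-range address).
ALLOW="${TMPDIR:-/tmp}/apf.allow.$$"
DENY_OK="${TMPDIR:-/tmp}/apf.deny_ok.$$"
DENY_BAD="${TMPDIR:-/tmp}/apf.deny_bad.$$"
cat > "$ALLOW" <<'EOF'
# the admin workstation
tcp:in:d=22:s=203.0.113.10
out:d=22:d=203.0.113.10
EOF
cat > "$DENY_OK" <<'EOF'
tcp:in:d=22:s=0/0
out:d=22:d=0/0
EOF
cat > "$DENY_BAD" <<'EOF'
tcp:in:d=22:s=0/0
out:d=22:d=0/0
# no allow entry exists for 3306, so this cuts off every client
tcp:in:d=3306:s=0/0
EOF

apf_lockout_check "$ALLOW" "$DENY_OK"
apf_lockout_check "$ALLOW" "$DENY_BAD" \
  || echo "-> add an allow entry (or drop the deny line) before apf -r"
```

On a live server call it as `apf_lockout_check /etc/apf/allow_hosts.rules /etc/apf/deny_hosts.rules && apf -r`, so the restart only happens when the check passes.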
SBDavid

Suhosin Install Guide

Suhosin is an advanced protection system for PHP installations.

It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination.

The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second part is a powerful PHP extension that implements all the other protections.

Download http://www.hardened-php.net/suhosin/download.html


Installing the Extension

Source - http://download.suhosin.org/suhosin-0.9.29.tgz

# wget http://download.suhosin.org/suhosin-0.9.29.tgz

The next step is unpacking the extension tarball and performing the usual compilation steps for PHP extensions.

#> tar xzvf suhosin-0.9.29.tgz
#> cd suhosin*
#> phpize
#> ./configure
#> make
#> make install

This should install suhosin in the correct extension directory. The final step is adding a load directive to php.ini:

extension=suhosin.so

Now copy suhosin.so to /usr/lib/php/extensions which php.ini points to.

Checking PHP

Find where your current php.ini is, and then add the suhosin.so extension line to that php.ini:

php -i | grep php.ini

Check your /var/log/messages for Suhosin's log entries.
