web analytics

Archive for August, 2013

Hardening guide for Postfix 2.x

  1. Make sure the Postfix is running with non-root account:
    ps aux | grep postfix | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chmod 755 /etc/postfix
    chmod 644 /etc/postfix/*.cf
    chmod 755 /etc/postfix/postfix-script*
    chmod 755 /var/spool/postfix
    chown root:root /var/log/mail*
    chmod 600 /var/log/mail*
  3. Edit using VI, the file /etc/postfix/main.cf and add make the following changes:
    • Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
      myhostname = myserver.example.com
    • Configure network interface addresses that the Postfix service should listen on, for example:
      inet_interfaces = 192.168.1.1
    • Configure Trusted Networks, for example:
      mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
    • Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example:
      myorigin = example.com

    • Configure the SMTP domain destination, for example:
      mydomain = example.com
    • Configure to which SMTP domains to relay messages to, for example:
      relay_domains = example.com
    • Configure SMTP Greeting Banner:
      smtpd_banner = $myhostname
    • Limit Denial of Service Attacks:
      default_process_limit = 100
      smtpd_client_connection_count_limit = 10
      smtpd_client_connection_rate_limit = 30
      queue_minfree = 20971520
      header_size_limit = 51200
      message_size_limit = 10485760
      smtpd_recipient_limit = 100
  4. Restart the Postfix daemon:
    service postfix restart

Hardening guide for BIND9 (Debian platform)

  1. Make sure the Bind is running with non-root account:
    ps aux | grep bind | grep -v '^root'
  2. Change permissions and ownership on the destinations below:
    chown -R root:bind /etc/bind
    chown root:bind /etc/bind/named.conf*
    chmod 640 /etc/bind/named.conf*
  3. Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the “Options” section:
    • Add the line below to replace DNS version banner:
      version "Secured DNS server";
      Note: In-order to test, run the command below:
      dig +short @localhost version.bind chaos txt
    • Add the line below to restrict recursive queries to trusted clients:
      allow-recursion { localhost; 192.168.0.0/24; };
      Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
      Note 2: In-order to test, run the command below:
      nslookup www.google.com
    • Add the line below to restrict query origins to trusted clients:
      allow-query { localhost; 192.168.0.0/24; };
      Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask.
    • Add the line below to Nameserver ID:
      server-id none;
    • Add the line below to restrict which hosts can perform zone transfers:
      allow-transfer { 192.168.1.1; };
      Note: Replace 192.168.1.1 with the trusted DNS server.
    • Add the line below to restrict the DNS server to listen to specific interfaces:
      listen-on port 53 { 127.0.0.1; 192.168.1.1; };
      Note: Replace 192.168.1.1 with the IP address of the DNS server.
  4. Restart the DNS daemon:
    service bind9 restart