Archive for the ‘Debian’ Category
Hardening guide for Postfix 2.x
- Make sure that Postfix is running under a non-root account:
ps aux | grep postfix | grep -v '^root'
- Change the permissions and ownership of the paths below:
chmod 755 /etc/postfix
chmod 644 /etc/postfix/*.cf
chmod 755 /etc/postfix/postfix-script*
chmod 755 /var/spool/postfix
chown root:root /var/log/mail*
chmod 600 /var/log/mail*
- Edit the file /etc/postfix/main.cf using vi and make the following changes:
- Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example:
myhostname = myserver.example.com
- Configure the network interface addresses that the Postfix service should listen on, for example:
inet_interfaces = 192.168.1.1
- Configure the trusted networks, for example:
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
- Configure the SMTP server to masquerade outgoing email as coming from your DNS domain, for example:
myorigin = example.com
- Configure the local SMTP domain, for example:
mydomain = example.com
- Configure which SMTP domains to relay messages to, for example:
relay_domains = example.com
- Configure SMTP Greeting Banner:
smtpd_banner = $myhostname
- Limit exposure to denial-of-service attacks:
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 10485760
smtpd_recipient_limit = 100
- Restart the Postfix daemon:
service postfix restart
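As an added example (not part of the original guide and not a Postfix tool), the POSIX shell script below audits a main.cf against the values listed above. It parses the file directly instead of calling postconf, so it also works on a copied config offline; the names audit_postfix_maincf, postfix_get_param and write_sample_maincf are chosen here, and the sample main.cf it writes is constructed for the demonstration. Site-specific parameters (myhostname, mynetworks, and so on) are only checked for presence, since the guide gives example values for them, while the banner and denial-of-service settings are compared against the exact values above. Like Postfix itself, the check takes the last assignment of a parameter as the effective one.

```shell
#!/bin/sh
# Audit a Postfix main.cf against the hardening values from the guide above.
# Added example: audit_postfix_maincf, postfix_get_param and write_sample_maincf
# are names chosen here, not Postfix tools. The file is parsed directly (no
# postconf call) so the check also works on a copied config, offline.
# Limitation: multi-line (indented continuation) values are not joined.

# postfix_get_param FILE PARAM: print the effective value of PARAM, i.e. the
# last uncommented "PARAM = value" line, which is how Postfix applies it.
postfix_get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# audit_postfix_maincf FILE: print one line per parameter and return 0 only
# when every parameter from the guide is present with the expected value.
audit_postfix_maincf() {
    file=$1
    rc=0
    # Site-specific parameters: the guide gives only example values, so
    # these are checked for presence, not for a particular value.
    for param in myhostname inet_interfaces mynetworks myorigin mydomain relay_domains; do
        if [ -z "$(postfix_get_param "$file" "$param")" ]; then
            echo "MISSING $param"
            rc=1
        fi
    done
    # Fixed values from the banner and denial-of-service sections.
    for pair in 'smtpd_banner=$myhostname' 'default_process_limit=100' \
                'smtpd_client_connection_count_limit=10' \
                'smtpd_client_connection_rate_limit=30' \
                'queue_minfree=20971520' 'header_size_limit=51200' \
                'message_size_limit=10485760' 'smtpd_recipient_limit=100'; do
        param=${pair%%=*}
        want=${pair#*=}
        got=$(postfix_get_param "$file" "$param")
        if [ -z "$got" ]; then
            echo "MISSING $param (want $want)"
            rc=1
        elif [ "$got" != "$want" ]; then
            echo "DIFFERS $param = $got (want $want)"
            rc=1
        else
            echo "OK      $param = $got"
        fi
    done
    return $rc
}

# write_sample_maincf FILE: constructed sample config for the demonstration
# (not from a real server). Two deliberate findings: message_size_limit is
# above the recommended value and smtpd_recipient_limit is absent.
write_sample_maincf() {
    cat > "$1" <<'EOF'
# constructed sample main.cf
myhostname = myserver.example.com
inet_interfaces = 192.168.1.1
mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1
myorigin = example.com
mydomain = example.com
relay_domains = example.com
smtpd_banner = $myhostname
default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
queue_minfree = 20971520
header_size_limit = 51200
message_size_limit = 52428800
EOF
}

# Usage on a live system:  sh audit_postfix.sh /etc/postfix/main.cf
# With no argument, the constructed sample is audited instead.
if [ $# -gt 0 ]; then
    audit_postfix_maincf "$1"
    exit $?
fi
sample=$(mktemp)
write_sample_maincf "$sample"
if audit_postfix_maincf "$sample"; then
    echo "sample: clean"
else
    echo "sample: findings present"
fi
rm -f "$sample"
```

Because a smaller limit than the guide's is stricter, not weaker, a differing value is reported as DIFFERS rather than as a failure to be blindly "fixed"; read the line and decide.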
Hardening guide for BIND9 (Debian platform)
- Make sure that BIND is running under a non-root account:
ps aux | grep bind | grep -v '^root'
- Change the permissions and ownership of the paths below:
chown -R root:bind /etc/bind
chown root:bind /etc/bind/named.conf*
chmod 640 /etc/bind/named.conf*
- Edit the file /etc/bind/named.conf.options using vi and add the following settings under the “options” section:
- Add the line below to replace the DNS version banner:
version "Secured DNS server";
Note: To test, run the command below:
dig +short @localhost version.bind chaos txt
- Add the line below to restrict recursive queries to trusted clients:
allow-recursion { localhost; 192.168.0.0/24; };
Note 1: Replace 192.168.0.0/24 with the trusted internal network segments and subnet mask.
Note 2: To test, run the command below:
nslookup www.google.com
- Add the line below to restrict query origins to trusted clients:
allow-query { localhost; 192.168.0.0/24; };
Note: Replace 192.168.0.0/24 with the trusted internal network segments and subnet mask.
- Add the line below to disable the nameserver ID:
server-id none;
- Add the line below to restrict which hosts can perform zone transfers:
allow-transfer { 192.168.1.1; };
Note: Replace 192.168.1.1 with the trusted DNS server.
- Add the line below to restrict the DNS server to listening on specific interfaces:
listen-on port 53 { 127.0.0.1; 192.168.1.1; };
Note: Replace 192.168.1.1 with the IP address of the DNS server.
- Restart the DNS daemon:
service bind9 restart
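As an added example (not part of the original guide and not a BIND tool), the POSIX shell script below audits a named.conf.options file for the statements above: it flags any of the access-control statements (allow-recursion, allow-query, allow-transfer, listen-on) that is missing or opened to "any", a missing version override, and a server-id other than none. The names bind_get_option, audit_named_options and write_sample_named_options are chosen here, and the sample file it writes is constructed for the demonstration, with zone transfers deliberately left open so that the audit has something to report. Comments are stripped before matching; nested brace blocks are not handled.

```shell
#!/bin/sh
# Audit a BIND9 named.conf.options against the settings from the guide above.
# Added example: bind_get_option, audit_named_options and
# write_sample_named_options are names chosen here, not BIND tools.
# Comments (//, #, /* */) are stripped before matching; nested brace blocks
# and quoted strings containing ';' are not handled.

# bind_get_option FILE NAME: print the value of the first NAME statement, i.e.
# everything between NAME and its terminating ';' (a brace block keeps its
# braces), or nothing if the statement is absent.
bind_get_option() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' \
        | sed -e 's:/\*[^*]*\*/::g' \
        | grep -oE "(^|[[:space:];{])$2[[:space:]]+[^;{]*([{][^}]*[}])?[[:space:]]*;" \
        | head -n 1 \
        | sed -e "s/^[[:space:];{]*$2[[:space:]]*//" -e 's/;$//'
}

# audit_named_options FILE: print one line per setting and return 0 only
# when every setting from the guide is present and restrictive.
audit_named_options() {
    file=$1
    rc=0
    # Access-control statements: must exist and must not be opened to "any".
    for opt in allow-recursion allow-query allow-transfer listen-on; do
        val=$(bind_get_option "$file" "$opt")
        if [ -z "$val" ]; then
            echo "MISSING $opt"
            rc=1
        elif echo "$val" | grep -qw any; then
            echo "OPEN    $opt $val"
            rc=1
        else
            echo "OK      $opt $val"
        fi
    done
    # Information-disclosure settings: version banner and server-id.
    ver=$(bind_get_option "$file" version)
    if [ -z "$ver" ]; then
        echo "MISSING version (the real BIND version is exposed)"
        rc=1
    else
        echo "OK      version $ver"
    fi
    sid=$(bind_get_option "$file" server-id)
    if [ "$sid" != "none" ]; then
        echo "WEAK    server-id ${sid:-<unset>} (want none)"
        rc=1
    else
        echo "OK      server-id none"
    fi
    return $rc
}

# write_sample_named_options FILE: constructed sample for the demonstration
# (not from a real server). Deliberate finding: allow-transfer is "any".
write_sample_named_options() {
    cat > "$1" <<'EOF'
// constructed sample named.conf.options
options {
    directory "/var/cache/bind";
    version "Secured DNS server";
    allow-recursion { localhost; 192.168.0.0/24; };
    allow-query { localhost; 192.168.0.0/24; };
    server-id none;
    allow-transfer { any; };  /* deliberate finding: open zone transfers */
    listen-on port 53 { 127.0.0.1; 192.168.1.1; };
};
EOF
}

# Usage on a live system:  sh audit_named.sh /etc/bind/named.conf.options
# With no argument, the constructed sample is audited instead.
if [ $# -gt 0 ]; then
    audit_named_options "$1"
    exit $?
fi
sample=$(mktemp)
write_sample_named_options "$sample"
if audit_named_options "$sample"; then
    echo "sample: clean"
else
    echo "sample: findings present"
fi
rm -f "$sample"
```

A static check of the file complements, rather than replaces, the dig and nslookup tests given in the notes above: the file shows what is configured, the queries show what the running daemon actually answers after the restart.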