Security

Ubuntu Automatic Updates

sudo apt-get install unattended-upgrades

/etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};

/etc/apt/apt.conf.d/10periodic:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

log: /var/log/unattended-upgrades
source
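A small checker for the two files above, written as an added example (not code from the post or from the unattended-upgrades package): it parses the subset of apt.conf syntax the snippets use, merges both files, and reports whether the `lucid-security` origin and the periodic switches are actually enabled. The config strings are copies of the post's own lines; `audit_unattended` and its finding texts are this example's invention.

```python
import re

# Copies of the two snippets from the post above, kept as strings so the
# checker runs without touching /etc/apt.
ORIGINS_CONF = """\
Unattended-Upgrade::Allowed-Origins {
"Ubuntu lucid-security";
// "Ubuntu lucid-updates";
};
"""
PERIODIC_CONF = """\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
"""


def strip_comment(line):
    """Drop a '//' comment unless the '//' sits inside a quoted value (URLs)."""
    idx = line.find("//")
    while idx != -1:
        if line[:idx].count('"') % 2 == 0:
            return line[:idx]
        idx = line.find("//", idx + 1)
    return line


def parse_apt_conf(text):
    """Parse the apt.conf subset used above:
         Key::Sub "value";         -> conf[key] = "value"
         Key { "item"; "item"; };  -> conf[key] = ["item", "item"]
    Nested blocks, #clear and #include are not handled (hypothetical
    simplification for this example)."""
    conf, block = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if block is not None:
            if line.startswith("}"):
                block = None
            else:
                m = re.fullmatch(r'"([^"]*)"\s*;', line)
                if m:
                    conf[block].append(m.group(1))
            continue
        m = re.fullmatch(r'([\w:.+-]+)\s*\{', line)
        if m:
            block = m.group(1)
            conf.setdefault(block, [])
            continue
        m = re.fullmatch(r'([\w:.+-]+)\s+"([^"]*)"\s*;', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def audit_unattended(release, *texts):
    """Merge the parsed files and return a list of findings; an empty list
    means security updates for `release` are fetched and applied on their own."""
    conf = {}
    for t in texts:
        conf.update(parse_apt_conf(t))
    findings = []
    for key in ("APT::Periodic::Update-Package-Lists",
                "APT::Periodic::Unattended-Upgrade"):
        if conf.get(key) != "1":
            findings.append(f'{key} is not "1"')
    want = f"Ubuntu {release}-security"
    if want not in conf.get("Unattended-Upgrade::Allowed-Origins", []):
        findings.append(f'"{want}" missing from Allowed-Origins: '
                        "security fixes will not be applied")
    return findings


if __name__ == "__main__":
    for line in audit_unattended("lucid", ORIGINS_CONF, PERIODIC_CONF) or ["OK"]:
        print(line)
```

Point it at the real files with `audit_unattended("lucid", open("/etc/apt/apt.conf.d/50unattended-upgrades").read(), open("/etc/apt/apt.conf.d/10periodic").read())`; the release string must match the codename in the origin line, which is the usual thing that silently breaks after a dist-upgrade.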

By WladyX on 2 July, 2010 | Scripts, Security, Ubuntu | A comment?

lshell

lshell lets you restrict a user’s shell environment to limited sets of commands, choose to enable or disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user’s commands, implement timing restrictions, and more.

source

By WladyX on 7 May, 2010 | Cool Apps, General, Link, Scripts, Security, Ssh | A comment?

Logwatch with Metalog on Gentoo

By WladyX on 21 April, 2010 | General, Gentoo, Scripts, Security | A comment?

Proxy internal site with Apache’s Proxy module

reverse proxy

source

By WladyX on 14 April, 2010 | Apache, General, Security | A comment?

Postfix and Dovecot with StartSSL certificates

Dovecot:

% cat ssl.crt sub.class1.server.ca.crt > /etc/ssl/dovecot/certs/dovecot.pem
% cp ssl.key /etc/ssl/dovecot/private/dovecot.pem
% cp ca-bundle.crt /etc/ssl/apache2/

dovecot.conf:

ssl_cert_file = /etc/ssl/dovecot/certs/dovecot.pem
ssl_key_file = /etc/ssl/dovecot/private/dovecot.pem
ssl_ca_file = /etc/ssl/apache2/ca-bundle.crt

http://nooms.de/articles/startssl.html

Postfix:

% mv ssl.crt cert.pem
% mv ssl.key key.pem

main.cf:

## TLS parameters ##

smtpd_use_tls=yes
smtpd_tls_cert_file=/etc/ssl/postfix/cert.pem
smtpd_tls_key_file=/etc/ssl/postfix/key.pem
smtp_tls_CAfile = /etc/ssl/apache2/ca.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

http://forum.startcom.org/viewtopic.php?t=80
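The `cat ssl.crt sub.class1.server.ca.crt > dovecot.pem` step is where chains usually go wrong (intermediate missing, blocks in the wrong order, or the key concatenated into a readable file). The following is an added example, not code from the post or from Dovecot/Postfix: it checks the structure of the resulting PEM files. The PEM bodies are constructed placeholders, not real certificates; `check_cert_bundle`, `check_key_file` and `check_installed` are this example's own names.

```python
import os
import re
import stat

# Constructed stand-ins for ssl.crt, sub.class1.server.ca.crt and ssl.key:
# PEM-shaped text only, so the structural checks can run offline.
LEAF = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgTEVBRg==\n"
        "-----END CERTIFICATE-----\n")
INTERMEDIATE = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgSU5URVJNRURJQVRF\n"
                "-----END CERTIFICATE-----\n")
KEY = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n"
       "-----END RSA PRIVATE KEY-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, block_text), ...] for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def check_cert_bundle(bundle_text, leaf_text):
    """Checks for the concatenated certificate file: the server certificate
    (leaf_text) must come first, the intermediate must follow it, and no
    private key may have ended up in this readable file."""
    findings = []
    blocks = pem_blocks(bundle_text)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    leaf = [b for label, b in pem_blocks(leaf_text) if label == "CERTIFICATE"]
    if len(certs) < 2:
        findings.append("bundle needs the server certificate followed by the "
                        "issuing intermediate; without it clients cannot build a chain")
    if not certs or not leaf or certs[0] != leaf[0]:
        findings.append("server certificate must be the first block in the bundle")
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        findings.append("a private key is inside the certificate file; it belongs "
                        "only in ssl_key_file / smtpd_tls_key_file")
    return findings


def check_key_file(key_text, mode):
    """The key file must hold exactly one private key and be readable by its
    owner only (mode 0600); `mode` is the permission bits of the file."""
    findings = []
    keys = [b for label, b in pem_blocks(key_text) if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append("key file must contain exactly one private key")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is readable by group or others; expected mode 0600")
    return findings


def check_installed(bundle_path, leaf_path, key_path):
    """Run both checks on installed files, e.g. /etc/ssl/dovecot/certs/dovecot.pem,
    the original ssl.crt and /etc/ssl/dovecot/private/dovecot.pem."""
    with open(bundle_path) as f:
        bundle = f.read()
    with open(leaf_path) as f:
        leaf = f.read()
    with open(key_path) as f:
        key = f.read()
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    return check_cert_bundle(bundle, leaf) + check_key_file(key, mode)


if __name__ == "__main__":
    print(check_cert_bundle(LEAF + INTERMEDIATE, LEAF) or ["bundle OK"])
    print(check_key_file(KEY, 0o600) or ["key OK"])
```

This only checks file layout; whether the intermediate actually issued the leaf is a job for `openssl verify -CAfile ca-bundle.crt dovecot.pem` after the files are in place.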

By WladyX on 9 November, 2009 | General, Mail, Security | A comment?

Linux Security Notes – AIDE File Integrity

cat /etc/aide/aide.conf
# AIDE conf

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Here are all the things we can check - these are the default rules
#
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:   sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S
#haval:         haval checksum
#gost:          gost checksum
#crc32:         crc32 checksum

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Next decide what directories/files you want in the database

# Kernel, system map, etc.
=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
=/var/log$ StaticDir
#!/var/log/ksymoops
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
!/var/log/aide
/var/log Logs
# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
/home Binlib

# check sources for modifications
/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L

Linux Security Notes – AIDE File Integrity | HowtoForge – Linux Howtos and Tutorials
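The rule groups in that config are the part worth reading closely: `Databases = p+n+u+g` records no checksum, so under it only ownership and permission changes are noticed. The following is an added example, not code from the post or from AIDE itself: it expands the groups (including the built-ins listed in the comment block), parses the selection lines, shows which lines match a given path, and lists the groups that carry no content checksum. The `AIDE_CONF` string is a trimmed copy of the config above; function names are this example's own, and `lines_for` only reports overlapping matches without reproducing aide's own precedence rules (see aide.conf(5) for those).

```python
import re

# Built-in groups as listed in the comment block of the config above.
BUILTIN_GROUPS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g",
                  ">": "p+u+g+i+n+S", "E": ""}
# Keys in this file that are settings rather than rule groups.
SETTING_KEYS = {"database", "database_out", "gzip_dbout"}
# Attributes from the list above that hash the file contents.
CHECKSUM_ATTRS = {"md5", "sha1", "rmd160", "tiger", "haval", "gost", "crc32"}

# Trimmed copy of the config above: its rule groups and a few selection lines.
AIDE_CONF = """\
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
gzip_dbout=yes
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
=/boot$ Binlib
/bin Binlib
/usr/bin Binlib
=/var/log$ StaticDir
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
!/var/log/aide
/var/log Logs
/var/spool/cron Databases
/usr/src L
"""


def expand(expr, groups):
    """Expand 'p+i+md5' or 'Binlib' into a set of attributes, resolving group names."""
    attrs = set()
    for tok in filter(None, expr.split("+")):
        attrs |= groups[tok] if tok in groups else {tok}
    return attrs


def parse_aide_conf(text):
    """Return (settings, groups, selections); selections is a list of
    (kind, regex, attrs) with kind '' (recursive), '=' (entry only) or '!' (ignore)."""
    settings, groups, selections = {}, {}, []
    for name, expr in BUILTIN_GROUPS.items():
        groups[name] = expand(expr, groups)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # no '#' occurs inside this file's regexes
        if not line:
            continue
        if line[0] in "=!/":
            kind = line[0] if line[0] in "=!" else ""
            parts = line[len(kind):].split(None, 1)
            rule = parts[1].strip() if len(parts) > 1 else ""
            selections.append((kind, parts[0], expand(rule, groups)))
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(\S+)", line)
        if m and m.group(1) in SETTING_KEYS:
            settings[m.group(1)] = m.group(2)
        elif m:
            groups[m.group(1)] = expand(m.group(2), groups)
    return settings, groups, selections


def line_applies(regex, path):
    """aide anchors each selection regex at the start of the path, so '/bin'
    also covers '/bin/ls'; a trailing '$' (as in '=/boot$') pins it to one entry."""
    return re.match("^" + regex, path) is not None


def lines_for(path, selections):
    """Every selection line matching path, in file order (overlaps made visible;
    which one aide finally applies is aide's own rule)."""
    return [s for s in selections if line_applies(s[1], path)]


def groups_without_checksum(groups):
    """Groups that record only metadata: a change to file contents alone goes unnoticed."""
    return sorted(n for n, attrs in groups.items() if not attrs & CHECKSUM_ATTRS)


if __name__ == "__main__":
    settings, groups, selections = parse_aide_conf(AIDE_CONF)
    for path in ("/usr/bin/ssh", "/var/log/aide/aide.log.1.gz", "/var/spool/cron/crontabs/root"):
        print(path, [(k, r, sorted(a)) for k, r, a in lines_for(path, selections)])
    print("no checksum:", groups_without_checksum(groups))
```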

By WladyX on 19 October, 2009 | General, Security | A comment?

Linux Keylogger – Snoopy logger

By WladyX on 18 February, 2008 | General, Security | A comment?

Securing the /tmp partition

Mount /tmp with noexec, nodev and nosuid flags. In most cases, a simple tmpfs ramdisk with a maximum size of 100 MB should be enough. Just insert this line into /etc/fstab, and do a “mount /tmp” afterwards:

tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0

If a script kiddie still manages to drop a file in /tmp, there is no way to execute it.

Gentoo Forums
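A way to verify that the fstab line actually took effect on the running system, added here as an example (not code from the post or the Gentoo forum thread): it parses /proc/mounts or fstab lines, finds the mount at /tmp and reports which of nodev, noexec and nosuid are missing. The sample mount tables are constructed; `check_tmp` and `check_running_system` are this example's own names.

```python
REQUIRED_TMP_OPTS = {"nodev", "noexec", "nosuid"}

# Constructed samples: the fstab line from the post, a /proc/mounts snapshot
# with no separate /tmp at all, and one where /tmp is a tmpfs mounted with defaults.
FSTAB_OK = "tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0\n"
MOUNTS_NO_TMP = "/dev/sda1 / ext3 rw,relatime 0 0\nproc /proc proc rw 0 0\n"
MOUNTS_WEAK = "/dev/sda1 / ext3 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,relatime 0 0\n"


def parse_mounts(text):
    """Parse fstab or /proc/mounts lines; both use the
    'source target fstype options dump pass' layout."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        entries.append({"source": fields[0], "target": fields[1],
                        "fstype": fields[2], "options": set(fields[3].split(","))})
    return entries


def check_tmp(text, target="/tmp"):
    """Return findings for the mount at target; an empty list means it is a
    separate mount carrying nodev, noexec and nosuid."""
    entry = None
    for e in parse_mounts(text):
        if e["target"] == target:
            entry = e  # in /proc/mounts a later mount on the same target shadows earlier ones
    if entry is None:
        return [f"{target} is not a separate mount; it inherits the options "
                "of its parent filesystem"]
    findings = []
    missing = sorted(REQUIRED_TMP_OPTS - entry["options"])
    if missing:
        findings.append(f"{target} is mounted without " + ",".join(missing))
    if entry["fstype"] == "tmpfs" and not any(o.startswith("size=") for o in entry["options"]):
        findings.append(f"{target} tmpfs has no explicit size= cap (tmpfs defaults to half of RAM)")
    return findings


def check_running_system(target="/tmp"):
    """Apply check_tmp to the live mount table."""
    with open("/proc/mounts") as f:
        return check_tmp(f.read(), target)


if __name__ == "__main__":
    for name, table in (("fstab", FSTAB_OK), ("no /tmp", MOUNTS_NO_TMP), ("weak", MOUNTS_WEAK)):
        print(name, check_tmp(table) or ["OK"])
```

Worth keeping in mind when reading the check: noexec stops a dropped binary from being run directly, but an interpreter invoked explicitly on a script in /tmp still reads it, so the mount options are one layer rather than a guarantee; the same three options are equally applicable to /var/tmp and /dev/shm.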

By WladyX on 30 November, 2006 | General, Security | A comment?