Security

Postfix and Dovecot with StartSSL certificates

Dovecot:

% cat ssl.crt sub.class1.server.ca.crt > /etc/ssl/dovecot/certs/dovecot.pem
% cp ssl.key /etc/ssl/dovecot/private/dovecot.pem
% cp ca-bundle.crt /etc/ssl/apache2/

dovecot.conf:

ssl_cert_file = /etc/ssl/dovecot/certs/dovecot.pem
ssl_key_file = /etc/ssl/dovecot/private/dovecot.pem
ssl_ca_file = /etc/ssl/apache2/ca-bundle.crt

http://nooms.de/articles/startssl.html

Postfix:

% mv ssl.crt cert.pem
% mv ssl.key key.pem

main.cf:

## TLS parameters ##

smtpd_use_tls=yes
smtpd_tls_cert_file=/etc/ssl/postfix/cert.pem
smtpd_tls_key_file=/etc/ssl/postfix/key.pem
smtp_tls_CAfile = /etc/ssl/apache2/ca.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

http://forum.startcom.org/viewtopic.php?t=80

By WladyX on 9 November, 2009 | General, Mail, Security | A comment?

Linux Security Notes – AIDE File Integrity

cat /etc/aide/aide.conf
# AIDE conf

database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new

# Change this to "no" or remove it to not gzip output
# (only useful on systems with few CPU cycles to spare)
gzip_dbout=yes

# Here are all the things we can check - these are the default rules
#
#p:      permissions
#i:      inode
#n:      number of links
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#md5:    md5 checksum
#sha1:   sha1 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#R:      p+i+n+u+g+s+m+c+md5
#L:      p+i+n+u+g
#E:      Empty group
#>:      Growing logfile p+u+g+i+n+S
#haval:         haval checksum
#gost:          gost checksum
#crc32:         crc32 checksum

# Defines formerly set here have been moved to /etc/default/aide.

# Custom rules
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Next decide what directories/files you want in the database

# Kernel, system map, etc.
=/boot$ Binlib
# Binaries
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/usr/local/bin Binlib
/usr/local/sbin Binlib
#/usr/games Binlib
# Libraries
/lib Binlib
/usr/lib Binlib
/usr/local/lib Binlib
# Log files
=/var/log$ StaticDir
#!/var/log/ksymoops
/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
!/var/log/aide
/var/log Logs
# Devices
!/dev/pts
# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
# you may uncomment this to get rid of them. They're harmless but sometimes
# annoying.
#!/dev/cpu/mtrr
#!/dev/xconsole
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
!/var/run
# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# You can look through these examples to get further ideas

# MD5 sum files - especially useful with debsums -g
#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1

# Check crontabs
#/var/spool/anacron/cron.daily Databases
#/var/spool/anacron/cron.monthly Databases
#/var/spool/anacron/cron.weekly Databases
/var/spool/cron Databases
#/var/spool/cron/crontabs Databases

# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages

# docs
#/usr/doc ManPages
#/usr/share/doc ManPages

# check users' home directories
/home Binlib

# check sources for modifications
/usr/src L
#/usr/local/src L

# Check headers for same
#/usr/include L
#/usr/local/include L

Linux Security Notes – AIDE File Integrity | HowtoForge – Linux Howtos and Tutorials

By WladyX on 19 October, 2009 | General, Security | A comment?

Linux Keylogger – Snoopy logger


SourceForge.net: Snoopy Logger

By WladyX on 18 February, 2008 | General, Security | A comment?

Securing the /tmp partion

Mount /tmp with noexec, nodev and nosuid flags. In most cases, a simpletmpfs ramdisk with a maximum size of 100 MB should be enough. Justinsert this line into /etc/fstab, and do a “mount /tmp” afterwards:

tmpfs /tmp tmpfs nodev,noexec,nosuid,size=100M,mode=1777 0 0

If a scriptkiddie still manages to drop a file in /tmp, there is no wayto execute it.

Gentoo Forums

By WladyX on 30 November, 2006 | General, Security | A comment?