Koozali.org: home of the SME Server

Securing Down 6.0

Brian L.

Securing Down 6.0
« on: April 11, 2004, 06:57:49 AM »
Everyone,

After recovering from being hacked on my 5.6 box, I am getting paranoid about security on my 6.0 box.

How do you guys (or what do you use to) disable services, close ports, secure the filesystem, and scan for vulnerabilities/open ports?

This could make a good addition to the wiki.

Brian

Boris
Securing Down 6.0
« Reply #1 on: April 12, 2004, 07:41:40 PM »
What services and applications are you going to be using?
...

Brian

Securing Down 6.0
« Reply #2 on: April 19, 2004, 02:58:46 AM »
Well, various ones, per the usual SME user.

IMAP
SSH
HTTP
HTTPS
Webmail
VPN
POP3

It would also be nice to turn off unnecessary services, similar to the services contrib for 5.6. Does such a contrib exist for 6.0.1?

Brian

Hermie

Securing Down 6.0
« Reply #3 on: April 19, 2004, 06:21:47 AM »
You could use tools like Nessus to scan the external interface and rkhunter to look for rootkits and exploits.

Did you find out how you got broken into? That would be my first stop.

Boris
Securing Down 6.0
« Reply #4 on: April 19, 2004, 07:30:57 AM »
Quote from: "Brian"
It would also be nice to turn off unnecessary services similar to the services contrib for 5.6. Does such a contrib exist for 6.0.1?

Yes it does.
e-smith-service-control-1.1.0-06.noarch.rpm works with SME 6.x
Get it here: http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/dmay/mitel/contrib/e-smith-service-control/e-smith-service-control-1.1.0-06.noarch.rpm

Re: securing your box:
Will you have users accessing it via SSH and VPN? If you can avoid it, don't give shell accounts to users. Do a "background check" on the applications you are installing and exercise generally advisable security measures like good passwords, changed regularly, etc.
SME in the default installation is relatively secure. Every new change you make (create an account, install an application, open a VPN, etc.) lowers this default security. Don't do it more than you have to in order to achieve the functionality you need.
...

Anonymous

Securing Down 6.0
« Reply #5 on: April 21, 2004, 01:13:43 PM »
Brian

POP3 & IMAP - NOT secure if external access enabled, local access only is OK

SSH - OK secure

HTTP - NOT secure if you use passwords and logins on ibays

HTTPS - OK secure

Webmail - use https ONLY for external

VPN - OK secure


Regs
Ray
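Brian asked how to find and close ports, Hermie suggested scanning the external interface, and Ray's list draws the line at POP3/IMAP being reachable only locally. The script below is an added example written for this thread; it is not code from the SME Server project or from any contrib. It reads a `netstat -tlnp` listener table and classifies each TCP listener: bound to loopback or the LAN address is fine, an expected public port is fine, a local-only service bound to every interface is a warning, and anything else bound to every interface is an alert. The sample table, the two port lists and the 192.168. LAN prefix are constructed assumptions; edit them to match the services you actually run.

```shell
#!/bin/sh
# Added example (not from this thread or the SME Server project): audit the
# TCP listeners on a box against a simple exposure policy.
# On a live box:  netstat -tlnp | audit_listeners

# Constructed sample in the layout of `netstat -tlnp` (Proto Recv-Q Send-Q
# Local-Address Foreign-Address State PID/Program). Not captured from a real box;
# the ircd entry stands in for "a listener you did not knowingly install".
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN   512/sshd
tcp        0      0 0.0.0.0:80        0.0.0.0:*   LISTEN   640/httpd
tcp        0      0 0.0.0.0:443       0.0.0.0:*   LISTEN   640/httpd
tcp        0      0 0.0.0.0:110       0.0.0.0:*   LISTEN   701/pop3d
tcp        0      0 192.168.1.1:143   0.0.0.0:*   LISTEN   702/imapd
tcp        0      0 127.0.0.1:3306    0.0.0.0:*   LISTEN   733/mysqld
tcp        0      0 0.0.0.0:6667      0.0.0.0:*   LISTEN   901/ircd'

# Policy (assumptions for this example; adjust to the services you actually run):
EXPECTED_PUBLIC="22 80 443"   # may legitimately listen on all interfaces
LOCAL_ONLY="110 143 3306"     # acceptable on loopback or the LAN address only
LAN_PREFIX="192.168."         # address prefix of the internal interface

# audit_listeners: reads netstat output on stdin and prints one line per listener:
#   OK    - loopback/LAN bind, or an expected public service
#   WARN  - local-only service bound to every interface (Ray's POP3/IMAP case)
#   ALERT - a listener on every interface that is in neither list
audit_listeners() {
    awk -v pub="$EXPECTED_PUBLIC" -v loc="$LOCAL_ONLY" -v lan="$LAN_PREFIX" '
    BEGIN {
        n = split(pub, a, " "); for (i = 1; i <= n; i++) ispub[a[i]] = 1
        n = split(loc, b, " "); for (i = 1; i <= n; i++) isloc[b[i]] = 1
    }
    $1 == "tcp" && $6 == "LISTEN" {
        split($4, addr, ":"); ip = addr[1]; port = addr[2]
        prog = $7; sub(/^[0-9]+\//, "", prog)      # strip the PID/ prefix
        if (ip == "127.0.0.1" || index(ip, lan) == 1) {
            print "OK " port " " prog " bound to " ip " only"
        } else if (port in ispub) {
            print "OK " port " " prog " expected public service"
        } else if (port in isloc) {
            print "WARN " port " " prog " local-only service bound to all interfaces"
        } else {
            print "ALERT " port " " prog " unexpected listener on all interfaces"
        }
    }'
}

# audit_sample: run the audit over the constructed sample table.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
}

# count_findings LEVEL: number of sample findings at level OK, WARN or ALERT.
count_findings() {
    audit_sample | grep -c "^$1 " || true
}

# has_alerts: exit status 0 when the sample contains at least one ALERT line.
has_alerts() {
    audit_sample | grep -q '^ALERT '
}

if [ "${1:-}" = "--live" ]; then
    netstat -tlnp | audit_listeners
else
    audit_sample
fi
```

The netstat view is what the box itself offers, before any firewall or masquerading rules are applied. After fixing what this reports, confirm from a host outside your network what is really reachable, for example with `nmap -sT -p 1-65535 <external-ip>` or the Nessus scan Hermie mentioned; the two views should agree.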

Krisen

Is contribs.org taking security seriously?
« Reply #6 on: April 21, 2004, 05:34:06 PM »
For SSH, doesn't it depend on whether you upgrade to the latest OpenSSH rpms? There have been exploits announced in March. I have not seen any updates on the contribs.org site, so I had to go to rpmfind.net. I have also recently been hacked (rooted last week running SME 5.6). I'm not sure how the hacker got in, but I am now paranoid about having the latest patches for all exploits for the basic SME services (apache, php, ssh, proftpd, etc.).

It seems to me that security has taken a backburner in this new contribs.org release.  Does anyone else feel this way?

Quote from: "Anonymous"
Brian

POP3 & IMAP - NOT secure if external access enabled, local access only is OK

SSH - OK secure

HTTP - NOT secure if you use passwords and logins on ibays

HTTPS - OK secure

Webmail - use https ONLY for external

VPN - OK secure


Regs
Ray
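Ray marks SSH as "OK secure" and Krisen points out that this depends on keeping the daemon patched. Patch level aside, the settings in sshd_config decide how much an attacker can do against a listening sshd. The script below is an added example written for this thread, not code from OpenSSH or the SME Server project: it reads an sshd_config, resolves each keyword the way sshd does (comments ignored, keywords case-insensitive, first occurrence wins) and reports whether protocol 1, root login, password login and empty passwords are switched off. Both sample configs are constructed, and the values assumed for absent keywords are marked as assumptions in the code.

```shell
#!/bin/sh
# Added example (not from this thread, OpenSSH or the SME Server project):
# check the sshd settings that matter most on an Internet-facing box.
# On a live box:  audit_sshd < /etc/ssh/sshd_config

# Constructed sample configs, not taken from a real box.
WEAK_SSHD_CONFIG='# constructed: typical loose settings
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding no'

HARDENED_SSHD_CONFIG='# constructed: what we want to see
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no'

# sshd_setting KEY: print the effective value of KEY from the config on stdin,
# or "unset". Comment lines are skipped, keywords compare case-insensitively and
# the first occurrence wins, which is how sshd reads its config.
sshd_setting() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) && v == "" { v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# check KEY PATTERN DEFAULT: print a PASS/FAIL line for one keyword read from $cfg.
# DEFAULT is the value assumed when the keyword is absent (assumption, see comments
# at the call sites); PATTERN is the extended regex the effective value must match.
check() {
    val=$(printf '%s\n' "$cfg" | sshd_setting "$1")
    note=""
    if [ "$val" = "unset" ]; then
        val=$3
        note=" (keyword absent, assumed default)"
    fi
    if printf '%s' "$val" | grep -Eiq "$2"; then
        echo "PASS $1 = $val$note"
    else
        echo "FAIL $1 = $val$note (want $2)"
        fails=$((fails + 1))
    fi
}

# audit_sshd: config on stdin; one line per check; exit status = number of FAILs.
audit_sshd() {
    cfg=$(cat)
    fails=0
    check Protocol               '^2$'  '2,1'  # protocol 1 must be off entirely
    check PermitRootLogin        '^no$' 'yes'  # log in as a user, then su
    check PasswordAuthentication '^no$' 'yes'  # keys only; no guessable passwords
    check PermitEmptyPasswords   '^no$' 'no'
    return $fails
}

# fail_count: number of FAIL lines for the config on stdin.
fail_count() {
    audit_sshd | grep -c '^FAIL' || true
}

echo "== constructed weak config =="
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd || echo "$? setting(s) need attention"
echo "== constructed hardened config =="
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd && echo "all checks passed"
```

Two caveats before acting on a FAIL. Turn off PasswordAuthentication only after your own key is in place and tested from a second session, or you lock yourself out. And on SME Server the sshd_config file is generated from templates, so a hand edit is reverted at the next template expansion; make the change through the server-manager Remote access panel or a custom template fragment instead.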

Boris
Re: Is contribs.org taking security seriously?
« Reply #7 on: April 21, 2004, 08:12:08 PM »
Quote from: "Krisen"
It seems to me that security has taken a backburner in this new contribs.org release.  Does anyone else feel this way?

If you check the devinfo mailing list you will have the same feeling about the whole development.
Is it the beginning of the end?
...

Anonymous

Re: Is contribs.org taking security seriously?
« Reply #8 on: April 23, 2004, 11:27:03 PM »
Quote from: "Boris"
Quote from: "Krisen"
It seems to me that security has taken a backburner in this new contribs.org release.  Does anyone else feel this way?

If you check the devinfo mailing list you will have the same feeling about the whole development.
Is it the beginning of the end?


Devinfo has been so quiet recently, I don't know what to think.

Brenno
Securing Down 6.0
« Reply #9 on: April 24, 2004, 06:29:43 PM »
Well, if this isn't a cause for concern, what is??!!

Now that I keep hearing about these boxes being hacked, I grow anxious. One of my primary reasons for choosing e-smith, other than the cost, ease of use and reliability, was its inherent security. If the latter is no more, we're in trouble.

How can we be reassured that the security of these distros is still a primary goal?  I'd hate this software to go the way of Microsoft and let security take a back seat.

jcoleman

Securing Down 6.0
« Reply #10 on: April 24, 2004, 09:47:34 PM »
There are always concerns about boxes being hacked. That is life.

However, there are NO security issues with 6.x to be fixed at the moment.

The SSH exploit is only on the older boxen, not on 6.x.    There have been NO reports of hack attempts where there was any information that could lead us to believe that an exploit was available under the current rev.

While Brian reported his box being hacked, remember that his hacked box was an older version with known exploits available.

BTW, if SME Server is dead, why are our usage stats on the website going up by an average of 300K hits per month?  We should get almost 3 million hits this month alone.

One of the issues that caused consternation in the community with the Mitel version was that they end-of-lifed their versions about every 6 months. That caused great problems in the field with upgrading boxes to remain current.

SME Server is committed to giving a longer term life cycle to the distro than Mitel did.  Additionally, there have been no security releases because they haven't been required.

If it ain't broke, don't fix it.

Cheers,

-jeff

Anonymous

Securing Down 6.0
« Reply #11 on: April 25, 2004, 05:08:45 AM »
Thank-you

This was another pointless thread that should have slipped off the front page instead of getting bumped every so often - like I have just done.

To answer the original question: nothing, I do nothing to "lock it down". I am more than happy with the vanilla install. But because I choose to add Hylafax, Asterisk and Tapeware, and so diminish the security of the box, I run the server in server-only mode hidden behind a dedicated firewall.

Brenno - there is no proof that a stock standard recent machine has been hacked.

6.0.1 is the best yet and I am not just talking cosmetics. The add-on stuff - clamav, mailfront, spamassassin etc that the Dev guys (you know the really quiet ones) have been putting out integrates exceptionally well with a minimum of fuss.

If you're concerned about security, find the problem and fix it, roll the rpm and let us know. This is, after all, a community site. There is no reason to expect those that have built this great site, and given their time and bandwidth for little in return, to do everything.

Regards Duncan

duncan

Securing Down 6.0
« Reply #12 on: April 25, 2004, 05:12:35 AM »
I never remember to log in.

stancol
Talk
« Reply #13 on: April 25, 2004, 08:24:13 AM »
There has been a lot of talk on the boards about boxes being hacked. So far I've seen no proof of it. Just somebody saying they were hacked without any proof is like trying to convict someone without any evidence. If we are going to convict 6.0 then we should be seeing some proof. Proof like "What contribs were you running?" and "What other types of software were you running on your HTTP server?" All the posts I've seen list people that had extra contribs and programs added to those boxes. Don't forget that human engineering is still one of the best ways to break in. If several people know the root password you're asking for trouble on any system.

So much goes into securing a box. It doesn't matter what kind of security you run if your machine is near an outside window where prying eyes can watch you.

If we were to take in all the evidence I've seen so far into a court room the judge would laugh us out of the building.

P.S. If you really do have some concerns with some evidence, we shouldn't be discussing them in an open forum for all the world to see. In other words, don't post your evidence for everyone to see.
What are the three dots for at the end of my signature file and why can't I get rid of them? These three dots right here >...

Anonymous

Securing Down 6.0
« Reply #14 on: April 25, 2004, 03:16:30 PM »
Agreed.

If you really have security concerns please post your issues to security@lists.contribs.org.

Enclose your suspicions, any evidence, logs, configs, etc. So far, we have yet to find a real hack against 6.x.

-jeff