Topic: Securing/Hardning SME?

[Dreamless]

I'm look for an article where i can find information on how to keep my sme box updated and secure. I have looked into yum, but it doesn't seem to install (dependency hell, damn i miss my ports collection from freebsd). So tell me your tech tips on how to keeping your box running secure 24/7/365 and how to monitor the rest of your network.
 
I guess running the latest stable version of SME with ClamAV, SpamAssasin, Nagios (or something like that to monitor the network), Subscribing to the mailing lists for sme and maybe the mailing lists for every package installed would do the trick, so you know when to update the packages. Strip down the processes so only the needed ones are running. Only have the ports needed open. More?
 
Please tell everything so basic that everyone can be in one this one. Think theres alot of beginners out there using the sme server that doesn't know very much about security and how important it is
 
- Kristian  

[Black]

That seems to be the MAIN problem around here. There are not very many tools for this so most people just post links and hacks to rpms to add to a template.

I would love to see more concise posts and update patterns.

I get confused just going to the updates page.

[Dreamless]

Feedback please...

Regards Kristian

[jester]

For SME up to version 6.5 i think it is going to be as you described, but...

In the new SME7 alpha's i've seen an update panel that seems to be designed for keeping your system up-to-date, not sure though! You might wanna look into that or ask around in this topic: http://forums.contribs.org/index.php?topic=26762.0

Jester.

[Dreamless]

For SME up to version 6.5 i think it is going to be as you described, but...

That suck! It´s gonna take ages for me to subscribe/find all det mailing lists, i think my basis sme setup have 411 packages installed!!! Isent there an easyer way to keeping your box secure than getting into this mailing list hell? Why is sme that bloated?

Regards
Kristian

[guest22]

As always, the DEFAULT unmodified SME Server is secure as it was when released. security AT contribs.org will be happy to receive any issues related to your DEFAULT SME Server install.

Installing additional contribs has ALWAYS been at your own risk. Please contact the author of the contrib(s) if you think you have found an issue.

[Dreamless]

Offcause its as secure as it was when it was released! The problems is thats there proberly a dozen of exploits to the standard install of the sme installation now. So my question is just plain simple?! How do i get it updated, are there a security mailing list here? Where are the updates released and so on... Im not talking about 3rd parties contribs ONLY the sme packages.

Regards
Kristian

[raem]

Dreamless

Hsing Foo means that the smeserver (6.0.1) is still secure if being used in it's original form.
As I understand it, more recently identified vulnerabilities in various packages do not affect the default installation of the server.

If you have modified your server or installed applications or package updates, then that is another matter.
I'm aware that php needs updating re a security issue if you use php apps. There is a script available, do a search.

As you say, you also need to monitor any apps you have installed (via mail lists etc) and ensure that they are updated to the latest versions when security issues are discovered in those apps eg phpBB, gallery, phpmyadmin etc.

Less is sometimes better, & more secure.

[CharlieBrady]

For SME up to version 6.5 i think it is going to be as you described, but...

That suck! It´s gonna take ages for me to subscribe/find all det mailing lists, i think my basis sme setup have 411 packages installed!!! Isent there an easyer way to keeping your box secure than getting into this mailing list hell?

Yep, there is an easier way. Purchase a subscription from a Mitel dealer (or some other system integrator selling support for the "unsupported" version) and have someone else take responsibility for providing security updates.

[Dreamless]

Hsing Foo means that the smeserver (6.0.1) is still secure if being used in it's original form.
As I understand it, more recently identified vulnerabilities in various packages do not affect the default installation of the server.

Oh thanks, that was all i was looking for but i would still like to know where security updates are posted so i can subscribe to the mailinglist. Because there really havent been any security flaws dosent mean that there are gonna be some in the future? Im not posting to flame anyone im just curious on how do work process is and how to get the most and best out of the sme product. Yes subscription is a possiblity so you  can outsouce the maintenance of the server, but not in my case.

Regards
Kristian - Dreamless

Sorry my english is a bit rusty

[raem]

Dreamless

>....i would still like to know where security updates are posted so i can subscribe to the mailinglist...

No mailing list, which I think would be a good idea.

You just need to read the News section of contribs.org, read the forums and check the update location(s) from time to time.

ftp://ftp.ibiblio.org/pub/linux/distributions/smeserver/updates/6.0.1/

[MSmith]

And while you're at it, Dreamless, how about NOT popping in to a forum with your first few posts and telling everyone that the product sucks?

[ngomes]

The SME Server development (aka, the new releases) and maintenance (aka, the updates) depends entirely on the Contribs.org community.

Just to keep all of you up to date, Ian Wells, Floyd Hartog, Dave Kainer and Matthew Copple (sorry if I left someone out) are the people trying to give to this community the SME Server 6.x maintenance and bugfix updates and  bring to live the SME Server 6.5 final stable release.

Contribs.org needs your help on this project.
What can you do for Contribs.org?

# Read the maintenance process:
http://no.longer.valid/phpwiki/index.php/Maintenance%20Process

# Join the devinfo mailing list and offer your help to test, debug, etc:
http://lists.contribs.org/mailman/listinfo/devinfo

# Go to the Contribs.org Bug Tracker and study some of the listed bugs with new or feedback status, simulate them, give your feedback, try to find some sort of solution. Also if you have some packager skills try to build some rpm packages to the listed bugs with resolved or closed status:
http://no.longer.valid/mantis/view_all_bug_page.php

Finally, take these thoughts into seriously consideration (taken from Charlie Brady, a SME core developer):

If maintenance of distribution updates is not a "core role" for contribs.org, then what is?

Don't ask what contribs.org can do for me, ask what I can do for contribs.org.

-Nuno