Koozali.org: home of the SME Server

Hardening SME server

Offline calisun

Hardening SME server
« on: November 12, 2015, 08:37:48 AM »
Yesterday I was getting my email without any problems; today I was unable to log in to webmail or server-manager, the system was not accepting my password.
There were no changes made to the server, so it looks like it has been hacked overnight.

This is a temporary server, brand new SME 9_64 install, no contribs installed. Web page is a static HTML temporary page.

Only way I know how to harden the server is to disable ftp and not allow clear passwords (use public/private keys)

Are there any other suggestions on how to harden SME server and keep it from getting hacked?

thank you
SME user and community member since 2005.
Want to install Wordpress in iBay of SME Server?
See my step-by-step How-To wiki here:
http://wiki.contribs.org/Wordpress_Multisite

Offline Daniel B.

Re: Hardening SME server
« Reply #1 on: November 12, 2015, 08:56:54 AM »
Without evidence of your server being hacked, there's no advice to give. If you want us to help, you can open a bug and tick the security box, we'll ask you to attach logs
It's the end of the world!!! :lol:

Offline calisun

Re: Hardening SME server
« Reply #2 on: November 12, 2015, 09:06:12 AM »
The server is in a co-location facility. I will create a bug report as soon as I retrieve it.

Offline TerryF

Re: Hardening SME server
« Reply #3 on: November 12, 2015, 09:21:54 AM »
A clean install, updated, no contribs and no changes to the default settings? dunno whether I would be pursuing the hacked case just yet :-)

Default setting is ftp disabled.
--
He who writes reads twice.

Offline CharlieBrady

Re: Hardening SME server
« Reply #4 on: November 13, 2015, 09:21:56 PM »
Are there any other suggestions on how to harden SME server and keep it from getting hacked?

That's a continuous process which has been underway since 1999.

1. Identify security risk. 2. Address the risk.

Offline CharlieBrady

Re: Hardening SME server
« Reply #5 on: November 13, 2015, 09:23:58 PM »
Quote: The server is in a co-location facility.

SME server isn't actually designed for that environment. You are expected to have physical access to the console, and the local network should exist and be isolated from the Internet.


Well, OP should tell us how he configured his server.. we'd remember that SME9 is configurable in server & gw mode even if with only a physical NIC
« Last Edit: November 13, 2015, 09:27:28 PM by Stefano »

Offline calisun

Re: Hardening SME server
« Reply #6 on: November 19, 2015, 02:08:32 AM »
The setup has two NICs; it is set up in server/gateway mode. I don't have anything connected to the LAN side, only WAN. I do use the LAN when I go out to the co-lo facility: I connect my laptop to the LAN side to do some maintenance, but most of my maintenance is done remotely through secure shell and sftp. On my original server I did not allow clear passwords, I used private/public keys. It ran without any problems for 5 years. Recently it died and I put in a temporary server on which I did not have time to set up public/private keys, so I used a clear (very secure) password.

I am still in the process of setting up my new (used) permanent server. Once that is done I will get information from temporary server to see what happened.

It makes me very worried that two servers died in a matter of two weeks, and I would not rule out hacking.

Call me paranoid or tinfoil hat wearing geek, but the new server that I am working on, I will implement some of the suggestions at centos site for server hardening.
https://wiki.centos.org/HowTos/OS_Protection

I am even more paranoid after reading this article:
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/?tid=sm_fb

Offline CharlieBrady

Re: Hardening SME server
« Reply #7 on: November 19, 2015, 02:58:00 PM »
Call me paranoid or tinfoil hat wearing geek, but the new server that I am working on, I will implement some of the suggestions at centos site for server hardening.
https://wiki.centos.org/HowTos/OS_Protection

Most of those have already been done, or will cause problems if you do them, or are not relevant. If you find something you think should be done, but hasn't, please open a bug in the bug tracker.

Offline calisun

Re: Hardening SME server
« Reply #8 on: November 19, 2015, 09:34:03 PM »
Most of those have already been done, or will cause problems if you do them, ....

Agree, and I would need to create a template for the changes to stick. Since I am not a programmer, I will leave that to experts. That is why I was looking at some of the contribs already available for SME Server. I do have some questions about the contribs I have found, so I will continue this on SME 9.x Contribs forum. ( http://forums.contribs.org/index.php/topic,52083.0.html )

Offline CharlieBrady

Re: Hardening SME server
« Reply #9 on: November 26, 2015, 07:52:35 PM »
Yesterday I was getting my email without any problems; today I was unable to log in to webmail or server-manager, the system was not accepting my password.
There were no changes made to the server, so it looks like it has been hacked overnight.

Calisun, is this the same server you have reported as dying in another thread? If so, you weren't hacked; you had a hard drive failure.
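The thread ends with the question it started on: was the rejected password a compromise or a failing disk? An added triage helper (not from the thread or from SME Server) that checks the two log sources a defender would look at first; the sshd and kernel log lines embedded below are constructed samples, and the failure threshold of 3 is an assumption.

```shell
#!/bin/sh
# Added example: distinguish "credentials under attack" from "storage failing"
# using sshd auth lines and kernel messages. Sample lines are constructed.

AUTH_LOG=$(cat <<'EOF'
Nov 12 03:10:01 sme sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 12 03:10:03 sme sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 12 03:10:05 sme sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Nov 12 08:30:12 sme sshd[2310]: Accepted publickey for admin from 198.51.100.4 port 40012 ssh2
EOF
)

KERN_LOG=$(cat <<'EOF'
Nov 12 02:55:40 sme kernel: ata1.00: failed command: READ FPDMA QUEUED
Nov 12 02:55:40 sme kernel: end_request: I/O error, dev sda, sector 20971520
Nov 12 02:55:41 sme kernel: EXT4-fs error (device sda2): ext4_find_entry: reading directory lblock 0
EOF
)

# Count failed password attempts per source address, most frequent first.
failed_by_source() {
    printf '%s\n' "$1" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort | uniq -c | sort -rn
}

# Count kernel lines that point at storage trouble (the "dying server" case).
disk_error_count() {
    printf '%s\n' "$1" | grep -c -E 'I/O error|EXT4-fs error|failed command'
}

# Succeed (exit 0) when any single source reaches the failure threshold $2.
bruteforce_suspected() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t {found=1} END {if (found) exit 0; exit 1}'
}

# Print a verdict for the reader; hardware evidence is checked first because
# a failing disk also makes logins fail, as happened in this thread.
triage() {
    if [ "$(disk_error_count "$KERN_LOG")" -gt 0 ]; then
        echo "storage errors present: suspect hardware before assuming compromise"
    fi
    if bruteforce_suspected "$AUTH_LOG" 3; then
        echo "repeated failed logins from one source: review access, rotate credentials"
    fi
}
triage
```

On a real SME Server the inputs would be /var/log/secure and /var/log/messages rather than the embedded samples.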