Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: ReetP on July 18, 2018, 05:34:08 PM
-
As we know, SME makes a great LAMP stack.
I use it as a web/mail server for several sites.
Clearly, if it is used purely as LAMP, there are a lot of services that are enabled by default that could be disabled.
I was thinking of compiling a basic list of services that should be enabled/disabled for a basic LAMP machine and sticking it on a wiki page.
e.g.
Disabled
smbd
nmbd
Enabled
httpd-admin
httpd-e-smith
php
mysqld
mysql.init
Any thoughts?
Here's a list from one server that I just use for my website. It runs php56 and a few other contribs and here are the services that it shows:
AWStats enabled
DynDNS disabled
acpid enabled
backup disabled
backupwk disabled
bootstrap-console enabled
clamav enabled
clamd enabled
cpuspeed enabled
crond enabled
ctrlaltdel enabled
denyhosts disabled
dhcpd disabled
dnscache enabled
dnscache.forwarder enabled
dovecot enabled
fail2ban enabled
fetchmail disabled
freshclam enabled
ftp disabled
haldaemon enabled
horde enabled
httpd-admin enabled
httpd-e-smith enabled
imap enabled
imaps enabled
imp enabled
ippp disabled
ipsec enabled
irqbalance enabled
isdn disabled
klogd enabled
ldap enabled
ldap.init enabled
letsencrypt enabled
local enabled
lpd enabled
masq enabled
messagebus enabled
modPerl disabled
modSSL enabled
mysql.init enabled
mysql55-mysql.init enabled
mysql55-mysqld enabled
mysqld enabled
network enabled
nmbd enabled
ntpd enabled
nut disabled
oidentd disabled
pam_abl disabled
pam_tally disabled
php enabled
phpmyadmin enabled
pop3 disabled
pop3s disabled
pppoe disabled
pptpd disabled
qmail enabled
qpsmtpd enabled
radiusd enabled
raidmonitor enabled
rsyslog enabled
serial-console disabled
smartd disabled
smb enabled
smbd enabled
smolt enabled
smtp-auth-proxy disabled
smtpd enabled
spamassassin disabled
spamd enabled
sqpsmtpd enabled
squid disabled
sshd enabled
ssmtpd enabled
statusreport enabled
tinydns enabled
udev-post enabled
wan enabled
yum enabled
For reference here is the code I used to produce that:
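#!/usr/bin/perl
use strict;
use warnings;
use esmith::ConfigDB;
# Open the SME Server configuration database
my $configDB = esmith::ConfigDB->open or die("can't open Config DB");
my @keys = $configDB->keys;
# Print every key that has a 'status' property, together with its value
foreach my $key (@keys) {
    my $status = $configDB->get_prop($key, 'status');
    if (defined $status) {
        printf("%-20s %-15s\n", $key, $status);
    }
}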
Any thoughts or suggestions appreciated.
-
Any thoughts or suggestions appreciated.
Horses for courses...
If you want a web/email server to be directly connected to the Internet, Blue Onyx is a better choice. That is what it is designed to do. https://www.blueonyx.it/
It's a direct descendant of the (Sun) Cobalt RaQ server that used to run a fton of sites on the Internet.
-
Horses for courses...
True.
If you want a web/email server to be directly connected to the Internet, Blue Onyx is a better choice. That is what it is designed to do.
Yup, and SME was designed likewise. Hence server/gateway mode :-) True, it was not originally designed for VMs and cloud, but then what was 20+ years ago?
Personally I've used SME for around 20 years. I know it pretty well and it makes a decent 'secure out of the box' LAMP stack.
I've used it on real hardware of all shapes and forms, and now on VMs, in all sorts of scenarios, and it is still my distro of choice.
It is versatile, easy to configure, and pretty secure.
I wasn't looking for an alternative (I'm not interested in a long debate on what's hot or not), but thoughts on how it could be deployed as a simple LAMP stack without all the local file sharing/printing/et al for those who might be interested.
So really what services need to be running/disabled.
-
Couple of starters for 10 as a reminder to self really.
These are enabled by default and not required.
config setprop smb status disabled
config setprop nmbd status disabled
config setprop lpd status disabled
radiusd? I know it is used somewhere - I think for PPTPD connections?
config setprop radiusd status disabled
Enable:
Denyhosts
config setprop denyhosts status enabled
Spamassassin (I have only one account and the mail is forwarded elsewhere) so pretty well block all other mail.
config setprop spamassassin status enabled Sensitivity veryhigh
Smtp authentication - Allow SSMTP only
config setprop smtpd Authentication disabled
Queries.
IMAP Server access, Allow private and public (secure IMAPS)
Still runs IMAP on 143.
Surely there should be:
Allow private and public (IMAP + secure IMAPS) (143 + 993)
Allow private and public (secure IMAPS) (993 only)
That may be a bug.....
We could
config setprop imap status disabled
Any more?
-
config show masq
masq=service
DenylogTarget=drop
Logging=most
Stealth=no
Trace=disabled
pptp=yes
status=enabled
Probably disable pptp again
config setprop masq pptp disabled
-
I understand from JPP that IMAP runs on localhost for horde auth.
So don't disable it unless you don't want webmail
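-
Added example, not part of the thread or of SME Server itself: a dry-run check that reads a "service status" listing in the format printed by the Perl script above and prints the `config setprop` commands needed to reach the status changes proposed in the thread. The names `BASELINE`, `baseline_diff`, `SAMPLE` and `sample_plan` are assumptions made for this example, and the sample rows are constructed.

```shell
#!/bin/sh
# Wanted status per service, taken from the changes proposed in the thread.
# imap is left out on purpose: the last post notes webmail needs it.
BASELINE='smb=disabled nmbd=disabled lpd=disabled radiusd=disabled denyhosts=enabled spamassassin=enabled'

# Read "service status" rows on stdin and print the commands that would bring
# the listed services in line with BASELINE. Nothing is executed (dry run).
baseline_diff() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, "=")
                order[i] = f[1]
                want[f[1]] = f[2]
            }
        }
        # Accept only well-formed rows; ignore anything else in the input.
        NF == 2 && ($2 == "enabled" || $2 == "disabled") { have[$1] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                svc = order[i]
                if (!(svc in have)) {
                    printf "# %s: no status property found, check manually\n", svc
                } else if (have[svc] != want[svc]) {
                    printf "config setprop %s status %s\n", svc, want[svc]
                }
            }
        }'
}

# Constructed sample rows in the same shape as the listing posted above.
SAMPLE='denyhosts            disabled
lpd                  enabled
nmbd                 enabled
radiusd              enabled
smb                  enabled
spamassassin         disabled
sshd                 enabled'

# Plan for the constructed sample; on a real server, pipe the Perl script's
# output into baseline_diff instead.
sample_plan() { printf '%s\n' "$SAMPLE" | baseline_diff; }
```

Services that already match the baseline produce no output, so an empty result means the listed services are in the wanted state.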