- Re: Secure My Server
03-17-2005 01:23 AM
Our CEO wanted to get mail from overseas. So we created a new mail domain for the big bosses. We put a Linux RH9 server running sendmail inside our network as a relay. So our Exchange server points overseas mail to the Linux box and then forwards it to the bosses.
We have a PIX in front of the network, but if a spoofed email comes through, the PIX might let it through. I feel this is a security issue.
Question: what would you all do out there to the Linux server to make it very secure? All I need is sendmail running. I know I can stop ftp and ssh and stuff like that. I am looking for more help....
03-17-2005 01:31 AM
Re: Secure My Server
03-17-2005 02:18 AM
Re: Secure My Server
I don't believe that limiting your mail server to accept only US mail is good policy.
The first thing - you should configure and support your server in a secure way. And you have enough crackers in the US, you know :-)
So I suggest you take a *supported* Linux version, for example RHEL3.0 or 4, and don't use old and unsupported RHL9.
03-17-2005 02:20 AM
Re: Secure My Server
03-17-2005 02:50 AM
Solution
As for RHL9 - you can either use some project [Fedora Legacy?] which produces patches for old RHL,
or install sendmail using the latest stable version from the sendmail site.
As for sendmail secure configuration - you may use any Linux/sendmail book for learning, or use this article as a starting point: http://www.itworld.com/nl/unix_insider/03032005/
and continue to http://sendmail.org [Primary resources for learning about sendmail & Resources for learning more about sendmail]
03-17-2005 03:51 PM
Re: Secure My Server
Some more points to make RHL more secure:
1. Configure the iptables firewall to allow only port 25 traffic, from specific source to specific destination. Tighten it by adding antispoofing rules.
2. Tighten sendmail by making rules to relay only for specific hosts. There are so many features in sendmail you can configure for more security; read the sendmail documents for it.
3. If you want, you can install MailScanner in conjunction with sendmail and use an antivirus & SpamAssassin with it, for stopping spam & virus mails coming inside.
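An added example (not part of the original post) of the firewall described in point 1: a default-drop ruleset in `iptables-restore` format that admits SMTP only from named peers and drops obviously spoofed sources. The interface name and every address are placeholder assumptions from the documentation ranges.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for an SMTP-only relay.
# All values below are placeholders (assumptions), not from the thread.
RELAY_IP="192.0.2.25"                  # this Linux relay
IFACE="eth0"                           # its only network interface
SMTP_PEERS="192.0.2.10 198.51.100.7"   # hosts allowed to connect to port 25
DNS_SERVER="192.0.2.53"                # resolver sendmail uses for MX lookups

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP
-A INPUT -i $IFACE -s $RELAY_IP -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Anti-spoofing drops above run first; then one accept rule per SMTP peer.
    for peer in $SMTP_PEERS; do
        echo "-A INPUT -i $IFACE -p tcp -s $peer -d $RELAY_IP --dport 25 --syn -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -o $IFACE -p tcp -s $RELAY_IP --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -o $IFACE -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
-A OUTPUT -o $IFACE -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "relay-drop: "
COMMIT
EOF
}

# Print the ruleset for review; nothing is applied to the running firewall.
gen_rules
```

After reviewing the output, load it as root by piping it into `iptables-restore`. No rule admits ssh, so keep console access available.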
03-17-2005 10:12 PM
Re: Secure My Server
first: use ONE mail server not TWO - fewer security issues!
second: why don't you want to communicate with me - I'm coming from Germany. blocking email is silly, rejecting is also strange. how do you select
use SpamAssassin and a hardened Linux mail server with iptables running.
bye peter
03-17-2005 10:19 PM
Re: Secure My Server
Hi. I agree with Mr Karasik that this sounds like a strange solution.
However, if you go ahead you could try using the Bastille script http://www.bastille-linux.org for tightening the OS and reducing the exposure of servers on your machine.
Also, you may consider using another mail transfer agent as a more secure drop-in replacement for sendmail. Qmail http://www.qmail.org/ is widely respected for security. Wietse Venema's Postfix server http://www.postfix.org/ is supposedly also more secure than Sendmail. Postfix is first choice on my servers.
Both of these MTAs support loads of additional plugins like the Amavis virus scanner and the SpamAssassin spam killer engine. See http://www.postfix.org/addon.html for more info on the addons.
03-18-2005 12:52 AM
Re: Secure My Server
iptables. Make sure all ports other than 25 and others you need open are locked down tight and hard.
People will use other ports to try and abuse httpd and mail servers and relay spam and just bring your kernel down. They do this for kicks, fun.
The best place to block mail is in the /etc/mail/access file.
Then you need to do m4 macro generation to generate a sendmail.cf script to apply these file entries to your setup.
Blocking by country is difficult and probably futile. There is no way to know who gets what IP address.
If this is a spam issue, note that it's a good idea to reject mail from those that have no reverse DNS lookups. I do it, AOL does it and it makes a lot of sense.
Most spam comes from relay servers set up by viruses spread by the spammers. Joe Schmoe's PC is taken over or running an open relay and all the spammers start using it until poor Joe loses his ISP connection for spamming (not).
You can actually limit attachments by using a web based mail solution like squirrelmail. Just adjust down the attachment limit. You can also block by extension; squirrelmail even has a limited function plugin to scan for viruses.
Let me know if any of the approaches above require elaboration and I will do so.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
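An added example (not from any poster) of the `/etc/mail/access` approach mentioned in this post and of "relay only for specific hosts" from the earlier one: it stages an access map, audits which keys may relay, and checks that `sendmail.mc` enables the map. The addresses, the domain and the helper function names are placeholder assumptions; the file paths are the usual Red Hat locations.

```shell
#!/bin/sh
# Added example: stage and audit a sendmail access map for a closed relay.
# Addresses and domain are placeholders (assumptions), not from the thread.
EXCHANGE_IP="192.0.2.10"       # internal Exchange server allowed to relay
BOSS_DOMAIN="bosses.example"   # the mail domain this relay accepts mail for

write_access() {   # $1 = file to write
    cat > "$1" <<EOF
# key                   action
Connect:$EXCHANGE_IP    RELAY
To:$BOSS_DOMAIN         RELAY
Connect:203.0.113       REJECT
EOF
}

relay_keys() {     # $1 = access file; print every key whose action is RELAY
    awk '$1 !~ /^#/ && $2 == "RELAY" { print $1 }' "$1"
}

access_db_enabled() {   # $1 = sendmail.mc; true if access_db is not dnl'd out
    grep -v '^dnl' "$1" | grep -q 'FEATURE(.access_db'
}

build_maps() {     # run as root on the relay, then restart sendmail
    # Edits to the access file only need the map rebuilt ...
    makemap hash /etc/mail/access < /etc/mail/access
    # ... while edits to sendmail.mc need sendmail.cf regenerated with m4.
    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
}

# Stage in a temp file and show who may relay; nothing under /etc is touched.
staged=$(mktemp)
write_access "$staged"
echo "Keys allowed to relay:"
relay_keys "$staged"
rm -f "$staged"
```

Any key in the `relay_keys` output that is not a host or domain you operate is a relay you did not intend to offer.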
03-19-2005 07:15 AM
Re: Secure My Server
I appreciate that you're thinking about security. I wish security-consciousness was more widespread.
I think the advice offered here is excellent. A couple of possible additions:
- if you mean Cisco PIX, my personal opinion is that you might like an application proxy better (last I knew, PIX was a packet filter type, correct me if I'm wrong)
- I assume your sendmail config makes use of RBLs; if not, it would be something to try for spam reduction
Regards,
Mic