Re: Email Server

From: Ken Fischer (kenf@users.junebug.org)
Date: 08/16/02


Date: Fri, 16 Aug 2002 11:05:03 -0400 (EDT)
From: Ken Fischer <kenf@users.junebug.org>
To: Chris Berry <compjma@hotmail.com>

On 14 Aug 2002, Chris Berry wrote:

> I'm looking at installing a linux based email server in our network.

<snip>
 lots of good feedback on MTA recommendations, so skipping that to
 save a few bytes on the list...
</snip>

> I'm going to be building a dmz to put this thing in, besides patching
> the OS and programs I'll be using, turning off unused daemons, is there
> any particular thing I should do to keep from getting rooted six ways from
> sunday while I'm learning?

Make sure that your DMZ can't connect to the internal network. A common
mistake is to create a "DMZ" off the firewall with another NIC, then not
keep those hosts from connecting internally. Ideally, DMZ hosts
should be considered untrusted, and given the minimum access to protected
resources.

Also, build/patch/un-daemon/harden the machine inside a protected network,
*before* you place it in the DMZ. I have seen attacks on a "soon to be
active" IP while the patches are still installing in the lab.

Finally, make sure that you scan the box for listening ports from the
perspective of the attacker. Don't rely on how the server looks from
the internal network - mistakes in firewall configurations can be a
dangerous thing, and you want to cover all of your bases.

Otherwise, basic security best-practices are always your friend :)

Cheers!

--
Ken Fischer, CCNA  <kenf@junebug.org>
PGP Fingerprint: 9523 54B6 D67B BBFB 53B3  2F3B 7E81 0891 C495 CB50
--
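
Added example, not part of Ken Fischer's message: a check for the DMZ mistake described above, run over iptables-save output from the firewall. The interface names (eth1 for the DMZ NIC, eth2 for the internal NIC), both sample rule sets and the function name are assumptions made for illustration; negated matches ("!") and interface wildcards are not handled.

```python
import shlex

# Constructed iptables-save samples; eth1 = DMZ NIC, eth2 = internal NIC (assumed names).
WEAK = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -p tcp --dport 3306 -j ACCEPT
COMMIT
"""
HARDENED = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j DROP
COMMIT
"""
# Flags that do not narrow a rule beyond "NEW traffic from DMZ to internal".
NON_NARROWING = {"-A", "-i", "-o", "-j", "-m", "--state", "--ctstate"}

def dmz_to_lan_findings(ruleset, dmz_if, lan_if):
    """List FORWARD rules (or the policy) that let DMZ hosts open NEW connections inward."""
    findings, policy, blocked = [], "ACCEPT", False
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if line.startswith(":FORWARD"):
            policy = tok[1]
        if tok[:2] != ["-A", "FORWARD"]:
            continue
        val = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
        if val("-i") not in (None, dmz_if) or val("-o") not in (None, lan_if):
            continue  # rule cannot match DMZ -> internal traffic
        states = val("--state") or val("--ctstate")
        if states and "NEW" not in states.split(","):
            continue  # matches only replies to existing connections
        if val("-j") == "ACCEPT":
            findings.append(line)
        elif val("-j") in ("DROP", "REJECT") and not (
                {t for t in tok if t.startswith("-")} - NON_NARROWING):
            blocked = True  # unconditional block: later rules never see this traffic
            break
    if not blocked and policy == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT")
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, dmz_to_lan_findings(rules, "eth1", "eth2"))
```

An empty result for the hardened set means the DMZ can answer connections opened from inside but cannot start any of its own.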


