Re: Feedback solicited - best way to harden a mail/web server?

From: Jared (jared@hwai.com)
Date: 12/28/02



"teddy" <mouschi@cheese-head-state.rr.com> wrote in message news:<d55P9.27087$P36.504132@twister.rdc-kc.rr.com>...
> "Jared H." <jared@hwai.com> wrote:
> Do you need bind? What are you using it for? You've said this is for "home
> use"; I've never heard of someone needing bind at home.

I am running my own domain from the server so yes, I need bind AFAIK.
Am running Apache/PHP/Squirrelmail so I can check email during the day
from client sites. I just realized there's no reason to use port 443,
so I am going to change it to a non-privileged number.

>
> What kind of stuff do you have running with apache? mod_ssl? What do you
> use it for? Do you need any of those special modules?
>
> What kind of extra stuff has been installed on this machine? Does it need X
> windows? Do all of those files need to be suid? (a simple 'find
> / -perm -04000 > suids.txt' can be very revealing)

Hmm. No, strictly speaking it doesn't need X; but only ports 53 (UDP
and TCP), 25 and 443 are seen from the outside. A buddy did a deep
nmap scan today and confirms that.

> Is apache/php/squirrelmail needed or would a mere pop3/imap daemon do? err,
> okay you already have imap running. Why do you need squirrelmail? wouldn't
> just imap do for remote access?

Only when firewall admins poke open port 119 :-), which most of them
won't.

>
> -=-
> Basically, you want to minimize the number of suid-root files and processes
> running as root. Then you want to make sure that those (hopefully few)
> packages are kept up to date.

That's been my philosophy all along. I am kinda wondering if
chkrootkit may be the problem. Am going to reinstall ps from CD, see
what's what and then rerun chkrootkit. I am wondering if the result
is ambiguous; none of the tells of adore and its ilk are on the
machine, and only the ports I want are open - really makes me wonder
if the machine is, in fact, OK. We'll see.

Thank you for replying; if nothing else you caused me to realize I had
no business leaving Apache at its default port. More important, you
are spot on in minimizing what should be exposed to the net so I am
going to see if I can get an old laptop set up to sit between the mail
server and the net.

Thanks again -

Kind regards,
jh
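The `find / -perm -04000` one-liner quoted above shows what is setuid today; the harder part of "minimize suid-root files" is noticing when a new one appears later. The script below is an added example, not code from either poster: it records a baseline of setuid files and reports anything setuid that was not in the baseline. The root directory and baseline path are parameters, and the `demo` function builds a small constructed directory tree under `mktemp` so the whole thing runs without touching a real system.

```sh
#!/bin/sh
# Added example (not from the thread): baseline the setuid files under a
# directory tree and report new ones on later runs. ROOT and BASELINE are
# assumed parameters, not paths from the original post.

# list_suid ROOT: print regular files with the setuid bit set under ROOT,
# one per line, sorted so the list can be diffed with comm(1).
# -xdev stays on one filesystem, so a scan of / does not wander into /proc.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# suid_diff ROOT BASELINE: print setuid files present now but absent from
# BASELINE. An empty result means nothing new is setuid since the baseline.
suid_diff() {
    list_suid "$1" | comm -13 "$2" -
}

# demo: constructed tree with one expected setuid file, a baseline taken,
# then a second setuid file added, to show what suid_diff reports.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/passwd"; chmod 4755 "$tmp/bin/passwd"   # expected setuid (constructed)
    : > "$tmp/bin/ls";     chmod 0755 "$tmp/bin/ls"       # ordinary binary (constructed)
    list_suid "$tmp" > "$tmp/baseline.txt"                # record the known-good set
    : > "$tmp/bin/newtool"; chmod 4755 "$tmp/bin/newtool" # setuid file added after baseline
    suid_diff "$tmp" "$tmp/baseline.txt" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}
```

In practice the baseline is taken right after a clean install and kept off the machine (the thread's point about reinstalling `ps` from CD applies equally to the baseline: a file on a compromised host can be edited), and `suid_diff / baseline.txt` is run from cron with its output mailed somewhere the admin will read it.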


