Web Hosting Talk

View Full Version : best ways to tighten security on raq!


noti
04-16-2001, 05:30 AM
well i am new in the raqs server thing ... but from what i know in order to tighten the security of raq we should:

1. update the most updated patches
2. disable DNS control panel

well, anyone raq experts have any ideas what else we can do to tighten the security of our raq?

thanks a lot in advance as this will be very useful for all the newbies like me :)

Mike the newbie
04-16-2001, 06:55 AM
Originally posted by noti
well i am new in the raqs server thing ... but from what i know in order to tighten the security of raq we should:

1. update the most updated patches
2. disable DNS control panel

well, anyone raq experts have any ideas what else we can do to tighten the security of our raq?

thanks a lot in advance as this will be very useful for all the newbies like me :)


Based upon my short experience with a Raq3:

1) use ssh instead of telnet. use the sftp client instead of ftp. Disable telnet on the box.

2) put the main site for the RAQ3 on its own IP address and use that site only for administration of the box, i.e., don't host any sites on that IP, don't use that site for email.

3) use SSL for the site administration screens (generate your own security certificate if you have to.)

4) use passwords that are not in a dictionary, that contain letters and numbers and contain a mixture of upper and lower case letters. For example: h9Kspq7Vf. I know it is a pain to remember, but it is more secure.

5) change the default administration password for everything you install, e.g., mySQL.

6) keep up to date with the patches.

7) use APOP for any admin-level email.

8) investigate the ipchains and PortSentry programs.



That's all I can remember for now. I'm sure others will append to the thread.

huck
04-16-2001, 09:49 AM
Great list Mike -- here are some additions:

Anonymous MySQL User
A couple of things about MySQL. Make sure you kill off the anonymous user or restrict all access to localhost only. MySQL's default installation allows connections of an anonymous user from anywhere. Why they don't change this is beyond me.

Shut Down Anything that is Not Necessary
I think this is often overlooked. If you are not using an application, network protocol or service, kill it. I don't use ChiliSoft, so I got rid of it. I also closed all network protocols that I do not use. If you use something only occasionally, start it only when needed, e.g. SWAT for SAMBA configuration, and then turn it off.

TCP Wrappers
There are some types of network connections that you may rely on that your clients do not need. I use TCP wrappers and configure the hosts.allow and hosts.deny files to suit my needs, thus granting access to these services to only those who need them.

Nessus Security Scanner
I use nessus security scanner on every machine I set up. Why? Nessus is free and can check for over 650 exploits -- which means hackers can use it as well. Nessus is not foolproof but it is very useful for spotting hidden servers or other services that are running by default on a Raq. Nessus can give false alerts, so you have to check things out for yourself. Also, beware of the dangerous plugins --- they can kill your machine and if you admin remotely this means getting a manual reboot.
http://www.nessus.org

Monitoring Software
I also install Tripwire or equivalent software. Tripwire will not prevent an intrusion but it can sure help to investigate the possibility of one.
http://www.tripwire.org

I also use logcheck. Logcheck simply scans your logs and sends you an email if something looks out of whack. It takes a bit to get the filters setup, but this can really save you time.
http://www.psionic.com/abacus/logcheck


Email Security
Depending on your usage, you may want to lock down your SMTP server. One of the best methods is to make sure you get the POP before SMTP patch. This will significantly reduce the chance of someone using your server to relay SPAM to thousands of victims.

Resources
http://www.securityportal.org
http://www.linuxsecurity.com/


----------------------
Just when you see the light at the end of the tunnel, somebody turns it out.
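A logcheck-style filter run over constructed syslog lines, added here as an illustration of the "scan the logs and mail what looks out of whack" idea described above; this is not code from the thread or from the logcheck or PortSentry projects, and the sample lines, the ignore/attack patterns and the 192.0.2.0/24 admin network are all constructed assumptions.

```python
import re

# Constructed sample syslog lines in the style of a RaQ's /var/log/messages.
SAMPLE_LOG = """\
Apr 16 09:40:01 raq CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Apr 16 09:41:12 raq sshd[1301]: Accepted password for admin from 192.0.2.10 port 4412
Apr 16 09:42:05 raq sshd[1310]: Failed password for root from 203.0.113.5 port 3322
Apr 16 09:42:07 raq sshd[1311]: Failed password for root from 203.0.113.5 port 3323
Apr 16 09:43:30 raq portsentry[412]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 143
Apr 16 09:43:30 raq portsentry[412]: attackalert: Host 203.0.113.5 has been blocked via wrappers with string: "ALL: 203.0.113.5"
Apr 16 09:45:00 raq in.telnetd[1320]: connect from 198.51.100.7
Apr 16 09:50:22 raq su(pam_unix)[1333]: session opened for user root by admin(uid=500)
"""

# Routine noise that should never generate mail (tune these to your own box).
IGNORE = [re.compile(p) for p in (
    r"CROND\[\d+\]: \(root\) CMD",
    r"sshd\[\d+\]: Accepted password for \w+ from 192\.0\.2\.",  # constructed admin network
)]
# Clear attack indicators that are always reported, and reported first.
ATTACK = [re.compile(p) for p in (
    r"portsentry\[\d+\]: attackalert",
    r"sshd\[\d+\]: Failed password for root",
    r"in\.telnetd\[\d+\]",  # telnet should be disabled, so any connect is suspect
)]

def check_log(text):
    """Return (attack_lines, unusual_lines): anything not ignored gets reported."""
    attacks, unusual = [], []
    for line in text.splitlines():
        if any(p.search(line) for p in IGNORE):
            continue
        (attacks if any(p.search(line) for p in ATTACK) else unusual).append(line)
    return attacks, unusual

def blocked_hosts(attack_lines):
    """Hosts PortSentry reports as blocked via TCP wrappers (hosts.deny)."""
    hosts = set()
    for line in attack_lines:
        m = re.search(r"attackalert: Host (\S+) has been blocked", line)
        if m:
            hosts.add(m.group(1))
    return hosts

def build_report(text):
    """Body of the mail logcheck would send; None means nothing worth sending."""
    attacks, unusual = check_log(text)
    sections = [("Active System Attack Alerts", attacks), ("Unusual System Events", unusual)]
    body = "\n\n".join(t + "\n" + "\n".join(ls) for t, ls in sections if ls)
    return body or None
```

The point of the ignore list is that everything you have not explicitly filtered still gets mailed, so an unknown event like the su line above surfaces even though no pattern matches it.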

racker :)
04-16-2001, 10:26 AM
Great list both of u
heres a few urls:
http://www.packetstorm.com
http://www.securityforcus.com - join their Bugtraq mailing list
Here's a few books also:
Maximium Security - Author - me :)
Maximium Security - Author - me :)
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ they help in basic security; they don't focus on raq security alone.
i guess thats a|| i g0t t0 s/\y
:D
hope it helps
if u want those 2 b00ks contact me ill zip them up and send them
cya l8r
Žacker

-Edward-
04-16-2001, 10:40 AM
Originally posted by huck
Great list Mike -- here are some additions:

Anonymous MySQL User
A couple of things about MySQL. Make sure you kill off the anonymous user or restrict all access to localhost only. MySQL's default installation allows connections of an anonymous user from anywhere. Why they don't change this is beyond me.




How do you do this?

rdrye
04-16-2001, 04:38 PM
FOLKS, I need some assistance. I have POP before SMTP setup on my server.

Problem 1: I cannot send email through SMTP. I can receive at my server, but not send (to any account outside my server)

Problem 2: I got an email today asking me to stop (or face legal action) spamming a server. I haven't sent any emails (I've only had the RaQ 3 weeks), because my SMTP service doesn't work. Can this be possible? How can I plug this hole when I can't send email myself?

huck
04-16-2001, 04:54 PM
rdrye
I got an email today asking me to stop (or face legal action) spamming a server.

If feasible, I would shut down your SMTP server now. The last thing you want is to end up on the RBL (Realtime Blackhole List).
http://mail-abuse.org/rbl/
:bawling:


Check for Relay Ability
http://www.abuse.net/relay.html
Go to abuse.net and check to see if your server can relay email. This may be helpful in determining how people can send email through your server. :confused:

Enable Hosts Restrictions in the Control Panel
In the Control Panel, you can set mail to come from only certain hosts/IPs. If this is an option for you, then I would use it as it provides some of the best protection. If you have users connecting from all over, then this is not really feasible.

Mail Logs
Check and backup your mail logs immediately. This is your evidence for tracking down the spammer, and if necessary, defending any accusations that you spammed someone.



Cannot Send Email
Check to make sure you have specified the appropriate hosts in the allow relay section of the Email control panel. Also, if you are sending email to one of your virtual domains, make sure it is listed in the hosts aliases section. :D
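The relay decision that the POP before SMTP patch (mentioned in huck's first post) and the control panel's host restriction above both feed into, written out as an added Python model; this is not the RaQ's own mail code, and the local domains, the 192.0.2.0/24 allow-relay network and the 30-minute grace window are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: domains this RaQ delivers locally, the hosts the
# control panel's allow-relay list permits, and the POP-before-SMTP window.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
ALLOW_RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
POP_WINDOW_SECONDS = 30 * 60

class RelayPolicy:
    """Decides whether a RCPT TO from a given client may be relayed off the box."""

    def __init__(self):
        self.pop_logins = {}  # client ip -> time of last successful POP3 login

    def record_pop_login(self, client_ip, now):
        # The POP-before-SMTP patch hooks the POP3 daemon and records exactly this.
        self.pop_logins[client_ip] = now

    def may_relay(self, client_ip, rcpt, now):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return True, "local delivery"          # never relaying, always fine
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in ALLOW_RELAY_NETS):
            return True, "host in allow-relay list"
        seen = self.pop_logins.get(client_ip)
        if seen is not None and 0 <= now - seen <= POP_WINDOW_SECONDS:
            return True, "recent POP login"
        return False, "relaying denied"            # what an open relay would accept

def relay_probe(policy, client_ip, now):
    """What an abuse.net-style relay test sees: one RCPT to an outside domain."""
    ok, _ = policy.may_relay(client_ip, "victim@outside.example.net", now)
    return "250 Recipient ok" if ok else "550 Relaying denied"

def simulate(events):
    """events: (time, 'POP' or 'RCPT', client_ip, rcpt). Returns relay verdicts."""
    policy, verdicts = RelayPolicy(), []
    for t, kind, ip, rcpt in events:
        if kind == "POP":
            policy.record_pop_login(ip, t)
        else:
            verdicts.append((ip, rcpt, policy.may_relay(ip, rcpt, t)[0]))
    return verdicts
```

If the unpatched box answered "250" to the probe from an unknown address, that is the hole the abuse.net check is looking for.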

noti
04-17-2001, 02:08 PM
WOW thanks guys for all your great comments and recommendations!!! :D i think now i have tons of stuff to read up hehehe :)

by the way, as i am a total newbie and haven't really read up those stuff you guys mentioned above, is BIND the main area where the hackers/viruses started with? so it is like 90% safe if i can install the latest version of BIND9.1?

Pingu
04-17-2001, 05:30 PM
Here's one to add:

use a different password for admin and root. This needs to be done through a SSH session, since the RAQ's Control Panel gives admin and root the same password...

Starhost
04-17-2001, 05:42 PM
How do I do this?

racker :)
04-17-2001, 07:08 PM
How do i do this?
log into ur telnet/ssh session
username:admin
pass:######
type in
passwd
it'll give u a prompt (type in a different pass from the root pass):
new login pass:######
retype new login pass:######
passwd successfully changed and there u go
root pass is diff from admin pass.
suppose u wanna change the root pass rather than the admin pass:
after u login type in
su root
enter ur root pass
then type in passwd root
and do the above steps from
new login pass onwards
l8r
Žacker

Cael
04-18-2001, 06:36 AM
How can I use SFTP ?

Jedito
05-03-2001, 03:13 AM
Originally posted by racker :)
Great list both of u
heres a few urls:
http://www.packetstorm.com
I think you mean http://packetstorm.securify.com:D
In http://www.hack2k.com you can find some resources too, but they don't have file descriptions.

ee-o
05-10-2001, 02:42 AM
Originally posted by Pingu
Here's one to add:

use a different password for admin and root. This needs to be done through a SSH session, since the RAQ's Control Panel gives admin and root the same password...

Does this apply to Linux boxes too or just RAQs?

mozd3v
05-15-2001, 01:31 AM
Only applies to the RaQs, which use Admin as the management account for the GUI; root is the standard almighty god account on Linux/Unix distros..

moz.

Mike the newbie
05-16-2001, 06:39 PM
Originally posted by Technics

quote:
Originally posted by huck
A couple of things about MySQL. Make sure you kill off the anonymous user or restrict all access to localhost only. MySQL's default installation allows connections of an anonymous user from anywhere. Why they don't change this is beyond me.

How do you do this?


I've been playing around with mySQL and I think I may have figured it out. I suggest you do this on a test install of mySQL before you do it on any system that you care about.



connect to mysql using the administrator user that you gave it when you installed mysql.
$ mysql -u adminuser -p mysql
The space between the -p and the mysql is important. The presence of the space means that mysql is the database name, not your password.
when prompted, enter your password
at the mysql prompt, type
show databases;
Don't forget the semicolon.
one of the databases on the output should be mysql
type select * from user; to see your user table. There may be one or more users with no value in the User column. My guess (and it is only that, a guess) is that these rows represent your anonymous users. For me, I had an anonymous user in each of my two sites on my RaQ.
to remove anonymous users, type the sql command
delete from user where User="";
type select * from user; to see your user table. The anonymous users should be gone.

MattKD
05-17-2001, 11:15 AM
Hi Mike,

one of the points you make is to add SSL for the admin pages...

Any chance of telling us how to achieve this for all of the admin pages using a self generated cert?

thanks a lot,

Matt
ps thanks for your SQL info too

Mike the newbie
05-17-2001, 05:50 PM
Originally posted by MattKD
Hi Mike,

one of the points you make is to add SSL for the admin pages...

Any chance of telling us how to achieve this for all of the admin pages using a self generated cert?



Go here http://www.cobalt.com/support/resources/manuals.html and download the manual specific to your RaQ.

In the RaQ3 manual, chapter 4, pages 98 through 105 have excellent instructions on how to generate your self-signed certificate.

Once you have a self-signed certificate, just access your main site using https://www.yourdomain.com

Mike the newbie
05-18-2001, 06:58 AM
Originally posted by Mike the newbie
Once you have a self-signed certificate, just access your main site using https://www.yourdomain.com

Mea culpa... use this URL instead:

Once you have a self-signed certificate, just access your main site using https://www.yourdomain.com/admin

TheGman
06-12-2001, 05:15 PM
2) put the main site for the RAQ3 on its own IP address and use that site only for administration of the box, i.e., don't host any sites on that IP, don't use that site for email.

7) use APOP for any admin-level email.

can you explain how to do this...

iplexx
06-13-2001, 03:45 AM
ad 2: if you have multiple IP's assigned to your RaQ, simply choose one that you just use for your main site, and the others for your vsites.

ad 7: POP protocol sends passwords unencrypted. If you enable APOP for a site & use an APOP-enabled mail program - like Eudora; not Outlook (Express) - it uses a different (encrypted) authentication method when fetching mail - thus not revealing your password to any sniffer

Mike the newbie
06-14-2001, 08:21 AM
Originally posted by TheGman
- put the main site for the RAQ3 on its own IP address and use that site only for administration of the box, i.e., don't host any sites on that IP, don't use that site for email.
- use APOP for any admin-level email.

can you explain how to do this...


I apologize for the delay in responding, things have been hectic around here. :)


When I set up my RaQ, I created the main site only for admin purposes. The host name of the main site is "config", so the fully specified hostname would be config.mydomain.com. In DNS I create an A record pointing to config.mydomain.com. When I want to administer the RaQ, I use the URL https://config.mydomain.com/admin (this presumes that you have generated a security certificate).

Once you have a dedicated IP address for RaQ admin, then you can start turning off the services for that site that you will not need, and you can set up a tight firewall on that IP address that only allows connection from certain IP addresses (for example, your home static IP address, or ISP's network if you have a dynamic IP address), and only allows connections to certain ports on the admin site. Be careful you do not lock yourself out! :(


To enable APOP, simply turn APOP on in the control panel screen. You will have to use an email client that supports APOP. I like Calypso (www.calypsoemail.com) as it is a very reliable email client and it handles multiple email accounts excellently.
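What APOP actually changes on the wire, for iplexx's explanation above and the enable-it-in-the-control-panel step here: an added Python model of both sides of the exchange (not code from the thread, the RaQ or any mail client), with a constructed credential store and a constructed hostname.

```python
import hashlib
import secrets
import time

# Constructed credential store. APOP needs the cleartext password (or an
# equivalent secret) on the server side; that is the trade-off for never sending it.
USERS = {"admin": "correct horse battery"}

def apop_banner(host="config.example.com"):
    """Server greeting; the <...> part is a fresh per-connection challenge."""
    return f"+OK POP3 server ready <{secrets.token_hex(8)}.{int(time.time())}@{host}>"

def extract_challenge(banner):
    start = banner.index("<")
    return banner[start:banner.index(">", start) + 1]

def apop_digest(challenge, password):
    """RFC 1939 APOP: MD5 over the challenge string followed by the shared secret."""
    return hashlib.md5((challenge + password).encode()).hexdigest()

def client_apop(banner, user, password):
    """What an APOP client (Eudora, Calypso) sends instead of USER/PASS."""
    return f"APOP {user} {apop_digest(extract_challenge(banner), password)}"

def client_plain(user, password):
    """The classic exchange: the password itself crosses the wire for any sniffer."""
    return f"USER {user}\r\nPASS {password}\r\n"

def server_check(banner, command):
    """Server side: recompute the digest for the challenge it issued and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return "-ERR syntax"
    user, digest = parts[1], parts[2]
    password = USERS.get(user)
    if password is None:
        return "-ERR permission denied"
    expected = apop_digest(extract_challenge(banner), password)
    if secrets.compare_digest(expected, digest):   # constant-time comparison
        return "+OK maildrop locked and ready"
    return "-ERR permission denied"

def run_exchange(user, password):
    """One APOP login; returns the wire command and the server's reply."""
    banner = apop_banner()
    command = client_apop(banner, user, password)
    return command, server_check(banner, command)
```

Because the challenge differs per connection, a captured APOP command is useless against the next session, which is what makes it safe against a passive sniffer where USER/PASS is not.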

Mike the newbie
06-14-2001, 08:22 AM
Originally posted by iplexx
ad 2: if you have multiple IP's assigned to your RaQ, simply choose one that you just use for your main site, and the others for your vsites.

ad 7: POP protocol sends passwords unencrypted. If you enable APOP for a site & use an APOP-enabled mail program - like Eudora; not Outlook (Express) - it uses a different (encrypted) authentication method when fetching mail - thus not revealing your password to any sniffer


oops... thanks for the assist, iplexx. I didn't see your reply before I responded.

iplexx
06-14-2001, 08:47 AM
Originally posted by Mike the newbie
oops... thanks for the assist, iplexx. I didn't see your reply before I responded.

no prob
your explanation is anyway better than mine :D

skylab
10-07-2001, 08:31 AM
anyone have any other suggestions?

ljprevo
10-07-2001, 10:24 AM
Install SSH! And use WinSCP for SSH FTP, software works great!

You can even log in as root via SSH by the way of FTP

http://winscp.vse.cz/eng/

ASPCode.net
10-07-2001, 11:15 AM
Thanks James!
I have been using the command line program PSCP for so long...

Hey, maybe I am not so old at all. I mean I have often been called an old dinosaur using the command prompt for just about everything ...

ljprevo
10-07-2001, 11:55 AM
Originally posted by ASPCode.net
Thanks James!
I have been using the command line program PSCP for so long...

Hey, maybe I am not so old at all. I mean I have often been called an old dinosaur using the command prompt for just about everything ...

No Problem!

Yeah, everyone should know what commands are in the command line. The point and click era has bred a bunch of newbies who have no idea what commands are actually being executed in the background.

It sure makes life easier and faster though.

I started my computing days in DOS on an 8MHz XT, when everything had to be typed in command mode. A lot has changed since then.

skylab
10-08-2001, 01:38 PM
does anyone use portsentry + logcheck?
do you recommend using the combination??



as far as shutting down services you don't use. i never will touch asp, should i uninstall completely, or should i just disable it in the raq4 control panel?

skylab
11-01-2001, 04:06 AM
just thought some of the newer raq folks might like this post.


as well. some of you might find these white papers useful

http://www.enteract.com/~lspitz/papers.html

noti
11-01-2001, 01:03 PM
i installed portsentry and logcheck a week ago on my raq3 server with 512ram and they work great ... and i am less worried since then :)

besides the security side, my memory usage seems to drop from an average of 40% to 30% even though the traffic is increasing. on the other hand, the cpu load is averaging 0.2 instead of 0.1.

skylab
11-01-2001, 01:26 PM
yeah, i went with them 2 weeks ago and i've been fairly happy with them. i have seen some disturbing complaints about portsentry.

like, is it true that portsentry basically binds itself to open ports, still leaving them open?

i've seen a few people recommending not using portsentry and using a different firewall from sourceforge.

anyone?

skylab
11-02-2001, 04:39 AM
another thing.


APOP for your admin email, or any email for that matter.


http://www.pocomail.com/ is an amazing email client that supports POP, APOP, and IMAP. and, it's 100 times more secure than any microsoft schtuff....


use it!



or don't.