Bern University of Applied Sciences
BTI7301 - PROJECT 1

Mail Server Set-Up &
Security-Hardening Script
User Manual

Authors:
Fridolin Zurlinden
Ismael Riedo
Jan Henzi

Tutor:
Dr. Simon Kramer

January 23, 2019

Abstract
This document gives an overview of what the hardening script does and what happens on the server when you execute it. It guides you through every step of the installation: first the run options, then firewall, DNS, internal user management, SSH, mail and finally the web part. It shows the contrast between a server before and after hardening by this script, provides a full guide to configuring your e-mail client, and concludes with ideas for future work.

User Manual

Internet Server Set-Up & Security-Hardening Script

Contents
Abstract
List of Figures  5
1 Introduction  6
1.1 Prerequisites  7
1.1.1 Ubuntu 18.04 Server  7
1.1.2 Domain  7
1.1.3 Minimal Linux knowledge  7
1.2 Architecture overview  8
2 Walkthrough  9
2.1 Code directory tree  9
2.2 Overview  10
2.2.1 Complete run  10
2.2.2 Rerun  11
2.2.3 Overview process diagram  12
2.3 Firewall  13
2.3.1 Firewall process diagram  15
2.4 DNS  16
2.4.1 DNS architecture diagram  18
2.4.2 DNS process diagram  19
2.4.3 Multiple domains  19
2.5 User management  20
2.5.1 Actions  20
2.5.2 User management process diagram  22
2.6 SSH  23
2.6.1 Configuration  23
2.6.2 SSH process diagram  25
2.7 E-Mail  26
2.7.1 Configurations  26
2.7.2 E-Mail process diagram  31
2.7.3 Multiple e-mail addresses  31
2.8 Web  32
2.8.1 Web architecture diagram  33
3 Hardening Tests  34
3.1 Firewall  34
3.2 DNS  37
3.2.1 Domain name resolver  37
3.2.2 Authoritative DNS  39
3.3 SSH  40
3.3.1 SSH daemon  40
3.4 E-Mail  42
3.4.1 E-Mail server configuration  42
3.4.2 E-Mail header  44
3.5 Web  45

Page 3 of 76

4 E-Mail Client configuration  47
4.1 Mail on macOS Mojave  47
4.1.1 Mail server config  47
4.1.2 Mail SMTP settings  48
4.1.3 Mail IMAP TLS setting  49
5 Future Work  50
5.1 Extended functionalities  50
5.1.1 Multiple domains  50
5.1.2 Multiple e-mail addresses  50
5.1.3 Web application server  50
5.2 More Hardening  50
5.3 Containerization  51
5.4 Code Migration  51
6 Conclusion  52
7 License  53
7.1 MIT license  53
8 Glossary  54
Bibliography  57
Appendices  58

List of Figures
1.1 Architecture overview  8
2.1 Setup process diagram  12
2.2 Firewall process diagram  15
2.3 Architecture DNS  18
2.4 DNS process diagram  19
2.5 User management process diagram  22
2.6 SSH process diagram  25
2.7 Email process diagram  31
2.8 Architecture Web  33
3.1 Firewall (without DNS) BEFORE  34
3.2 Firewall (with DNS) BEFORE  35
3.3 Firewall setup AFTER  36
3.4 Name resolver BEFORE  37
3.5 Name resolver details BEFORE  37
3.6 Name resolver AFTER  38
3.7 Name resolver details AFTER  38
3.8 Authoritative DNS test BEFORE  39
3.9 Authoritative DNS test AFTER  39
3.10 SSH daemon BEFORE  40
3.11 SSH daemon AFTER  41
3.12 Mail BEFORE (emailsecuritygrader.com)  42
3.13 Mail BEFORE (hardenize.com)  42
3.14 Mail AFTER (emailsecuritygrader.com)  43
3.15 Mail AFTER (hardenize.com)  43
3.16 Mail header BEFORE  44
3.17 Mail header AFTER  44
3.18 Web BEFORE  45
3.19 Web AFTER  46
4.1 Mail server config  47
4.2 Mail SMTP settings  48
4.3 Mail IMAP TLS setting  49

1 Introduction
This document describes a full installation of the following components: Firewall, DNS, SSH, E-Mail and Web. It also shows every option the provided script offers, explains how each component is hardened, and closes with some thoughts on future work. Everything starts with the walkthrough chapter, a complete walkthrough of the scripts explained on the basis of their output, so that you can quickly follow what happens where and how. A code directory tree lists all the scripts; after that, every component that will be installed is covered in turn.
• Overview: This section is about the main script, which bundles all components. The user can also build an individual setup and, if necessary, uninstall or modify components on a second run.
• Firewall: The firewall can be extended with additional rules through a configuration file. The file is found in the "files" directory under the name "fw.conf".
• DNS: Two DNS servers are installed, both from NLnet Labs: Unbound and NSD. Unbound is used as the resolver that handles all requests from this server; NSD is used as the authoritative name server for the domain. Separating the two roles reduces the attack surface: the authoritative server answers only for its own zone, and the resolver listens on localhost only.
• User management: Since some services require Unix users, scripts were written to make it easier to create users and assign them to services. Both the mail part and the SSH part need such users.
• SSH: The SSH part not only hardens the server by forbidding root login, it also equips new or existing users with the rights and SSH keys they need, so that login remains possible for specific users.
• E-Mail: A secure mail server based on Postfix is set up in the e-mail part. Unix users are required here as well.
• Web: nginx and Apache are used in the web part: nginx as reverse proxy, Apache as the web server behind it.
Results matter, so the Hardening Tests chapter gives you an idea of what to expect from a successful complete run of the script. Using common hardening test pages and tools, the server was tested before the script and after a complete run.
• Firewall: The firewall tests were performed with nmap. The result may seem surprising at first: more ports are open afterwards than before. This is expected, because the installed services need those ports. What is open or closed before the run also depends on the hosting provider's defaults.
• DNS: The goal was not only a secure DNS but also an independent one. With its own resolver the server no longer depends on the resolvers of large providers such as Google or Cloudflare.
• SSH: Besides forbidding root login, the SSH configuration restricts the daemon to algorithms that are currently considered secure.
• Mail: With secure protocols and anti-spam measures, the mail server scored very well in the tests. It was tested with https://emailsecuritygrader.com and https://www.hardenize.com.

• Web: The web part was also tested via https://www.hardenize.com and achieved very good results as well.
In addition you will find a short step-by-step guide (currently macOS only) to set up your e-mail client for the server. In the conclusion we discuss extended functionality such as multiple domains and e-mail addresses, further hardening, containerization and code migration. At the very end you find the complete configuration files of every component.

1.1 Prerequisites
Before starting a complete run of the scripts, it is worth preparing a few things so that the run goes through cleanly and quickly.

1.1.1 Ubuntu 18.04 Server
You need your own Ubuntu Server (version 18.04) that is reachable from the internet, and root access to it.

1.1.2 Domain
You need your own domain. A free test domain can easily be found with a quick web search.

1.1.3 Minimal Linux knowledge
The script is command-line only, so you need minimal Linux knowledge: you should know how to navigate in a terminal and execute a command.

1.2 Architecture overview
Figure 1.1 gives a simple overview of what your server looks like after all components have been installed.

Figure 1.1: Architecture overview

2 Walkthrough
2.1 Code directory tree
    .
    dns/
        dns.sh
        dns_nsd.sh
        dns_unbound.sh
        nsd/
            configBackwardsZoneDNS_nsd.sh
            configDNS_nsd.sh
            configForwardZoneDNS_nsd.sh
            finalisationDNS_nsd.sh
            installDNS_nsd.sh
            testDNS_nsd.sh
        unbound/
            configDNSAccess_unbound.sh
            configDNSHardening_unbound.sh
            configDNSListening_unbound.sh
            finalisationDNS_unbound.sh
            installDNS_unbound.sh
            testDNS_unbound.sh
        uninstall_dns.sh
    files/
        fw.conf -> fw/fw.conf
    fw/
        controllTraffic.sh
        enableUfw.sh
        fw.conf
        fw.sh
        specificConfigurations.sh
        uninstall_fw.sh
    mail/
        alias.sh
        checkDomain.sh
        clientCertificate.sh
        dkim.sh
        dmarc.sh
        dnsRecords.sh
        dovecot.sh
        hardeningMail.txt
        mail.sh
        restart.sh
        spf.sh
        tls.sh
        uninstall_mail.sh
    setup.sh
    ssh/
        config.sh
        restart.sh
        ssh.sh
        sshkeys.sh
    utils/
        checkPackage.sh
        chooseIp.sh
        getAllIpv4.sh
        getAllIpv6.sh
        getIpv4.sh
        getIpv6.sh
        logging.sh
        removeFolder.sh
        removePackage.sh
        revIpv4.sh
        summary.sh
        user.sh
        valid_ipv4.sh
    web/
        apache/
            configureApache.sh
            enableApache.sh
        nginx/
            configureNginx.sh
            enableNginx.sh
            nginxCertConfig.sh
        uninstall_web.sh
        web.sh

DNS
The DNS setup is based on two completely independent servers:
• nsd as authoritative name server (queries from the internet for this domain).
• unbound as local DNS resolver (queries from this host).
Firewall
The firewall configuration is loaded from the file files/fw.conf. The standard ports are already defined there; additional ports can be specified in this file.
Anti-spam measures
The following DNS-based anti-spam measures are configured for the mail server. They make sure that incoming spam is recognised and that all sent mails reach their destination without being classified as spam by the receiving side:
• DKIM
• DMARC
• SPF
Entrypoint
This is the main entry point of the setup (./setup.sh). From here on the user is guided through the whole setup process.
Webserver
The web server consists of two components working together:
• Nginx is used as a reverse proxy that terminates TLS (SSL) and provides the HTTPS connection.
• Apache is used as the web server that serves the pages; it could later also be used as an application server (see section 5.1.3).

2.2 Overview
2.2.1 Complete run
In this section we perform a full configuration with the administration script setup.sh and describe every step.
First the script looks for the modification flag. On a first run there is none, so it asks whether you want a complete run (Firewall, DNS, SSH, Mail, Web).

    <INFO> - Tue Jan 8 11:14:31 UTC 2019 - No Modification Flag found. Seems to be the first run. Will start hardening now.
    *** QUESTION *** Do you wish to perform a complete run (Firewall, DNS, SSH, Mail, Web) [y/n]? y
    <INFO> - Tue Jan 8 11:14:39 UTC 2019 - Complete run set to true

    [...]

At the end of the whole configuration a modification flag is set, which is checked on a rerun. This gives you the option to modify or delete components at a later time (see the next section).

    [...]

    <INFO> - Tue Jan 8 11:25:19 UTC 2019 - Set modification Flag.
    <INFO> - Tue Jan 8 11:25:19 UTC 2019 - Done. Finished with configurations

2.2.2 Rerun
If you run the script again at a later time, the options change slightly. You now have the option "Modify", which lets you configure all or only certain components again (in the example only the firewall is configured again), and the option "Uninstall", with which you can remove certain components.

    *** QUESTION *** Modification Flag found. Please choose option: modify/uninstall [m/u]? m
    <INFO> - Wed Jan 9 08:45:33 UTC 2019 - Modification choosen
    *** QUESTION *** Do you wish to perform a complete run (Firewall, DNS, SSH, Mail, Web) [y/n]? n
    <INFO> - Wed Jan 9 08:45:34 UTC 2019 - Complete run set to false.
    <INFO> - Wed Jan 9 08:45:34 UTC 2019 - Start the specific selection for single parts.
    *** QUESTION *** Do you wish to perform action on fw [y/n]? y
    <INFO> - Wed Jan 9 08:45:36 UTC 2019 - Action for fw set to true
    *** QUESTION *** Do you wish to perform action on dns [y/n]? n
    <INFO> - Wed Jan 9 08:45:37 UTC 2019 - Action for dns set to false (will skip it).
    *** QUESTION *** Do you wish to perform action on ssh [y/n]? n
    <INFO> - Wed Jan 9 08:45:37 UTC 2019 - Action for ssh set to false (will skip it).
    *** QUESTION *** Do you wish to perform action on mail [y/n]? n
    <INFO> - Wed Jan 9 08:45:40 UTC 2019 - Action for mail set to false (will skip it).
    *** QUESTION *** Do you wish to perform action on web [y/n]? n
    <INFO> - Wed Jan 9 08:45:43 UTC 2019 - Action for web set to false (will skip it).

    [...]

    <INFO> - Wed Jan 9 08:45:55 UTC 2019 - Set modification Flag.
    <INFO> - Wed Jan 9 08:45:55 UTC 2019 - Done. Finished with configurations

Explanation of [...]
At this point the individual components are configured; they are explained separately in the following sections. This section covers only the administration script that triggers the whole process.

2.2.3 Overview process diagram
Figure 2.1 is the flowchart of setup.sh. In words: initialise all flags (Firewall, DNS, Mail, SSH, Web, Uninstall) and check whether this is the first run. On a rerun the user chooses between uninstall (which sets the Uninstall flag) and modify. The user then either chooses a full setup, which sets every component flag to 1, or answers "Setup Firewall?", "Setup DNS?", "Setup SSH?", "Setup Mail?" and "Setup Web?" one by one, each answer setting that component's flag to 1 or 0. The components are then processed in the order Firewall, DNS, SSH, Mail, Web: a component whose flag is 0 is skipped; if its flag and the Uninstall flag are both 1, its uninstall routine runs (SSH has none and is skipped); otherwise its configuration runs. After the Mail and the Web configuration the DNS configuration is run again if the DNS flag is 1. Finally the first-run-done flag is set.

Figure 2.1: Setup process diagram

2.3 Firewall
In this section we walk through a full firewall configuration and describe every step.
First the script installs ufw (Uncomplicated Firewall), which it then configures.

    <INFO> - Tue Jan 8 11:14:39 UTC 2019 - Starting Firewall Configurations.
    <INFO> - Tue Jan 8 11:14:39 UTC 2019 - Will install 'ufw' now. Please wait...
    ..............
    <INFO> - Tue Jan 8 11:14:52 UTC 2019 - Package 'ufw' is installed now.

After the successful installation the script applies a basic policy: all outgoing traffic is allowed and all incoming traffic is denied. So that nobody is locked out of his own server right at the start, SSH on port 22 is enabled separately and is the only access from outside at this point.

    <INFO> - Tue Jan 8 11:14:53 UTC 2019 - Ufw is enabled now.
     - Tue Jan 8 11:14:53 UTC 2019 - UFW enable done.
    <INFO> - Tue Jan 8 11:14:53 UTC 2019 - Start Firewall Hardening. (close all non relevant ports)
    <INFO> - Tue Jan 8 11:14:54 UTC 2019 - All incoming and outgoing traffic is handeled now.
     - Tue Jan 8 11:14:54 UTC 2019 - Traffic controll done.
    <INFO> - Tue Jan 8 11:14:54 UTC 2019 - Activate SSH Connection for host 'XYZ'.

After the base policy, the specific configurations are loaded. The user supplies them by adding rules to the config file "fw.conf" in the folder "files"; each rule states whether a certain access is allowed (ALLOW) or denied (DENY). The rules listed in the output below are the minimum needed for a complete run of the scripts and are present in the configuration file by default. At the very end the list of the now active rules is displayed.
Two things are worth checking in that default file before a run. SSH, SMTP and IMAP only use TCP, so the UDP entries for ports 22, 25, 465, 143 and 993 open ports on which no service listens; they can be removed without loss. And the SSH rule allows port 22 from anywhere; if you administer the server from fixed addresses, restricting it to those addresses in fw.conf shrinks the exposed surface further.

    <INFO> - Tue Jan 8 11:14:55 UTC 2019 - Looking for Firewall Config file for specific configurations
    <INFO> - Tue Jan 8 11:14:55 UTC 2019 - File Found. /root/files/fw.conf
    # SSH
    <INFO> - Tue Jan 8 11:15:19 UTC 2019 - Working on 'allow 22/tcp'.
    <INFO> - Tue Jan 8 11:15:19 UTC 2019 - Working on 'allow 22/udp'.
    # DNS
    <INFO> - Tue Jan 8 11:15:20 UTC 2019 - Working on 'allow 53/tcp'.
    <INFO> - Tue Jan 8 11:15:20 UTC 2019 - Working on 'allow 53/udp'.
    # MAIL
    <INFO> - Tue Jan 8 11:15:20 UTC 2019 - Working on 'allow 25/tcp'.
    <INFO> - Tue Jan 8 11:15:20 UTC 2019 - Working on 'allow 25/udp'.
    # SECURE SMTP
    <INFO> - Tue Jan 8 11:15:21 UTC 2019 - Working on 'allow 465/tcp'.
    <INFO> - Tue Jan 8 11:15:21 UTC 2019 - Working on 'allow 465/udp'.
    # IMAP
    <INFO> - Tue Jan 8 11:15:21 UTC 2019 - Working on 'allow 143/tcp'.
    <INFO> - Tue Jan 8 11:15:21 UTC 2019 - Working on 'allow 143/udp'.
    # IMAP TLS
    <INFO> - Tue Jan 8 11:15:21 UTC 2019 - Working on 'allow 993/tcp'.
    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Working on 'allow 993/udp'.
    # HTTP HTTPS
    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Working on 'allow 80/tcp'.
    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Working on 'allow 443/tcp'.
    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Done Specific configurations.
     - Tue Jan 8 11:15:22 UTC 2019 - Specific Configurations of UFW done.
    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Firewall Configurations done.
    Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    22/udp                     ALLOW       Anywhere
    53/tcp                     ALLOW       Anywhere
    53/udp                     ALLOW       Anywhere
    25/tcp                     ALLOW       Anywhere
    25/udp                     ALLOW       Anywhere
    465/tcp                    ALLOW       Anywhere
    465/udp                    ALLOW       Anywhere
    143/tcp                    ALLOW       Anywhere
    143/udp                    ALLOW       Anywhere
    993/tcp                    ALLOW       Anywhere
    993/udp                    ALLOW       Anywhere
    80/tcp                     ALLOW       Anywhere
    443/tcp                    ALLOW       Anywhere
    22/tcp (v6)                ALLOW       Anywhere (v6)
    22/udp (v6)                ALLOW       Anywhere (v6)
    53/tcp (v6)                ALLOW       Anywhere (v6)
    53/udp (v6)                ALLOW       Anywhere (v6)
    25/tcp (v6)                ALLOW       Anywhere (v6)
    25/udp (v6)                ALLOW       Anywhere (v6)
    465/tcp (v6)               ALLOW       Anywhere (v6)
    465/udp (v6)               ALLOW       Anywhere (v6)
    143/tcp (v6)               ALLOW       Anywhere (v6)
    143/udp (v6)               ALLOW       Anywhere (v6)
    993/tcp (v6)               ALLOW       Anywhere (v6)
    993/udp (v6)               ALLOW       Anywhere (v6)
    80/tcp (v6)                ALLOW       Anywhere (v6)
    443/tcp (v6)               ALLOW       Anywhere (v6)

     - Tue Jan 8 11:15:22 UTC 2019 - UFW Configurations done.
     - Tue Jan 8 11:15:22 UTC 2019 - Actions on Firewall Done
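The following is an added example and not part of the project's fw.sh or specificConfigurations.sh. It shows the check a practitioner would want in front of the rule loader: every fw.conf line is validated before anything is passed to ufw, the resulting ufw commands are printed, and UDP rules for TCP-only services are flagged. The line format (`allow PORT/PROTO`, `deny PORT/PROTO`, `#` comment lines) is inferred from the log output above; the real script may accept more of ufw's syntax (an assumption), and the sample file with its deliberately malformed last line is constructed for this example.

```shell
#!/bin/sh
# Added example, not the project's fw.sh: validate an fw.conf-style rule
# file before its lines are handed to ufw, and print the ufw commands that
# would be run. The line format "allow 22/tcp" / "deny 25/udp" with '#'
# comment lines is inferred from the walkthrough's log output; the real
# fw.sh may accept more of ufw's syntax than this validator (assumption).

# fw_normalise LINE -> LINE with blank runs squeezed and edges trimmed.
fw_normalise() {
    printf '%s' "$1" | tr -s '[:blank:]' ' ' | sed 's/^ //; s/ $//'
}

# fw_rule_valid LINE -> 0 only if LINE is exactly "ACTION PORT/PROTO" with
# ACTION in {allow,deny}, PORT in 1..65535 and PROTO in {tcp,udp}.
# Extra words, ranges and shell metacharacters are rejected, so a
# malformed or tampered config line is never expanded into "ufw $line".
fw_rule_valid() {
    rule=$(fw_normalise "$1")
    case "$rule" in *" "*) ;; *) return 1 ;; esac
    action="${rule%% *}"
    spec="${rule#* }"
    case "$action" in allow|deny) ;; *) return 1 ;; esac
    case "$spec" in */*/*|*" "*) return 1 ;; */*) ;; *) return 1 ;; esac
    port="${spec%/*}"
    proto="${spec#*/}"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then return 0; fi
    return 1
}

# fw_rule_warning LINE -> prints a warning and returns 0 when LINE allows
# UDP on a port whose service (SSH, SMTP, submission, IMAP) is TCP-only;
# such a rule opens nothing useful but widens the allow-list. Returns 1
# otherwise.
fw_rule_warning() {
    rule=$(fw_normalise "$1")
    case "${rule#* }" in
        22/udp|25/udp|465/udp|587/udp|143/udp|993/udp)
            printf 'warning: %s allows UDP for a TCP-only service\n' "${rule#* }"
            return 0 ;;
    esac
    return 1
}

# fw_conf_to_ufw FILE -> prints one "ufw ACTION PORT/PROTO" line per valid
# rule, skipping blank and comment lines. Invalid lines go to stderr and
# make the function return 1, but the rest of the file is still listed.
fw_conf_to_ufw() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(fw_normalise "$line")
        case "$line" in ''|'#'*) continue ;; esac
        if fw_rule_valid "$line"; then
            fw_rule_warning "$line" >&2 || :
            printf 'ufw %s\n' "$line"
        else
            printf 'invalid rule skipped: %s\n' "$line" >&2
            status=1
        fi
    done < "$1"
    return "$status"
}

# Constructed sample (same layout as the default fw.conf as far as the log
# shows, shortened) plus one tampered line that must never reach the shell.
fw_sample_conf() {
    cat > "$1" <<'EOF'
# SSH
allow 22/tcp
allow 22/udp
# DNS
allow 53/tcp
allow 53/udp
# HTTP HTTPS
allow 80/tcp
allow 443/tcp
# tampered line
allow 80/tcp; rm -rf /
EOF
}

# Stand-alone demo: list the ufw commands for the sample file.
demo=$(mktemp)
fw_sample_conf "$demo"
fw_conf_to_ufw "$demo" || echo "config contains invalid rules" >&2
rm -f "$demo"
```

Run on the real file with `fw_conf_to_ufw files/fw.conf`; the default file produces a warning for each of the five UDP entries mentioned above, and the tampered sample line is reported on stderr instead of being executed.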

2.3.1 Firewall process diagram
Figure 2.2 is the flowchart of the firewall script with all possible outcomes. In words: start the firewall configuration; enable ufw (if it is already active, the activation step is skipped); deny incoming traffic; allow outgoing traffic; load the specific configurations from fw.conf; activate all specific rules; done.

Figure 2.2: Firewall process diagram

2.4 DNS
In this section we walk through a full DNS configuration and describe every step.
First the script installs Unbound, a DNS resolver that from now on serves all DNS requests from this server.

    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Starting DNS Configurations.
    * NOTE * We install two DNS Server, one for internal DNS requests (for this server and/or home clients) and one authoritative DNS Server for your domain
    * PART 0: We install the basic configuration for unbound - we come back to it later
    <INFO> - Tue Jan 8 11:15:22 UTC 2019 - Install DNS
    <INFO> - Tue Jan 8 11:15:24 UTC 2019 - Will install 'unbound' now. Please wait...
    ............
    <INFO> - Tue Jan 8 11:15:36 UTC 2019 - Package 'unbound' is installed now.
    <INFO> - Tue Jan 8 11:15:37 UTC 2019 - Configure DNS Hardening (Hide version, use root-hints file, use trust-anchored zones for DNSSEC requests)
    <INFO> - Tue Jan 8 11:15:37 UTC 2019 - Configure DNS Ports, IPs
    <INFO> - Tue Jan 8 11:15:37 UTC 2019 - Server will listen with localhost on port 53
    <INFO> - Tue Jan 8 11:15:37 UTC 2019 - Configure DNS Access
    <INFO> - Tue Jan 8 11:15:37 UTC 2019 - Configure this Client
    <INFO> - Tue Jan 8 11:15:37 UTC 2019 - Server will use localhost as DNS
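The log above names the resolver hardening (hide version, root hints, DNSSEC trust anchor, listen on localhost, access control) without showing the resulting file. The following added example, which is not the project's dns_unbound.sh, audits an unbound.conf for exactly those settings and contrasts a constructed open-resolver configuration with a constructed hardened one. The directive names are Unbound's own; the file paths in the hardened sample are the usual Ubuntu locations and are an assumption, not necessarily what the script writes.

```shell
#!/bin/sh
# Added example, not the project's dns_unbound.sh: audit an unbound.conf for
# the hardening the walkthrough reports (hide version, root-hints file,
# trust anchor for DNSSEC, listen on localhost, access control). Directive
# names are unbound's own; the two sample configs are constructed for this
# example and the paths in the hardened one are the usual Ubuntu locations
# (assumption), not necessarily what the script writes.

# unbound_directive FILE NAME -> prints the value of every "NAME: value"
# line in FILE, comments stripped, one per line.
unbound_directive() {
    sed 's/#.*//' "$1" | awk -v key="$2:" '$1 == key { print $2 }'
}

# unbound_open_resolver FILE -> 0 when FILE listens on all addresses AND
# has an allow-all access-control, i.e. anyone on the internet may query it
# (and abuse it for DNS amplification). 1 otherwise.
unbound_open_resolver() {
    unbound_directive "$1" interface | grep -qxF -e '0.0.0.0' -e '::0' -e '::' || return 1
    sed 's/#.*//' "$1" | awk '
        $1 == "access-control:" && ($2 == "0.0.0.0/0" || $2 == "::/0") && $3 == "allow" { open = 1 }
        END { exit !open }'
}

# unbound_audit FILE -> prints one line per missing hardening setting and
# returns 1 if anything was found, 0 for a clean config.
unbound_audit() {
    f="$1"; findings=0
    for want in hide-identity hide-version; do
        if [ "$(unbound_directive "$f" "$want")" != "yes" ]; then
            echo "missing: $want: yes"
            findings=$((findings + 1))
        fi
    done
    for want in root-hints auto-trust-anchor-file; do
        if [ -z "$(unbound_directive "$f" "$want")" ]; then
            echo "missing: $want"
            findings=$((findings + 1))
        fi
    done
    if unbound_open_resolver "$f"; then
        echo "open resolver: listens on all interfaces and allows 0.0.0.0/0"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed: a resolver that was simply "opened up".
unbound_write_weak() {
    cat > "$1" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    verbosity: 1
EOF
}

# Constructed: the settings the log describes for the local resolver.
unbound_write_hardened() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1              # resolver for this host only
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes                # no answer to id.server / hostname.bind
    hide-version: yes                 # no answer to version.server / version.bind
    root-hints: "/usr/share/dns/root.hints"          # own copy of the root servers
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC validation
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
EOF
}

# Stand-alone demo: audit both constructed configs.
demo=$(mktemp)
unbound_write_weak "$demo"
unbound_audit "$demo" || echo "weak config fails the audit" >&2
unbound_write_hardened "$demo"
unbound_audit "$demo" && echo "hardened config passes the audit"
rm -f "$demo"
```

To audit the file the script produced, run `unbound_audit /etc/unbound/unbound.conf` (or the file under /etc/unbound/unbound.conf.d/ that the script writes); `unbound-checkconf` should be run as well, since this audit checks policy, not syntax.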

Next comes the authoritative name server, NSD. Have your domain ready; user input is shown on its own line in the listing.

    * PART 1: We start with the authoritative Name Server: NSD
    !! CAUTION !! you need your own domain - IF NOT the server wont be functional
    DO NOT use a domain which does not belong to you, it may be illegal
    * NOTE * If you want to test it only, you can get a free domain like .tk or .ga - just search in your favorite web search engine (duckduckgo, google etc..)

    Press enter to continue

    *** QUESTION *** do you have your own domain? (y/n/abort) y
    <INFO> - Tue Jan 8 11:15:59 UTC 2019 -

    *** QUESTION *** please enter your domain:
    examplerun.cf

    *** QUESTION *** is examplerun.cf correct? (y/n/abort)
    y

    <INFO> - Tue Jan 8 11:16:15 UTC 2019 - We will configure the authoritative DNS Server with the domain: examplerun.cf

Once the domain is set, check whether the address shown is your external IP address; if it is, continue.

    *** QUESTION *** is this 104.248.137.212 your external IP address? (y (default)/n/abort)
    y
    <INFO> - Tue Jan 8 11:16:48 UTC 2019 - We will configure the authoritative DNS Server with this: 104.248.137.212
    <INFO> - Tue Jan 8 11:16:48 UTC 2019 - Install authoritative DNS for: examplerun.cf
    <INFO> - Tue Jan 8 11:16:48 UTC 2019 - Will install 'nsd' now. Please wait...
    ..........
    <INFO> - Tue Jan 8 11:16:57 UTC 2019 - Package 'nsd' is installed now.
    <INFO> - Tue Jan 8 11:16:59 UTC 2019 - Will install 'ldnsutils' now. Please wait...
    ........
    <INFO> - Tue Jan 8 11:17:06 UTC 2019 - Package 'ldnsutils' is installed now.
    <INFO> - Tue Jan 8 11:17:06 UTC 2019 - Configure NSD
    <INFO> - Tue Jan 8 11:17:06 UTC 2019 - Configure Forward Zone
    <INFO> - Tue Jan 8 11:17:06 UTC 2019 - Configure Backward Zone
    <INFO> - Tue Jan 8 11:17:06 UTC 2019 - Final steps
    <INFO> - Tue Jan 8 11:17:11 UTC 2019 - Test NSD

Now change the name servers and the glue records of your domain at your registrar, as the script instructs. Note that ns1 and ns2 point to the same address: the two names satisfy registrars that require two name servers, but they provide no redundancy, so while this server is down the domain does not resolve at all.

    PART 2: You have a full functional authoritative Name Server BUT your domain hoster does not know it!
    !! VERY IMPORTANT !! GO to your domain hoster, change the name server for your domain to:
    ns1.examplerun.cf with IP: 104.248.137.212
    ns2.examplerun.cf with IP: 104.248.137.212
    !! VERY IMPORTANT !! DO the same for the Glue Records, with the same name server and IPs
    NOTE: It may take some time to change it - if you have difficulties with this part use your favorite web search engine

    If you are done, press enter to continue

In the last part, if the server sits in your home or office network, you can make the resolver we installed (Unbound) available to your local clients. Usually this is not the case, so simply press Enter to continue. Finally the script tests the resolution of an IPv4 and an IPv6 address.

    PART 3: *** QUESTION *** Do you rent this server or is it in your internal network area? If you dont know what it means just press enter. (intern/<enter> (default))
    <INFO> - Tue Jan 8 11:17:40 UTC 2019 - Test local DNS
    <INFO> - Tue Jan 8 11:17:40 UTC 2019 - Test ipv4 address
    www.google.com.         3600    IN  A      216.58.210.4
    <INFO> - Tue Jan 8 11:17:40 UTC 2019 - Test ipv6 address
    ipv6.google.com.        604800  IN  CNAME  ipv6.l.google.com.
    ipv6.l.google.com.      3600    IN  AAAA   2a00:1450:4005:800::200e

    Successfully installed NSD and Unbound

And we are done with the DNS part!

2.4.1 DNS architecture diagram
For a better understanding of how a domain name is resolved, the following diagram shows how the two servers are separated.

Figure 2.3: Architecture DNS

2.4.2 DNS process diagram
Figure 2.4 is the flowchart of the DNS script with all possible outcomes. In words: install the default Unbound configuration; determine the host's IP addresses (none: end; exactly one: take it; more than one: show an option list and let the user choose) and ask whether the chosen address is correct; reverse the IPv4 address for the backward zone; ask whether the user has a domain (no or abort: end); ask for the domain name and have it confirmed (abort: end); install NSD and show the information for the registrar; finally ask whether Unbound should serve only localhost or also the local area network and, in the latter case, reconfigure Unbound for the local area; end.

Figure 2.4: DNS process diagram

2.4.3 Multiple domains
After installation you can use multiple subdomains of your domain. All of them will be resolved,
because the zone is configured with a wildcard record (in this example *.examplerun.cf). As the script
was designed for someone with a basic understanding of computer technology, hosting multiple domains
on the same server is not possible.


2.5 User management
The user management is used whenever a list of users on the Unix system must be selected for a service.
In the following subsections you find a brief overview of all the available actions.

2.5.1 Actions
Here you find a short example for each action; inputs are highlighted.
Help
The help text is displayed at the start of the function and every time the command help is entered.

<INFO> - Mon Jan 14 09:44:29 UTC 2019 - Doing user handling for SSH configuration
Usage:
This function helps you manage the users on this system and select the ones
you wish to provision for the ssh service.
Following actions are available:
help:       Display this help
display:    Show all unix users on this system
add:        Add a unix user to this system (this implies the select action)
delete:     Remove a unix user from this system (this implies the unselect action)
select:     Add an existing unix user to the list of users which will be provisioned for the service ssh
unselect:   Remove a user from the list of users which will be provisioned for the service ssh
show:       Show the list of users which will be provisioned for the service ssh
quit:       Exit this function

Display
Show all unix users on the system:

<INFO> - Mon Jan 14 09:44:29 UTC 2019 - Number of users selected: 0
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) display
<INFO> - Mon Jan 14 09:44:42 UTC 2019 - Displaying users for this system
root
sync

Add
Add a unix user to the system (this implies the select action)

<INFO> - Mon Jan 14 09:44:42 UTC 2019 - Number of users selected: 0
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) add
<INFO> - Mon Jan 14 09:45:07 UTC 2019 - Adding user for this system
*** QUESTION *** please enter the desired username to be added? alice
id: 'alice': no such user
Adding user 'alice' ...
Adding new group 'alice' (1000) ...
Adding new user 'alice' (1000) with group 'alice' ...
Creating home directory '/home/alice' ...
Copying files from '/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for alice
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
<INFO> - Mon Jan 14 09:45:22 UTC 2019 - Successfully added user alice, adding it to the list for ssh
*** QUESTION *** Do you want to add sudo privileges for the user alice? (y/N) y
<INFO> - Mon Jan 14 09:45:28 UTC 2019 - Adding sudo privileges for user alice
<INFO> - Mon Jan 14 09:45:28 UTC 2019 - Successfuly added sudo privileges for user alice

Show
Show the list of users which will be provisioned for the service

<INFO> - Mon Jan 14 09:45:28 UTC 2019 - Number of users selected: 1
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) alice
<INFO> - Mon Jan 14 09:45:46 UTC 2019 - Displaying selected users for service ssh
<INFO> - Mon Jan 14 09:45:46 UTC 2019 - alice

Unselect
Remove a user from the list of users which will be provisioned for the service

<INFO> - Mon Jan 14 09:45:46 UTC 2019 - Number of users selected: 1
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) unselect
<INFO> - Mon Jan 14 09:45:56 UTC 2019 - Unselecting user for service ssh
*** QUESTION *** please enter the desired username to be removed from selection? alice
<INFO> - Mon Jan 14 09:45:59 UTC 2019 - Removed alice from selection for ssh

Select
Add an existing unix user to the list of users which will be provisioned for the service

<INFO> - Mon Jan 14 09:45:59 UTC 2019 - Number of users selected: 0
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) select
<INFO> - Mon Jan 14 09:46:07 UTC 2019 - Selecting user for service ssh
*** QUESTION *** please enter the desired username to be selected? alice
<INFO> - Mon Jan 14 09:46:09 UTC 2019 - Selected alice for ssh


Delete
Remove a unix user from the system (this implies the unselect action)

<INFO> - Mon Jan 14 09:46:13 UTC 2019 - Number of users selected: 1
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) delete
<INFO> - Mon Jan 14 09:46:20 UTC 2019 - Removing user for this system
*** QUESTION *** please enter the desired username to be deleted? sync
Removing files ...
Removing user 'sync' ...
Warning: group 'nogroup' has no more members.
Done.
<INFO> - Mon Jan 14 09:46:23 UTC 2019 - Successfully deleted user sync

Quit
Exit the function

<INFO> - Mon Jan 14 09:46:46 UTC 2019 - Number of users selected: 1
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) quit

2.5.2 User management process diagram
Here we have a process diagram of how the script works, with all possible outcomes.

[Figure 2.5 flowchart, text residue only; nodes: start; Enter username; User exists? (No: Create user); Add sudo privileges? (Yes: Add to sudo group); Enter additional user? (Yes: back to Enter username; No: end)]
Figure 2.5: User management process diagram


2.6 SSH
2.6.1 Configuration
This is an example of the SSH configuration part; all inputs are highlighted in yellow.
User management ssh
Here is a minimal example of the SSH user handling; for further information see section 2.5.

 - Mon Jan 14 09:44:29 UTC 2019 - Perform actions on SSH
 - Mon Jan 14 09:44:29 UTC 2019 - Perform install on SSH
<INFO> - Mon Jan 14 09:44:29 UTC 2019 - Doing user handling for SSH configuration
Usage:
This function helps you manage the users on this system and select the ones
you wish to provision for the ssh service.
Following actions are available:
help:       Display this help
display:    Show all unix users on this system
add:        Add a unix user to this system (this implies the select action)
delete:     Remove a unix user from this system (this implies the unselect action)
select:     Add a existing unix user to the list of users which will be provisioned for the service ssh
unselect:   Remove a user from the list of users which will be provisioned for the service ssh
show:       Show the list of users which will be provisioned for the service ssh
quit:       Exit this function
<INFO> - Mon Jan 14 09:44:42 UTC 2019 - Number of users selected: 0
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) add
<INFO> - Mon Jan 14 09:45:07 UTC 2019 - Adding user for this system
*** QUESTION *** please enter the desired username to be added? alice
id: 'alice': no such user
Adding user 'alice' ...
Adding new group 'alice' (1000) ...
Adding new user 'alice' (1000) with group 'alice' ...
Creating home directory '/home/alice' ...
Copying files from '/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for alice
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
<INFO> - Mon Jan 14 09:45:22 UTC 2019 - Successfully added user alice, adding it to the list for ssh
*** QUESTION *** Do you want to add sudo privileges for the user alice? (y/N) y
<INFO> - Mon Jan 14 09:45:28 UTC 2019 - Adding sudo privileges for user alice
<INFO> - Mon Jan 14 09:45:28 UTC 2019 - Successfuly added sudo privileges for user alice
<INFO> - Mon Jan 14 09:46:46 UTC 2019 - Number of users selected: 1
*** QUESTION *** what action do you like to choose? (help/display/add/delete/select/unselect/show/quit) quit

SSH key generation
For every user a personal SSH key pair is generated; the user has to enter the passphrase. When the
setup is complete, the user can download all of their keys, certificates and passphrases from the server.

<INFO> - Mon Jan 14 09:46:55 UTC 2019 - Leaving user management
<INFO> - Mon Jan 14 09:46:55 UTC 2019 - Generating SSH keys for users
<INFO> - Mon Jan 14 09:46:55 UTC 2019 - Generating SSH key for user alice
<INFO> - Mon Jan 14 09:46:55 UTC 2019 - IMPORTANT - make sure you remember ALL the passphrases and save your keys to some secure location - IMPORTANT
<INFO> - Mon Jan 14 09:46:55 UTC 2019 - IMPORTANT - !!! passphrase MUST be minimum 5 characters long !!! - IMPORTANT
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:82nk2iy0lS6n+KJdIIfGeR/TBbkglLoxihMZVMdYif0 alice@examplerun.cf
The key's randomart image is:
+---[RSA 4096]----+
....*+o. ..
. o.+o . ..
o ... . ..
o .+o E ...
o .*++ S o.
o ...+ o.Bo.
. .o+=
..o+=o
..oo+=o
+----[SHA256]-----+
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - IMPORTANT - This is your private key, this is the only thing you need right to save. All of your certificate and keys are saved to your home. You need this key to download them. - IMPORTANT
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,8B5BFD485A805BA25316C21C266CCDCF

BCh9X2Lo6jxZBtVRprliAhCp/TVX+60EPxBu59sUVWukOnB8CKy/bqEhkOb6DVsh
...
VrxQPgOeipL3zr54Zq9SY6NC2BCu5OygDHWXsKwrBTnx0Hi262jo6bX7Kqmog4qX
-----END RSA PRIVATE KEY-----

SSH hardening & cleanup
At the end the user keys are moved to the corresponding user home and the SSH configuration is
hardened [5]:
• Root login is not permitted
• Password login is not permitted
• X11 forwarding is not permitted
• Only secure algorithms are permitted

<INFO> - Mon Jan 14 09:57:45 UTC 2019 - Cleaning up ..
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - Hardening SSH daemon config
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - Hardening sshd config (disable X11Forwarding, enable domainname lookup, disable root login, enabling only strong algorithms)
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - Hardening complete
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - Finishing up, restarting services
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - Restarting all components for SSH
<INFO> - Mon Jan 14 09:57:45 UTC 2019 - SSH daemon configuration complete.
 - Mon Jan 14 09:57:45 UTC 2019 - Actions on SSH Done

2.6.2 SSH process diagram
Here we have a process diagram of how the script works with all possible outcomes.

[Figure 2.6 flowchart, text residue only; nodes: start, User management, Hardening SSH Config, Generate SSH Keys, Install SSH Guard, Set Permissions, Restart Services, End]

Figure 2.6: SSH process diagram


2.7 E-Mail
2.7.1 Configurations
This is an example of the e-mail configuration part; all inputs are highlighted in yellow.
Package installation
First all the necessary packages are installed. This includes:
• postfix
• mailutils
• letsencrypt
• dovecot
• opendkim
• opendmarc
• zip

<Mail> - Mon Jan 14 11:29:52 UTC 2019 - Perform install on Mail
<INFO> - Mon Jan 14 11:29:52 UTC 2019 - Setting up MX and SPF records in dns
<INFO> - Mon Jan 14 11:29:52 UTC 2019 - Appending DNS records for the mailserver to zonefile
<INFO> - Mon Jan 14 11:29:52 UTC 2019 - Reloading zone files ..
<INFO> - Mon Jan 14 11:29:52 UTC 2019 - Installing mailserver packages (postfix, mailutils, dovecot)
<INFO> - Mon Jan 14 11:30:15 UTC 2019 - Will install 'postfix-pcre' now. Please wait ...
......
<INFO> - Mon Jan 14 11:30:21 UTC 2019 - Package 'postfix-pcre' is installed now.
<INFO> - Mon Jan 14 11:30:21 UTC 2019 - Will install 'postfix-policyd-spf-python' now. Please wait ...
.......
<INFO> - Mon Jan 14 11:30:27 UTC 2019 - Package 'postfix-policyd-spf-python' is installed now.
<INFO> - Mon Jan 14 11:30:28 UTC 2019 - Will install 'mailutils' now. Please wait ...
........
<INFO> - Mon Jan 14 11:30:36 UTC 2019 - Package 'mailutils' is installed now.
<INFO> - Mon Jan 14 11:30:36 UTC 2019 - Will install 'letsencrypt' now. Please wait ...
...............
<INFO> - Mon Jan 14 11:30:51 UTC 2019 - Package 'letsencrypt' is installed now.
<INFO> - Mon Jan 14 11:30:51 UTC 2019 - Will install 'dovecot-core' now. Please wait ...
.....................
<INFO> - Mon Jan 14 11:31:11 UTC 2019 - Package 'dovecot-core' is installed now.
<INFO> - Mon Jan 14 11:31:11 UTC 2019 - Will install 'dovecot-imapd' now. Please wait ...
..............
<INFO> - Mon Jan 14 11:31:24 UTC 2019 - Package 'dovecot-imapd' is installed now.
<INFO> - Mon Jan 14 11:31:25 UTC 2019 - Will install 'opendkim' now. Please wait ...
........
<INFO> - Mon Jan 14 11:31:33 UTC 2019 - Package 'opendkim' is installed now.
<INFO> - Mon Jan 14 11:31:33 UTC 2019 - Will install 'opendkim-tools' now. Please wait ...
......
<INFO> - Mon Jan 14 11:31:38 UTC 2019 - Package 'opendkim-tools' is installed now.
<INFO> - Mon Jan 14 11:31:39 UTC 2019 - Will install 'opendmarc' now. Please wait ...
..........
<INFO> - Mon Jan 14 11:31:48 UTC 2019 - Package 'opendmarc' is installed now.
<INFO> - Mon Jan 14 11:31:48 UTC 2019 - Will install 'zip' now. Please wait ...
......
<INFO> - Mon Jan 14 11:31:54 UTC 2019 - Package 'zip' is installed now.

Client certificates
The setup allows only logins with personal certificates; these are generated here. This is a
minimal configuration of the user management; for further information see section 2.5.

<INFO> - Mon Jan 14 11:31:54 UTC 2019 - Configure Mail Hardening (TLS, SPF, DKIM, DMARC, dovecot, client certificate login)
Usage:
This function helps you manage the users on this system and select the ones
you wish to provision for the mail service.
Following actions are available:
help:       Display this help
display:    Show all unix users on this system
add:        Add a unix user to this system (this implies the select action)
delete:     Remove a unix user from this system (this implies the unselect action)
select:     Add a existing unix user to the list of users which will be provisioned for the service mail
unselect:   Remove a user from the list of users which will be provisioned for the service mail
show:       Show the list of users which will be provisioned for the service mail
quit:       Exit this function
<INFO> - Mon Jan 14 11:34:31 UTC 2019 - Number of users selected: 0
*** QUESTION *** what action do you like to choose? (display/add/delete/select/unselect/show/quit) select
<INFO> - Mon Jan 14 11:34:33 UTC 2019 - Selecting user for service mail
*** QUESTION *** please enter the desired username to be selected? alice
<INFO> - Mon Jan 14 11:34:35 UTC 2019 - Selected alice for mail
<INFO> - Mon Jan 14 11:34:35 UTC 2019 - Number of users selected: 1
*** QUESTION *** what action do you like to choose? (display/add/delete/select/unselect/show/quit) quit
<INFO> - Mon Jan 14 11:34:39 UTC 2019 - Leaving user management

Postfix configuration
In this setup postfix acts as the SMTP server to send and receive mail. The script now configures all
the necessary postfix components [4]:
• User mappings (alias, canonical)
• Service users
• TLS (letsencrypt)
• Anti-spam measures (SPF, DKIM, DMARC)


<INFO> - Mon Jan 14 11:34:39 UTC 2019 - Mapping users to mail addresses
<INFO> - Mon Jan 14 11:34:39 UTC 2019 - Adding users to alias and canonical file
<INFO> - Mon Jan 14 11:34:39 UTC 2019 - Adding supplementary postmaster user for dmarc reporting
<INFO> - Mon Jan 14 11:34:39 UTC 2019 - Setting up TLS with letsencrypt
<INFO> - Mon Jan 14 11:34:39 UTC 2019 - Running letsencrypt to obtain a certificate
<INFO> - Mon Jan 14 11:34:40 UTC 2019 - Will install 'certbot' now. Please wait ...
...
<INFO> - Mon Jan 14 11:34:42 UTC 2019 - Package 'certbot' is installed now.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.examplerun.cf
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.examplerun.cf/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.examplerun.cf/privkey.pem
   Your cert will expire on 2019-04-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

<INFO> - Mon Jan 14 11:34:50 UTC 2019 - Configuring TLS for postfix
<INFO> - Mon Jan 14 11:34:51 UTC 2019 - TLS configuration for postfix complete
<INFO> - Mon Jan 14 11:34:51 UTC 2019 - Restarting postfix service
<INFO> - Mon Jan 14 11:34:53 UTC 2019 - Setting up SPF (anti spam measure)
<INFO> - Mon Jan 14 11:34:53 UTC 2019 - Adding SPF configuration to unbound
<INFO> - Mon Jan 14 11:34:53 UTC 2019 - Adding SPF configuration to postfix config
<INFO> - Mon Jan 14 11:34:53 UTC 2019 - Setting up DKIM (anti spam measure)
<INFO> - Mon Jan 14 11:34:53 UTC 2019 - Creating users for DKIM
<INFO> - Mon Jan 14 11:34:53 UTC 2019 - Configuring opendkim
opendkim-genkey: generating private key
opendkim-genkey: private key written to 2019011411.private
opendkim-genkey: extracting public key
opendkim-genkey: DNS TXT record written to 2019011411.txt
<INFO> - Mon Jan 14 11:34:54 UTC 2019 - Reloading systemd units
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Generating DNS records for opendkim
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Setting up DMARC (anti spoofing measure)
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configurting opendmarc
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Reloading systemd units
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Adding DNS records for opendmarc
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Integrating opendmarc into postfix
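As an added example (not the project's code), this POSIX shell snippet shows how the DNS side of the steps above fits together: it parses the TXT file that opendkim-genkey writes (here a constructed sample with a fake key) and emits the MX, SPF, DKIM and DMARC records for the zone, with the postmaster mailbox as DMARC report address; the SPF "-all" and DMARC "p=reject" policies are my assumptions, not values taken from the script.

```shell
#!/bin/sh
# Added example, not the project's script: derive the MX/SPF/DKIM/DMARC zone
# records the mail part appends to the NSD zone. The DKIM record is parsed
# from the TXT file opendkim-genkey writes (here a constructed sample with a
# FAKE key). SPF "-all" and DMARC "p=reject" are assumptions, not the
# script's values; the rua address reuses the postmaster user it creates.

# Constructed stand-in for 2019011411.txt (layout of opendkim-genkey output).
DKIM_TXT=$(mktemp); trap 'rm -f "$DKIM_TXT"' EXIT
cat > "$DKIM_TXT" <<'EOF'
2019011411._domainkey   IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakeFAKEfakeFAKEfakeFAKEfake"
      "FAKEfakeFAKEfakeFAKEfakeFAKEfakeFAKEfakeIDAQAB" )  ; ----- DKIM key 2019011411 for examplerun.cf
EOF

# Selector = owner name in front of "._domainkey" on the first line.
dkim_selector() { sed -n '1s/\._domainkey.*//p' "$1"; }

# The TXT value is split over several quoted strings (a single string may not
# exceed 255 bytes); join them back into one "v=DKIM1; ...; p=..." string.
dkim_txt_value() { grep -o '"[^"]*"' "$1" | tr -d '"\n'; }

# Only the base64 public key, e.g. to compare with what opendkim signs with.
dkim_pubkey() { dkim_txt_value "$1" | sed 's/.*p=//; s/;.*//'; }

# Print zone records for $1 = domain, $2 = mail host FQDN, $3 = DKIM TXT file.
mail_zone_records() {
    domain=$1; mailhost=$2
    sel=$(dkim_selector "$3"); dkim=$(dkim_txt_value "$3")
    # re-chunk the DKIM value into <=255-byte quoted strings for the zone file
    chunks=$(printf '%s\n' "$dkim" | fold -w 255 |
             awk '{ s = s (NR > 1 ? " " : "") "\"" $0 "\"" } END { print s }')
    printf '%s.\tIN\tMX\t10 %s.\n' "$domain" "$mailhost"
    printf '%s.\tIN\tTXT\t"v=spf1 mx -all"\n' "$domain"
    printf '%s._domainkey.%s.\tIN\tTXT\t( %s )\n' "$sel" "$domain" "$chunks"
    printf '_dmarc.%s.\tIN\tTXT\t"v=DMARC1; p=reject; rua=mailto:postmaster@%s"\n' \
           "$domain" "$domain"
}

# Sanity check before the zone is reloaded: SPF must end in a fail qualifier,
# DMARC must carry a policy and the DKIM record must contain a key.
check_mail_records() {   # $1 = text as printed by mail_zone_records
    printf '%s\n' "$1" | grep -q  'v=spf1 .*[-~]all"'                     || return 1
    printf '%s\n' "$1" | grep -Eq 'v=DMARC1; p=(none|quarantine|reject)' || return 1
    printf '%s\n' "$1" | grep -q  '_domainkey.*p=[A-Za-z0-9+/]'          || return 1
}

recs=$(mail_zone_records examplerun.cf mail.examplerun.cf "$DKIM_TXT")
printf '%s\n' "$recs"
check_mail_records "$recs" && echo "; records look sane, ready to append to the zone"
```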

Dovecot configuration
Dovecot acts as the IMAP server that lets clients fetch mail from the server. Authentication is
done via client certificates [11]. At the end, the generated certificates for the user can be downloaded
over a secure SSH connection. This includes:
• Dovecot SSL (letsencrypt)
• Authentication via certificates
• Preparation of artifacts (ZIP file with certificates) and download command

<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring dovecot as imap server
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring dovecot
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring dovecot service
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring dovecot SSL
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring dovecot SSL
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring external auth extension
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring postfix for client certificates
<INFO> - Mon Jan 14 11:34:55 UTC 2019 - Configuring client certificate authentication
<INFO> - Mon Jan 14 11:34:57 UTC 2019 - Generating certificate authority, please enter a passphrase when promted:
Enter New CA Key Passphrase: ******
Re-Enter New CA Key Passphrase: ******
Generating RSA private key, 4096 bit long modulus
........................................................................
........................................................................
........................................................................
....................................++
....................++
e is 65537 (0x010001)
Enter pass phrase for /root/src/EasyRSA-3.0.5/pki/private/ca.key: ******
/root/src
<INFO> - Mon Jan 14 11:35:07 UTC 2019 - Generating key and certificate for user alice
<INFO> - Mon Jan 14 11:35:07 UTC 2019 IMPORTANT - make sure you remember ALL the passphrases! You can download your certificate and key after the setup. - IMPORTANT
Signature ok
subject=CN = alice, emailAddress = alice@examplerun.cf
Getting CA Private Key
Enter pass phrase for /etc/ssl/private/examplerun.cf.ca.key:
<INFO> - Mon Jan 14 11:35:13 UTC 2019 IMPORTANT - certificate and key for the user "alice" are saved to his home. He can download it later over a secure SSH connection - IMPORTANT
<INFO> - Mon Jan 14 11:35:13 UTC 2019 - Cleaning up ..
<INFO> - Mon Jan 14 11:35:13 UTC 2019 - Creating zip file for alice user artifacts
  adding: id_rsa (deflated 24%)
  adding: id_rsa.pub (deflated 20%)
  adding: alice.examplerun.cf.clientcert.pem (deflated 27%)
<INFO> - Mon Jan 14 11:35:13 UTC 2019 - This is your command to download your files to your local directory (rsync needs to be installed on your client):
rsync -e "ssh -i PATH TO YOUR SSH PRIVATE KEY" --remove-source-files -av alice@examplerun.cf:/home/alice/alice_artifacts.zip ./
<INFO> - Mon Jan 14 11:35:13 UTC 2019 - Finishing up, restarting services
<INFO> - Mon Jan 14 11:35:13 UTC 2019 - Restarting all components of the mailserver
<INFO> - Mon Jan 14 11:35:17 UTC 2019 - Mailserver configuration complete.
<Mail> - Mon Jan 14 11:35:17 UTC 2019 - Actions on Mail Done


2.7.2 E-Mail process diagram
Here we have a process diagram of how the script works, with all possible outcomes.

[Figure 2.7 flowchart, text residue only; nodes: start; Domain or subdomain? (Domain / Subdomain: Choose subdomain; Subdomain part of domain? yes / no); Write MX entry; Install mail packages; Generate certificate authority; User management; Generate client certificates; Create alias files; Configure Mailserver; Restart service; End]

Figure 2.7: Email process diagram

2.7.3 Multiple e-mail addresses
With the user management you can create multiple users. All of them will get their own mail address.
In this version of the script it is not possible to have multiple mail addresses per user. See subsection
5.1.2.


2.8 Web
The web part was developed in addition to the mandatory requirements. It runs through without the
user having to do anything. For these reasons (especially the second one), the descriptions are also
rather short. The following code snippets show what a clean run without errors looks like. In the web
part, as in all other parts, everything necessary is installed first.

<INFO> - Tue Jan 8 11:24:21 UTC 2019 - Starting WEB Configurations.
<INFO> - Tue Jan 8 11:24:21 UTC 2019 - Will install 'nginx' now. Please wait ...
...........
<INFO> - Tue Jan 8 11:24:32 UTC 2019 - Package 'nginx' is installed now.
<INFO> - Tue Jan 8 11:24:33 UTC 2019 - Will install 'certbot' now. Please wait ...
....
<INFO> - Tue Jan 8 11:24:36 UTC 2019 - Package 'certbot' is installed now.
<INFO> - Tue Jan 8 11:24:36 UTC 2019 - Will install 'python-certbot-nginx' now. Please wait ...
.......
<INFO> - Tue Jan 8 11:24:43 UTC 2019 - Package 'python-certbot-nginx' is installed now.
<INFO> - Tue Jan 8 11:24:43 UTC 2019 - Will install 'apache2' now. Please wait ...
..............
<INFO> - Tue Jan 8 11:24:57 UTC 2019 - Package 'apache2' is installed now.

As the next step after installation, nginx is configured.

<INFO> - Tue Jan 8 11:24:57 UTC 2019 - Starting nginx Configurations.
<INFO> - Tue Jan 8 11:24:57 UTC 2019 - Nginx is already activated.
<INFO> - Tue Jan 8 11:24:57 UTC 2019 - Start Nginx Hardening. (TLS, redirect http -> https, secuirty headers, no server token, timeouts)

In the next step a PEM file (the 4096-bit DH parameters, /etc/ssl/dh4096.pem) is generated with openssl and a certificate is obtained via certbot. The certificate is then used for SSL termination.

<INFO> - Tue Jan 8 11:24:57 UTC 2019 - Start openssl to generate a ssl pem file.
Generating DSA parameters, 4096 bit long prime
.............+.......+.....+.........+..............
+++++++++++++++++++++++++++++++++++++++++++++++++++*
.............+..+.+.................+.....+...+.....
.........+......+.......+...........................
<INFO> - Tue Jan 8 11:25:08 UTC 2019 - Done. Your file is located here: /etc/ssl/dh4096.pem. Will start certbot.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for examplerun.cf
http-01 challenge for www.examplerun.cf
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/examplerun.cf/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/examplerun.cf/privkey.pem
   Your cert will expire on 2019-04-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Nginx will then be hardened [12]:
• Enable secure SSL protocols only (>=TLSv1.2)
• Secure cipher sets (no known vulnerabilities)
• Redirect all connections from HTTP to HTTPS
• Turn off server tokens

<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will remove default sites of nginx
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will start to setup nginx.conf file
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Done. Your file is located under '/etc/nginx/nginx.conf'.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will start specific Configurations
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Done. Your file is located under '/etc/nginx/conf.d/examplerun.cf.conf'.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will check Syntax and activate.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
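As an added example (not the project's code), here is a POSIX shell audit for the four nginx hardening points listed above; it resolves directives per server block with http-level inheritance, assumes one directive per line and does not follow include files, and the weak and hardened configurations it runs on are constructed for the demonstration rather than the files the script writes.

```shell
#!/bin/sh
# Added example, not the project's script: audit an nginx.conf for the four
# hardening points above. Directives are resolved per server{} block, with
# http{}-level values inherited unless the block overrides them, so a weak
# override inside one server{} is still caught. Assumes one directive per
# line; `include` files are not followed.

# Emit "server_no<TAB>directive<TAB>value" for every server{} block.
nginx_server_directives() {   # $1 = nginx.conf
    awk '
        function flush(   d) {
            for (d in http) if (!(d in srv)) srv[d] = http[d]
            for (d in srv) printf "%d\t%s\t%s\n", ns, d, srv[d]
            split("", srv)
        }
        { sub(/#.*/, "") }
        $1 == "server" && index($0, "{") { ns++; inserver = 1; depth = 1; next }
        inserver && index($0, "{") { depth++; next }
        inserver && index($0, "}") { if (--depth == 0) { flush(); inserver = 0 }; next }
        /;[ \t]*$/ {
            d = $1; $1 = ""; sub(/^[ \t]+/, ""); sub(/;[ \t]*$/, "")
            if (inserver) srv[d] = $0; else http[d] = $0
        }' "$1"
}

# Value of directive $2 in server $1, read from the table file $3.
nginx_get() { awk -F'\t' -v n="$1" -v d="$2" '$1 == n && $2 == d { print $3 }' "$3"; }

# Returns 0 only if every server block passes; prints one line per check.
audit_nginx_conf() {   # $1 = nginx.conf
    tbl=$(mktemp); nginx_server_directives "$1" > "$tbl"; rc=0
    for n in $(cut -f1 "$tbl" | sort -un); do
        listen=$(nginx_get "$n" listen "$tbl")
        case "$listen" in
        *ssl*)
            proto=$(nginx_get "$n" ssl_protocols "$tbl")
            case " $proto " in
            *" SSLv"*|*" TLSv1 "*|*" TLSv1.1 "*|"  ")
                echo "FAIL server $n: ssl_protocols '${proto:-unset}'"; rc=1 ;;
            *)  echo "OK   server $n: ssl_protocols $proto" ;;
            esac
            # drop "!EXCLUDED" entries first, then look for broken families
            ciph=$(nginx_get "$n" ssl_ciphers "$tbl")
            if [ -z "$ciph" ] || printf '%s\n' "$ciph" | tr ':' '\n' |
                    grep -v '^!' | grep -Eq 'RC4|DES|MD5|NULL|EXPORT'; then
                echo "FAIL server $n: ssl_ciphers '${ciph:-unset}'"; rc=1
            else
                echo "OK   server $n: ssl_ciphers restricted"
            fi ;;
        *)  # plaintext listener: its only job is to send clients to HTTPS
            case "$(nginx_get "$n" return "$tbl")" in
            30[18]" https://"*) echo "OK   server $n: redirects to HTTPS" ;;
            *) echo "FAIL server $n (listen $listen): serves plain HTTP"; rc=1 ;;
            esac ;;
        esac
        [ "$(nginx_get "$n" server_tokens "$tbl")" = off ] ||
            { echo "FAIL server $n: server_tokens not off"; rc=1; }
    done
    rm -f "$tbl"; return $rc
}

# Two constructed configs (not the files the script writes).
WEAK=$(mktemp); HARD=$(mktemp); trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
http {
    server {
        listen 80;
        root /var/www/html;
    }
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:MEDIUM:!aNULL:RC4-SHA;
    }
}
EOF
cat > "$HARD" <<'EOF'
http {
    server_tokens off;            # inherited by both server blocks
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5;
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        location / {
            proxy_pass http://127.0.0.1:8080;   # Apache sits behind nginx
        }
    }
}
EOF

echo "== weak =="; audit_nginx_conf "$WEAK" || echo "=> NOT hardened"
echo "== hardened =="; audit_nginx_conf "$HARD" && echo "=> hardened"
```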

In the next and last step Apache is configured. This setup places Apache behind nginx
as a pure web server. All connections pass through nginx, where SSL is terminated. Later on, this
setup could be extended with a WAF like ModSecurity, which would provide an additional
security layer. See section 5.2.

<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Starting apache Configurations.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Apache is already activated.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Found enabled default site, removing symlink
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will Setup a default mini webpage.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will Setup a seperate ports.conf file.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will Setup avaible sites.
<INFO> - Tue Jan 8 11:25:19 UTC 2019 - Will check Syntax and activate.
Syntax OK

2.8.1 Web architecture diagram
For a better understanding of how the proxy server interacts with the web server, see this small diagram.

Figure 2.8: Architecture Web


3 Hardening Tests
3.1 Firewall
The firewall is an important factor in security. Open or incorrectly configured ports can quickly make a
server vulnerable, especially if you have other components running on it. The firewall was tested with
nmap [3].
BEFORE script
It should also be mentioned that the “before” run looks worse than the “after” run at first sight (more
open ports). This is because ports needed for the components must be opened. The rest of the traffic
is safely closed, so the server owner has control over it.

Figure 3.1: Firewall (without DNS) BEFORE


Figure 3.2: Firewall (with DNS) BEFORE


AFTER script

Figure 3.3: Firewall setup AFTER
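The figures show two nmap runs; to turn that visual comparison into a repeatable check, the following added example (not part of the project's script) diffs two scans saved in nmap's grepable format (nmap -p- -oG before.gnmap / after.gnmap) and flags any open port that is not on an allow-list. Both scan results are constructed, not real scans: a server with mail and web already listening but no firewall, and the hardened server with one stray port left open to show what the allow-list catches. EXPECTED_OPEN is an assumption for illustration (SSH, SMTP, DNS, HTTP, HTTPS, IMAPS).

```python
"""Diff two nmap scans and flag ports the hardened server should not expose.

Added example; not part of the project's script. The two grepable-format
results (what 'nmap -oG -' prints) are constructed, not real scan data, and
EXPECTED_OPEN is an assumption: the ports the installed components need.
"""
import re

BEFORE_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -p- -oG - examplerun.cf
Host: 104.248.137.212 (examplerun.cf)\tStatus: Up
Host: 104.248.137.212 (examplerun.cf)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65530)
# Nmap done
"""

AFTER_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -p- -oG - examplerun.cf
Host: 104.248.137.212 (examplerun.cf)\tStatus: Up
Host: 104.248.137.212 (examplerun.cf)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///, 443/open/tcp//https///, 993/open/tcp//imaps///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65527)
# Nmap done
"""

# Assumption: what the hardened server is allowed to expose.
EXPECTED_OPEN = {22, 25, 53, 80, 443, 993}

# One grepable port entry: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)//([^/,]*)")


def open_ports(grepable):
    """Return {port: service} for every TCP port nmap reported as open."""
    ports = {}
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue
        # The port list ends at the next tab-separated field ("Ignored State: ...").
        port_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(port_field):
            if state == "open" and proto == "tcp":
                ports[int(port)] = service
    return ports


def compare(before, after, expected=EXPECTED_OPEN):
    """Classify how the exposed ports changed between two scans.

    closed:     open before, no longer open (the firewall did its job)
    opened:     newly open (should all be expected service ports)
    unexpected: open after hardening but not in the allow-list
    missing:    expected but not open (service down or blocked)
    """
    b, a = set(open_ports(before)), set(open_ports(after))
    return {
        "closed": sorted(b - a),
        "opened": sorted(a - b),
        "unexpected": sorted(a - expected),
        "missing": sorted(expected - a),
    }


if __name__ == "__main__":
    for key, ports in compare(BEFORE_SCAN, AFTER_SCAN).items():
        print(f"{key:10} {ports}")
```

Run the scans from another host, not from the server itself, otherwise services bound to 127.0.0.1 (such as the Unbound resolver from the appendix) show up as open. TCP only is scanned here; check UDP 53 separately with nmap -sU -p 53.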


3.2 DNS
3.2.1 Domain name resolver
On a brand-new server you are most probably using a domain name resolver from a large provider such as Google or Cloudflare, or the one your hosting provider configured. After the script you run your own resolver (Unbound, listening on localhost only, with DNSSEC validation and QNAME minimisation enabled; see the configuration files in the appendix), which is preferable to the one configured by default.
BEFORE script
Before running the script the resolver is graded C by https://cmdns.dev.dns-oarc.net/ [8].

Figure 3.4: Name resolver BEFORE

Figure 3.5: Name resolver details BEFORE


AFTER script
After the script you have your own domain name resolver and get a straight A.

Figure 3.6: Name resolver AFTER

Figure 3.7: Name resolver details AFTER


3.2.2 Authoritative DNS
Setting up an authoritative DNS server is not easy, and mistakes are easily made.
BEFORE script
When the zone is set up by hand, misconfigurations happen, as the report from https://mxtoolbox.com/ [6] shows.

Figure 3.8: Authoritative DNS test BEFORE
AFTER script
With the zone generated by the script, the same check passes.

Figure 3.9: Authoritative DNS test AFTER
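The online check only sees the zone once it is published. The following added example (not part of the project's script) runs the most common consistency checks offline, before the zone goes live: in-zone name servers have A records for glue, the MX host has an A record whose reverse PTR points back to it (forward-confirmed reverse DNS, which receiving mail servers check), an SPF record exists at the apex, and the SOA RNAME field is a mailbox rather than a name server host. The two zone fragments are constructed from the examplerun.cf zone files in the appendix (the DKIM record is left out for brevity); BROKEN_REVERSE_ZONE is a constructed variant with the mail host's PTR removed. The checks are this example's own, not those of MXToolbox.

```python
"""Cross-check a forward zone against its reverse zone before publishing it.

Added example; not part of the project's script. The zone fragments are
constructed from the examplerun.cf zone files in the appendix.
"""

FORWARD_ZONE = """\
$ORIGIN examplerun.cf.     ; default zone domain
$TTL    86400              ; default time to live

@ IN SOA ns1.examplerun.cf. ns2.examplerun.cf. (
        2019010917 ; serial number
        28800 7200 1209600 86400 )

        NS  ns1.examplerun.cf.
        NS  ns2.examplerun.cf.
        MX  10 mail.examplerun.cf.
        IN A   104.248.137.212
        IN TXT "v=spf1 mx a ~all"
ns1     IN A   104.248.137.212
ns2     IN A   104.248.137.212
www     IN A   104.248.137.212
mail    IN A   104.248.137.212
"""

REVERSE_ZONE = """\
$ORIGIN 212.137.248.104.in-addr.arpa.
$TTL 1800

@ IN SOA ns1.examplerun.cf. ns2.examplerun.cf. (
        2019010917 28800 7200 1209600 86400 )
        NS  ns1.examplerun.cf.
        NS  ns2.examplerun.cf.
; PTR
        IN PTR examplerun.cf.
        IN PTR mail.examplerun.cf.
"""

# Constructed variant: the PTR for the mail host is missing.
BROKEN_REVERSE_ZONE = REVERSE_ZONE.replace("        IN PTR mail.examplerun.cf.\n", "")


def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: $ORIGIN/$TTL, ';' comments, multi-line
    parentheses, implicit owners and relative names. Returns
    {(owner, type): [rdata, ...]} with rdata fields joined by single spaces.
    Comments are stripped naively, which is why the appendix zone file escapes
    the ';' inside the DKIM TXT record as \\059.
    """
    logical, buffer, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buffer.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            logical.append(" ".join(buffer))
            buffer, depth = [], 0
    records, owner = {}, origin
    for line in logical:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if not line[0].isspace():            # explicit owner name
            owner = fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():   # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.setdefault((owner, rtype), []).append(" ".join(tokens))
    return records


def reverse_name(ipv4):
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def check_zones(forward, reverse, apex):
    findings = []
    ns_hosts = forward.get((apex, "NS"), [])
    soa = forward.get((apex, "SOA"), [""])[0].split()
    # SOA: MNAME (primary server) then RNAME (responsible mailbox, '@' written as '.').
    if len(soa) >= 2 and soa[1] in ns_hosts:
        findings.append(f"SOA RNAME {soa[1]} names a name server; it should be a mailbox such as hostmaster")
    for host in ns_hosts:
        if host.endswith(apex) and (host, "A") not in forward:
            findings.append(f"in-zone NS {host} has no A record, so no glue can be published")
    for mx in forward.get((apex, "MX"), []):
        host = mx.split()[1]
        addresses = forward.get((host, "A"), [])
        if not addresses:
            findings.append(f"MX {host} has no A record")
        for ip in addresses:
            if host not in reverse.get((reverse_name(ip), "PTR"), []):
                findings.append(f"no PTR {ip} -> {host}: FCrDNS fails, outgoing mail will be scored as spam")
    if not any("v=spf1" in t for t in forward.get((apex, "TXT"), [])):
        findings.append("no SPF TXT record at the apex")
    return findings


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "examplerun.cf.")
    for name, zone in (("reverse", REVERSE_ZONE), ("broken reverse", BROKEN_REVERSE_ZONE)):
        rev = parse_zone(zone, "212.137.248.104.in-addr.arpa.")
        print(name, check_zones(fwd, rev, "examplerun.cf."))
```

On the appendix zone as published the only finding is the SOA RNAME: the second SOA field is the responsible mailbox, and ns2.examplerun.cf. there means ns2@examplerun.cf, which will not reach anyone. The reverse zone can only be served by you if the hosting provider delegates it; otherwise the PTR has to be set in the provider's control panel, but the check is the same.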


3.3 SSH
3.3.1 SSH daemon
You receive a server with the default SSH daemon setup from your provider, or you have one at home with the default configuration of your Unix/Linux distribution.
BEFORE script
Here we test a server with the default setup from https://digitalocean.com (the results may differ depending on where your server is hosted).
Before the SSH daemon is hardened we receive the following result: some of the "Key Exchange Algorithms" and "MAC Algorithms" are weak [10].

Figure 3.10: SSH daemon BEFORE


AFTER script
After the script has run and the SSH daemon is hardened, only secure algorithms are offered.

Figure 3.11: SSH daemon AFTER
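The online check connects to the server; the same classification can be done on the sshd_config itself before restarting the daemon. The following added example (not part of the project's script) parses the KexAlgorithms, Ciphers and MACs lines and reports weak entries, plus any of the three keywords that is absent (then OpenSSH's compiled-in defaults apply, which is exactly the "before" state). The three configurations are constructed: BEFORE_CONFIG writes out lists of the kind sshcheck.com flags (SHA-1 key exchange, SHA-1 and truncated MACs, CBC ciphers), AFTER_CONFIG is a hardened selection. The weak-algorithm rules are this example's own assumptions, not the site's grading rules.

```python
"""Audit the algorithm lists in an sshd_config for weak entries.

Added example; not code from the project's script. All three configurations
below are constructed for illustration.
"""
import re

DEFAULT_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
"""

BEFORE_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-cbc,3des-cbc
MACs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
"""

AFTER_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
"""

ALGO_KEYWORDS = ("kexalgorithms", "ciphers", "macs")

# Key exchanges that still rely on SHA-1 or on the 1024-bit group 1.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
# CBC modes and legacy ciphers.
WEAK_CIPHER_RE = re.compile(r"-cbc$|^arcfour|^3des|^blowfish|^cast128")
# MD5/SHA-1 based MACs and 64/96-bit tags.
WEAK_MAC_RE = re.compile(r"md5|sha1|-96|umac-64")


def parse_sshd_config(text):
    """Return {keyword: [algorithm, ...]} for the algorithm-list keywords.

    Keywords are case-insensitive in sshd_config. A keyword that is absent
    leaves the daemon on its compiled-in defaults.
    """
    lists = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ALGO_KEYWORDS:
            lists[parts[0].lower()] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return lists


def weak_algorithms(lists):
    """Classify each configured algorithm; 'missing' lists keywords left at defaults."""
    findings = {"kexalgorithms": [], "ciphers": [], "macs": [], "missing": []}
    findings["missing"] = [k for k in ALGO_KEYWORDS if k not in lists]
    findings["kexalgorithms"] = [a for a in lists.get("kexalgorithms", []) if a in WEAK_KEX]
    findings["ciphers"] = [a for a in lists.get("ciphers", []) if WEAK_CIPHER_RE.search(a)]
    # Besides MD5/SHA-1/truncated MACs, treat non-encrypt-then-MAC variants as
    # weak: with MAC-then-encrypt the tag is only checked after decryption.
    findings["macs"] = [a for a in lists.get("macs", [])
                        if WEAK_MAC_RE.search(a) or not a.endswith("-etm@openssh.com")]
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, weak_algorithms(parse_sshd_config(cfg)))
```

After editing the lists, run sshd -t to make sure every algorithm name is known to the installed OpenSSH version (ssh -Q kex, ssh -Q cipher and ssh -Q mac print the supported names), and keep an existing session open while restarting the daemon.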


3.4 E-Mail
Running an e-mail server is not easy at all. Even professional providers that set up e-mail servers for their customers often make mistakes, and an insecure e-mail server is an attractive target for attackers.

3.4.1 E-Mail server configuration
BEFORE script
With a basic e-mail configuration your server will typically be graded like this (graded by https://www.hardenize.com [2] and https://emailsecuritygrader.com [13]):

(a) Rank

(b) Details

Figure 3.12: Mail BEFORE (emailsecuritygrader.com)

Figure 3.13: Mail BEFORE (hardenize.com)


AFTER script
If you configure your e-mail server with the script instead, it looks like this:

(a) Rank

(b) Details

Figure 3.14: Mail AFTER (emailsecuritygrader.com)

Figure 3.15: Mail AFTER (hardenize.com)


3.4.2 E-Mail header
If you do not want your mail to end up as spam, the headers of the mail you send should be clean; with the basic configuration they are not.
BEFORE script
This is how the header looks before the script:

Figure 3.16: Mail header BEFORE
AFTER script
And this is how it looks after the script:

Figure 3.17: Mail header AFTER
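What the graders in 3.4.1 and the header in 3.4.2 actually look at is the SPF and DMARC policy you publish and the Authentication-Results the receiving server writes into the header. The following added example (not part of the project's script) parses both sides: it grades an SPF and a DMARC record for the usual weaknesses and extracts the spf/dkim/dmarc verdicts from an Authentication-Results header. The SPF record is the one the script publishes in the zone file of the appendix ("v=spf1 mx a ~all"); the DMARC records and the two headers are constructed samples, and the findings are this example's own rules, not those of the grading sites.

```python
"""Check published SPF/DMARC policy and the Authentication-Results a receiver adds.

Added example; not code from the project's script. SPF_FROM_ZONE is the
record from the appendix zone file; the headers and DMARC records are
constructed samples.
"""
import re

SPF_FROM_ZONE = "v=spf1 mx a ~all"

# Constructed: what a receiving MTA might add before and after the script.
BEFORE_HEADER = ("Authentication-Results: mx.example.net; dkim=none (message not signed); "
                 "spf=softfail smtp.mailfrom=examplerun.cf; dmarc=fail (p=NONE) header.from=examplerun.cf")
AFTER_HEADER = ("Authentication-Results: mx.example.net; dkim=pass header.d=examplerun.cf header.s=2019010917; "
                "spf=pass smtp.mailfrom=examplerun.cf; dmarc=pass header.from=examplerun.cf")

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def parse_spf(record):
    """Return [(qualifier, term), ...]; the default qualifier is '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def spf_findings(record):
    findings = []
    terms = parse_spf(record)
    all_qualifiers = [q for q, t in terms if t == "all"]
    if not all_qualifiers:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifiers[-1] == "+":
        findings.append("'+all' authorises every host on the Internet")
    elif all_qualifiers[-1] == "~":
        findings.append("'~all' is softfail: forged mail is marked, not rejected")
    lookups = sum(1 for _, t in terms if re.split(r"[:=/]", t, 1)[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: receivers return permerror above 10")
    if any(t.split(":")[0] == "ptr" for _, t in terms):
        findings.append("'ptr' is deprecated and slow to evaluate")
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_findings(record):
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("required 'p' tag missing: record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address: you get no aggregate reports")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings


AUTHRES_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|permerror|temperror)\b", re.I)


def auth_results(header):
    """Map each authentication method in an Authentication-Results header to its result."""
    return {m.lower(): r.lower() for m, r in AUTHRES_RE.findall(header)}


if __name__ == "__main__":
    print(spf_findings(SPF_FROM_ZONE))
    print(dmarc_findings("v=DMARC1; p=none"))
    print(auth_results(BEFORE_HEADER), auth_results(AFTER_HEADER))
```

The script's own zone publishes "~all". Under DMARC that distinction matters less than it looks, because DMARC only counts an SPF result of "pass" as aligned; softfail and fail are both "not pass". Tightening to "-all" is still worthwhile for receivers that do not evaluate DMARC, once every legitimate sending host is covered by the mx and a mechanisms.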


3.5 Web
The web part could be tested well with https://www.hardenize.com [2]; this is the same tool with which the e-mail part was checked.
To test the "before" state properly, nginx had to be installed on the server in advance, since it was not included by default on the servers used for testing. The point is to show how an unconfigured web service looks on the Internet compared with one made more secure by the script from this project.
BEFORE script

Figure 3.18: Web BEFORE


AFTER script

Figure 3.19: Web AFTER


4 E-Mail Client configuration
After you have set up your secure e-mail server you will want to configure your e-mail client.
The mail server is only reachable over IMAPS and requires a TLS client certificate for authentication, so the mail client has to be set up with the matching configuration (the client certificate and its private key).
At the moment there is only one example, "Mail on macOS Mojave".

4.1 Mail on macOS Mojave
4.1.1 Mail server config

Figure 4.1: Mail server config


4.1.2 Mail SMTP settings

Figure 4.2: Mail SMTP settings


4.1.3 Mail IMAP TLS setting

Figure 4.3: Mail IMAP TLS setting


5 Future Work
5.1 Extended functionalities
For somebody with basic needs the functionality of this script is enough. But if we widen the spectrum, some exciting features are still missing. Why not host more than one domain on the same server? Why not have multiple e-mail addresses? Why not choose your own address? This could be important for somebody who runs a small company, for example.

5.1.1 Multiple domains
The basis for multiple domains is already in place. With NSD you have a very good authoritative name server for multiple domains. NSD is not a hobby product but a professional one; it even runs on some of the DNS root servers (see: https://en.wikipedia.org/wiki/NSD). The function that creates one domain zone already exists, so we "only" need to call it for further zones and guide the user through the process.

5.1.2 Multiple e-mail addresses
It would also be interesting to have more than one e-mail address per user, and when creating an address it would be nice to choose your own local-part (everything before the @). Postfix is capable of all of this, but it will not do it by itself; it sounds easy, but it is a process that has not been defined and scripted yet.

5.1.3 Web application server
Instead of using Apache only as a plain web server, it could be extended to act as a PHP or CGI application server with a database. This would help users who want to run small applications next to static website content.

5.2 More Hardening
After installing all components with the script you have a decently hardened server. Still, it could be more secure. There are things we could not configure for you in this project:
• TLS 1.3: the successor of TLS 1.2, faster and more secure. For more information about TLS 1.3, see the comparative study (TLS1.2vs1.3.pdf) by our colleagues Kandiah Rajina and Doukmak Anna; the PDF is in the same directory.
• DNSSEC: signs your zone so that resolvers can verify the answers, but it needs interaction with your registrar, because the DS record must be published in the parent zone.
• E-Mail
MTA-STS: lets your domain demand authenticated TLS for incoming SMTP, so that delivery cannot be downgraded to plaintext.
DANE (needs DNSSEC): binds the mail server's TLS certificate to the domain name through DNSSEC-signed TLSA records, bridging DNSSEC and TLS.
We would also have liked to provide some more components, such as:
• XMPP-IM / WebRTC: for real-time communication.
• Tor node: to grow the Tor network.


• Snort IDS: for network intrusion detection and prevention.
• WAF: to add an additional layer of security in front of the web server, especially when the web server acts as an application server.
All of these are candidates for future work. It may be done in a second project at our university... or by you?

5.3 Containerization
The idea of containerization is to put every component into a Docker container. The main benefit would be that every component runs separately in an isolated environment.
• More modular: with a Docker container setup every component (DNS, SSH, Mail, Web) would run in a separate container, which makes the setup more modular.
Note: the firewall is not useful inside a container. It has to be configured on the Docker host, which redirects the necessary ports to the right container. Be aware that Docker inserts its own iptables rules for published ports, which take effect before the ufw rules on the host, so a port published by a container is reachable even if ufw does not allow it.
• Platform independent: with Docker containers the project could be set up on any platform that supports a Docker Engine. This includes most modern Unix/Linux distributions and even Windows systems. Inside the containers an Ubuntu image would still run.

5.4 Code Migration
Our script collection is implemented exclusively in bash, so we are close to the operating system and can fall back directly on its commands. Using another scripting language, or even a high-level (object-oriented) language, would probably pay off. Code migration is always a trade-off between what one likes, becoming more modern and/or simplifying.
• Python:
Also close to the Linux operating system. Certain subroutines would be simpler or smaller in Python, and in general Python is more readable and therefore easier to maintain.
• Ansible:
A very good example of modernization and machine independence. Ansible is very contemporary, and migrating our code to one or more Ansible playbooks would certainly be possible.
When it comes to code migration, it must be said that the primary focus is not on creating new code, but on refactoring and migrating existing code. Of course you can create new code in parallel, but you will not be able to avoid rewriting or moving existing code.


6 Conclusion
Every user who exchanges information over the Internet should have the privilege to do so in a secure and anonymous manner. We built this script to give every user a maximally secure server with a minimal need for prior knowledge. Although we tried to cover as many aspects and components as possible, we saw during our work that there is much more to do. The further work that could build on our project is written down in chapter 5. After all, we learnt a lot for the future and hope to make the Internet a little more secure for everyone who uses it.


7 License
For all the work accomplished in this project we were inspired by many resources, especially by the book "Linux Hardening in Hostile Networks: Server Security from TLS to Tor" [9], which provided a lot of examples for our work. Furthermore, several well-written websites and online guides were used:
• Dovecot and Postfix client certificate authentication [11]
• DMARC Setup [1]
• Configuring HTTPS servers [12]
Nevertheless we paid close attention not to copy any code, nor did we modify any of the components we use. Therefore all the output we produced in this project is our own work.
We decided to use the MIT license, which has wide acceptance in the open-source community and fits our need for a license without warranty.

7.1 MIT license
Copyright 2018 Ismael Riedo, Jan Henzi, Fridolin Zurlinden, Bern University of Applied Sciences
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


8 Glossary
Ansible: Ansible is open source software that automates software provisioning, configuration management, and application deployment. Ansible connects via SSH, remote PowerShell or via other remote APIs.
SOURCE: https://en.wikipedia.org/wiki/Ansible_(software). 51
Apache: The Apache HTTP Server, colloquially called Apache, is free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation.
SOURCE: https://en.wikipedia.org/wiki/Apache_HTTP_Server. 9
DANE: DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).
SOURCE: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities. 50
DKIM: DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.
SOURCE: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail. 9, 27
DMARC: DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email-validation system designed to detect and prevent email spoofing, the use of forged sender addresses often used in phishing and email spam.
SOURCE: https://en.wikipedia.org/wiki/DMARC. 9, 27
DNS: The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
SOURCE: https://en.wikipedia.org/wiki/Domain_Name_System. 9, 16
DNSSEC: The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
SOURCE: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions. 50
Docker: Docker is a computer program that performs operating-system-level virtualization, also known as "containerization". It was first released in 2013 and is developed by Docker, Inc.
SOURCE: https://en.wikipedia.org/wiki/Docker_(software). 51
Glue Records: Glue Records, or Nameserver Glue, relate a nameserver on the internet to an IP address. This relationship is set up at the domain registrar for the main domain on which the nameservers were created.
SOURCE: https://www.liquidweb.com/kb/what-are-glue-records/. 17


IMAP: In computing, the Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. IMAP is defined by RFC 3501.
SOURCE: https://en.wikipedia.org/wiki/Internet_Message_Access_Protocol. 29
ModSecurity: ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server, Microsoft IIS and NGINX. It is a free software released under the Apache license 2.0.
SOURCE: https://en.wikipedia.org/wiki/ModSecurity. 33
MTA-STS: MTA-STS (full name SMTP Mail Transfer Agent Strict Transport Security) is a new standard that aims to improve the security of SMTP by enabling domain names to opt into strict transport layer security mode that requires authentication (valid public certificates) and encryption (TLS).
SOURCE: https://www.hardenize.com/blog/mta-sts. 50
Nginx: Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Igor Sysoev and first publicly released in 2004. A company of the same name was founded in 2011 to provide support and Nginx Plus paid software. Nginx is free and open-source software, released under the terms of a BSD-like license.
SOURCE: https://en.wikipedia.org/wiki/Nginx. 9
nsd: In Internet computing, NSD (for "name server daemon") is an open-source Domain Name System (DNS) server. It was developed by NLnet Labs of Amsterdam in cooperation with the RIPE NCC, from scratch as an authoritative name server (i.e., not implementing the recursive caching function by design).
SOURCE: https://en.wikipedia.org/wiki/NSD. 9
Python: Python is an interpreted, high-level, general-purpose programming language. Created by Guido van Rossum and first released in 1991, Python has a design philosophy that emphasizes code readability, notably using significant whitespace. It provides constructs that enable clear programming on both small and large scales.
SOURCE: https://en.wikipedia.org/wiki/Python_(programming_language). 51
SMTP: Simple Mail Transfer Protocol (SMTP) is an Internet standard for email transmission. First defined by RFC 821 in 1982, it was updated in 2008 with Extended SMTP additions by RFC 5321, which is the protocol in widespread use today.
SOURCE: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol. 27
SPF: Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam.
SOURCE: https://en.wikipedia.org/wiki/Sender_Policy_Framework. 9, 27
SSH: Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
SOURCE: https://en.wikipedia.org/wiki/Secure_Shell. 23
SSL: Secure Sockets Layer, the now-deprecated predecessor of TLS; see TLS.
SOURCE: https://en.wikipedia.org/wiki/Transport_Layer_Security. 29


TLS: Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
SOURCE: https://en.wikipedia.org/wiki/Transport_Layer_Security. 27
Tor: Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name "The Onion Router". Tor directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.
SOURCE: https://en.wikipedia.org/wiki/Tor_(anonymity_network). 50
ufw: The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. By default UFW is disabled.
SOURCE: https://help.ubuntu.com/community/UFW. 13
unbound: Unbound is a validating, recursive, and caching DNS resolver product from NLnet Labs. It is distributed free of charge in open-source form under the BSD license.
SOURCE: https://en.wikipedia.org/wiki/Unbound_(DNS_server). 9
WAF: A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
SOURCE: https://en.wikipedia.org/wiki/Web_application_firewall. 33, 51
WebRTC: WebRTC (Web Real-Time Communication) is a free, open-source project that provides web browsers and mobile applications with real-time communication (RTC) via simple application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. Supported by Google, Microsoft, Mozilla, and Opera, WebRTC is being standardized through the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF).
SOURCE: https://en.wikipedia.org/wiki/WebRTC. 50
wild-card: In software, a wildcard character is a kind of placeholder represented by a single character, such as an asterisk (*), which can be interpreted as a number of literal characters or an empty string. It is often used in file searches so the full name need not be typed.
SOURCE: https://en.wikipedia.org/wiki/Wildcard_character. 19


Bibliography
[1] Global Cyber Alliance. DMARC Setup. 2016. URL: https://dmarcguide.globalcyberalliance.org (visited on 10/24/2018).
[2] Hardenize. Hardenize. 2018. URL: https://www.hardenize.com (visited on 10/25/2018).
[3] Gordon "Fyodor" Lyon, Insecure.Com LLC. The Official Nmap Project Guide to Network Discovery and Security Scanning. 2011. URL: https://nmap.org/book/port-scanning-tutorial.html (visited on 10/25/2018).
[4] Todd Knarr, Linode. Configure SPF and DKIM With Postfix on Debian 8. 2018. URL: https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/ (visited on 10/25/2018).
[5] Michael Boelen, Linux Audit. OpenSSH security and hardening. 2018. URL: https://linux-audit.com/audit-and-harden-your-ssh-configuration/ (visited on 10/25/2018).
[6] MXToolbox. MX Lookup. 2018. URL: https://mxtoolbox.com/ (visited on 10/25/2018).
[7] NLnet Labs. unbound & nsd. 2018. URL: https://github.com/NLnetLabs (visited on 10/25/2018).
[8] OARC, Inc. Check My DNS. 2017. URL: https://www.dns-oarc.net/oarc/services/cmdns (visited on 10/25/2018).
[9] Kyle Rankin. Linux Hardening in Hostile Networks: Server Security from TLS to Tor. Addison-Wesley, 2017.
[10] Rebex. Rebex. 2018. URL: https://sshcheck.com (visited on 10/25/2018).
[11] Giel van Schijndel. Dovecot and Postfix client certificate authentication. 2017. URL: https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html (visited on 10/24/2018).
[12] Igor Sysoev and Brian Mercer. Configuring HTTPS servers. 2018. URL: http://nginx.org/en/docs/http/configuring_https_servers.html (visited on 10/25/2018).
[13] Vircom. Email Security Grader. 2018. URL: https://emailsecuritygrader.com/ (visited on 10/25/2018).


Appendices

configFiles/dns/unbound/unbound.conf

include: "/etc/unbound/unbound.conf.d/*.conf"

configFiles/dns/unbound/access.conf

server:

configFiles/dns/unbound/hardening.conf

### SOURCE: https://calomel.org/unbound_dns.html ###
server:
# enable to not answer id.server and hostname.bind queries.
hide-identity: yes

# enable to not answer version.server and version.bind queries.
hide-version: yes

# Read the root hints from this file. Default is nothing, using built in
# hints for the IN class. The file has the format of zone files, with root
# nameserver names and addresses only. The default may become outdated,
# when servers change, therefore it is good practice to use a root-hints
# file. get one from https://www.internic.net/domain/named.root
root-hints: "/var/lib/unbound/root.hints"

# Will trust glue only if it is within the servers authority.
# Harden against out of zone rrsets, to avoid spoofing attempts.
# Hardening queries multiple name servers for the same data to make
# spoofing significantly harder and does not mandate dnssec.
harden-glue: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. Harden against receiving dnssec-stripped data. If you
# turn it off, failing to validate dnskey data for a trustanchor will trigger
# insecure mode for that zone (like without a trustanchor). Default on,
# which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes

# Use 0x20-encoded random bits in the query to foil spoof attempts.
# http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# While upper and lower case letters are allowed in domain names, no significance
# is attached to the case. That is, two names with the same spelling but
# different case are to be treated as if identical. This means calomel.org is the
# same as CaLoMeL.Org which is the same as CALOMEL.ORG.
use-caps-for-id: yes

# the time to live (TTL) value lower bound, in seconds. Default 0.
# If more than an hour could easily give trouble due to stale data.
# Note: a lower bound overrides the TTL the zone owner chose, so records
# that rely on short TTLs (failover, DNS-based load balancing) may be served
# stale for up to an hour.
cache-min-ttl: 3600

# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 86400

# perform prefetching of close to expired message cache entries. If a client
# requests the dns lookup and the TTL of the cached hostname is going to
# expire in less than 10% of its TTL, unbound will (1st) return the ip of the
# host to the client and (2nd) pre-fetch the dns request from the remote dns
# server. This method has been shown to increase the amount of cached hits by
# local clients by 10% on average.
prefetch: yes

# number of threads to create. 1 disables threading. This should equal the number
# of CPU cores in the machine (the calomel.org example machine has 4 cores;
# this setup uses a single thread).
num-threads: 1

## Unbound Optimization and Speed Tweaks ###

# the number of slabs to use for cache and must be a power of 2 times the
# number of num-threads set above. more slabs reduce lock contention, but
# fragment memory usage.
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8

# Increase the memory size of the cache. Use roughly twice as much rrset cache
# memory as you use msg cache memory. Due to malloc overhead, the total memory
# usage is likely to rise to double (or 2.5x) the total cache memory. The test
# box has 4 gig of ram so 256 meg for rrset allows a lot of room for cached objects.
rrset-cache-size: 256m
msg-cache-size: 128m

# buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
# the kernel buffer larger so that no messages are lost in spikes in the traffic.
so-rcvbuf: 1m

# Should additional section of secure message also be kept clean of unsecure
# data. Useful to shield the users of this validator from potential bogus
# data in the additional section. All unsigned data in the additional section
# is removed from secure messages.
val-clean-additional: yes

# If nonzero, unwanted replies are not only reported in statistics, but also
# a running total is kept per thread. If it reaches the threshold, a warning
# is printed and a defensive action is taken, the cache is cleared to flush
# potential poison out of it. A suggested value is 10000000, the default is
# 0 (turned off). We think 10K is a good value.
unwanted-reply-threshold: 10000

# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

configFiles/dns/unbound/listening.conf

server:
# set dns listening for ipv4
interface: 127.0.0.1

# set dns listening for ipv6
interface: ::1

# port to answer queries from
port: 53

# Enable IPv4, "yes" or "no".
do-ip4: yes

# Enable IPv6, "yes" or "no".
do-ip6: yes

# Enable UDP, "yes" or "no".
do-udp: yes

# Enable TCP, "yes" or "no".
do-tcp: yes

configFiles/dns/unbound/qname-minimisation.conf

server:
# Send minimum amount of information to upstream servers to enhance
# privacy. Only sends minimum required labels of the QNAME and sets
# QTYPE to NS when possible.

# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
# details.

qname-minimisation: yes

configFiles/dns/unbound/root-auto-trust-anchor-file.conf

server:
# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"

configFiles/dns/nsd/nsd.conf

server:
# uncomment to specify specific interfaces to bind (default all).
ip-address: 104.248.137.212
# ip-address:

# port to answer queries on. default is 53.
port: 53

# Number of NSD servers to fork.
server-count: 1

# listen only on IPv4 connections
ip4-only: yes

# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
hide-version: yes

# identify the server (CH TXT ID.SERVER entry).
identity: ""

logfile: "/var/log/nsd.log"

# The directory for zonefile: files.
zonesdir: "/etc/nsd/zones"
pidfile: "/etc/nsd/nsd.pid"
username: nsd

pattern:
    name: examplerun.cf
    zonefile: examplerun.cf.forward
pattern:
    name: 212.137.248.104.in-addr.arpa
    zonefile: examplerun.cf.backward

configFiles/dns/nsd/examplerun.cf.backward

$ORIGIN 212.137.248.104.in-addr.arpa.
$TTL 1800

@   IN SOA ns1.examplerun.cf. ns2.examplerun.cf. (
        2019010917      ; serial number
        28800           ; Refresh
        7200            ; Retry
        1209600         ; Expire
        86400           ; Min TTL
        )

    NS  ns1.examplerun.cf.
    NS  ns2.examplerun.cf.

; PTR
    IN PTR examplerun.cf.
    IN PTR mail.examplerun.cf.

configFiles/dns/nsd/examplerun.cf.forward

$ORIGIN examplerun.cf.      ; default zone domain
$TTL 86400                  ; default time to live

@   IN SOA ns1.examplerun.cf. ns2.examplerun.cf. (
        2019010917      ; serial number
        28800           ; Refresh
        7200            ; Retry
        1209600         ; Expire
        86400           ; Min TTL
        )

    NS  ns1.examplerun.cf.
    NS  ns2.examplerun.cf.
    MX  10 mail.examplerun.cf.

examplerun.cf.  IN CAA 0 issue "letsencrypt.org"
examplerun.cf.  IN CAA 0 iodef "mailto:postmaster@examplerun.cf"

    IN A    104.248.137.212
    IN TXT  "v=spf1 mx a ~all"
ns1 IN A    104.248.137.212
ns2 IN A    104.248.137.212
www IN A    104.248.137.212
*   IN A    104.248.137.212

mail    IN A    104.248.137.212
        IN TXT  "v=spf1 mx a ~all"
2019010917._domainkey IN TXT (
    "v=DKIM1\059 h=sha256\059 k=rsa\059 s=email\059 p="
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6N+Xk5S5yT9WNMgbIS7CvNKdWFKpSR7Tfo6trV0Ml6O6BHsFiSp5U5"
    "kbQ/vrK/xgx9c4k5BIOk/yL/jd/O/BqjTGDnC/pL89SL1Ne5Z+vW1h4FEw9gmwk3etscUP0CYZZs5PgvDlBPgfWyitrjy+pYlxsFBORXZPlrpQRFnNYpSR/eAXWF3REliO7NquSSec985dpbZWQ/3MHm"
    "W8ZVwv5oDfh/kMQ9727qMxpOED0ZQyml2kPpdHK87Rg9zGOJDJs880RC3lsd+6tukf7fYyj51TvpRtndLPrbutKdFgi3eMMDkQXam+d8f3YHQoiMF7lR0pD2oOcH5glELX7gc6MwIDAQAB"
    )
_adsp._domainkey IN TXT "dkim=all"
_dmarc  IN TXT "v=DMARC1\059 p=quarantine\059 sp=quarantine\059 adkim=r\059 aspf=r\059 fo=1\059 rf=afrf\059 rua=mailto:postmaster@examplerun.cf"
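The forward zone publishes the domain's SPF policy, its DKIM public key and its DMARC policy as TXT records, and two zone-file conventions make those records easy to get wrong: a long TXT record is split over several quoted strings that the resolver concatenates, and every ';' inside a value has to be written as the decimal escape \059 because a bare ';' starts a zone-file comment. The Python below is an added example written for this manual, not part of the project's script: it joins the strings of a record, undoes the RFC 1035 escapes, parses the tag=value lists, and decodes the DKIM p= value far enough to report the RSA modulus size and public exponent. The record strings are copied from the listing above; the small DER walker stands in for a proper ASN.1 library and only understands the SubjectPublicKeyInfo layout an RSA DKIM key uses.

```python
import base64
import re

# Character-strings as the examplerun.cf.forward zone above carries them
# (copied from the listing). One DKIM TXT record is split over several
# quoted strings, and ';' is spelled as the decimal escape \059.
DKIM_TXT = [
    r"v=DKIM1\059 h=sha256\059 k=rsa\059 s=email\059 p=",
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6N+Xk5S5yT9WNMgbIS7CvNKdWFKpSR7Tfo6trV0Ml6O6BHsFiSp5U5",
    "kbQ/vrK/xgx9c4k5BIOk/yL/jd/O/BqjTGDnC/pL89SL1Ne5Z+vW1h4FEw9gmwk3etscUP0CYZZs5PgvDlBPgfWyitrjy"
    "+pYlxsFBORXZPlrpQRFnNYpSR/eAXWF3REliO7NquSSec985dpbZWQ/3MHm",
    "W8ZVwv5oDfh/kMQ9727qMxpOED0ZQyml2kPpdHK87Rg9zGOJDJs880RC3lsd+6tukf7fYyj51TvpRtndLPrbutKdFgi3eMM"
    "DkQXam+d8f3YHQoiMF7lR0pD2oOcH5glELX7gc6MwIDAQAB",
]
SPF_TXT = ["v=spf1 mx a ~all"]
DMARC_TXT = [
    r"v=DMARC1\059 p=quarantine\059 sp=quarantine\059 adkim=r\059 aspf=r\059 "
    r"fo=1\059 rf=afrf\059 rua=mailto:postmaster@examplerun.cf",
]

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # id rsaEncryption


def join_txt(strings):
    """Concatenate the character-strings of one TXT RR and undo RFC 1035
    escapes: \\DDD is the byte with decimal value DDD, \\X is a literal X."""
    raw = "".join(strings)
    return re.sub(r"\\(\d{3}|.)",
                  lambda m: chr(int(m.group(1))) if m.group(1).isdigit() else m.group(1),
                  raw)


def parse_tags(txt):
    """Split a 'tag=value; tag=value' list (DKIM and DMARC syntax) into a dict."""
    tags = {}
    for item in txt.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_info(spki_der):
    """Return (modulus_bits, public_exponent) of a DER SubjectPublicKeyInfo;
    raise ValueError if it is not an RSA key."""
    tag, spki, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    _, alg, pos = _der_tlv(spki, 0)                # AlgorithmIdentifier
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_tlv(spki, pos)             # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)          # SEQUENCE { n INTEGER, e INTEGER }
    _, n_bytes, pos = _der_tlv(rsa_pub, 0)
    _, e_bytes, _ = _der_tlv(rsa_pub, pos)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def check_dkim(strings):
    """Parse a DKIM key record and describe the key it publishes."""
    tags = parse_tags(join_txt(strings))
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    bits, e = rsa_key_info(base64.b64decode(tags["p"], validate=True))
    return {"hash": tags.get("h"), "service": tags.get("s"), "bits": bits, "exponent": e}


def check_dmarc(strings):
    tags = parse_tags(join_txt(strings))
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def check_spf(strings):
    terms = join_txt(strings).split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


if __name__ == "__main__":
    print("SPF  :", check_spf(SPF_TXT))
    print("DKIM :", check_dkim(DKIM_TXT))
    print("DMARC:", check_dmarc(DMARC_TXT))
```

Run before the zone is loaded, this catches a key that is too short, a mangled base64 blob, or a DMARC record that lost its `p=` tag; the same functions accept the strings returned by a resolver query for `2019010917._domainkey.examplerun.cf`, so the check can be repeated from outside once NSD serves the zone.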

configFiles/ssh/sshd.config

#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
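The file above is the stock Ubuntu sshd_config with a handful of options switched on at the end. sshd resolves such a file with rules that matter when reviewing it: keywords are case-insensitive, the first value met for a keyword wins and a later duplicate is silently ignored, and every line after the first Match applies only when that Match matches, so a hardening option placed below a Match line is not global. The Python below is an added example, not part of the hardening script: it parses a constructed excerpt of this file with those rules and reports the settings a reviewer checks first, plus the SHA-1 host-key signature algorithms (ssh-rsa and its certificate form) that the HostKeyAlgorithms line above still offers. The EXPECTED table is this example's own choice of what a hardened file should carry.

```python
import re

# Constructed excerpt of the sshd.config listing above, with two traps added
# to exercise the parsing rules: a second PermitRootLogin further down and a
# PasswordAuthentication inside a Match block.
SAMPLE_SSHD_CONFIG = """\
#Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PermitRootLogin yes
Subsystem\tsftp\t/usr/lib/openssh/sftp-server
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Match User anoncvs
    X11Forwarding no
    PasswordAuthentication yes
"""

# Global values a hardened file is expected to carry (keywords lower-cased).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "x11forwarding": "no",
}
# Host-key signature algorithms that use SHA-1; OpenSSH stopped offering
# them by default in release 8.8.
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}

# 'Keyword value' and 'Keyword=value' are both accepted by sshd.
KEYWORD_RE = re.compile(r"(\w+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Effective global settings as {keyword_lowercase: value}.
    First occurrence wins; parsing stops at the first Match line because
    everything below it is conditional rather than global."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def audit_sshd_config(text):
    """Return (effective_settings, findings) for the global section."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd built-in default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    offered = set(cfg.get("hostkeyalgorithms", "").lower().split(","))
    for alg in sorted(offered & SHA1_HOSTKEY_ALGS):
        findings.append(f"hostkeyalgorithms: {alg} signs with SHA-1")
    return cfg, findings


if __name__ == "__main__":
    settings, problems = audit_sshd_config(SAMPLE_SSHD_CONFIG)
    for key in EXPECTED:
        print(f"{key} = {settings.get(key)}")
    for problem in problems:
        print("finding:", problem)
```

Against the real file the call is `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; on a live host `sshd -T` prints the effective configuration after the same resolution and is the authoritative cross-check for what the parser reports.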

configFiles/mail/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.examplerun.cf/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.examplerun.cf/privkey.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_all_clientcerts, reject_unauth_destination
myhostname = mail.examplerun.cf
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, $mydomain, mail.examplerun.cf, localhost.examplerun.cf, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
sender_canonical_maps = hash:/etc/postfix/canonical
mydomain = examplerun.cf
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
### https://access.redhat.com/articles/1468593
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES:!SHA
tls_preempt_cipherlist = yes
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, check_policy_service unix:private/policyd-spf, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
# START OpendKIM & OpenDMARC
milter_protocol = 6
milter_default_action = accept
smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
non_smtpd_milters = local:/opendkim/opendkim.sock, local:/opendmarc/opendmarc.sock
# END OpendKIM & OpenDMARC
smtpd_tls_CAfile = /etc/ssl/certs/examplerun.cf.ca.crl.pem
tls_append_default_CA = no

configFiles/mail/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_ask_ccert=yes
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lm tp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
policyd-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
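Reading master.cf by eye is error-prone because of how master(8) joins lines: a logical line starts in column 1, a line that starts with whitespace continues the previous logical line, and blank and comment lines are discarded before that continuation test is made. In the listing above the `submission` entry is commented out but three of its indented `-o` lines are not, so they attach to the nearest uncommented entry above them, the port-25 `smtp inet ... smtpd` service. The Python below is an added example, not the project's code: a parser that applies those rules to a constructed excerpt of the listing and shows which service ends up with `smtpd_tls_security_level=encrypt`, `smtpd_sasl_auth_enable=yes` and `smtpd_tls_ask_ccert=yes`.

```python
# Constructed excerpt of the master.cf listing above: the submission entry is
# commented out, but three of its "-o" override lines are not.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_ask_ccert=yes
#  -o smtpd_tls_auth_only=yes
pickup    unix  n       -       y       60      1       pickup
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
policyd-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
"""

FIELDS = ("type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def logical_lines(text):
    """Join physical lines into master.cf logical lines as master(8) does:
    blank and comment lines are dropped first, so they neither start nor end
    an entry; an indented line then continues the last entry that was kept."""
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                current += " " + stripped
            continue
        if current is not None:
            yield current
        current = stripped
    if current is not None:
        yield current


def parse_master_cf(text):
    """{'name/type': {fields..., 'command': str, 'options': {k: v}, 'args': [...]}}
    where 'options' collects the -o overrides and 'args' the remaining words."""
    services = {}
    for line in logical_lines(text):
        tokens = line.split()
        entry = dict(zip(FIELDS, tokens[1:7]))
        entry["command"] = tokens[7]
        entry["options"] = {}
        entry["args"] = []
        rest = tokens[8:]
        i = 0
        while i < len(rest):
            if rest[i] == "-o" and i + 1 < len(rest):
                key, _, value = rest[i + 1].partition("=")
                entry["options"][key] = value
                i += 2
            else:
                entry["args"].append(rest[i])
                i += 1
        services[f"{tokens[0]}/{entry['type']}"] = entry
    return services


def services_with_option(services, option):
    """Names of the entries that carry a given -o override."""
    return sorted(name for name, entry in services.items() if option in entry["options"])


if __name__ == "__main__":
    for name, entry in parse_master_cf(MASTER_CF).items():
        print(name, entry["command"], entry["options"])
```

Two consequences are worth checking on a deployed host: the public MTA on port 25 refuses any peer that cannot negotiate TLS, which RFC 3207 section 4 says a publicly referenced SMTP server must not do, and `postconf -Mf` prints the same resolved view as this parser, so it is the quick way to confirm which service an override really belongs to.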

configFiles/mail/canonical.conf

test@mail.examplerun.cf    test@examplerun.cf
root@mail.examplerun.cf    postmaster@examplerun.cf

configFiles/mail/aliases.conf

test: test
postmaster: root

configFiles/mail/opendmarc.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendmarc/examples/opendmarc.conf.sample.

##  AuthservID (string)
##  	defaults to MTA name
##
##  Sets the "authserv-id" to use when generating the Authentication-Results:
##  header field after verifying a message.  If the string "HOSTNAME" is
##  provided, the name of the host running the filter (as returned by the
##  gethostname(3) function) will be used.
#
# AuthservID name

##  FailureReports { true | false }
##  	default "false"
##
##  Enables generation of failure reports when the DMARC test fails and the
##  purported sender of the message has requested such reports.  Reports are
##  formatted per RFC6591.
#
# FailureReports false

##  PidFile path
##  	default (none)
##
##  Specifies the path to a file that should be created at process start
##  containing the process ID.
#
PidFile /var/run/opendmarc/opendmarc.pid

##  PublicSuffixList path
##  	default (none)
##
##  Specifies the path to a file that contains top-level domains (TLDs) that
##  will be used to compute the Organizational Domain for a given domain name,
##  as described in the DMARC specification.  If not provided, the filter will
##  not be able to determine the Organizational Domain and only the presented
##  domain will be evaluated.
#
PublicSuffixList /usr/share/publicsuffix

##  RejectFailures { true | false }
##  	default "false"
##
##  If set, messages will be rejected if they fail the DMARC evaluation, or
##  temp-failed if evaluation could not be completed.  By default, no message
##  will be rejected or temp-failed regardless of the outcome of the DMARC
##  evaluation of the message.  Instead, an Authentication-Results header
##  field will be added.
#
# RejectFailures false

##  Socket socketspec
##  	default (none)
##
##  Specifies the socket that should be established by the filter to receive
##  connections from sendmail(8) in order to provide service.  socketspec is
##  in one of two forms: local:path, which creates a UNIX domain socket at
##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
##  a TCP socket on the specified port for the appropriate protocol family.
##  If the host is not given as either a hostname or an IP address, the
##  socket will be listening on all interfaces.  This option is mandatory
##  either in the configuration file or on the command line.  If an IP
##  address is used, it must be enclosed in square brackets.
#
Socket local:/var/run/opendmarc/opendmarc.sock

##  Syslog { true | false }
##  	default "false"
##
##  Log via calls to syslog(3) any interesting activity.
#
Syslog true

##  SyslogFacility facility-name
##  	default "mail"
##
##  Log via calls to syslog(3) using the named facility.  The facility names
##  are the same as the ones allowed in syslog.conf(5).
#
# SyslogFacility mail

##  TrustedAuthservIDs string
##  	default HOSTNAME
##
##  Specifies one or more "authserv-id" values to trust as relaying true
##  upstream DKIM and SPF results.  The default is to use the name of
##  the MTA processing the message.  To specify a list, separate each entry
##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
##  the host running the filter as reported by the gethostname(3) function.
#
# TrustedAuthservIDs HOSTNAME

##  UMask mask
##  	default (none)
##
##  Requests a specific permissions mask to be used for file creation.  This
##  only really applies to creation of the socket when Socket specifies a
##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
##  files are normally created by the mkstemp(3) function that enforces a
##  specific file mode on creation regardless of the process umask.  See
##  umask(2) for more information.
#
UMask 0002

##  UserID user[:group]
##  	default (none)
##
##  Attempts to become the specified userid before starting operations.
##  The process will be assigned all of the groups and primary group ID of
##  the named userid unless an alternate group is specified.
#
UserID opendmarc

AutoRestart Yes
AutoRestartRate 10/1h
PidFile /var/spool/postfix/opendmarc/opendmarc.pid
Socket local:/var/spool/postfix/opendmarc/opendmarc.sock
AuthservID mail.examplerun.cf
TrustedAuthservIDs mail.examplerun.cf
Syslog true
SyslogFacility mail
UMask 0002
UserID opendmarc:opendmarc

configFiles/mail/opendkim.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain			example.com
#KeyFile		/etc/dkimkeys/dkim.key
#Selector		2007

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization	simple
#Mode			sv
#SubDomains		no

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket			inet:8892@localhost
Socket			local:/var/run/opendkim/opendkim.sock

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile			/var/run/opendkim/opendkim.pid

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders		From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration	/etc/unbound/unbound.conf

##  TrustAnchorFile filename
##       default (none)
##
##  Specifies a file from which trust anchor data should be read when doing
##  DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
##  at http://unbound.net for the expected format of this file.

TrustAnchorFile		/usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID			opendkim
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			002
# OpenDKIM user
# Remember to add user postfix to group opendkim
UserID			opendkim

# Map domains in From addresses to keys used to sign messages
KeyTable		/etc/opendkim/key.table
SigningTable		refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList	/etc/opendkim/trusted.hosts
InternalHosts		/etc/opendkim/trusted.hosts

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization	relaxed/simple
Mode			sv
SubDomains		no
#ADSPAction		continue
AutoRestart		no
AutoRestartRate		10/1M
Background		yes
DNSTimeout		5
SignatureAlgorithm	rsa-sha256

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders		From
### UBUNTU 18.10
PidFile			/var/spool/postfix/opendkim/opendkim.pid
Socket			local:/var/spool/postfix/opendkim/opendkim.sock

configFiles/mail/signing.table

*@examplerun.cf examplerun

configFiles/mail/trusted.hosts

127.0.0.1
::1
localhost
examplerun.cf
mail.examplerun.cf

configFiles/mail/users-external.conf

test:::::::

configFiles/mail/dovecot.conf

## Dovecot configuration file
!include_try /usr/share/dovecot/protocols.d/*.protocol

!include conf.d/*.conf

auth default {
  mechanisms = plain login external
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

configFiles/mail/10-auth.conf

##
## Authentication processes
##

#disable_plaintext_auth = yes

auth_ssl_username_from_cert = yes

auth_mechanisms = plain login external

!include auth-system.conf.ext
!include auth-passwdfile.conf.ext

configFiles/mail/10-ssl.conf

##
## SSL settings
##

ssl = yes

ssl_cert =

(the rest of this listing and the heading of the next one are not present on the page; the listing continues with the passdb and userdb sections below)

passdb {
  driver = passwd-file
  # the PLAIN scheme prevents us from having to hash the empty string
  args = scheme=PLAIN username_format=%u /etc/dovecot/users-external

  # this option requires Dovecot 2.2.28 (or the patch), without it this setup
  # is insecure because it permits logins with the empty string as password
  mechanisms = external

  # explicitly permit empty passwords
  override_fields = nopassword

}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users-external
}

configFiles/fw/fw.conf

# SSH
allow-tcp 22
allow-udp 22
# DNS
allow-tcp 53
allow-udp 53
# MAIL
allow-tcp 25
allow-udp 25
# SECURE SMTP
allow-tcp 465
allow-udp 465
# IMAP
allow-tcp 143
allow-udp 143
# IMAP TLS
allow-tcp 993
allow-udp 993
# HTTP HTTPS
allow-tcp 80
allow-tcp 443
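The hardening script reads this file to decide which ports stay reachable; the script's own rule generator is not shown on this page. The Python below is an added example, not the project's code, of turning such a file into an explicit default-deny iptables rule set. The `allow-tcp PORT` / `allow-udp PORT` grammar with `#` comments is read off the listing above; the rule template (loopback and established traffic first, one ACCEPT per allowed port, a rate-limited LOG, then DROP) is this example's choice. The parser rejects anything it does not understand instead of skipping it, since a silently ignored line in a firewall file is worse than a failed run.

```python
# Constructed excerpt of the configFiles/fw/fw.conf listing above.
SAMPLE_FW_CONF = """\
# SSH
allow-tcp 22
allow-udp 22
# DNS
allow-tcp 53
allow-udp 53
# HTTP HTTPS
allow-tcp 80
allow-tcp 443
"""


def parse_fw_conf(text):
    """Return sorted (proto, port) tuples. Unknown directives and ports
    outside 1..65535 raise ValueError with the offending line number."""
    rules = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments, blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow-tcp", "allow-udp"):
            raise ValueError(f"fw.conf line {lineno}: unsupported directive {raw!r}")
        port = int(parts[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"fw.conf line {lineno}: port {port} out of range")
        rules.add((parts[0][len("allow-"):], port))
    return sorted(rules)


def iptables_rules(allowed):
    """Default-deny INPUT chain: only the listed ports accept new connections;
    everything else is logged (rate-limited) and dropped."""
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for proto, port in allowed:
        cmds.append(f"iptables -A INPUT -p {proto} --dport {port} "
                    f"-m conntrack --ctstate NEW -j ACCEPT")
    cmds.append('iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "')
    cmds.append("iptables -A INPUT -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in iptables_rules(parse_fw_conf(SAMPLE_FW_CONF)):
        print(cmd)
```

The generator reproduces exactly what the file says, which is the right place to notice that the listing also allows UDP on ports whose services are TCP-only (22, 25, 465, 143, 993): those lines widen the exposed surface for no benefit and are a review item for the file, not something the parser should quietly drop. On a host, the printed commands are applied in order, and the same file can be fed through `iptables-save` afterwards to confirm the chain matches.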

configFiles/web/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {
	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
}

configFiles/web/nginx/conf.d/examplerun.cf.conf

server {
	# default_server is a listen parameter, not a host name; in the original
	# listing it was appended to server_name, where nginx would treat it as a
	# literal host name "default_server"
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;
	server_name examplerun.cf www.examplerun.cf;

	ssl_prefer_server_ciphers on;
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	ssl_certificate /etc/letsencrypt/live/examplerun.cf/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/examplerun.cf/privkey.pem; # managed by Certbot

	ssl_dhparam /etc/ssl/dh4096.pem;

	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Xss-Protection "1; mode=block" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header Referrer-Policy "same-origin" always;

	access_log /var/log/nginx/examplerun.cf_ssl_access.log;
	error_log /var/log/nginx/examplerun.cf_ssl_error.log;

	location / {
		proxy_set_header X-Real-IP       $remote_addr;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header Host            $host;
		proxy_pass http://127.0.0.1:8080;
	}
}

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name examplerun.cf www.examplerun.cf;

	access_log /var/log/nginx/examplerun.cf_access.log;
	error_log /var/log/nginx/examplerun.cf_error.log;

	return 301 https://$host$request_uri;
}

configFiles/web/apache2/ports.conf

# A bare port binds every interface; only the firewall (80/443 allowed above)
# keeps 8080 off the wire. "Listen 127.0.0.1:8080" would restrict the backend
# to loopback, matching the VirtualHost address in the site config.
Listen 8080
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

configFiles/web/apache2/sites-available/examplerun.cf.conf

<VirtualHost 127.0.0.1:8080>
    ServerName examplerun.cf
    # A second ServerName would overwrite the first; additional names go in ServerAlias.
    ServerAlias www.examplerun.cf
    ServerAdmin webmaster@examplerun.cf
    DocumentRoot /var/www/examplerun

    # LogLevel info ssl:warn

    # Log file names follow the vhost's domain.
    ErrorLog ${APACHE_LOG_DIR}/examplerun.cf_error.log
    CustomLog ${APACHE_LOG_DIR}/examplerun.cf_access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
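The linter below is an added example and is not part of the hardening script or its configuration files. It checks the two properties a reviewer would most want to verify after a run: that the nginx vhost enables no legacy TLS version, no non-AEAD (CBC) cipher suite and sends the security headers with "always", with default_server placed on listen; and that the Apache backend nginx proxies to is bound to loopback only. The sample configurations are constructed, trimmed copies of the listings above; the "hardened" variant (TLS 1.2/1.3 only, AEAD suites only, default_server on listen) is a suggested target, not something the script currently writes. TLS 1.1, which the script still enables, has been deprecated by RFC 8996 since 2021.

```python
import re

# Constructed samples, trimmed from the nginx and Apache listings above.
# Assumption: the hardening script writes files of this shape; nothing is
# read from disk, so the linter runs offline.
NGINX_VHOST = """\
server {
    listen 443 ssl;
    server_name examplerun.cf www.examplerun.cf default_server;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;
    ssl_dhparam /etc/ssl/dh4096.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
"""

# The same vhost with the findings fixed: a suggested configuration,
# not what the script writes.
HARDENED_VHOST = (
    NGINX_VHOST
    .replace("www.examplerun.cf default_server;", "www.examplerun.cf;")
    .replace("listen 443 ssl;", "listen 443 ssl default_server;")
    .replace("TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
    .replace(":ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256", "")
)

APACHE_VHOST = "<VirtualHost 127.0.0.1:8080>\n    ServerName examplerun.cf\n</VirtualHost>\n"

DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*(?:#.*)?$", re.M)
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options")


def directives(conf):
    """(name, args) for every 'name args;' line; commented-out lines never match."""
    return [(m.group(1), m.group(2).strip()) for m in DIRECTIVE.finditer(conf)]


def lint_nginx_tls(conf):
    """Return the list of findings for an nginx TLS vhost; [] means clean."""
    findings, headers = [], {}
    for name, args in directives(conf):
        if name == "ssl_protocols":
            legacy = sorted(LEGACY_TLS & set(args.split()))
            if legacy:
                findings.append("legacy protocol enabled: " + " ".join(legacy))
        elif name == "ssl_ciphers":
            # A named suite that is neither GCM nor ChaCha20 is a CBC suite;
            # keyword groups (HIGH, !aNULL, @STRENGTH) are skipped.
            cbc = [s for s in args.split(":")
                   if "-" in s and "GCM" not in s and "CHACHA20" not in s]
            if cbc:
                findings.append("non-AEAD cipher suites enabled: " + ":".join(cbc))
        elif name == "server_name" and "default_server" in args.split():
            findings.append("default_server belongs on listen, not server_name")
        elif name == "add_header":
            header, _, value = args.partition(" ")
            headers[header] = value
    for header in REQUIRED_HEADERS:
        if header not in headers:
            findings.append("missing header: " + header)
        elif not headers[header].endswith("always"):
            findings.append("header not sent on 4xx/5xx (add 'always'): " + header)
    hsts = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    if hsts and int(hsts.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    return findings


LISTEN = re.compile(r"^\s*Listen\s+(\S+)", re.M | re.I)
VHOST = re.compile(r"<VirtualHost\s+([^\s>]+)", re.I)


def is_loopback(addr):
    """True for '127.0.0.1:8080', '[::1]:8080' or 'localhost:8080'; a bare port is not."""
    host, _, _port = addr.rpartition(":")
    return host.startswith("127.") or host in ("[::1]", "localhost")


def lint_apache_backend(ports_conf, vhost_conf):
    """Findings for a backend that nginx proxies to over 127.0.0.1:8080."""
    findings = []
    for addr in LISTEN.findall(ports_conf):
        if not is_loopback(addr):
            findings.append("Listen %s binds beyond loopback; use 127.0.0.1:%s"
                            % (addr, addr.rpartition(":")[2]))
    for addr in VHOST.findall(vhost_conf):
        if not is_loopback(addr):
            findings.append("VirtualHost %s is not loopback-only" % addr)
    return findings


if __name__ == "__main__":
    for label, found in (("script vhost", lint_nginx_tls(NGINX_VHOST)),
                         ("hardened vhost", lint_nginx_tls(HARDENED_VHOST)),
                         ("ports.conf", lint_apache_backend("Listen 8080\n", APACHE_VHOST))):
        print(label, found or "clean")
```

After a run, feed the real files (/etc/nginx/conf.d/<domain>.conf, /etc/apache2/ports.conf and the site file) to the same two functions; an empty list from both means the TLS, header and backend-binding settings match the hardened target described above.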
