
Friday, September 28, 2007

Improving the security of a Red Hat Linux based server

To keep your Linux server reasonably secure, once installation is finished and before the server is fully in operation you should at least carry out the following steps (using an admin-level account, i.e. a member of the wheel group, of course):
* Turn off every service that is not needed, such as telnet, kudzu, irda, isdn or anything else you do not require.

Note: remember that one principle of good security is to provide only the services that are actually needed. So if this Linux system will only be used as a web server, services such as ftp and named (DNS) are best disabled.

This can be done with the commands ntsysv or chkconfig. Usage of chkconfig is:
chkconfig --list [service name]
chkconfig --add <service name>
chkconfig --del <service name>
chkconfig [--level <levels>] <service name> <on|off|reset>
* Reconfigure the internal firewall (iptables). There are two ways: with the iptables command, or by editing the file /etc/sysconfig/iptables

Usage: iptables -[AD] rule [options]. If you are unsure, type iptables -h or iptables --help to print the list of commands. Then restart the firewall with:
service iptables restart

* Enable user authentication so that only specific authorised users (for example, members of the wheel group) may use certain services.

How: edit the files under /etc/pam.d, such as /etc/pam.d/su, /etc/pam.d/sudo and /etc/pam.d/vsftpd, and enable (remove the "#" comment mark from) the line:
auth required /lib/security/$ISA/pam_wheel.so use_uid
* Use ssh rather than telnet for remote access. The telnet service should be turned off.
* Disable direct root login over ssh. The first login must be as an ordinary user; only after that may you become root with su.
How: edit /etc/ssh/sshd_config and set the PermitRootLogin line (uncommented) to:
PermitRootLogin no
* When adding a user account, make it a habit to give useradd at least the following options:
-g [group name]
-d [home directory]
-c [description of the user]
-e [expiry date]
-s /sbin/nologin -> this should be the default user shell, so that the user's access is very limited.

Example command:
useradd -g customer -d /inet/webhosting/anu.com -c "Web Hosting User" -e YYYY-MM-DD -s /sbin/nologin asep
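As an added example that is not part of the original post, the small POSIX shell audit below applies the "only needed services" rule to the output of chkconfig --list: it prints every service that is on at runlevel 3 or 5 but is not on an allow-list. The allow-list and the chkconfig output it runs on are constructed assumptions for a plain web server.

```shell
#!/bin/sh
# Added example (not from the original post): audit `chkconfig --list`
# output against an allow-list of the services a web server actually needs.
# Anything "on" at runlevel 3 or 5 and not on the list is printed, so the
# admin can turn it off with `chkconfig <name> off` or `chkconfig --del`.

# Services this host may run at boot (assumption: a plain web server).
ALLOWED="httpd sshd iptables syslog crond network"

# Constructed sample of `chkconfig --list` output so the script runs
# anywhere; on a real host use: chkconfig --list > services.txt
SAMPLE_LIST='httpd     0:off 1:off 2:on  3:on  4:on  5:on  6:off
telnet    0:off 1:off 2:on  3:on  4:on  5:on  6:off
kudzu     0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
isdn      0:off 1:off 2:off 3:off 4:off 5:off 6:off
named     0:off 1:off 2:off 3:on  4:off 5:off 6:off
iptables  0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Print the services enabled at runlevel 3 or 5 that are not allowed.
# Usage: unexpected_services "<chkconfig --list text>" "<allow-list>"
unexpected_services() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # only "name 0:.. 1:.. ..." lines; xinetd sub-entries have no levels
        NF >= 7 && $2 ~ /^0:/ {
            on = 0
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = 1
            if (on && !($1 in ok)) print $1
        }'
}

# Run the audit on the sample; each line printed is a service to turn off.
unexpected_services "$SAMPLE_LIST" "$ALLOWED"
```

On the sample above the audit reports telnet, kudzu and named, which is exactly the list of services the post says to disable on a web server.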

Thursday, August 23, 2007

Dovecot on Fedora Core System

This article explains how to set up a small mail server very fast on a Fedora Core system. After following this tutorial, you will have:
- MTA: Postfix
- SMTP Authentication: Cyrus SASL
- IMAP and POP3: Dovecot
- Webmail: SquirrelMail
Installing packages
- Install the needed packages using YUM: Login as root and type the following command in a terminal:
# yum install postfix dovecot cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-lib squirrelmail
It doesn't matter if you have one or more packages already installed as yum will skip those and install only the missing ones.
- Change the default MTA: Type the following command in a terminal and choose postfix:
# system-switch-mail
- Add Postfix and Dovecot (and optionally httpd if you also chose to install the webmail) to startup: First, make sure they are in the services list:
# chkconfig --list | grep postfix
# chkconfig --list | grep dovecot
# chkconfig --add postfix (only if necessary)
# chkconfig --add dovecot (only if necessary)
Then add them for init levels 3 and 5, just in case you will change your init level:
# chkconfig --levels 35 postfix on
# chkconfig --levels 35 dovecot on
# chkconfig --levels 35 httpd on
Configuring Postfix
- Edit /etc/postfix/main.cf and change the following values. These are the basic values that need editing in order to get you going really fast. Don't edit other values unless you know what you're doing:
myhostname = mail.example.com
This is only an example. Replace mail.example.com with your real Internet hostname or IP address. This will be the address that receives the mails.
mydomain = example.com
Optional. Replace example.com with your real domain name. This will be the domain your mails appear to be sent from. It can also be used as the destination.
inet_interfaces = all
This parameter specifies the addresses on which Postfix receives mail.
mydestination = $myhostname, $mydomain, localhost, localhost.localdomain
This parameter specifies the list of domains that this machine considers itself the final destination for. You can enter here all the hostnames pointing at your IP address, but DON'T specify the names of domains that this machine is a backup MX host for.
home_mailbox = Maildir/
This specifies the path where the mail is stored. Mailbox (mbox) delivery stores the mail in /var/spool/mail/user or /var/mail/user, while Maildir/ (the trailing / is required) stores the mail in each user's home directory (/home/user/Maildir).
- Save the file and restart Postfix with:
# service postfix restart
- Test it: Run the following command and check /root/Maildir/new for a message. You can read it using less, cat or a text editor:
# echo "Hello" | mail root
Configuring Dovecot
- Edit /etc/dovecot.conf and change the following line:
protocols = imap pop3
Don't leave the '#' in front.
- Test and start Dovecot:
# echo "Hello" | mail username
'username' is a NON-ROOT user, so you might have to create one.
- Start Apache for webmail and Dovecot:
# service httpd start
# service dovecot start
- Test it: Open your favorite browser and go to http://your.hostname.com/webmail and log in with the NON-ROOT user and password. If everything worked out well, you should have a new mail in your inbox.
Enable SMTP Authentication
- Edit the /etc/postfix/main.cf file and add these lines at the bottom of the file:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
- Start the saslauthd daemon and reload Postfix:
# service saslauthd start
# service postfix reload
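As an added example that is not part of the original tutorial, the POSIX shell script below reads a main.cf and checks the values this tutorial sets (home_mailbox, the smtpd_sasl_* lines and smtpd_recipient_restrictions), printing one line per problem. The two sample files it writes are constructed; the anti-relay check accepts either the tutorial's check_relay_domains or its current replacement reject_unauth_destination.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check the main.cf
# settings the tutorial edits before running "service postfix reload".
# Reads "key = value" lines (last assignment wins, as postconf does) and
# prints one line per problem; prints nothing when the file looks right.

# cf_get <file> <parameter>: effective value, empty if unset or commented out
cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }               # comment or not an assignment
        { k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1)
                   sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { if (val != "") print val }' "$1"
}

# check_main_cf <file>: one line per misconfiguration, silent when all is well
check_main_cf() {
    f=$1
    case "$(cf_get "$f" home_mailbox)" in
        */) ;;   # Maildir/ form, as the tutorial uses
        "") echo "home_mailbox unset: mail goes to /var/spool/mail, not Maildir" ;;
        *)  echo "home_mailbox has no trailing /: Postfix treats it as an mbox file" ;;
    esac
    [ "$(cf_get "$f" smtpd_sasl_auth_enable)" = yes ] ||
        echo "smtpd_sasl_auth_enable is not yes: clients cannot authenticate"
    case " $(cf_get "$f" smtpd_sasl_security_options) " in *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous" ;; esac
    r=$(cf_get "$f" smtpd_recipient_restrictions)
    case " $r " in *permit_sasl_authenticated*) ;;
        *) echo "smtpd_recipient_restrictions lacks permit_sasl_authenticated" ;; esac
    # reject_unauth_destination is the current name of the anti-relay check;
    # the tutorial's check_relay_domains is its older, deprecated spelling
    case " $r " in *reject_unauth_destination*|*check_relay_domains*) ;;
        *) echo "smtpd_recipient_restrictions has no anti-relay restriction" ;; esac
}

# write_samples <good-path> <bad-path>: constructed sample files, one correct
# and one with three typical slips (no trailing /, commented-out line, no reject)
write_samples() {
    printf '%s\n' 'home_mailbox = Maildir/' 'smtpd_sasl_auth_enable = yes' \
        'smtpd_sasl_security_options = noanonymous' \
        'smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination' > "$1"
    printf '%s\n' 'home_mailbox = Maildir' 'smtpd_sasl_auth_enable = yes' \
        '#smtpd_sasl_security_options = noanonymous' \
        'smtpd_recipient_restrictions = permit_sasl_authenticated, permit' > "$2"
}

good=$(mktemp) && bad=$(mktemp) && write_samples "$good" "$bad"
echo "bad sample:"; check_main_cf "$bad"; rm -f "$good" "$bad"
```

To check a live server, run check_main_cf /etc/postfix/main.cf; an empty result means the values this tutorial sets are present.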
Everything should work fine now. Open your favorite email client (Thunderbird, KMail etc.) and set your account as follows:
Incoming
Name: Your name
Email address: The-NON-ROOT-user@example.com
Account password: your-linux-password-for-the-non-root-user
Server type: POP
Incoming server: mail.example.com
Outgoing
Description: Something
Server address: mail.example.com
Port: 25
Check "My SMTP server requires authentication"
Username: The-NON-ROOT-user@example.com
Password: your-linux-password-for-the-non-root-user
Choose "PLAIN" for the authentication type.
If you want to receive the root's mail to your non-root user maildir, edit the /etc/aliases file and uncomment the root line to look like this and reload Postfix.
root: non-root-user
That's it! Play around with the settings in main.cf and tweak them to your taste but always remember to make a backup in case something goes wrong.