Post-Installation Security Procedures
The problem with POP, IMAP and some other well-known protocols, such as TELNET and FTP, is the user name and password are sent from the client to the server in clear text. This means someone can tap the communication between the server and the client and get user names and passwords. It is also possible to make a brute force attack on the server trying to guess user names and passwords. We can take care of brute force attacks by running a server that checks for such things. Some POP and IMAP servers close the account after five bad passwords are entered; the account is opened only after a waiting period or it may have to be opened manually. There is an interesting solution to clear text passwords. Some of the services support challenge-response passwords as well as the trivial passwords.
For example, we can get a clear TELNET connection with the SKEY package. The SKEY package gives the user a “One Time Password”; even if someone taps the line and gets the password, he can't use this password again to enter the server. Another tool is stunnel which was reviewed by David Bandel in the July 1999 LJ. stunnel gives the ability to connect from client to server in a secure encrypted way for several purposes, such as SMTP, POP and more.
One could fill a book writing about sendmail security. I would like to mention only a few of many more things about sendmail. The first thing is there are alternatives out there that claim to be much more secure then sendmail. It might be worthwhile to test one of these applications. One more thing about sendmail is that with a very simple program a hacker can try to get many user names from our system by using the VRFY protocol command. The VRFY and the EXPN protocol commands should be disabled in the /etc/sendmail.cf file. To disable these commands, we should use the following line in the sendmail.cf file:
O PrivacyOptions=authwarnings\ noexpn novrfy
This option will prevent sendmail from answering to VRFY and EXPN commands. It will also cause sendmail to complain about weak security settings. One last thing I like to do with sendmail is to remove the version number from its HELO string, so the version number will not be known to the outside.
Much work needs to be done when it comes to security. We should check every day to see what new hacks have appeared and which software should be upgraded for security reasons. When installing a new application, we should always look at the security settings and set them as tight as possible. It will not make our system 100% cracker proof, but it will make it much harder for the cracker to get into our system.
Eddie Harari can be reached via e-mail at firstname.lastname@example.org.
|When BirdCam Goes Mainstream||Oct 27, 2016|
|Nightfall on Linux||Oct 26, 2016|
|Daily Giveaway - Fun Prizes from Red Hat!||Oct 25, 2016|
|Installing and Running a Headless Virtualization Server||Oct 25, 2016|
|Ubuntu MATE, Not Just a Whim||Oct 21, 2016|
|Non-Linux FOSS: Screenshotting for Fun and Profit!||Oct 20, 2016|
- Nightfall on Linux
- When BirdCam Goes Mainstream
- Installing and Running a Headless Virtualization Server
- Secure Desktops with Qubes: Compartmentalization
- Daily Giveaway - Fun Prizes from Red Hat!
- Ubuntu MATE, Not Just a Whim
- Build Your Own Raspberry Pi Camera
- Polishing the wegrep Wrapper Script
- Nasdaq Selects Drupal 8
- Returning Values from Bash Functions