Post-Installation Security Procedures
The problem with POP, IMAP and some other well-known protocols, such as TELNET and FTP, is the user name and password are sent from the client to the server in clear text. This means someone can tap the communication between the server and the client and get user names and passwords. It is also possible to make a brute force attack on the server trying to guess user names and passwords. We can take care of brute force attacks by running a server that checks for such things. Some POP and IMAP servers close the account after five bad passwords are entered; the account is opened only after a waiting period or it may have to be opened manually. There is an interesting solution to clear text passwords. Some of the services support challenge-response passwords as well as the trivial passwords.
For example, we can get a clear TELNET connection with the SKEY package. The SKEY package gives the user a “One Time Password”; even if someone taps the line and gets the password, he can't use this password again to enter the server. Another tool is stunnel which was reviewed by David Bandel in the July 1999 LJ. stunnel gives the ability to connect from client to server in a secure encrypted way for several purposes, such as SMTP, POP and more.
One could fill a book writing about sendmail security. I would like to mention only a few of many more things about sendmail. The first thing is there are alternatives out there that claim to be much more secure then sendmail. It might be worthwhile to test one of these applications. One more thing about sendmail is that with a very simple program a hacker can try to get many user names from our system by using the VRFY protocol command. The VRFY and the EXPN protocol commands should be disabled in the /etc/sendmail.cf file. To disable these commands, we should use the following line in the sendmail.cf file:
O PrivacyOptions=authwarnings\ noexpn novrfy
This option will prevent sendmail from answering to VRFY and EXPN commands. It will also cause sendmail to complain about weak security settings. One last thing I like to do with sendmail is to remove the version number from its HELO string, so the version number will not be known to the outside.
Much work needs to be done when it comes to security. We should check every day to see what new hacks have appeared and which software should be upgraded for security reasons. When installing a new application, we should always look at the security settings and set them as tight as possible. It will not make our system 100% cracker proof, but it will make it much harder for the cracker to get into our system.
Eddie Harari can be reached via e-mail at email@example.com.
- Readers' Choice Awards 2013
- Linux Kernel News - November 2013
- Advanced Hard Drive Caching Techniques
- December 2013 Issue of Linux Journal: Readers' Choice
- Mars Needs Women
- Sublime Text: One Editor to Rule Them All?
- Raspberry Pi: the Perfect Home Server
- RSS Feeds
- Web Administration Scripts
- Linux Systems Administrator
- thanks for share, great
16 hours 52 min ago
- There are factors which are
21 hours 52 min ago
- Gnome 3 ?
22 hours 37 min ago
- Reply to comment | Linux Journal
1 day 2 hours ago
- "Redis RethinkDB 4.5%" on Best NoSQL Databases
1 day 12 hours ago
- on the ground
1 day 19 hours ago
- I was able to read the whole
1 day 20 hours ago
- since i have read the title i
2 days 1 min ago
- Belanja Online Cari Voucher Diskon
2 days 7 min ago
- The kernel doesn't really
2 days 12 hours ago