A Server (Almost) of Your Own
Automated attacks against SSH are constant: scripted password guessing from across the Internet will find any weak account. At the very least, you must use strong passwords, or your system will be compromised. The apg utility simplifies this task: it generates random, non-dictionary “words” that you can still pronounce. There are apg packages for most popular Linux distributions.
Make sure to look in the on-line Resources for this article for more information. SSH security is not specific to the VPS environment—it is also an important issue in standard virtual hosting. With a VPS, however, you do have the flexibility to protect yourself properly. The resources page is at /article/9380.
The mail server, also known as the Mail Transfer Agent (MTA), is a program that delivers and receives e-mail messages. The MTA will receive all the mail that others send you. Likewise, any messages you send to others will leave your VPS through the MTA.
The default MTA on your VPS is Sendmail. This sophisticated, powerful program has advantages for complex e-mail configurations. Unfortunately, it also is difficult to configure and has a long history of security problems.
Therefore, we replace Sendmail with Postfix. Postfix is efficient, very secure and, most important, easy to configure. Before proceeding with the installation, shut down Sendmail, and make sure that it will not start again on reboot. Then, install Postfix:
[root@myvps ~]# /etc/init.d/sendmail stop
Shutting down sendmail:  [ OK ]
Shutting down sm-client: [ OK ]
[root@myvps ~]# chkconfig --del sendmail
[root@myvps ~]# up2date --install postfix
Note that using the up2date command to install packages is specific to Red Hat and related distributions. You may be presented with a configuration screen the first time that you run up2date. You can simply press Enter to accept the default values. In addition, up2date is sometimes very slow and can even fail for transient reasons. You can try the command again if it does not work the first time.
The main Postfix configuration file is /etc/postfix/main.cf. Save a copy of this file to read later, because it contains many helpful comments. Then, replace /etc/postfix/main.cf with the code from Listing 1. You should modify your new main.cf to specify the domain names that you will be hosting on your VPS.
# Example "main.cf" file for Postfix on a VPS.
#
# Note that lines that begin with whitespace
# continue the previous line.
#
# LOCAL PATHNAME INFORMATION
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix

# QUEUE AND PROCESS OWNERSHIP
mail_owner = postfix

# Host name is usually the domain name on a VPS.
myhostname = first.domain
mydomain = first.domain

# Where locally-posted mail will come from.
myorigin = $myhostname

# Listen on all interfaces.
inet_interfaces = all

# This server is the final destination for these domains.
mydestination = localhost, localhost.localdomain, $myhostname,
    localhost.$mydomain, $mydomain, second.domain

# IMPORTANT -- accept mail for relaying ONLY from
# the local machine.
mynetworks_style = host

# Where your aliases are.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# This user should receive any mail whose recipient
# could not otherwise be matched.
luser_relay = maila

# IMPORTANT -- local recipient checking must be
# turned off for the "luser_relay" directive to
# work.
local_recipient_maps =

# Error code to reject mail with when the local
# recipient is not known.
unknown_local_recipient_reject_code = 550

# Your server's greeting banner. IMPORTANT -- it
# MUST start with your server's hostname, and the
# reverse DNS lookup on the server's IP address MUST
# match this hostname, or your outgoing mail could
# be rejected as SPAM.
smtpd_banner = $myhostname ESMTP

# See the "main.cf" that came with your Postfix
# distribution for discussion on the rest of the
# directives in this file.
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.1.5/samples
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
Replace all occurrences of first.domain in Listing 1 with your own fully qualified domain name, such as openlight.com. The reverse DNS lookup of your VPS's IP address must return this name; otherwise, your outbound messages may be rejected as spam.
If you are hosting an additional domain name, substitute it for the second.domain entry. Otherwise, delete second.domain before using Listing 1. If you wish, you can also replace maila in Listing 1 with the user name of your choice. Be aware of what the empty local_recipient_maps setting buys you: Postfix will accept a message for any local part at your domains, so the 550 rejection code in the listing is never actually used, and every misaddressed or dictionary-attack message lands in maila's mailbox instead of being refused during the SMTP conversation.
Now, append an entry to the /etc/aliases file to specify the user who will receive root's mail. Here is an example:
Next, create accounts for the other e-mail users. Append any aliases for these users to /etc/aliases. The following example entry will cause user mailb to receive all messages sent to the aliased address at first.domain:
Note that if you have an additional domain name, messages to the same alias at second.domain will also go to mailb, because /etc/aliases is keyed on the local part only and applies to every domain listed in mydestination. For a small organization, this is probably the right default behavior, because all domain names that you will be hosting are almost certainly related. For example, if you are hosting an additional domain for your product, then tech-support questions about the product should likely go to the same person, regardless of which domain name appears in the e-mail address.
When you are finished, update the alias database file, and start Postfix:
[root@myvps ~]# postalias /etc/aliases
[root@myvps ~]# /etc/init.d/postfix start
Starting postfix: [ OK ]
Check the log file /var/log/maillog for any errors.
You can update the aliases file even while Postfix is running; just run postalias /etc/aliases again when you are finished.
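To see how the main.cf in Listing 1 and the /etc/aliases entries above combine to decide where a message lands, here is an added Python model written for this edit; it is not Postfix code and not from the original article. It applies the three rules the configuration turns on: only domains in mydestination are local, /etc/aliases is expanded recursively on the local part alone (so one alias covers first.domain and second.domain alike), and, because local_recipient_maps is empty, an unknown local part goes to luser_relay instead of being rejected with 550. The user names maila and mailb, the alias entries and the value luser_relay = maila are constructed sample data.

```python
# Added illustration of how the main.cf and /etc/aliases above route a
# recipient. This is a model written for this article, not Postfix code;
# the user names maila and mailb and the alias entries are constructed.
from __future__ import annotations

# Constructed /etc/aliases fragment in aliases(5) syntax: "name: target,
# target"; '#' starts a comment; a line beginning with whitespace
# continues the previous entry.
ALIASES_TEXT = """\
# constructed sample /etc/aliases
postmaster: root
root: maila
support: mailb
sales: mailb,
    maila
"""

# The Listing 1 settings that decide routing (domains as in the listing).
MYDESTINATION = {"localhost", "localhost.localdomain",
                 "first.domain", "second.domain"}
LOCAL_USERS = {"maila", "mailb"}   # accounts that exist on the VPS (assumed)
LUSER_RELAY = "maila"              # luser_relay = maila
MYORIGIN = "first.domain"          # myorigin = $myhostname


def parse_aliases(text: str) -> dict[str, list[str]]:
    """Parse aliases(5) text into name -> [targets], joining continuations."""
    entries: list[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1] += " " + raw.strip()   # continuation line
        else:
            entries.append(raw.strip())
    table: dict[str, list[str]] = {}
    for entry in entries:
        name, _, targets = entry.partition(":")
        table[name.strip().lower()] = [t.strip() for t in targets.split(",")
                                       if t.strip()]
    return table


def resolve(address: str, aliases: dict[str, list[str]]) -> list[str]:
    """Final destinations for address: local mailboxes, remote addresses
    forwarded by an alias, or [] when the domain is not in mydestination."""
    if "@" in address:
        local, _, domain = address.lower().rpartition("@")
    else:                                # bare name: myorigin is appended
        local, domain = address.lower(), MYORIGIN
    if domain not in MYDESTINATION:
        return []                        # not ours; relaying is a separate question
    final: list[str] = []
    seen: set[str] = set()               # duplicate and loop suppression

    def expand(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        if "@" in name:                  # alias target with an explicit domain
            lp, _, dom = name.rpartition("@")
            if dom in MYDESTINATION:
                expand(lp)
            else:
                final.append(name)       # forwarded off the box
        elif name in aliases:            # aliases apply to every local domain
            for target in aliases[name]:
                expand(target.lower())
        elif name in LOCAL_USERS:
            final.append(name)
        else:                            # local_recipient_maps is empty, so no
            final.append(LUSER_RELAY)    # 550: unknown names go to luser_relay

    expand(local)
    return final


def route(address: str) -> list[str]:
    """Convenience wrapper using the constructed aliases above."""
    return resolve(address, parse_aliases(ALIASES_TEXT))


if __name__ == "__main__":
    for addr in ("support@first.domain", "support@second.domain",
                 "postmaster@first.domain", "nobody@first.domain", "root"):
        print(f"{addr:28} -> {route(addr)}")
```

Running it shows the consequence the text describes: support at either domain reaches mailb, and an address nobody created (nobody@first.domain) is not refused but delivered to maila.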
You should now verify that Postfix is doing what you expect. Connect to port 25 on your VPS using telnet, as shown in Listing 2. Enter just the text highlighted in bold—the rest of the text is the system's responses. Of course, you should type the IP address of your VPS in place of MY.VPS.IP.ADDRESS, and your actual domain name instead of first.domain.
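As an added example that is not from the original article, the following Python model reproduces the shape of that telnet session and the two decisions the Listing 1 settings make during it: the greeting is "$myhostname ESMTP", a recipient in a mydestination domain is accepted from any client, and (mynetworks_style = host) a recipient anywhere else is accepted only when the client is the VPS itself. It is a small state machine written for this edit, not Postfix; the reply wording follows Postfix 2.1-era responses, and the addresses 203.0.113.7 (standing in for MY.VPS.IP.ADDRESS), 198.51.100.9 (an outside host) and the dialogue lines are constructed.

```python
# Added illustration of the telnet check described above: a small model of
# the SMTP dialogue as the main.cf in Listing 1 shapes it. This is not
# Postfix code; the reply wording follows Postfix 2.1-era responses, and the
# IP addresses 203.0.113.7 (the VPS) and 198.51.100.9 (an outside host) and
# the dialogue lines are constructed.

MYHOSTNAME = "first.domain"
MYDESTINATION = {"localhost", "localhost.localdomain",
                 "first.domain", "second.domain"}
# mynetworks_style = host: only the machine's own addresses may relay.
MYNETWORKS = {"127.0.0.1", "203.0.113.7"}


class MiniSmtpServer:
    """One SMTP session; handle() returns the server's reply to a client line."""

    def __init__(self, client_ip: str):
        self.client_ip = client_ip
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.body = []
        self.queued = []          # (sender, recipients, body) accepted for delivery

    def banner(self) -> str:
        return f"220 {MYHOSTNAME} ESMTP"          # smtpd_banner = $myhostname ESMTP

    @staticmethod
    def _addr(arg: str) -> str:
        return arg.partition(":")[2].strip().strip("<>").lower()   # "TO:<a@b>" -> "a@b"

    def handle(self, line: str):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued.append((self.sender, self.rcpts, "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 Ok: queued"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return None                                                   # message lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {MYHOSTNAME}"
        if verb == "MAIL":
            self.sender = self._addr(arg)
            return "250 Ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            rcpt = self._addr(arg)
            domain = rcpt.rpartition("@")[2]
            # Our own domains from anyone; anything else only from the
            # local machine (mynetworks_style = host).
            if domain in MYDESTINATION or self.client_ip in MYNETWORKS:
                self.rcpts.append(rcpt)
                return "250 Ok"
            return f"554 <{rcpt}>: Relay access denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.sender, self.rcpts = None, []
            return "250 Ok"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Error: command not implemented"


def run_session(client_ip: str, client_lines):
    """Drive one session; return (server, transcript of (who, text) pairs)."""
    srv = MiniSmtpServer(client_ip)
    transcript = [("S", srv.banner())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = srv.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return srv, transcript


def replies(client_ip: str, client_lines):
    """Just the server side of a session, for checking."""
    _, transcript = run_session(client_ip, client_lines)
    return [text for who, text in transcript if who == "S"]


# Constructed dialogue: the check from the article, typed on the VPS itself.
LOCAL_CHECK = ["HELO first.domain", "MAIL FROM:<maila@first.domain>",
               "RCPT TO:<support@second.domain>", "DATA",
               "Subject: postfix test", "", "It works.", ".", "QUIT"]

# Constructed dialogue: an outside host trying to use the VPS as a relay.
RELAY_ATTEMPT = ["HELO spammer.example", "MAIL FROM:<x@spammer.example>",
                 "RCPT TO:<victim@elsewhere.example>", "QUIT"]

if __name__ == "__main__":
    for ip, lines in (("203.0.113.7", LOCAL_CHECK), ("198.51.100.9", RELAY_ATTEMPT)):
        print(f"--- client {ip}")
        for who, text in run_session(ip, lines)[1]:
            print(f"{who}: {text}")
```

Against the real server the same two sessions are what you should compare: a RCPT TO for one of your own domains answered 250 from anywhere, and a RCPT TO for a foreign domain answered 554 Relay access denied unless you are connected from the VPS itself. If the second session ever gets a 250, the relay restriction is not in effect and the machine is an open relay.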