Table of Contents

Security

After rebuilding Bud due to successful attacks, a number of suggestions were made, they were implemented as folows:

Passwords & Groups

daemon, bin, sys, games, man, mail, news, uucp, proxy, www-date, backup, list, irc, gnats, nobody,

groupadd –system wheel

SSL

Postfix, Courier IMAP, and Apache all use their own SSL certificates in /etc/ssl/ for secure communications and TLS authenication. The configuration files for each application will have to reflect the name of the certificate file. See the documentation for individual applications or existing systems for the naming convention.

The guide for creating the keys is at openssl.htm. Additional information might be at the OpenSSL web site.

SSL Configuration

This is done once for the system.

SSL Key Generation - Manual Method

This entire section is duplicated below in the SSL Key Generation - Script Method section. Do one or the other, not both.

This is repeated for each application that needs it.

openssl genrsa -des3 -out /etc/ssl/private/temp.key 1024
openssl rsa -in /etc/ssl/private/temp.key -out /etc/ssl/private/<name>.key
rm /etc/ssl/private/temp.key
openssl req -new -key /etc/ssl/private/<name>.key -out /etc/ssl/private/<name>.csr
openssl x509 -req -days 3650   -in /etc/ssl/private/<name>.csr   -signkey /etc/ssl/private/<name>.key   -out /etc/ssl/<name>.crt
chown :postfix /etc/ssl/private/postfix.key
chown :postfix /etc/ssl/postfix.crt

SSL Key Generation - Script Method

This entire section is duplicated above in the SSL Key Generation - Script Method section. Do one or the other, not both.

This is repeated for each application that needs it.

The above commands are in a script named openssl-gencrt to simplify certificate creation:

openssl-gencrt <name>

Defaults

Required