build:security
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
build:security [2007/06/13 12:09] 206.197.251.253 |
build:security [2008/02/11 02:52] (current) 4.245.76.22 |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Security ====== | ====== Security ====== | ||
| - | After rebuilding Bud due to successful attacks, a number of suggestions were made, and some of them implemented to improve security: | + | After rebuilding Bud due to successful attacks, a number of suggestions were made, they were implemented as folows: |
| - | ===== Passwords & Groups ===== | + | ====== Passwords & Groups ====== |
| * Require complex passwords | * Require complex passwords | ||
| + | * Change all valid shells for daemon accounts to /bin/false | ||
| + | daemon, bin, sys, games, man, mail, news, uucp, proxy, www-date, backup, list, irc, gnats, nobody, | ||
| * Require PKA for all admin users | * Require PKA for all admin users | ||
| * Create a wheel group to restrict su access | * Create a wheel group to restrict su access | ||
| - | groupadd --system wheel | + | groupadd --system wheel |
| * Remove sudo entirely | * Remove sudo entirely | ||
| + | * Provide a script to automate certification generation, providing defaults for standard data | ||
| - | ===== openssl Configuration Changes ===== | + | ====== SSL ====== |
| + | //[[postfix|Postfix]], [[imap|Courier IMAP]], and [[apache|Apache]] all use their own SSL certificates in /etc/ssl/ for secure communications and TLS authenication. The configuration files for each application will have to reflect the name of the certificate file. See the documentation for individual applications or existing systems for the naming convention.// | ||
| - | ===== SSL Key Generation ===== | + | The guide for creating the keys is at [[http://www.nomoa.com/bsd/openssl.htm|openssl.htm]]. Additional information might be at the [[http://www.openssl.org/|OpenSSL web site]]. |
| - | //from the Omnitec Wiki// | + | ===== SSL Configuration ===== |
| - | Postfix and Apache both use the SSL certificates in /etc/ssl/ for secure communications and TLS authenication. | + | This is done once for the system. |
| - | The guide for creating the keys is at openssl.htm (http://www.nomoa.com/bsd/openssl.htm) | + | * Backup ''/etc/ssl/openssl.cnf'' to ''/etc/ssl/openssl.cnf.original'' and change/add defaults in the req_distinguished_name section of openssl.cnf to be specific to SLUUG. The ''commonName_default'' and '' organizationalUnitName_default'' are different for each system. |
| + | * ''countryName_default = US'' | ||
| + | * ''stateOrProvinceName_default = Missouri'' | ||
| + | * ''localityName_default = St. Louis'' | ||
| + | * ''0.organizationName_default = St. Louis Unix ''User's Group | ||
| + | * ''emailAddress = postmaster@sluug.org'' | ||
| + | * ''commonName_default = bud.sluug.org'' | ||
| + | * ''organizationalUnitName_default = bud.sluug.org'' | ||
| - | Backup /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.original and change/add defaults to be specific to SLUUG: | + | ===== SSL Key Generation - Manual Method ===== |
| - | * countryName_default = US | + | |
| - | * localityName_default = St. Louis | + | |
| + | ** This entire section is duplicated below in the [[#ssl_key_generation_-_script_method|SSL Key Generation - Script Method]] section. Do one or the other, not both.** | ||
| - | The commands, in order, to produce the certificate is : | + | This is repeated for each application that needs it. |
| - | Generate the private "sluug" server key with sluug passphrase. | + | * Generate the private server key with passphrase. Enter anything for the passphrase (4 to 8191 characters), but will have to enter it for the next step that removes it. |
| <code rootshell> | <code rootshell> | ||
| - | sudo `which openssl` genrsa -des3 -out /etc/ssl/private/server.key 1024 | + | openssl genrsa -des3 -out /etc/ssl/private/temp.key 1024 |
| </code> | </code> | ||
| - | Generate the certificate request with defaults in a modified openssl.cnf. For the "Common Name" enter the servers fqdn ie mx1.omnitec.net | + | * Remove the passphrase (cannot use a passphrase with a server) |
| <code rootshell> | <code rootshell> | ||
| - | sudo `which openssl` req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr -config ./openssl.cnf | + | openssl rsa -in /etc/ssl/private/temp.key -out /etc/ssl/private/<name>.key |
| + | </code> | ||
| + | * No longer need the temporary key. | ||
| + | <code rootshell> | ||
| + | rm /etc/ssl/private/temp.key | ||
| + | </code> | ||
| + | * Generate the certificate request with defaults from the modified openssl.cnf. When running the signing request, you will be asked a number of questions about the identification of the organization and system. Since these were already set in openssl.cnf, you should only need to verify the default value and press Carriage Return to take the default for all of them. For example, for the "Common Name" enter the servers fqdn e.g. bud.sluug.org | ||
| + | <code rootshell> | ||
| + | openssl req -new -key /etc/ssl/private/<name>.key -out /etc/ssl/private/<name>.csr | ||
| </code> | </code> | ||
| - | Self sign the certificate request to produce the servers certificate. | + | * Self sign the certificate request to produce the certificate. |
| <code rootshell> | <code rootshell> | ||
| - | sudo `which openssl` x509 -req -days 3650 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt | + | openssl x509 -req -days 3650 -in /etc/ssl/private/<name>.csr -signkey /etc/ssl/private/<name>.key -out /etc/ssl/<name>.crt |
| </code> | </code> | ||
| - | Next copy the key and cert created to /etc/ssl/private/postfix.key and /etc/ssl/postfix.crt and change group so postfix can read it. | + | * Change group and permissions as needed so the application can read it's own certificate. For example, for postfix: |
| <code rootshell> | <code rootshell> | ||
| - | cp /etc/ssl/private/server.key /etc/ssl/private/postfix.key | ||
| - | cp /etc/ssl/postfix.crt /etc/ssl/postfix.crt | ||
| chown :postfix /etc/ssl/private/postfix.key | chown :postfix /etc/ssl/private/postfix.key | ||
| chown :postfix /etc/ssl/postfix.crt | chown :postfix /etc/ssl/postfix.crt | ||
| </code> | </code> | ||
| + | |||
| + | ===== SSL Key Generation - Script Method ===== | ||
| + | |||
| + | **This entire section is duplicated above in the [[#ssl_key_generation_-_manual_method|SSL Key Generation - Script Method]] section. Do one or the other, not both.** | ||
| + | |||
| + | This is repeated for each application that needs it. | ||
| + | |||
| + | The above commands are in a script named ''openssl-gencrt'' to simplify certificate creation: | ||
| + | |||
| + | * Copy ''/usr/local/sbin/openssl-gencrt'' from another system if not already done. | ||
| + | |||
| + | * Launch ''openssl-keygen'' with the desired Certificate Name as an argument | ||
| + | <code rootshell> | ||
| + | openssl-gencrt <name> | ||
| + | </code> | ||
| + | |||
| + | * The defaults for SLUUG are provided - a <cr> will accept them; only the common name is required to be entered. | ||
| + | * Defaults may be overridden if required | ||
| + | * NOTE: A passphrase is required for the key - it is removed in the second step | ||
| + | |||
| + | ===== Defaults ===== | ||
| + | * Country: [US] | ||
| + | * Locale: [St. Louis] | ||
| + | * Organization Name: [St. Louis Unix User Group | ||
| + | |||
| + | |||
| + | ===== Required ===== | ||
| + | * OU Name: Server fqdn | ||
| + | * Common name: Function (e.g. Postfix) | ||
| + | |||
| + | * Any of the defaults may be overridden at creation time | ||
build/security.1181754557.txt.gz · Last modified: 2007/06/13 12:09 by 206.197.251.253
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
