SLUUG Wiki

User Tools

Site Tools

Trace: security
build:security

This is an old revision of the document!

Table of Contents

Security

After rebuilding Bud due to successful attacks, a number of suggestions were made, and some of them implemented to improve security:

Passwords & Groups

  • Require complex passwords
  • Require PKA for all admin users
  • Create a wheel group to restrict su access

groupadd –system wheel

  • Remove sudo entirely
  • Provide a script to automate certification generation, providing defaults for standard data

SSL Key Generation Script

/usr/local/sbin/openssk-gencrt

Postfix and Apache both use the SSL certificates in /etc/ssl/ for secure communications and TLS authenication. The guide for creating the keys is at openssl.htm (http://www.nomoa.com/bsd/openssl.htm)

  • Backup /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.original and change/add defaults to be specific to SLUUG:
    • countryName_default = US
    • stateOrProvinceName_default = Missouri
    • localityName_default = St. Louis
    • 0.organizationName_default = St. Louis Unix User's Group
    • commonName_default = Sysadmin
    • emailAddress = postmaster@sluug.org
  • Generate the private server key with passphrase.
openssl genrsa -des3 -out /etc/ssl/private/server.key 1024
  • Remove the passphrase (cannot use a passphrase with a server)
openssl rsa -in pass.key -out server.key
  • Generate the certificate request with defaults from the modified openssl.cnf. For the "Common Name" enter the servers fqdn e.g. bud.sluug.org
openssl req -new -key /etc/ssl/private/<name>.key -out /etc/ssl/private/<name>.csr

Self sign the certificate request to produce the certificate. 

openssl x509 -req -days 3650   -in /etc/ssl/private/<name>.csr   -signkey /etc/ssl/private/<name>.key   -out /etc/ssl/<name>.crt

Next copy the key and cert created to the /etc/ssl/private/postfix.key and /etc/ssl/postfix.crt and change group so postfix can read it. 

cp /etc/ssl/private/server.key /etc/ssl/private/postfix.key
cp /etc/ssl/postfix.crt /etc/ssl/postfix.crt
chown :postfix /etc/ssl/private/postfix.key
chown :postfix /etc/ssl/postfix.crt

The above commands were combined in a shell script

  • Launch openssl-keygen with the desired Certificate Name as an argument
openssl-gencrt <Certificate Name>
  • The defaults for SLUUG are provided - a <cr> will accept them; some information is required.
  • Enter a passphrase for the key - it will be removed in the second step

Defaults

  • Country: [US]
  • Locale: [St. Louis]
  • Organization: [St. Louis Unix User Group

Required

  • Common name (Server fqdn):
  • Any of the defaults may be overridden at creation time
build/security.1181764631.txt.gz · Last modified: 2007/06/13 14:57 by 206.197.251.253

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki