Thread: securing localhost (apache, postfix)....

  1. #1
    Join Date
    Apr 2013
    Location
    Modra, Slovakia
    Posts
    265

    I have a somewhat theoretical question. I have apache, mysql, postfix and cups running on localhost. For cups and mysql there is no need to open them up to the internet, so I blocked outgoing data to interface enp4s0 (which is my ethernet connection). So I'd like to know how to secure postfix (or rather courier, which actually manages the communication outside) and apache. I currently have iptables set to protect me from DDoS.
    13.2 KDE 64bit tumbleweed
    Lenovo G500s, Thinkpad R500

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,721

    You do not explain how you are connected to the Internet. When that is a router/modem of your home network that you also manage, I would primarily block on that router. I, e.g., have no incoming ports open on the router. That already makes securing your systems a much more relaxed task.

    BTW, I do not know if you know, but
    Code:
    netstat -tulp
    run as root will provide you with a list of listening ports and the processes (programs) that are listening. A good starting point to see what you have running in the system that could be open to access.
    Henk van Velden

  3. #3
    Join Date
    Apr 2013
    Location
    Modra, Slovakia
    Posts
    265

    Code:
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
    tcp        0      0 robertobalu.com.chi:ipp                     *:*                          LISTEN      1/init              
    tcp        0      0 *:mysql                                            *:*                          LISTEN      2409/mysqld         
    tcp        0      0 *:www-http                                        *:*                         LISTEN      26235/httpd2-prefor
    tcp        0      0 localhost:ipp                                      *:*                        LISTEN      1/init              
    udp        0      0 robertobalu.com.chi:ipp                     *:*                                          1/init              
    udp        0      0 localhost:ipp                                   *:*                                            1/init
    So obviously it's my localhost, apache server and mysql, and yes, I'm connected through a router and I have a firewall there and router management bound to LAN port 1 (I'd say quite secure, but who knows how many backdoors), and my ISP probably has ssh to that router because they update firmware from time to time (I have IPTV and IP telephone on that router). But you know your machine better than the router, so it's good to be paranoid.

  4. #4
    Join Date
    Apr 2013
    Location
    Modra, Slovakia
    Posts
    265

    And this is a little off topic, but it occurred to me that I might do a security audit on my router, a Vigor 2700. Do you know of a good unix tool for that?

  5. #5
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,721

    I admit that much depends on your ISP. It is not only the price per month that counts.

    My ISP cannot enter my router, and firmware updates are announced on their website and, when they are important, also in their newsletter. But I have to apply them because only I can manage the router.

    I guess that for testing your router you must do a portscan from outside.

    What I normally do from the inside:
    • When it is configurable in the application, configure that only local addresses (or even a few specific systems) are allowed, e.g. Apache and daemons started through xinetd.
    • Check the netstat to see what is running and listening and either switch them off or class them as "must run and thus check now and then".
    • The router (as mentioned above).

    Now typing this, I realise that I did not mention the firewall on the systems. That can of course also be a useful tool, but I do not use it.
    Henk van Velden
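
    Added example, not part of the original thread: a small shell filter for the netstat check discussed in the posts above. It sorts each listening socket from `netstat -tulp` output into loopback-only, wildcard (all interfaces) or one specific address. The function names and the sample rows are constructed for illustration; the rows are modelled on the output in post #3, with 192.168.1.10 as a made-up LAN address.

```shell
#!/bin/sh
# Added example: classify listeners from `netstat -tulp` (or -tulpn) output on stdin.
# Output columns: scope proto local-address pid/program
#   loopback = only reachable from this machine
#   wildcard = bound to every interface, reachable from the network unless filtered
#   specific = bound to one non-loopback address
classify_listeners() {
    awk '
    $1 !~ /^(tcp|udp)/ { next }                 # skip the header row
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }      # TCP: listening sockets only
    {
        host = $4
        sub(/:[^:]*$/, "", host)                # drop the trailing :port or :service
        if (host ~ /^(localhost|127\.|::1$)/)           scope = "loopback"
        else if (host ~ /^(\*|0\.0\.0\.0|::|\[::\])$/)  scope = "wildcard"
        else                                            scope = "specific"
        prog = ($1 ~ /^tcp/) ? $7 : $6          # UDP rows have an empty State column
        print scope, $1, $4, prog
    }'
}

# Constructed sample input (hypothetical host; 192.168.1.10 is a made-up LAN address).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:mysql                 *:*                     LISTEN      2409/mysqld
tcp        0      0 *:www-http              *:*                     LISTEN      26235/httpd2-prefor
tcp        0      0 localhost:ipp           *:*                     LISTEN      1/init
tcp        0      0 192.168.1.10:ipp        *:*                     LISTEN      1/init
udp        0      0 localhost:ipp           *:*                                 1/init
EOF
}

# Demo run: mysqld and httpd show up as "wildcard", i.e. listening on every interface.
sample_netstat | classify_listeners
```

    On a live system the same function can be fed with `netstat -tulp | classify_listeners`, run as root so the program column is filled in. Anything reported as wildcard or specific is a candidate for binding to a local address or switching off, as in the checklist above.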

  6. #6
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    When you consider security, consider security in depth, and depth can be designed in different ways. One way is networking, and you've described one method, which is opening/closing ports.

    Other possible networking options include
    - local machine and running a firewall on a separate machine
    - firewalls aren't all created equal. IP Tables only recently started supporting Stateful Inspection, although I've yet to investigate what it means here because the term is often mangled by marketing, but if the technical definition is implemented, it's significant. Proxy firewalls are far better than "window screen" firewalls like IP Tables, but introduce latency
    - Isolation, eg firewall zones
    - Various filtering by different types of devices

    Filtering leads into another significant area of security, not just blocking/unblocking traffic but blocking traffic content.
    You should harden (patching and configuration) your applications and machines, and limit the number of unnecessary services to decrease attack surface.
    And, you can take further steps to prevent malicious payloads from even reaching your Apache server through devices like proxies that have filtering and analytical features.

    IMO,
    TSU

  7. #7
    Join Date
    Apr 2013
    Location
    Modra, Slovakia
    Posts
    265

    So also in a home environment you'd better run some proxy server and forward all incoming traffic through that proxy?
