securing localhost (apache, postfix)....

I’ve such like theoretical question. I’ve apache, mysql, postfix, cups runnin on localhost. For cups, mysql no need to open it up to the internet so blocked outgoing data to interface enp4s0 (which is my ethernet connection). So I’d like to know how to secure postfix(or rather courier which actually manage the communication outside), apache. I’ve currently iptables set to protect me from DDos

You do not explain how you are connected to the Internet. When that is a router/modem of your home network where you are also the manager of, I would primarily block on that router. I, e.g. have no incomming ports open on the router. That makes securing your systems already a much more relaxed task.

BTW, I do not know if you know, but

netstat -tulp

run as root will provide you with a list of listening ports and the processes (programs) that are listening. A good starting point to see what you have running in the system that could be open to access.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0                     *:*                          LISTEN      1/init              
tcp        0      0 *:mysql                                            *:*                          LISTEN      2409/mysqld         
tcp        0      0 *:www-http                                        *:*                         LISTEN      26235/httpd2-prefor
tcp        0      0 localhost:ipp                                      *:*                        LISTEN      1/init              
udp        0      0                     *:*                                          1/init              
udp        0      0 localhost:ipp                                   *:*                                            1/init    

so obviously it’s my localhost, apache server , mysql and yes I’m connected through rooter and I’ve firewall there and rooter management bounded to LAN port1 1 (I’d say quite secure but who knows how many backdoors) and my ISP probably’ ve ssh to that rooter cause they update firmware from time to time (I’ve IPTV and IP telephone on that rooter). But you know your machine better than the rooter so good to be paranoid

and that’s little off topic but it occured to me that I may do some security audit on my rooter Vigor 2700 if you don’t know bout some good unix tool for that?

I admit that much depends on your ISP. It is not only the price per month that counts :wink:

My ISP can not enter my router, And firmware updates are anounced on their website and when they are important also in their newsletter. But I have to apply them because only I can manage the router.

I guess that for testing your router you must do a portscan from outside.

What I normaly do from the inside:

  • When it is configurable in the application, configure that only local addresses (or even a few specific systems) are allowed. Apache and daemons started through xinet e.g.
  • Check the netstat to see what is running and listening and either switch them off or class them as “must run and thus check now and then”.
  • The router (as mentioned above).

Now typing this, I realise that I do not mention the firewall on the systems. That can of course also be a usefull tool, but I do not use it.

When you consider security,
Consider security in depth, and depth can be designed in different ways. One way is networking and you’ve described one method which is opening/closing ports.

Other possible networking options include

  • localmachine and running a firewall on a separate machine
  • firewalls aren’t all created equally. IP Tables only recently started supported Stateful Inspection although I’ve yet to investigate what it means here because the term is often mangled by marketing but if the technical definition is implemented, it’s significant Proxy firewalls are far better than “window screen” firewalls like IP Tables, but introduce latency
  • Isolation, eg firewall zones
  • Various filtering by different types of devices

Filtering leads into another significant area of security, not just blocking/unblocking traffic but blocking traffic content.
You should harden(patching and configuration) your applications and machines, and limit the number of unnecessary services to decrease attack surface.
And, you can take further steps to prevent malicious payloads from even reaching your Apache server through devices like proxies that have filtering and analytical features.


So also in home enviroment you’d better run some proxy server and forward all incoming traffic thru that proxy?