Archive for the ‘Security’ Category

Disable Weak Ciphers in Dovecot

In running my periodic Nessus scans, it picked up a few medium severity vulnerabilities against Dovecot. One was “SSL Anonymous Cipher Suites Supported” and the other, “SSL Weak Cipher Suites Supported.”

Look in the Dovecot config file located in /etc/dovecot.conf under “SSL ciphers to use” and you will see:
ssl_cipher_list = ALL:!LOW:!MEDIUM

To disable these weak ciphers change this to:
ssl_cipher_list = ALL:!LOW:!MEDIUM:!MD5:!SSLv2:!EXP-ADH-DES-CBC-SHA:!EXP-EDH-RSA-DES-CBC-SHA:!EXP-DES-CBC-SHA:!ADH-AES256-SHA:!ADH-AES128-SHA:!ADH-DES-CBC3-SHA

Two details matter when writing the string. The OpenSSL keyword for the SSL 2.0 suites is SSLv2; a token OpenSSL does not recognise (such as SSL2) is silently skipped rather than rejected, so a typo leaves the suites enabled. And the individually named EXP-* and ADH-* suites are exactly what the !EXPORT and !aNULL group keywords cover, so ALL:!LOW:!MEDIUM:!MD5:!SSLv2:!aNULL:!EXPORT excludes the same suites without having to enumerate them (ALL includes the anonymous suites, which is why the scanner saw them). Restart Dovecot after the change.

Run the Nessus scan again and those two vulnerabilities go away :-)
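A quicker way to confirm what a cipher string actually enables, before re-running the scanner, is to expand it with openssl ciphers -v and flag the suites a scanner objects to. The filter below is an added example and not part of the original post: a POSIX shell function that reads the -v listing on standard input. The sample listings at the bottom are constructed to show the output format and are not from a real server.

```bash
#!/bin/sh
# Added example: flag cipher suites in `openssl ciphers -v` output that scanners report
# as weak. Reads the -v listing on stdin, prints one line per offending suite, and exits
# non-zero if any were found.
#   openssl ciphers -v 'ALL:!LOW:!MEDIUM:!MD5:!SSLv2:!aNULL:!EXPORT' | weak_suites
weak_suites() {
    awk '
        /Au=None/        { print $1 ": anonymous key exchange, no server authentication"; n++; next }
        / export/        { print $1 ": export-grade key size";                            n++; next }
        /Enc=DES\(/      { print $1 ": single DES";                                       n++; next }
        /Enc=(RC2|NULL)/ { print $1 ": RC2 or NULL encryption";                           n++; next }
        /Mac=MD5/        { print $1 ": MD5 MAC";                                          n++; next }
        END              { exit (n > 0) }
    '
}

# Constructed sample of `openssl ciphers -v` output (not captured from a real server):
# the anonymous, export and MD5 suites are the ones Nessus complained about.
SAMPLE_CIPHERS='ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Constructed listing with nothing to flag.
CLEAN_CIPHERS='AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1'

# Number of weak suites in a listing passed as $1.
weak_count() {
    printf '%s\n' "$1" | weak_suites | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CIPHERS" | weak_suites
fi
```

Run it against the Dovecot string before and after the change; the before run lists the ADH and EXP suites, the after run prints nothing and exits 0.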

Editing SELinux Policies

There are times when SELinux just does not want to play nice. For instance, after installing ClamAV I began running into problems where, if I did not turn off SELinux while ClamAV was running, SMTP traffic would fail. To fix this issue we must first look at the messages file under /var/log. Within this file we will see error messages like:
setroubleshoot: SELinux is preventing cleanup (postfix_cleanup_t) "search" to ./clamav (clamd_var_lib_t).

The same setroubleshoot entry tells you to run the command:
sealert -l a1bc9b39-80a2-4f2e-963f-12daf766a8d4

Usually the report is very good at diagnosing the problem and telling you which booleans to activate; in this instance, however, no boolean covers the access, so we have to create our own module.

First: Download and install selinux-policy-devel (and policycoreutils, which provides audit2allow and semodule, if it is not already present).
Second: Parse through the raw audit messages. We are looking for two things: the message type (AVC) and the comm name, i.e. the process that was denied. Here it is cleanup, the Postfix cleanup daemon, being refused "search" on the ClamAV directory.
Third: Run the ausearch command and pipe it to audit2allow, which turns the denials into a policy module.
For instance: ausearch -m AVC --comm cleanup | audit2allow -M ClamAV

audit2allow -M writes both ClamAV.te (the human-readable rules) and ClamAV.pp (the compiled module). Read the .te file before loading it: it should contain only the allow rules for the denials you expect, such as postfix_cleanup_t searching clamd_var_lib_t, because every other denial in the audit log with the same comm name ends up in the module too.

Once the files have been generated, run: semodule -i ClamAV.pp and see if the problem has been resolved. If not, tail the messages log again to see if there are any additional SELinux alerts you should be aware of; one denial often hides the next one, so it can take a couple of rounds.
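Before building a module it helps to reduce the raw AVC records to the fields that decide what the module will grant: which process, which source type, which target type, which class and which permissions. The filter below is an added example, not from the original post; the audit record it runs over is constructed in the format of /var/log/audit/audit.log and is not a real capture.

```bash
#!/bin/sh
# Added example: summarise AVC denials as "comm / source type / target type / class / perms".
# Usage: avc_summary < /var/log/audit/audit.log
#        ausearch -m AVC -ts today | avc_summary
# Then, for the comm you identified:
#   ausearch -m AVC --comm cleanup | audit2allow -M ClamAV   # writes ClamAV.te and ClamAV.pp
#   cat ClamAV.te                                          # review the allow rules first
#   semodule -i ClamAV.pp
avc_summary() {
    awk '
        /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms)   # keep the text after "denied {"
            sub(/ *[}].*/, "", perms)           # ... up to the closing brace
            comm = ""; scon = ""; tcon = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^comm=/)     { comm = substr($i, 6); gsub("\"", "", comm) }
                else if ($i ~ /^scontext=/) { scon = substr($i, 10) }
                else if ($i ~ /^tcontext=/) { tcon = substr($i, 10) }
                else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            split(scon, s, ":"); split(tcon, t, ":")   # user:role:type[:level] -> type
            printf "comm=%s src=%s tgt=%s class=%s perms=%s\n", comm, s[3], t[3], tclass, perms
        }
    '
}

# Constructed audit.log excerpt (not a real capture) matching the setroubleshoot message above.
SAMPLE_AUDIT='type=AVC msg=audit(1262304000.123:456): avc:  denied  { search } for  pid=2345 comm="cleanup" name="clamav" dev=sda2 ino=98765 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:clamd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1262304000.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="cleanup" exe="/usr/libexec/postfix/cleanup"'

# Summary line(s) for a log excerpt passed as $1.
summarise_sample() {
    printf '%s\n' "$1" | avc_summary
}
```

The one-line summary (cleanup, postfix_cleanup_t, clamd_var_lib_t, dir, search) is what you should expect to see as the single allow rule in the generated ClamAV.te.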

RHEL/CentOS 5 server security

As a part of the sysadmin’s job, it is important to take a few extra minutes to go through and properly secure a newly installed Linux server. These steps include enabling SELinux on the machine, configuring the firewall, and setting user permissions. There are, however, additional steps one should take in order to secure a server: tune and secure kernel parameters, set limits on core dumps, prevent IPv6 from loading if your company is not using it, and turn off unnecessary services.

Networking
First, let's take a look at configuring kernel parameters to prevent network-based attacks. These settings ignore source-routed packets and ICMP redirects, so an intruder cannot alter the routing table or turn the server into a router, log packets with impossible source addresses (martians), turn on reverse-path filtering, enable SYN cookies against SYN floods, and ignore broadcast ICMP echo and bogus ICMP errors. To change these settings edit the /etc/sysctl.conf file and enter:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

If you are currently running IPv6 at your company, here are a few kernel parameters to prevent network-based attacks. They stop the host from accepting router advertisements (default router, routes, prefixes) and from autoconfiguring addresses, so a rogue router on the segment cannot redirect its traffic; the host then needs a statically configured IPv6 address and default route. The conf.default values are copied to each interface as it is created, so put them in sysctl.conf to have them in place before the interfaces come up; an interface that is already up needs the matching net.ipv6.conf.<interface>.* key set as well:
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

To make these settings effective without rebooting the server, type sysctl -p. It reports an error for every key that does not exist on the running kernel (the net.ipv6 keys disappear once the ipv6 module is blocked, as described below), so remove those lines if you disable IPv6 rather than leaving errors at every boot.
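Once the lines are in sysctl.conf, the check a practitioner wants is whether the running kernel actually has those values: a typo in the file or a key the kernel does not know goes unnoticed after sysctl -p. The script below is an added example and not part of the original post; the two sample files are constructed.

```bash
#!/bin/sh
# Added example: compare a sysctl.conf-style list of wanted settings with the values the
# kernel is actually running.
#   sysctl -a 2>/dev/null > /tmp/sysctl.current
#   sysctl_audit /etc/sysctl.conf /tmp/sysctl.current
# Prints one line per key that differs or is missing; the exit status is the number of
# such keys, so 0 means the host matches the file.
sysctl_audit() {
    awk -F'=' '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        NR == FNR {                                  # first file: wanted values
            if ($0 !~ /^[ \t]*#/ && $0 !~ /^[ \t]*$/) want[trim($1)] = trim($2)
            next
        }
        { cur[trim($1)] = trim($2) }                 # second file: running values
        END {
            n = 0
            for (k in want) {
                if (!(k in cur)) {
                    printf "%s: absent on the running kernel (module not loaded?)\n", k; n++
                } else if (cur[k] != want[k]) {
                    printf "%s: want %s, running %s\n", k, want[k], cur[k]; n++
                }
            }
            exit n
        }
    ' "$1" "$2"
}

# Constructed samples (not from a real host): what we asked for, and what sysctl -a shows.
WANTED='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
# ipv6 keys only exist while the ipv6 module is loaded
net.ipv6.conf.default.autoconf = 0'
RUNNING='net.ipv4.conf.all.accept_source_route = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1'

# Run the audit over the two samples above; prints the findings, returns the count.
demo_audit() {
    w=$(mktemp) && r=$(mktemp) || return 1
    printf '%s\n' "$WANTED" > "$w"
    printf '%s\n' "$RUNNING" > "$r"
    if sysctl_audit "$w" "$r"; then rc=0; else rc=$?; fi
    rm -f "$w" "$r"
    return "$rc"
}
```

On the samples it reports accept_source_route as still 1 and the IPv6 key as absent, which is exactly the pair of failures a blocked ipv6 module and a forgotten sysctl -p produce on a real box.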

We can go a step further by disabling unused network functions such as IPv6 and prevent self assigned addressing.

To detect whether or not IPv6 is running on a server, type: ifconfig | grep inet6, which returns lines such as:
inet6 addr: fe80::240:5ff:fe32:ef19/64 Scope:Link
inet6 addr: ::1/128 Scope:Host
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link

To prevent the ipv6 kernel module from loading, run the following command. The modprobe.d entry takes effect on the next boot; the module cannot be unloaded while interfaces are using it:
echo "install ipv6 /bin/true" > /etc/modprobe.d/ipv6
Then add the following lines to /etc/sysconfig/network so the init scripts do not try to configure it:
NETWORKING_IPV6=no
IPV6INIT=no

This deactivates the IPv6 protocol on the server; after a reboot, ifconfig | grep inet6 should return nothing. Also stop and disable the ip6tables service (see the service list below), since its modules depend on ipv6 and will fail to load.

To prevent self-assigned (zeroconf, 169.254.0.0/16) addressing on the network cards, open the /etc/sysconfig/network file and add:
NOZEROCONF=yes

Server security
Turning off the ability to create core dumps is important: a dump is a copy of a process's memory, so it can hand anyone who can read it the passwords, keys and configuration details of the service that crashed. To do so, edit the /etc/security/limits.conf file and insert:
* hard core 0
We should also prevent setuid programs from dumping core, since those dumps are the most likely to contain privileged data. Set it now, and add the same key (fs.suid_dumpable = 0) to /etc/sysctl.conf so it survives a reboot:
sysctl -w fs.suid_dumpable=0

There are also built-in kernel features which help protect against buffer overflow exploits. These features are turned on by default on RHEL/CentOS 5, but the parameters should be checked in case they have been turned off:
sysctl -w kernel.exec-shield=1
sysctl -w kernel.randomize_va_space=1

These are two separate protections: Exec-Shield marks the stack and data regions non-executable so injected code cannot run, and randomize_va_space randomises the layout of the stack, mmap region and shared libraries (ASLR) so a return address cannot be guessed reliably. Check the current value of kernel.randomize_va_space before setting it: on kernels where it already reads 2 (full randomisation, including the heap), writing 1 would weaken it, so keep whichever value is higher. As with the other settings, persist them in /etc/sysctl.conf.

There are many services running on a default installation, including cups, sendmail, isdn, bluetooth, and many others. If these services are not being used on the server then they should be stopped and configured not to start on reboot. To do so we can run the following bash script; it skips names that are not installed so chkconfig does not complain, and note that sendmail is the default MTA, so keep it (or its replacement, such as Postfix) if the server needs to send mail:
for i in acpid autofs avahi-daemon bluetooth cups firstboot gpm hidd ip6tables sendmail exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn mcstrans
do
chkconfig --list "$i" >/dev/null 2>&1 || continue
service "$i" stop
chkconfig "$i" off
done

Your services will vary depending on the installation. We should also ensure that X does not run on reboot, placing the server in run level three. To do so, edit the /etc/inittab file and change id:5:initdefault: to id:3:initdefault:

Install mod_security for RHEL/CentOS

You will need to install the Extra Packages for Enterprise Linux (EPEL) release rpm, which sets up the EPEL yum repository. The package is noarch, so the same rpm serves both architectures; for i386:
'rpm -ivh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'
For x86_64, install the same epel-release noarch rpm from the x86_64/ directory of the mirror; a repoview .html page is only a listing and cannot be fed to rpm.

Once the EPEL rpm has been installed, you will then be able to install mod_security by typing 'yum install mod_security' and restart the Apache service.

Make sure that the rule engine is turned on: open
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf and look for 'SecRuleEngine On' (with DetectionOnly, matches are logged but nothing is blocked).

One of the coolest features is masking the server signature of Apache. mod_security can only overwrite the banner if Apache emits the full one, so edit httpd.conf and make sure that 'ServerTokens' is set to 'Full'. Then change 'SecServerSignature' in 'modsecurity_crs_10_config.conf' to whatever you want and restart Apache. Keep in mind that this only changes the Server header; fingerprinting by behaviour (error pages, header order) still identifies Apache, so treat it as a nuisance for scanners rather than a security control.

Postfix and SSL

First we need to create our certificates. This walkthrough uses a private certificate authority, which is fine for your own mail clients as long as they are told to trust the CA certificate (otherwise they will warn about an unknown issuer). To create the CA, install the openssl-perl package through yum, which provides the CA.pl helper:
———————————————————–
yum install openssl-perl
———————————————————–

Then change to the directory where openssl-perl installs CA.pl (/etc/pki/tls/misc on RHEL/CentOS 5) and issue the following command to create the CA key and certificate. It writes them under ./demoCA; the CA certificate is demoCA/cacert.pem, which is the file your clients need to trust.
———————————————————–
./CA.pl -newca
———————————————————–

After this process is done we need to create the server's private key and certificate request, then have the request signed by the CA. Two details differ from the obvious invocation: the key must be generated with -nodes, because Postfix cannot prompt for a passphrase and will fail to start with an encrypted key, and -days belongs on the signing step (openssl ca), since openssl req ignores it unless -x509 is given. When prompted for the Common Name, give the hostname clients will connect to (smtp.example.com in the test below).
———————————————————–
openssl req -new -nodes -newkey rsa:2048 -keyout newkey.key -out newreq.pem
openssl ca -days 365 -out post_signed_cert.pem -infiles newreq.pem

———————————————————–

Create a directory on the Postfix server under /etc/pki called postfix, with private and certs subdirectories (the paths main.cf refers to below). Move newkey.key there as private/postkey.key and post_signed_cert.pem as certs/post_signed_cert.pem, then lock down the key. Postfix's smtpd reads the key as root before dropping privileges, so root-owned and mode 0400 is correct; the certificate is public and may stay readable.
———————————————————–
chmod 0400 /etc/pki/postfix/private/*
———————————————————–

Add the following lines at the bottom of Postfix's main.cf. Together they offer STARTTLS to every client (security_level may), advertise AUTH only once the session is encrypted (smtpd_tls_auth_only), and let authenticated users relay through permit_sasl_authenticated:
———————————————————–
#SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

#TLS
smtpd_tls_key_file = /etc/pki/postfix/private/postkey.key
smtpd_tls_cert_file = /etc/pki/postfix/certs/post_signed_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may

#HELO Restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit

———————————————————–

Next, uncomment the submission line in the master.cf file so that clients can also authenticate on port 587, which ISPs generally leave open even when they block port 25:
———————————————————–
smtp inet n - n - - smtpd
submission inet n - n - - smtpd

———————————————————–

We now need to tie Postfix into Dovecot's authentication. Go to the auth default section of the Dovecot configuration file (Dovecot 1.x syntax) and add/edit the following lines. The socket path is the private/auth that smtpd_sasl_path refers to, relative to Postfix's queue directory, and plain and login are plaintext mechanisms, which is why smtpd_tls_auth_only above matters:
———————————————————–
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
user = root
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}

———————————————————–

Restart the Postfix and Dovecot services.
———————————————————–
service postfix restart
service dovecot restart

———————————————————–

In order to test to make sure SSL/TLS is working we will need to telnet to the port and run a few commands.
———————————————————–
$ telnet localhost 25
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 smtp.example.com ESMTP Postfix
ehlo smtp.example.com
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

———————————————————–

What you are looking for is STARTTLS in the EHLO response, which tells you that TLS is activated. Note that AUTH is not listed: with smtpd_tls_auth_only = yes Postfix advertises it only after the session is encrypted, which is exactly what we want. To make sure the certificates are working, type STARTTLS, which should return 220 2.0.0 Ready to start TLS. If it says anything else, the key or certificate could not be loaded (check /var/log/maillog for the reason) and you will need to go back and fix it. telnet cannot take the session any further, so to verify the certificate chain and see AUTH offered, use openssl s_client -starttls smtp -connect localhost:25 -CAfile with the CA certificate written by CA.pl (demoCA/cacert.pem), then type EHLO again once the handshake has printed the certificate details.
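The checks that matter after STARTTLS succeeds are whether the certificate chain validates against the CA you created and whether AUTH is offered inside the encrypted session. The script below is an added example and not from the original post: it drives openssl s_client through the exchange and grades the transcript. The hostname, port and CA path in the usage line are placeholders, and the two transcripts at the bottom are constructed to show what a passing and a failing run look like.

```bash
#!/bin/sh
# Added example: check a Postfix STARTTLS setup with openssl s_client and grade the result.
# Usage: smtp_tls_check smtp.example.com 25 demoCA/cacert.pem
# Sends EHLO and QUIT inside TLS and feeds the whole transcript to tls_grade.
smtp_tls_check() {
    host=$1; port=${2:-25}; cafile=$3
    printf 'EHLO check.example.com\r\nQUIT\r\n' |
        openssl s_client -ign_eof -starttls smtp -connect "$host:$port" -CAfile "$cafile" 2>&1 |
        tls_grade
}

# Reads an s_client transcript on stdin. Prints one line per check; exit status is 0 only
# if the chain verified against the CA and AUTH was offered after the handshake.
tls_grade() {
    awk '
        /Verify return code:/ { verify = $0; sub(/.*Verify return code: */, "", verify) }
        /^ *Protocol *:/      { proto = $NF }
        /^ *Cipher *:/        { cipher = $NF }
        /^250[- ]AUTH/        { auth = $0; sub(/^250[- ]AUTH */, "", auth) }
        END {
            fail = 0
            if (verify == "") verify = "no verification result"
            if (verify == "0 (ok)") print "chain: verified against CA"
            else { print "chain: NOT verified (" verify ")"; fail = 1 }
            if (proto != "") print "session: " proto " " cipher
            if (auth != "") print "auth: offered inside TLS (" auth ")"
            else { print "auth: NOT offered after STARTTLS (check smtpd_sasl_* and the Dovecot socket)"; fail = 1 }
            exit fail
        }
    '
}

# Constructed transcripts (not real captures) in the shape s_client prints: the CA-signed
# server cert with AUTH offered after the handshake, and a self-signed cert with no AUTH.
GOOD_TRANSCRIPT='CONNECTED(00000003)
depth=1 CN = Example Mail CA
verify return:1
depth=0 CN = smtp.example.com
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
250-smtp.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 DSN
221 2.0.0 Bye'

BAD_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = smtp.example.com
verify error:num=18:self signed certificate
verify return:1
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
250-smtp.example.com
250-PIPELINING
250 DSN
221 2.0.0 Bye'

# Grade a transcript passed as $1; returns the exit status of tls_grade.
grade_sample() {
    printf '%s\n' "$1" | tls_grade
}
```

A passing run prints the chain, session and auth lines and exits 0; the failing transcript shows the two things that go wrong most often, a certificate the CA did not sign and AUTH missing because the Dovecot socket is not reachable from Postfix.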
