Well, I got my OpenBSD server working behind an OpenBSD PF firewall. On the server, I'm running fetchmail to get my email, qmail to deliver it, and courier-imapd-ssl to view it remotely with my laptop. Also, my server home directory is mounted on my Mac Mini workstation via NFS.

All is good, just would like some guidance on the following:

1. Since I have to mount the home directory with the -P2 option, it is impossible to get OS X to automatically mount the home directory. I have to login to the Mac Mini as root, mount it, and then I'm good to go. How can I get these two to play nice?

2. My home directory is mounted global read/write behind the firewall. This is not good practice, I know. How do I mount it such that it will be read/writable via the Mac, but not to the rest of the world? I'm thinking of permissions, exports, etc.

3. I cannot get Squirrelmail to work for love or money. The message I keep getting is "connection dropped by IMAP server." Under Linux, it worked beautifully, first try. What could be the cause?

4. Apache doesn't recognize "index.php" for some reason. If I type the URL http://foo.bar.com/webmail/index.php, then Apache loads it, but if I just type http://foo.bar.com/webmail/, Apache shows (!) a listing of the Webmail directory. This is a major security hole, I know. How can I patch it?

5. I want to block the script kiddie dictionary attacks at my SSH at the firewall. I know there are scripts that track the number of login attempts from a certain IP, but I would need to get this information from my server to my firewall so it can be blocked. Alternatively, I could also run PF on the server and do it that way, but I'd rather do it at the firewall. Any ideas?

Any help would be appreciated.
sealinux@gmail.com wrote:

> Well, I got my OpenBSD server working behind an OpenBSD PF firewall.
> On the server, I'm running fetchmail to get my email, qmail to deliver
> it, and courier-imapd-ssl to view it remotely with my laptop. Also, my
> server home directory is mounted on my Mac Mini workstation via NFS.
>
> All is good, just would like some guidance on the following:
>
> 1. Since I have to mount the home directory with the -P2 option, it is
> impossible to get OS X to automatically mount the home directory. I
> have to login to the Mac Mini as root, mount it, and then I'm good to
> go. How can I get these two to play nice?

As described in mount_nfs(8) and mountd(8), requiring privileged ports is a good idea. (Notably, it requires that an attacker gains root on whatever clients you have, instead of penetrating a random account.) It is a better idea to put this mount command in whatever OS X's idea of /etc/fstab is, but if this is impossible, see mountd(8), -n.

> 2. My home directory is mounted global read/write behind the firewall.
> This is not good practice, I know. How do I mount it such that it
> will be read/writable via the Mac, but not to the rest of the world?
> I'm thinking of permissions, exports, etc.

You should have an exports file that looks like this:

/nfs-exported -maproot=youruserid:yourgroupid:anyadditionalgroups yourclienthostname

(Line broken for readability, it should be one long line.)

If the uids are different between machines, you might wish to use -mapall (see exports(5)).

> 3. I cannot get Squirrelmail to work for love or money. The message I
> keep getting is "connection dropped by IMAP server." Under Linux, it
> worked beautifully, first try. What could be the cause?

Some problem with the IMAP server, obviously. I'd require more information to say what is wrong, exactly.

> 4. Apache doesn't recognize "index.php" for some reason. If I type
> the URL http://foo.bar.com/webmail/index.php, then Apache loads it, but
> if I just type http://foo.bar.com/webmail/, Apache shows (!) a listing
> of the Webmail directory. This is a major security hole, I know. How
> can I patch it?

It's not much of a security hole, IMNSHO, since everybody can download Squirrelmail and find out where all the files are. And even in the case where it's some custom-developed application, it's usually easy to brute-force the names. That being said, it *is* annoying. Solve it by adding index.php to the DirectoryIndex parameter in /var/www/conf/httpd.conf.

> 5. I want to block the script kiddie dictionary attacks at my SSH at
> the firewall. I know there are scripts that track the number of login
> attempts from a certain IP, but I would need to get this information
> from my server to my firewall so it can be blocked. Alternatively, I
> could also run PF on the server and do it that way, but I'd rather do
> it at the firewall. Any ideas?

This is very, very hard to get right. Most implementations suffer from two big problems:

+ it is possible to deny service to any outside address if one has the capability to spoof packets to appear to come from that address. This capability is not that hard to come by for a determined attacker, in other words a capable attacker will be able to lock you out from your own server.

+ any sensible script kiddie that will actually go after you personally will use a large network of machines, a so-called botnet, or lots of spoofed IPs. In this case, blocking an IP after a couple of attempts is not very effective.

Additionally, it makes people feel too safe. You should be using sshd with public keys only, or with very difficult-to-guess passwords if that is not an option. Of course, if you are just tired of the mess in your logs, you can just move sshd to another port. And the script kiddie just scanning the whole internet is not much of a threat if you have passwords that cannot be guessed by a 5-year old.

Joachim
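An added example of the exports line Joachim describes, not part of his reply: it restricts the home directory export to the Mac Mini and maps the client's root to the owner's uid, so a mount done as root on the Mac acts as that user rather than as root. The path, hostname, uid and gid are assumptions.

```conf
# /etc/exports on the OpenBSD server (example; path, host, uid and gid are assumed)
#
# -maproot=uid:gid  credentials used when the client's root touches the export;
#                   mapping root to the home directory's owner keeps a root-done
#                   mount on the Mac from acting as root on the server
# host list         only the named client may mount; every other host is refused
/home/alice -maproot=1000:1000 macmini.example.net

# If the owner's uid on the Mac differs from the one on the server, map every
# client uid to the owner instead (exports(5), -mapall); use one or the other.
#/home/alice -mapall=1000:1000 macmini.example.net
```

After editing, make mountd re-read the file with `kill -HUP $(cat /var/run/mountd.pid)` and check `showmount -e localhost`, which should now list the export with the single host rather than "Everyone"; a line mountd rejects shows up in /var/log/messages. The host list only decides who may mount; ordinary users on the Mac still arrive with their own uids, so the server's file permissions keep applying.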
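An added httpd.conf fragment, not from the reply, with the DirectoryIndex change Joachim suggests plus the Options setting that turns automatic directory listings off altogether, so a directory that has no index file answers 403 instead of showing its contents. The webmail path assumes Squirrelmail sits under /var/www/htdocs, the DocumentRoot of the Apache 1.3 in OpenBSD's base system.

```conf
# /var/www/conf/httpd.conf (OpenBSD base Apache 1.3; the webmail path is assumed)

# Files tried, in order, when a request names a directory.
DirectoryIndex index.html index.php

<Directory "/var/www/htdocs/webmail">
    # Without Indexes, a directory that lacks a matching index file returns
    # 403 Forbidden instead of an auto-generated listing of its files.
    Options -Indexes
    AllowOverride None
</Directory>
```

Run `apachectl configtest` before applying it; on a chrooted server (the OpenBSD default) a full stop and start is the safe way to pick up the change. Then request http://foo.bar.com/webmail/ and confirm index.php is served, and request a subdirectory that has no index file to confirm it now gets 403 rather than a listing.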
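An added example, not from the thread, of doing the blocking on the firewall with the rate limiting PF provides itself, which needs no login information from the server at all: the pass rule's state options count new SSH connections per source address and put any address that exceeds the limit into a table that a block rule consults. pf.conf(5) states that these limits apply to connections that have completed the TCP handshake, which a spoofed source cannot do, but a typo or a flapping link can still get your own address blocked, so the example passes a table of trusted addresses first. Interface name, addresses and thresholds are assumptions; the syntax is that of the OpenBSD 3.8-era pf.conf(5), where keep state must be spelled out.

```conf
# /etc/pf.conf on the firewall (example; interface, addresses and limits assumed)
ext_if = "fxp0"
server = "192.168.1.10"

# Addresses that must never be locked out, e.g. the laptop's usual connection.
table <trusted> { 203.0.113.7 }
# Filled by the overload option below; persist keeps the table across reloads
# even when no rule references it at load time.
table <bruteforce> persist

# Forward SSH arriving on the outside address to the server (only needed if
# the firewall holds the public address the laptop connects to).
rdr on $ext_if proto tcp from any to ($ext_if) port ssh -> $server port ssh

pass in quick on $ext_if proto tcp from <trusted> to $server port ssh \
    flags S/SA keep state
block in quick on $ext_if from <bruteforce>

# A source that opens more than 3 new SSH connections in 30 seconds, or holds
# more than 5 at once, is added to <bruteforce>; "flush global" also tears down
# every existing state it has, not just the SSH ones.
pass in on $ext_if proto tcp from any to $server port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global)
```

Check the file with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`. `pfctl -t bruteforce -T show` lists who has been caught and `pfctl -t bruteforce -T delete <address>` releases one; on releases whose pfctl(8) supports `-T expire`, a cron job running `pfctl -t bruteforce -T expire 86400` ages entries out after a day. Note what this does and does not do: it counts connections rather than failed logins, which is exactly why it can run on a firewall that never sees the authentication exchange, and it does nothing against the many-address botnet case Joachim describes.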
On 2005-12-19, sealinux@gmail.com <sealinux@gmail.com> wrote:

> 5. I want to block the script kiddie dictionary attacks at my SSH at
> the firewall. I know there are scripts that track the number of login
> attempts from a certain IP, but I would need to get this information

I usually change the default SSH port to something obscure, which, at least for me, has significantly cut down the number of hack attempts against the external-facing SSH-enabled hosts I have. Everyone's looking for SSH servers on tcp/22, why not tcp/xxxx? This is "security by obscurity" and actually protects from little, but only a determined attacker is going to find a non-standard port - perhaps find something obscure with a search through http://www.portsdb.org (I think that's the link!)

-DMFH
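An added sshd_config for the server, not from either reply, that puts Joachim's advice (public keys only) and DMFH's (a non-default port) together. The port number and user name are assumptions; the directives are long-standing sshd_config(5) ones.

```conf
# /etc/ssh/sshd_config on the server (example; port and user name are assumed)
Protocol 2

# Non-default port: cuts the log noise from scanners that only try 22. If the
# firewall forwards SSH to this host, its rdr and pass rules must use this port.
Port 2222

# Key-based logins only. With every password path closed, a dictionary attack
# has nothing left to guess at.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# Limit who may even attempt a login; one account for the laptop is enough here.
AllowUsers alice

# Fewer tries per connection and less time to complete a login.
MaxAuthTries 3
LoginGraceTime 30
```

Put the laptop's public key in ~alice/.ssh/authorized_keys before turning passwords off, keep an existing session open while you change things, check the file with `sshd -t`, then `kill -HUP $(cat /var/run/sshd.pid)`. From the laptop, `ssh -p 2222 -o PubkeyAuthentication=no alice@server` should now be refused with "Permission denied (publickey)", and the same command without that option should log in with the key.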