Hardening your toaster
Having done a basic install of QMT on Centos 5.4, I wanted to add a number of security-related features to protect my server.
SSH
Create a normal system user and set a password:
adduser -g wheel <username>
passwd <username>
The above already added the user to the group wheel, so that you can later become root using su -.
Edit /etc/ssh/sshd_config and set the option PermitRootLogin to no.
Now, restart sshd by running:
service sshd restart
The system will no longer allow remote login for root, but the user you created earlier will be able to become root.
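One thing worth checking after editing sshd_config: sshd uses the first uncommented occurrence of a keyword and ignores any later ones, so a PermitRootLogin no appended at the end of the file is silently ignored if an earlier uncommented PermitRootLogin yes is still there. The following script is an added example (not from this wiki or the QMT project) that prints the value sshd will actually use and checks that root login is effectively off; the function names and the config content in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the QMT wiki): report the value sshd will actually use.
# sshd_config takes the FIRST uncommented occurrence of a keyword and ignores
# later ones, so "PermitRootLogin no" appended at the bottom of the file does
# nothing if an uncommented "PermitRootLogin yes" already appears above it.
# Limitations: handles "Keyword value" syntax only (not "Keyword=value") and does
# not evaluate Match blocks.

# sshd_effective_value FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }   # first match wins, like sshd
    ' "$1"
}

# check_root_login FILE -> returns 0 when PermitRootLogin is effectively "no"
check_root_login() {
    v=$(sshd_effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# Stand-alone demo on a constructed config (assumed content, not a real server's file)
demo_cfg=$(mktemp)
printf '#PermitRootLogin yes\nPermitRootLogin yes\n# added later, but ignored by sshd:\nPermitRootLogin no\n' > "$demo_cfg"
echo "effective PermitRootLogin: $(sshd_effective_value "$demo_cfg" PermitRootLogin)"
if check_root_login "$demo_cfg"; then
    echo "OK: root login disabled"
else
    echo "WARNING: root login still permitted"
fi
rm -f "$demo_cfg"
```

Run it against the real file with sshd_effective_value /etc/ssh/sshd_config PermitRootLogin before restarting sshd. Newer OpenSSH releases also offer sshd -T to dump the effective configuration, but the OpenSSH 4.3 shipped with CentOS 5 predates that option.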
Denyhosts
To automatically block IP addresses from using ssh after a number of failed login attempts (I constantly get loads of dictionary-based break-in attempts from single IP addresses), you can add the denyhosts service.
I downloaded the package denyhosts-2.6-3.el5.rf.noarch.rpm from denyhosts.sourceforge.net and installed using rpm -i denyhosts-2.6-3.el5.rf.noarch.rpm.
I modified my settings in /etc/denyhosts.conf and then enabled the service like this:
chkconfig denyhosts on
service denyhosts start
The system will now add every IP address that violates the rules you specified in the config file to /etc/hosts.deny.
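To see what denyhosts will act on, it helps to do its counting by hand once. The script below is an added example (not from this wiki or the denyhosts project): it tallies "Failed password" lines from /var/log/secure per source address, lists the addresses at or above a threshold, and formats them as the "sshd: address" TCP wrappers lines denyhosts writes to /etc/hosts.deny. The log lines in the demo are constructed (documentation addresses), and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the QMT wiki): the counting that denyhosts automates,
# done by hand over /var/log/secure-style lines. Useful to see what denyhosts
# would act on and to sanity-check the DENY_THRESHOLD_* settings in denyhosts.conf.

# failed_ssh_by_ip LOGFILE -> "count ip" per source address, most active first
failed_ssh_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# offending_ips LOGFILE THRESHOLD -> addresses with at least THRESHOLD failures
offending_ips() {
    failed_ssh_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# hosts_deny_lines LOGFILE THRESHOLD -> TCP wrappers lines in the form denyhosts writes
hosts_deny_lines() {
    offending_ips "$1" "$2" | sed 's/^/sshd: /'
}

# Stand-alone demo on constructed log lines (documentation addresses, not real attackers)
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Jan 10 03:12:01 mail sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:04 mail sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:07 mail sshd[2105]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 10 03:15:30 mail sshd[2110]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:15:41 mail sshd[2110]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
EOF
echo "failures per source:"; failed_ssh_by_ip "$demo_log"
echo "would be denied at threshold 3:"; hosts_deny_lines "$demo_log" 3
rm -f "$demo_log"
```

Note that a single typo by a legitimate user (198.51.100.7 above) stays below the threshold, which is exactly the distinction the denyhosts thresholds are there to make.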
Stopping unused services
Personally, I want my users to make use of SSL wherever possible. Therefore, I stopped the service pop3 (unless you use an imap client on localhost, like squirrelmail, you can disable imap4 as well).
To disable a service <service>, cd to /var/qmail/supervise and run:
svc -d <service>
To keep a service from starting again when QMT restarts:
touch <service>/down
touch <service>/log/down
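The three steps above as one function, plus a check that the down markers are really in place. This is an added example (not from this wiki or the QMT project): it stops both the service and its log process with svc (only when svc is installed, so the script can be tried on any machine), creates the down files, and verifies the result. The supervise directory is passed as a parameter (/var/qmail/supervise on a toaster); the function names and the throwaway directory tree in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the QMT wiki): disable a supervised QMT service in one
# step and verify the result. daemontools' svc stops the running instance; the
# "down" files keep supervise from starting it again. svc is only called when it
# is installed, so the function can be exercised on any machine.
# Assumed layout: $SUPERVISE_DIR/<service> with an optional log/ subdirectory,
# as under /var/qmail/supervise on a toaster.

# qmt_disable_service SUPERVISE_DIR SERVICE -> 0 on success, 1 if SERVICE does not exist
qmt_disable_service() {
    dir="$1/$2"
    if [ ! -d "$dir" ]; then
        echo "qmt_disable_service: no such service directory: $dir" >&2
        return 1
    fi
    if command -v svc >/dev/null 2>&1; then
        svc -d "$dir"                                      # stop the service now
        if [ -d "$dir/log" ]; then svc -d "$dir/log"; fi   # and its multilog process
    fi
    touch "$dir/down"                                      # do not start on next supervise run
    if [ -d "$dir/log" ]; then touch "$dir/log/down"; fi
    return 0
}

# qmt_service_disabled SUPERVISE_DIR SERVICE -> 0 if the down markers are in place
qmt_service_disabled() {
    dir="$1/$2"
    [ -f "$dir/down" ] || return 1
    if [ -d "$dir/log" ] && [ ! -f "$dir/log/down" ]; then return 1; fi
    return 0
}

# Stand-alone demo against a throwaway directory tree (constructed, not /var/qmail/supervise)
demo_root=$(mktemp -d)
mkdir -p "$demo_root/pop3/log"
qmt_disable_service "$demo_root" pop3
if qmt_service_disabled "$demo_root" pop3; then
    echo "pop3: disabled"
else
    echo "pop3: still enabled"
fi
rm -rf "$demo_root"
```

On a real toaster call it as qmt_disable_service /var/qmail/supervise pop3 and confirm afterwards with svstat /var/qmail/supervise/pop3, which should report the service as down.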
Adapt firewall rules
Whichever services you disable, it makes sense to also disable the corresponding port in the firewall. In my case, I edited the firewall.sh script that was part of the installation (/usr/src/qtms-install/firewall.sh) and disabled pop3 and imap4, before running the script again using:
sh firewall.sh
This way, I can keep people outside my toaster from using unencrypted POP3 and IMAP, while webmail (horde in my case) can still use unencrypted IMAP (saves resources).
Enforce use of SSL for management websites
In order to ensure that setting up a new mail user, setting a password, etc. all only happen over an encrypted connection, I added the following at the top of /etc/httpd/conf/qcontrol.conf:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*/qcontrol.*)$ https://%{SERVER_NAME}$1 [L,R]
This redirects any request that arrives over plain http://xxxx to https://xxxx.
In the <Directory> block, I also added SSLRequireSSL. This ensures that the content in that directory is not accessible without an encrypted connection.
The same was necessary for the toaster.conf file in the same directory. I added the following header:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*/admin-toaster.*|.*/stats-toaster.*|.*/qlogs-toaster.*|.*/images-toaster.*|.*/scripts.*|.*/qmailadmin.*|.*/mail.*)$ https://%{SERVER_NAME}$1 [L,R]
Add SSLRequireSSL to every <Directory> section as well.
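Because SSLRequireSSL is set per <Directory> block, a block added to these files later without it silently serves over plain HTTP again, and the redirect only works while RewriteEngine on and the port-443 RewriteCond are still there. The script below is an added example (not from this wiki or the QMT project) that audits a conf file for both: it lists every <Directory> block without SSLRequireSSL and checks for the RewriteEngine/RewriteCond pair shown above. It is a line-oriented check, not an Apache parser (no Include following, no nested blocks); the function names and the conf fragment in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the QMT wiki): audit an httpd conf file for the two
# settings this section relies on. SSLRequireSSL is per <Directory>, so a block
# added later without it silently serves over plain HTTP; and the redirect only
# works if RewriteEngine is on and the port-443 RewriteCond is present.
# This is a line-oriented check, not an Apache parser: it does not follow
# Include directives and does not handle nested <Directory> blocks.

# directories_without_sslrequire CONF -> prints the path of each <Directory> block lacking SSLRequireSSL
directories_without_sslrequire() {
    awk '
        tolower($1) == "<directory" {
            name = $0
            sub(/^[ \t]*<[^ \t]*[ \t]+/, "", name)   # drop the leading "<Directory "
            gsub(/[">]/, "", name)                   # drop quotes and the closing ">"
            inblock = 1; seen = 0; next
        }
        inblock && tolower($1) == "sslrequiressl" { seen = 1 }
        inblock && tolower($1) == "</directory>"  { if (!seen) print name; inblock = 0 }
    ' "$1"
}

# has_https_redirect CONF -> 0 when the RewriteEngine/RewriteCond pair from this page is present
has_https_redirect() {
    grep -qiE '^[[:space:]]*RewriteEngine[[:space:]]+on' "$1" &&
        grep -qiF 'RewriteCond %{SERVER_PORT} !^443$' "$1"
}

# Stand-alone demo on a constructed conf fragment (not the toaster's real file)
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*/qcontrol.*)$ https://%{SERVER_NAME}$1 [L,R]
<Directory "/var/www/qcontrol">
    SSLRequireSSL
    AllowOverride None
</Directory>
<Directory /var/www/stats-toaster>
    AllowOverride None
</Directory>
EOF
echo "blocks missing SSLRequireSSL:"; directories_without_sslrequire "$demo_conf"
if has_https_redirect "$demo_conf"; then
    echo "https redirect: present"
else
    echo "https redirect: MISSING"
fi
rm -f "$demo_conf"
```

Run it on /etc/httpd/conf/qcontrol.conf and toaster.conf after every edit; an empty first list and "present" for the redirect is the expected result.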
Implement fail2ban
Fail2Ban is a program that monitors system logs for evidence of intrusion attempts, and automatically adds rules to the iptables firewall to block hosts that are the source of such attempts. It is very configurable, and is particularly useful for blocking 'brute-force' password-guessing attempts, such as attacks by SSH grinders or scripts trying to guess SMTP authentication credentials.
See http://wiki.qmailtoaster.com/index.php/Fail2Ban for tips on installation and configuration.
Add your own tips
If you find any additional things that can help make QMT more secure, or have spotted any mistakes, please feel free to edit this page!