Fwd: CentOS6 & Kolab3.2 Fresh install

Stuart Naylor StuartIanNaylor at inbox.com
Mon Aug 11 21:33:27 CEST 2014


On Monday 11 August 2014 22:17:11 jonte+kolab at yojimbo.org wrote:


Hi Stuart,

Security is an elusive goal. The real difficulty is to present it in an easily understood form. From what I understand from Torsten and Jeroen, who created the SElinux package, one of the design goals is to be able to leave SElinux running. This in itself is a big win since SElinux prevents applications from being misconfigured, but since it's hard to read the logs, what most people do when they encounter a problem with their web or email process is to turn off the security for everything else.

mod_security is the same: the logs are very detailed, but for a new person it's just not worth trying to understand what's wrong and how to fix it. Once you figure out which rule you need to turn off, most people can't judge if the rule is important or not. In other words, is the application broken or the rule just overreaching?

I left some things out from the update last night. https://docs.kolab.org/howtos/secure-kolab-server.html is a good page: protect everything with encryption. Don't open ports 119,143 and make sure you require TLS for port 389 access and allow it for port 25 but require it for relaying outbound emails. Make sure you support

I would like to play with dogtag, as client certificates are a very good way to tighten up access, but it's probably not low hanging fruit for everybody. Fail2ban is a good way to slow down brute force attacks and works very well for a range of logs (web, imap, ssh).

Jonte.

On 11/08/2014, at 4:47 AM, Stuart Naylor wrote:

> Jonte some great info there for this noob
>
> Being a noob I always get caught by security be it selinux, firewall or apache security.
> Would be great to have "setup-kolab-security" that does the security layer after you have a proven install.
>
> Stuart



It was just a feeling that it would be great to be able to install and setup kolab without security 
concerns then be able to toggle a kolab security profile.

That was my only thought as being a Debian/Ubuntu guy many times apparmor has puzzled the 
hell out of me and often I have just turned it off.
This has allowed me to set up and try things easily and quickly before production, where it's 
essential to these security considerations.

kolab-security [On/Off] just makes it easy for noob or expert alike to apply these.

I think it's superb that you have added some docs on this and if it's OK I will start writing a bash 
script kolab-security that will do this for you.

If you have any ideas on the manner in which this should work, prob a kolab-security.conf file.

Several years ago I used to use ClearOS and they have snort in an IDS/IPS arrangement which 
being public is pretty essential.

More of a suricata fan one time. I was doing some remote checking and not sure what I did but it 
blacklisted my IP.

I think I had a moment of password memory fog of using an old password, can't remember 
actually :).

It was quite a drive to the client and sometimes it is just good to be able to turn on and off this 
functionality.

Fail2ban really good idea and the mod_security, I think yeah should be part of the script.

Also really SSL is essential nowadays so I am ex M$ and my bash scripts are usually a bit ropey 
hacks without elegance.

Maybe they might just work as a datum as there is much to security but from what you have 
highlighted much could be achieved relatively easily.

It will also help this kolab noob start to get a bigger picture of kolab.

Many Thanks

Stuart.
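
A check for the port advice in the quoted message, as an added example that is not part of the original thread or of any Kolab tooling: it reads `ss -ltn` style output and reports listeners on the ports the message says not to open (119 and 143) when they are bound beyond loopback. The function names and the `PLAINTEXT_PORTS` variable are assumptions made for illustration, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the port advice quoted above.
# The port list comes from the quoted message; PLAINTEXT_PORTS is a hypothetical override.
PLAINTEXT_PORTS="${PLAINTEXT_PORTS:-119 143}"

# Reads `ss -ltn` style output on stdin and prints "addr port" for every
# listener on a flagged port that is reachable beyond loopback.
# Exit status: 0 = nothing exposed, 1 = at least one exposed listener.
find_exposed() {
    awk -v ports="$PLAINTEXT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) bad[p[i]] = 1 }
        $1 == "LISTEN" {
            local_addr = $4
            # The port follows the last colon (covers *:143, :::143 and [::]:143).
            idx = match(local_addr, /:[0-9]+$/)
            if (idx == 0) next
            port = substr(local_addr, idx + 1)
            addr = substr(local_addr, 1, idx - 1)
            # Loopback-only listeners are not reachable from the network.
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            if (port in bad) { print addr, port; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample in the format `ss -ltn` prints; not taken from a real host.
sample_ss_output() {
    cat <<'EOF'
State      Recv-Q Send-Q   Local Address:Port   Peer Address:Port
LISTEN     0      128      *:143                *:*
LISTEN     0      128      127.0.0.1:389        *:*
LISTEN     0      128      :::993               :::*
LISTEN     0      100      *:25                 *:*
LISTEN     0      128      127.0.0.1:119        *:*
EOF
}

# On a live host: ss -ltn | find_exposed
```

Run it after each configuration change, so a listener that reappears when a security layer is toggled off and on again is caught before the host goes public.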
