Fwd: CentOS6 & Kolab3.2 Fresh install

jonte+kolab at yojimbo.org
Mon Aug 11 14:17:11 CEST 2014



Hi Stuart,

Security is an elusive goal. The real difficulty is to present it in an easily understood form. From what I understand from Torsten and Jeroen, who created the SELinux package, one of the design goals is to be able to leave SELinux running. This in itself is a big win, since SELinux prevents applications from being misconfigured, but since it's hard to read the logs, what most people do when they encounter a problem with their web or email process is to turn off the security for everything else.

mod_security is the same: the logs are very detailed, but for a new person it's just not worth trying to understand what's wrong and how to fix it. Once you figure out which rule you need to turn off, most people can't judge if the rule is important or not. In other words, is the application broken or is the rule just overreaching?

I left some things out from the update last night: https://docs.kolab.org/howtos/secure-kolab-server.html is a good page; protect everything with encryption.
Don't open ports 119 and 143, and make sure you require TLS for port 389 access and allow it for port 25, but require it for relaying outbound emails. Make sure you support

I would like to play with dogtag, as client certificates are a very good way to tighten up access, but it's probably not low-hanging fruit for everybody.
Fail2ban is a good way to slow down brute-force attacks and works very well for a range of logs (web, imap, ssh).

Jonte.

On 11/08/2014, at 4:47 AM, Stuart Naylor wrote:

> Jonte, some great info there for this noob :)
>  
> Being a noob I always get caught by security be it selinux, firewall or apache security.
> Would be great to have "setup-kolab-security" that does the security layer after you have a proven install.
>  
> Stuart
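The Fail2ban behaviour Jonte recommends (count authentication failures per source within a time window and ban the source once a threshold is hit) written out as an added Python example; this is not code from the thread or from Fail2ban itself, and the sshd/Cyrus IMAP line formats, the sample log and the assumed year 2014 are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified match patterns for sshd and Cyrus IMAP failures (assumed formats,
# not fail2ban's shipped filters); Kolab 3.2 uses Cyrus for IMAP.
FILTERS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .+ from (?P<ip>[\d.]+)"),
    "cyrus-imap": re.compile(r"imap\[\d+\]: badlogin: \S+ \[(?P<ip>[\d.]+)\]"),
}
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) ")

# Constructed sample log: one IMAP brute-force burst, one slow sshd attempt,
# one legitimate login that must not count.
SAMPLE_LOG = [
    f"Aug 11 14:00:{s:02d} mail imap[2201]: badlogin: pc.example [198.51.100.7] "
    "plaintext jdoe@example.org SASL(-13): authentication failure"
    for s in (1, 5, 9, 12, 15)
] + [
    "Aug 11 14:01:00 mail sshd[3102]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Aug 11 14:20:00 mail sshd[3110]: Failed password for root from 203.0.113.9 port 51040 ssh2",
    "Aug 11 14:40:00 mail sshd[3115]: Failed password for root from 203.0.113.9 port 51061 ssh2",
    "Aug 11 14:41:00 mail sshd[3116]: Accepted publickey for admin from 192.0.2.10 port 51070 ssh2",
]

def find_bans(lines, maxretry=5, findtime=600, year=2014):
    """Return {(jail, ip): ban_timestamp} for sources with >= maxretry failures inside
    any findtime-second window (fail2ban's maxretry/findtime). Syslog has no year, so one is assumed."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)      # (jail, ip) -> failure timestamps still in window
    bans = {}
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        for jail, pat in FILTERS.items():
            hit = pat.search(line)
            if not hit:
                continue
            q = recent[(jail, hit.group("ip"))]
            q.append(ts)
            while ts - q[0] > window:    # expire failures older than findtime
                q.popleft()
            if len(q) >= maxretry:
                bans[(jail, hit.group("ip"))] = ts
            break
    return bans
```

The three sshd failures are 20 minutes apart, so they never fall inside the default 600-second window and that source is left alone; widening findtime to an hour is what catches a slow attacker.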

