SecurityFAQ



* I think I found a bug. What should I do?

First, if you feel your bug is a security issue, in SME Server or in the contribs.org website, please send an email to security@lists.contribs.org. Otherwise, please check the Bug reporting and confirmation forum here to see if it has already been reported. If your bug is not listed yet, you might open a thread there, to gather any pertinent feedback. If it is accepted as an actual bug, someone will open an item in the Bug Tracker tool, or suggest that you do.


* How to change ssh protocol version, login timeout and listening port

SME standard protocol version is 1, login timeout is 600 sec and ssh port is 22. If you are paranoid like me, you can change these values with a custom template to whatever suits your needs. In the sample the protocol is changed to 2, login timeout to 60 sec, port to 222. Check /etc/ssh/sshd_config and make a backup of it. Check if /etc/e-smith/templates-custom/etc/ssh/sshd_config already exists. If yes, you can skip the first step. Issue the following commands on the console:

1. 'mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config'
2. 'touch /etc/e-smith/templates-custom/etc/ssh/sshd_config/10Port'
3. 'touch /etc/e-smith/templates-custom/etc/ssh/sshd_config/16Protocol'
4. 'touch /etc/e-smith/templates-custom/etc/ssh/sshd_config/20LoginGraceTime'
5. 'echo "Port 222" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/10Port'
6. 'echo "Protocol 2" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/16Protocol'
7. 'echo "LoginGraceTime 60" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/20LoginGraceTime'
8. '/sbin/e-smith/expand-template /etc/ssh/sshd_config'
9. '/sbin/e-smith/signal-event remoteaccess-update'

Recheck /etc/ssh/sshd_config and compare it with your backup to confirm that the desired entries are there. Don't forget to adjust your ssh settings if you are using PuTTY or WinSCP or whatever.

ldkeen
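
One way to automate the recheck described in the entry above, as an added example that is not part of the original FAQ or of SME Server. The function names are hypothetical, and the script relies on sshd using the first occurrence of each keyword in sshd_config, so an earlier duplicate line would shadow the custom value.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# sshd_config rules relied on here: keywords are case-insensitive and the
# FIRST occurrence of a keyword wins; later duplicates are ignored.

effective_value() {  # usage: effective_value <config-file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == want { print $2; exit }  # first occurrence wins
    ' "$1"
}

check_setting() {  # usage: check_setting <config-file> <keyword> <expected>
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK    $2 = $actual"
        return 0
    fi
    echo "FAIL  $2 = ${actual:-unset} (expected $3)"
    return 1
}

verify_sshd_config() {  # checks the three values used in the FAQ entry
    rc=0
    check_setting "$1" Port 222 || rc=1
    check_setting "$1" Protocol 2 || rc=1
    check_setting "$1" LoginGraceTime 60 || rc=1
    return $rc
}

# Constructed sample: an earlier "Port 22" line shadows the custom "Port 222".
sample=$(mktemp)
printf '%s\n' '# constructed sample, not a real SME config' \
    'Port 22' 'protocol 2' 'Port 222' 'LoginGraceTime 60' > "$sample"
verify_sshd_config "$sample" || echo "sshd would not use the intended settings"
rm -f "$sample"
```

To check the live file after expanding the template, call verify_sshd_config /etc/ssh/sshd_config.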


* Is SME secure? Is this a firewall?

You're cheating, this is really two questions :-)

  1. Yes. All nonessential network services have been removed, necessary network services have been replaced with more secure versions, and the system is configured to allow access to these services only from hosts on the internal network. Regular user accounts, and server functions that use accounts, are restricted to the minimum access required to perform their tasks. Only the administrator can configure the system or have access to the shell. Remote access to the server is denied by default.
  2. Yes. Since version 4.1, SME Server in Server and Gateway mode has contained a complete firewall system. All unsolicited external network traffic is denied, unless SME is specifically configured otherwise. In Private Server and Gateway mode, all unsolicited external traffic is ignored (i.e. the ports are stealthed), although SME can log this traffic if you wish. To an external port scan, it looks like there's nothing there.




* The "Leak Test" of www.grc.com indicated that SME's firewall was penetrated. What does this mean?

The grc.com test launches outgoing connection attempts through your server and reports whether or not they succeeded. SME's firewall rules permit all outgoing connections, so the test reports a leak. The server is still well protected against the external world.


* How can I see all the network packets refused or filtered by SME's firewall?

By default, refused packets are not logged. However, there are three levels of logging available for SME. To activate the desired level, enter the command:

'/sbin/e-smith/db configuration setprop masq Logging xxxx'
where 'xxxx' is one of the following three strings:
all - all blocked packets are logged
most - all blocked packets are logged, except SMB and RIP packets
none - (default option) no blocked packets are logged


Then run the update:
'/sbin/e-smith/signal-event remoteaccess-update'

Now a log of blocked packets is visible in server-manager - View Log Files. Note that this log also receives entries from other processes.


* "Nessus" detected several vulnerabilities on smtp port 25. Should I be concerned?

We checked several vulnerabilities listed by Nessus in detail as soon as they were brought to our attention. We found that they were in fact false alarms.
The SME SMTP server is protected from the exact buffer overflow attempts mentioned in the Nessus reports. Moreover, the SMTP server runs under an unprivileged user account, in a restricted environment that protects the system against compromise attempts.


* Can SME Server be used as a mail relay?

Since e-smith 3.1, relaying attempts are blocked. Therefore, unless you have modified the configuration, you can send messages from your LAN to anywhere in the world, and receive mail from anywhere as long as it is addressed to your local domains.


* Why does SME fail the mail relaying tests from some Web sites?

Relaying tests carried out by Web sites only test whether your server accepts a message, not whether it sends the message on. The SME mail agent will seem to fail this kind of test, but it will not retransmit the message. These failures are therefore false alarms. The messages will either be returned to the sender or forwarded to the administrator, according to your configuration on the "Other email settings" page in the Server Manager.

You can find more detail on mail relaying and the relaying tests at these sites:
http://www.faqts.com/knowledge-base/view.phtml/aid/1198/fid/206/lang/en
http://www.mail-abuse.net
http://www.abuse.net/relay.html


The relaying test of abuse.net carries out a complete test, by sending a message to your server to discover open mail relays. It is the only effective method to detect open relays.


* How about viruses? Does SME protect against viruses?

Currently, no. However, there are several contributions that make it possible to protect your server, any files or documents stored in ibays, and/or any email sent or received by your server.


* rootkithunter complains about vulnerabilities, what's going on?

RKHunter could be wrong. It very likely is wrong if it is depending just on version numbers to infer that software is vulnerable.

It also searches for real evidence that a system has been compromised, looking for various telltale signs, such as known cracking tools, and hidden temporary directories.

Charlie Brady

rkhunter is such a load of #$&%#$!! All it does is scan your system for packages and compare them to a list of version numbers. If it doesn't match the latest version then it says you are vulnerable. What it should really be called is "checkforlatestversion". That is all it really does.

Shad Lords


* How to enforce well-chosen passwords?

Issue on the console:

/sbin/e-smith/config setprop passwordstrength User strong
/sbin/e-smith/config setprop passwordstrength Ibays strong
/sbin/e-smith/config setprop passwordstrength Admin strong

Charlie Brady