Difference between revisions of "Security and Privacy"

(Added some censors)
(Some e-mail spam protection.)
Line 37: Line 37:
 
* Notify user with the spam filter if incoming e-mail is spoofed (invalid SPF / IP not in From: domain MX)
 
* Notify user with the spam filter if incoming e-mail is spoofed (invalid SPF / IP not in From: domain MX)
 
* Update the Exim 4.80 server to the latest version due to many [http://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/version_id-137217/Exim-Exim-4.80.html vulnerabilities]. You may use the Debian Jessie version of Exim 4.84-8.
 
* Update the Exim 4.80 server to the latest version due to many [http://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/version_id-137217/Exim-Exim-4.80.html vulnerabilities]. You may use the Debian Jessie version of Exim 4.84-8.
 +
* Install [http://www.tralios.de/Software/roundcube-report/ Roundcube Spam Plugin].
 +
* Use [https://blackholemx.abusix.com/ BlackHole MX].
 +
* Train SpamAssassin / Spam Filter with [https://spamfeedme.abusix.com/delicious_courses.html SpamFeed.Me].
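Review bot: The three added items name third-party tools and services without saying what adopting each one involves. "Use BlackHole MX" in particular should state which DNS or mail-routing change is meant and whether any mail addressed to our users would be delivered to abusix.com, since this page covers privacy as well as security. The Roundcube plugin link is plain http://, so the entry should say how the download is to be verified before it is installed. A short sub-item under each entry naming the owner and the intended configuration would make these actionable.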

Revision as of 11:14, 3 May 2015

This page discusses the security mechanisms and the configurations we use to prevent malicious attacks. Note that the information here will be limited to prevent exposing possible vulnerabilities.

Intrusion Prevention Mechanisms

We use:

To Do

Encryption

TODO: use some sort of encryption for the content of our users.

Suggestion: Allow users to opt in to a service where their entire inbox is encrypted with their GPG key, regardless of whether the sender of the original e-mail used GPG.

Configurations

TODO

  • Use non-default ports for ssh / imap? / ...
  • Block remote root login
  • Only allow ssh login using Private Keys
  • Renew (rotate) server ssh keys and use ECDH/ECDSA
  • Automated security updates without human intervention
  • Set up reminders about expiring certificates
  • Webmin (w/ someone monitoring)
  • monit with good rules and e-mails to Xestra

Webserver

  • Currently we have an amazingly insecure HTTPS setup with many security issues. This link lists all the problems along with how to fix them. A "good" server must get at least an A- on this test.
  • We run an "old" version of Apache (2.2.22) which has public [and private ;-) ] vulnerabilities. An upgrade is recommended. You may use the Debian Jessie version of Apache.

Additionally, our Root CA uses MD5 signatures, which have long been obsolete and are considered insecure.

E-Mail

  • Prevent outbound spoofing (check if From: matches authenticated username)
  • Notify user with the spam filter if incoming e-mail is spoofed (invalid SPF / IP not in From: domain MX)
  • Update the Exim 4.80 server to the latest version due to many vulnerabilities. You may use the Debian Jessie version of Exim 4.84-8.
  • Install Roundcube Spam Plugin.
  • Use BlackHole MX.
  • Train SpamAssassin / Spam Filter with SpamFeed.Me.
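
The outbound check from the first E-Mail item (From: must match the authenticated username), sketched in Python as an added example. It is not this server's Exim configuration; it assumes the login name is the full mailbox address, and `aliases` is a hypothetical list of extra addresses that login owns.

```python
from email import message_from_string
from email.utils import getaddresses


def check_outbound_from(raw_message, auth_user, aliases=()):
    """Return (allowed, reason) for a message submitted after SMTP AUTH.

    Assumption: auth_user is the full mailbox address of the login.
    aliases is a hypothetical list of extra addresses that login owns.
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # A second From: header lets a client display one sender while a
    # naive check passes on the other, so require exactly one.
    if len(from_headers) != 1:
        return False, "need exactly one From: header"
    # Compare the parsed address, never the display name.
    addrs = [addr for _name, addr in getaddresses(from_headers) if addr]
    if len(addrs) != 1:
        return False, "need exactly one From: address"
    sender = addrs[0].lower()
    owned = {auth_user.lower()} | {a.lower() for a in aliases}
    if sender not in owned:
        return False, "From: %s not owned by %s" % (sender, auth_user)
    return True, "ok"


# Constructed sample submissions, all sent by the login alice@example.org.
SAMPLES = {
    "plain": "From: Alice <alice@example.org>\nSubject: hi\n\nbody\n",
    "display_name_trick":
        'From: "alice@example.org" <mallory@example.net>\n\nbody\n',
    "two_headers": "From: alice@example.org\nFrom: ceo@example.org\n\nbody\n",
    "two_addresses": "From: alice@example.org, ceo@example.org\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_outbound_from(raw, "alice@example.org"))
```

Only the first sample is accepted; the other three are the cases a plain string comparison on the header tends to miss.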