This page discusses the security mechanisms and the configurations we use to prevent malicious attacks. Note that the information here will be limited to prevent exposing possible vulnerabilities.

Intrusion Prevention Mechanisms

We use:

To Do

Encryption

TODO: use some sort of encryption for the content of our users.

Suggestion: Allow users to opt in to a service where their entire inbox is encrypted with their GPG key, regardless of whether the sender of the original e-mail used GPG.

Configurations

TODO

  • Use non-default ports for ssh / imap? / ...
  • Block remote root login
  • Only allow ssh login using private keys
  • Renew (rotate) server ssh keys and use ECDH/ECDSA
  • Automated security updates without human intervention
  • Set up reminders about expiring certificates
  • Webmin (w/ someone monitoring)
  • monit with good rules and e-mails to Xestra

Webserver

E-Mail

  • Prevent outbound spoofing (check if From: matches authenticated username)
  • Notify user with the spam filter if incoming e-mail is spoofed (invalid SPF / IP not in From: domain MX)
  • Install Roundcube Spam Plugin.
  • Use BlackHole MX.
  • Train SpamAssassin / Spam Filter with SpamFeed.Me.
  • Download remote images on the server and replace the remote links with server links.
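
One way to implement the outbound spoofing check from the first item in this list, as an added example that is not this project's own code. It assumes the authenticated username is the full mailbox address and compares it case-insensitively; the function name and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def from_matches_login(raw_message: str, auth_user: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a message submitted by auth_user.

    Assumption: auth_user is the full mailbox address of the SMTP login.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", [])
    # Require exactly one From: header. With duplicates, the filter and the
    # recipient's mail client may each pick a different one.
    if len(headers) != 1:
        return False, f"expected 1 From: header, found {len(headers)}"
    # getaddresses() separates the display name from the real address, so
    # '"alice@example.org" <mallory@example.org>' yields mallory@example.org.
    addrs = [addr for _name, addr in getaddresses(headers) if addr]
    if len(addrs) != 1:
        return False, f"expected 1 From: address, found {len(addrs)}"
    if addrs[0].lower() != auth_user.lower():
        return False, f"From: {addrs[0]} does not match login {auth_user}"
    return True, "ok"


# Constructed sample submissions (not real traffic).
REST = "To: bob@example.net\nSubject: test\n\nbody\n"
SAMPLES = {
    "honest": "From: Alice <alice@example.org>\n" + REST,
    "mixed_case": "From: ALICE@Example.ORG\n" + REST,
    "spoofed": "From: Bob <bob@example.org>\n" + REST,
    "display_name_trick": 'From: "alice@example.org" <mallory@example.org>\n' + REST,
    "two_headers": "From: alice@example.org\nFrom: bob@example.org\n" + REST,
    "two_addresses": "From: alice@example.org, bob@example.org\n" + REST,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        allowed, reason = from_matches_login(raw, "alice@example.org")
        print(f"{name:20} {'ACCEPT' if allowed else 'REJECT'}  {reason}")
```

This checks the From: header the recipient sees; the envelope sender (MAIL FROM) is a separate value and needs its own check at the mail server.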