Security of a small server - Looking for advice
by Didier Spaier from LinuxQuestions.org (#4W708)
I have set up a Linode VPS as web and email server (daily backup provided). This is my first server on a not shared hosting plan so I have a lot to learn.
The web server uses Apache + PHP to serve static pages including a blog built with Pelican (purely static so far) and also a Dokuwiki wiki. I have a Letsencrypt certificate (used acme.sh to get it).
The email server uses Postfix + Dovecot + MySQL with DKIM and is only used to receive the emails on behalf of the slint.fr domain (Postfix doesn't act as a relay).
I ssh to the VPS using an SSL key (PasswordAuthentication no, PermitRootLogin no in ssh_config).
I have in /etc/rc.d/rc.local this code snippet:

    if [ -e /etc/iptables/iptables.rules ]; then
        iptables-restore < /etc/iptables/iptables.rules
    fi

The rules for the filter table are:

    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [59:11784]
    :TCP - [0:0]
    :UDP - [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
    -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    -A TCP -p tcp -m tcp --dport 22 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 80 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 443 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 25 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 465 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 487 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 993 -j ACCEPT
    -A TCP -p tcp -m tcp --dport 995 -j ACCEPT

Executable daemon managers:

    rc.dovecot
    rc.httpd
    rc.inet1
    rc.inet2
    rc.inetd
    rc.keymap
    rc.local
    rc.local_shutdown
    rc.loop
    rc.mcelog
    rc.messagebus
    rc.mysqld
    rc.opendkim
    rc.postfix
    rc.sshd
    rc.syslog
    rc.sysvinit
    rc.udev
    rc.ulogd

Two questions:
- What is wrong/missing in these settings?
- I would like to avoid rootkits, but am puzzled: there is a lot of software available for that @SBo but I have no idea which would be the best in my case. A search with "rootkit" as argument gives:

    chkrootkit
    rkhunter
    samhain
    tiger
    unhide

  Which one(s) should I use?
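An added example, not part of the post and not from any of the tools named in it: a POSIX shell script that audits a saved filter table of the kind shown above. It reads the rule dump (here the post's own rules, embedded as a constructed iptables-save style dump; the `*filter` and `COMMIT` lines are added only to complete that format), reports the default policies of the built-in chains, lists every destination port the TCP and UDP chains accept, and flags any accepted port that is not on an expected-services list. That list is an assumption made for the example: the standard ports of the services the post describes (SSH 22, SMTP 25, HTTP 80, HTTPS 443, SMTPS 465, mail submission 587, IMAPS 993, POP3S 995). An accepted port outside it is worth a second look, since a rule that lets traffic in to a port where nothing listens is at best dead configuration and at worst an unnoticed exposure once something does listen there.

```shell
#!/bin/sh
# Added example: audit a saved iptables filter table for a small server.
# In production feed it the output of `iptables-save -t filter`; here the
# post's own rules are embedded as a constructed dump (the *filter and
# COMMIT lines are added to complete the iptables-save format).
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [59:11784]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
-A TCP -p tcp -m tcp --dport 465 -j ACCEPT
-A TCP -p tcp -m tcp --dport 487 -j ACCEPT
-A TCP -p tcp -m tcp --dport 993 -j ACCEPT
-A TCP -p tcp -m tcp --dport 995 -j ACCEPT
COMMIT'

# Assumption for this example: the standard ports of the services the
# post describes (SSH, SMTP, HTTP, HTTPS, SMTPS, submission, IMAPS, POP3S).
EXPECTED="22 25 80 443 465 587 993 995"

# Default policy of a built-in chain, e.g. `chain_policy INPUT` -> DROP.
chain_policy() {
    printf '%s\n' "$RULES" | awk -v c=":$1" '$1 == c { print $2 }'
}

# Destination ports that chain $1 accepts, numerically sorted, on one line.
accepted_ports() {
    printf '%s\n' "$RULES" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Accepted TCP ports that match no expected service, one per line.
unexpected_ports() {
    for p in $(accepted_ports TCP); do
        case " $EXPECTED " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Report for the operator.
echo "INPUT policy:    $(chain_policy INPUT)"
echo "FORWARD policy:  $(chain_policy FORWARD)"
echo "OUTPUT policy:   $(chain_policy OUTPUT)"
echo "TCP ports open:  $(accepted_ports TCP)"
udp=$(accepted_ports UDP)
# An empty UDP chain means every new inbound UDP flow falls through to the
# final REJECT; replies to the host's own DNS queries still pass via the
# RELATED,ESTABLISHED rule, so this is fine when no UDP service is offered.
echo "UDP ports open:  ${udp:-none (new UDP flows fall through to REJECT)}"
for p in $(unexpected_ports); do
    echo "CHECK: port $p is accepted but matches no expected service;"
    echo "       confirm a daemon listens there (ss -ltn) or drop the rule"
done
```

To run it against the live table rather than the embedded copy, replace the assignment with `RULES=$(iptables-save -t filter)` and run as root. On the rules above it confirms the DROP policies on INPUT and FORWARD, shows that the UDP chain accepts nothing, and reports port 487 as the one accepted TCP port without a matching expected service.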