Quick security guide for Cobalt products

In decreasing order of (presumed) importance:
  1. First and foremost, make sure, and check regularily that your workstation is not trojaned with a keyboard logger!

  2. Check if the server has been compromized already (chkrootkit is your friend here). If so, it is hightly recommended to install the system from scratch (don't forget to backup all your data and configuration first!).

  3. Install all up to date patches.

  4. Install ssh from pkgmaster and disable telnet. Some SSH clients for Windows & Mac (including scp) can be found here.

  5. Disable on the control panel all services that are not absolutely required. If you have mysql and/or postgresql installed, make sure that they have network access disabled (or at least properly restricted). Here is the document describing how to do that for MySQL.

  6. Try to get rid of FTP service too. You might consider these options:
    • Install some kind of "secure FTP" solution, such as SafeTP or Secure FTP.
    • Make users use scp or sftp (parts of ssh).
    (NOTE: to make users use scp, you will have to enable shell access for them which may be undesirable. You will need to decide yourself if it is more risky to open shell access or have FTP service enabled.)

  7. Enable SSL on the main web server - this will make your admin interface SSL secured, and you won't be exposing admin password on the network anymore. After that, change admin password, just for case.

  8. Install intrusion detection software, such as tripwire, swatch, chkrootkit and a TriSentry suite. (The latter was developed by Psionic products but disappeared from their website after acquisition by Cisco). Install a portscanner on some other host and run it regularily (don't forget to make portsentry disregard its IP address).

  9. Install SSL enabled versions of POP3 and IMAP servers and make your users use them instead of plain POP3/IMAP. It is also possible to use native Cobalt POP3 and IMAP servers through an SSL wrapper such as sslwrap or stunnel.

  10. Configure firewall with ipchains to restrict access to certain ports (e.g. admin ports 81 and 444) only from certain IP addresses.

  11. Not a real protection, but some ready-to-use exploit scripts rely on gcc to compile exploit code on the target system. Uninstalling gcc RPM or just making gcc binary non-executable may, in some cases, thwart script kiddies and worms (but not serious intruders).

Also, to keep an eye on security problems and new patches, consider subscribing to these maillists:
Please send comments to Eugene Crosser <crosser at average dot org>
average.org