A Secure System How-To
This document assumes you already have your system set up to send and receive mail locally, so discussion of MTAs is beyond its scope.
First, let's start with what we need to secure our Linux-based computer.
For our firewall we're going to use iptables, the successor to ipfwadm and ipchains. To be able to use iptables you need a 2.4.x or 2.6.x series kernel with the relevant options enabled (how to do that is left as an exercise to the reader as it is beyond the scope of this document).
Once the appropriate kernel options have been enabled and iptables has been installed, you are halfway towards having a more secure Linux computer. The next part is probably the hardest: deciding what exactly you want to do with unwanted traffic. Do you drop it, reject it or forward it to another port? For a very basic config, we'll look at my rules:
IPTABLES=/sbin/iptables   # the snippet assumes this variable points at the iptables binary

# Default policy: anything not accepted by a rule below is dropped.
# (-P sets a chain policy, and a built-in chain's policy can only be ACCEPT or DROP;
# REJECT is valid only as a rule target, not as a policy.)
$IPTABLES -P INPUT DROP

# Loopback traffic and replies to connections this host opened must be let in;
# without these two rules a DROP policy also discards the DNS answers and web pages you asked for.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Start udp
$IPTABLES -A INPUT -t filter -p udp --destination-port 53 -j ACCEPT    # Accept dns
$IPTABLES -A INPUT -t filter -p udp --destination-port 123 -j ACCEPT   # Accept ntp
# Start tcp
$IPTABLES -A INPUT -t filter -p tcp --destination-port 80 -j ACCEPT    # Accept http
$IPTABLES -A INPUT -t filter -p tcp --destination-port 53 -j ACCEPT    # Accept dns
$IPTABLES -A INPUT -t filter -p tcp --destination-port 22 -j ACCEPT    # Accept ssh
$IPTABLES -A INPUT -t filter -p tcp --destination-port 25 -j ACCEPT    # Accept mail
$IPTABLES -A INPUT -t filter -p tcp --destination-port 123 -j ACCEPT   # Accept ntp

# ---- THE END OF THE FIREWALL ----
# This is the end of the firewall's chains
# All packets that reach this point will be dropped
# All incoming packets that reach this point will also be logged
# if DROP_EVERYTHING_FROM_HERE="yes"
# If you would like to see those packets that are dropped, uncomment the
# following 4 lines (this is very good during firewall development & testing)
[ "$DEBUG" = "on" ] && echo -e "\n# Logging needed during development"
$IPTABLES -A INPUT -j LOG --log-prefix "giptables-end-of-firewall: "
$IPTABLES -A OUTPUT -j LOG --log-prefix "giptables-end-of-firewall: "
$IPTABLES -A FORWARD -j LOG --log-prefix "giptables-end-of-firewall: "
As you can see, I reject everything by default and then accept udp or tcp packets on certain ports. Most users won't need ssh, mail or http, so you can leave those out if you wish. Once you have your rules set up and have enabled logging (recommended), you can turn on iptables. This can be done in one of two ways. If your installer installed an init script by default you can just run /etc/init.d/iptables start. If not, you should be able to apply the rules by running them from the command line. On my system an init script was included, so that was the method I used.
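Once the LOG rules at the end of the chain are active, the kernel log gains one line per packet that reached them, and the useful question is what is actually being refused before you decide to open a port or tighten a rule. The script below is an added example and not part of the original how-to: it reads standard iptables LOG lines carrying the "giptables-end-of-firewall: " prefix from the rules above and summarizes them by destination port and by source address. The function names and the sample log lines are mine; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Summarize iptables LOG output from the end-of-chain rules in the how-to.
# Field layout assumed is the standard kernel LOG format: ... SRC=a.b.c.d ... PROTO=TCP ... DPT=n ...

# Constructed sample of kernel log lines (not from a real host).
SAMPLE_LOG='Mar  3 10:01:02 host kernel: giptables-end-of-firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40211 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 host kernel: giptables-end-of-firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40212 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:09 host kernel: giptables-end-of-firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40213 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:00 host kernel: giptables-end-of-firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=4321 PROTO=UDP SPT=1900 DPT=1900 LEN=100
Mar  3 10:03:00 host kernel: eth0: link up'

# dropped_by_port: read syslog lines on stdin, print "PROTO/DPT count", most frequent first.
# Packets without a DPT field (e.g. ICMP) carry no port and are left out of this view.
dropped_by_port() {
    grep 'giptables-end-of-firewall: ' |
    awk '{
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (proto != "" && dpt != "") count[proto "/" dpt]++
    }
    END { for (k in count) print k, count[k] }' |
    sort -k2,2nr -k1,1
}

# dropped_by_source: read syslog lines on stdin, print "SRC count", most frequent first.
dropped_by_source() {
    grep 'giptables-end-of-firewall: ' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++ }
         END { for (k in count) print k, count[k] }' |
    sort -k2,2nr -k1,1
}

# count_for PROTO PORT: read syslog lines on stdin, print how often that port was logged (0 if never).
count_for() {
    dropped_by_port |
    awk -v key="$1/$2" '$1 == key { print $2; found = 1 } END { if (!found) print 0 }'
}

# Demo on the constructed sample. On a real host feed the kernel log instead, e.g.:
#   grep 'giptables-end-of-firewall' /var/log/messages | dropped_by_port
printf '%s\n' "$SAMPLE_LOG" | dropped_by_port
printf '%s\n' "$SAMPLE_LOG" | dropped_by_source
```

Repeated hits on a port you never opened (23 and 445 in the sample) are noise you can safely keep dropping; repeated hits on a port you expected to work are the sign that a rule is missing or the policy is catching your own traffic.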
Now your system should be safe from most unsolicited inbound traffic, especially if you are a home broadband user.
Next we are going to do the easiest thing covered in this document: setting up ClamAV, an anti-virus program. All you need to do is install the latest version, set up freshclam as a daemon so it retrieves the newest virus definitions every 12 hours, and set up a crontab job to scan your system however frequently you feel comfortable with. I set crontab to scan /home once a week and only manually scan the entire system if I think it is necessary. Now some of you new to Linux may ask why we would need a virus scanner; isn't Linux supposed to be immune by default? Well, yes and no. Yes in the sense that most malicious code would need to somehow gain root privileges to do anything truly harmful to the system. No in the sense that as Linux grows in popularity (for whatever reasons) there are going to be more clueless lusers who know nothing and care nothing for security. ClamAV is also good because you can scan any mounted file system with it. Unfortunately it's rather slow.
Finally, mail filtering. With this setup you'll catch both spam and viruses.
We are going to assume you have procmail, SpamAssassin and ClamAssassin installed (or are competent enough to install them). Of course ClamAV is needed for ClamAssassin.
First, let's train SpamAssassin:
sa-learn --ham --mbox box1 (or sa-learn --ham --dir folder1, depending on your setup; substitute your box or folder as appropriate)
This tells SpamAssassin that the mail it is looking at right now is not spam. I recommend feeding it as much ham as possible although after 1000 ham emails it should work just fine.
sa-learn --spam --mbox box1 (or sa-learn --spam --dir folder1, depending on your setup; substitute your box or folder as appropriate)
Again, after about 1000 spam messages, SpamAssassin should be able to tell fairly accurately what is and isn't spam. Next, from the command line (as the user you are setting this up for), run: spamassassin --lint
This checks the rule syntax, creates the ~/.spamassassin/ directory and its contents (including user_prefs, which is important) if needed, and exits either silently or with warnings about rule syntax.
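A way to check whether the Bayes database has actually reached the training volume recommended above, as an added example that is not part of the original how-to. It reads the output of `sa-learn --dump magic`, whose `non-token data: nspam` and `non-token data: nham` lines carry the learned message counts (the column layout is assumed from that command's output format, with the count in the third column), and reports whether both counts have reached the threshold. The function names, the threshold variable and the sample output embedded below are mine; the sample is constructed, not dumped from a real mailbox.

```shell
#!/bin/sh
# Report whether SpamAssassin's Bayes DB has learned enough ham and spam to be trusted.
# Assumed line layout of `sa-learn --dump magic`:
#   <prob> <count> <value> <atime>  non-token data: <name>
# where the third column holds the value we want.

THRESHOLD=${THRESHOLD:-1000}   # the how-to recommends about 1000 messages of each kind

# Constructed sample of `sa-learn --dump magic` output (not from a real account).
SAMPLE_MAGIC='0.000          0          3          0  non-token data: bayes db version
0.000          0       1021          0  non-token data: nspam
0.000          0        640          0  non-token data: nham
0.000          0      84312          0  non-token data: ntokens
0.000          0 1109782800          0  non-token data: oldest atime
0.000          0 1110387600          0  non-token data: newest atime'

# magic_count NAME: read dump-magic output on stdin, print the value for NAME (0 if absent).
magic_count() {
    awk -v name="$1" '
        $0 ~ ("non-token data: " name "$") { print $3; found = 1; exit }
        END { if (!found) print 0 }'
}

# bayes_status [THRESHOLD]: read dump-magic output on stdin, print one status line;
# returns 0 when both the spam and the ham count meet THRESHOLD, 1 otherwise.
bayes_status() {
    threshold=${1:-$THRESHOLD}
    input=$(cat)
    nspam=$(printf '%s\n' "$input" | magic_count nspam)
    nham=$(printf '%s\n' "$input" | magic_count nham)
    if [ "$nspam" -ge "$threshold" ] && [ "$nham" -ge "$threshold" ]; then
        printf 'bayes ready: %s spam, %s ham learned\n' "$nspam" "$nham"
        return 0
    fi
    printf 'keep training: %s/%s spam, %s/%s ham learned\n' "$nspam" "$threshold" "$nham" "$threshold"
    return 1
}

# Demo on the constructed sample (ham is still short, so the status is 1).
# On a real account run:  sa-learn --dump magic | bayes_status
printf '%s\n' "$SAMPLE_MAGIC" | bayes_status || echo "(exit status $?: not ready yet)"
```

Because the function's exit status carries the answer, the same check fits in a cron job or a login script that reminds you to feed sa-learn more ham until the count catches up.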
Next you need to have your .forward already pointing to procmail, usually using
"|/usr/bin/procmail"
which then automatically looks for ~/.procmailrc.
Next, open .procmailrc (or create it if you don't already have it) using your favorite editor and add the following rules:
# pass every message through spamc, which adds the X-Spam-* headers
:0fw
| /usr/bin/spamc

# anything spamc flagged goes to the spam folder
# (use :0: here if the destination is an mbox file rather than a Maildir directory)
:0
* ^X-Spam-Flag: YES
$HOME/.maildir/spam
You should change $HOME/.maildir/spam to whatever folder you want detected spam to go to. It's recommended you do not dump spam in /dev/null unless you are absolutely sure that SpamAssassin is accurately tagging email as spam.
Now, in ~/.spamassassin/user_prefs you should have something that looks like this:
version_tag jnagyjr1.1 # version=2.63-jnagyjr1.1

# How many hits before a mail is considered spam.
required_hits 5
The version_tag line records the SpamAssassin version and the version of your user_prefs rules.
The second setting, required_hits, is the score an email must reach to be considered spam. 5 is a good number to start with and can be lowered once SpamAssassin is better trained.
The next section in user_prefs (although there is no particular order for anything) deals with whitelisting. Basically this tells SpamAssassin which email addresses and domains are automatically whitelisted and should pass through. It does this by assigning the email a negative score low enough that even if it is real spam it will still get through. This is where continual training comes in: you can just move that piece of spam to a folder or another mailbox and run sa-learn --spam --mbox box (or --dir folder); the same is true for ham marked as spam, using --ham.
Anyway, a typical whitelist entry looks like this:
# a whole domain has to be given as an address glob; a bare domain name matches nothing
whitelist_from users@httpd.apache.org *@lists.gentoo.org
You can also blacklist addresses. This is recommended only if you are absolutely sure you don't want email from a certain domain or person (it is really more useful for individual email addresses than for whole domains).
man 3 Mail::SpamAssassin::Conf goes into great detail on the options. Google is also a great help.
Our final mail filter is one that works with ClamAV to scan out virus-infected email before it's processed by SpamAssassin.
ClamAssassin needs to be installed, and the following rules, edited to suit your needs, go above the SpamAssassin recipes so that the virus scan runs first:
# pass every message through clamassassin, which adds the X-Virus-Status header
:0fw
| /home/jnagyjr/bin/clamassassin

# anything flagged as infected goes to the virus folder
:0:
* ^X-Virus-Status: Yes
$HOME/.maildir/virus
clamassassin requires formail (provided by procmail), clamscan, and mktemp. You'll need to edit the clamassassin script to point to the correct path for each program. Once you have that filter set up you will have a spam- and virus-free inbox (for the most part) with a minimal amount of continued training on your part.
I hope you all enjoyed this little Secure System How-To. Feel free to give feedback in comments. This document is protected under the GNU Free Documentation License.
edit: sorry about the formatting.
