
Wednesday, 30 November 2011

Dovecot IMAP server and tcpd's hosts.allow

Running your own email server is great, but it must be secure against attacks from hackers and “script-kiddies”, idiots who scan networks looking for systems that advertise services and allow remote access. You can secure certain services on your Linux-based machine, such as sshd and imapd, using tcpd’s hosts.allow and hosts.deny functionality, to limit the number of hosts that can even get to a login prompt.
My main working machine runs Mac OS X. I also have a dedicated server running Debian Linux that handles all my email and ensures I can get Unix shell access from wherever I am. This server is secured against attack, and I have switched off all unnecessary services and use a dedicated hardware firewall to limit access. The only services I allow are ssh and imaps, on ports 22 and 443 respectively. After some time I noticed that my ssh server was under continual attack by hackers across the globe, who would port-scan a range of machines on different networks and then attempt to log in via brute-force methods. To counter this, I began using special firewall rules to limit the frequency of connections, and finally to limit which machines could connect.
I now use tcpd and its hosts.allow / hosts.deny functionality to specify which computers are allowed to connect. I can specify large swathes of network addresses and so, for example, ensure I can access my machine from anywhere on campus. Over time, I have extended this to include specific other machines and networks, mainly in the UK, from which a hacker attack would be unlikely.
I recently noticed that my IMAP server was not similarly protected. This is because my IMAP server of choice (dovecot) runs directly from init.d on server startup, rather than via inetd. Only services run via inetd are protected by the hosts.allow mechanism, so it is sensible to switch to this mechanism:
There are some brief instructions here.
  1. Stop the existing dovecot service.
    /etc/init.d/dovecot stop
  2. Stop dovecot running on normal startup: rename /etc/rc2.d/S21dovecot to K21dovecot.
    mv /etc/rc2.d/S21dovecot /etc/rc2.d/K21dovecot
  3. Add the following to /etc/inetd.conf:
    imap stream tcp nowait root /usr/sbin/tcpd /usr/lib/dovecot/imap-login
    imaps stream tcp nowait root /usr/sbin/tcpd /usr/lib/dovecot/imap-login --ssl
  4. Tell inetd about its updated configuration by sending it the HUP signal.
    killall -1 inetd
And you should find your system is protected!
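To see what the tcpd wrapper in front of imap-login will actually do with a connection, here is an added example (not code from the original post) that models the hosts.allow / hosts.deny decision on constructed sample files. It assumes the daemon name tcpd sees is "imap-login" (the basename of the program inetd starts) and uses RFC 5737 documentation addresses; hostnames and EXCEPT lists are not handled.

```python
# Added example (not code from the original post): a simplified model of the
# tcp_wrappers (tcpd) decision that inetd-run services get from
# /etc/hosts.allow and /etc/hosts.deny.  Hostnames, EXCEPT lists and the
# optional shell-command field of real tcpd are left out.
import ipaddress

# Constructed sample files.  tcpd matches the daemon field against the server
# program name (argv[0]), so Dovecot's login process started via tcpd from
# inetd appears as "imap-login".  Addresses are RFC 5737 documentation ranges.
HOSTS_ALLOW = """
# a campus network in netmask form, one home machine, one leading-octet prefix
sshd, imap-login: 198.51.100.0/255.255.255.0, 203.0.113.7
ALL: 10.0.
"""
HOSTS_DENY = "ALL: ALL\n"  # anything not explicitly allowed is refused

def _client_matches(pattern, client_ip):
    """ALL, addr/mask (CIDR or dotted mask), trailing-dot prefix or exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return pattern == client_ip

def _parse_rules(text):
    """Yield (daemons, clients) from 'daemon_list : client_list' lines; comments and blanks are skipped."""
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue
        yield [d.strip() for d in fields[0].split(",")], [c.strip() for c in fields[1].split(",")]

def _any_rule_matches(text, daemon, client_ip):
    for daemons, clients in _parse_rules(text):
        if ("ALL" in daemons or daemon in daemons) and any(_client_matches(c, client_ip) for c in clients):
            return True
    return False

def tcpd_allows(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; first match wins, no match allows."""
    if _any_rule_matches(hosts_allow, daemon, client_ip):
        return True
    if _any_rule_matches(hosts_deny, daemon, client_ip):
        return False
    return True
```

Note that with an empty hosts.deny every client is allowed, so the "ALL: ALL" deny line is what makes the allow list an actual restriction.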
