Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
howto:hardening [2012/03/06 21:46] – Fixed grammar issues, Updated the guides hardening settings instructions. Started some new hardening sections for SMTP and SendMail magikh0e | howto:hardening [2014/07/25 02:29] (current) – Synchronet supports Digest auth now, you don't need to disable the server to disable Basic auth deuce | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Hardening the Synchronet Servers ====== | ====== Hardening the Synchronet Servers ====== | ||
- | Hardening a system is the process in which an administrator or systems operator reduces the chance an attacker can either gain access or information from a system. | + | Hardening a system is the process in which an administrator or systems operator reduces the chance an attacker can either gain access or information from a system. |
===== Identifing your version of Synchronet ===== | ===== Identifing your version of Synchronet ===== | ||
- | Use of this document requires you to know which version of the software you are using. To identify what version | + | Use of this document requires you to know which version of the software you are using and ensuring you are using the most up-to-date |
- | On linux run: exec/sbbs - The version will be listed on the first line. | + | To identify what version of Synchro you are running: |
- | On Windows: | + | **Linux**: exec/sbbs -h |
+ | **Windows**: From the // | ||
+ | To check the latest available version of Synchro: [[http:// | ||
===== Why Harden My Server ===== | ===== Why Harden My Server ===== | ||
An Attacker can us various tactics to compromise a system - The reasons for compromising a system can include; | An Attacker can us various tactics to compromise a system - The reasons for compromising a system can include; | ||
Line 17: | Line 19: | ||
===== Settings to Harden ===== | ===== Settings to Harden ===== | ||
- | Some settings I'm proposing to harden include. | ||
- | |||
This guide will cover hardening synchronet from a security point of view, as well as an operational security point of view. Sometimes hardening breaks or removes functionality.. | This guide will cover hardening synchronet from a security point of view, as well as an operational security point of view. Sometimes hardening breaks or removes functionality.. | ||
Line 29: | Line 29: | ||
* Displaying of passwords to the Console/Log | * Displaying of passwords to the Console/Log | ||
* It is extremely common for people to use the same passwords for multiple things - should someone get access to a password from your system, it's possible that same password could be used on other systems. There is also the possibilty of shoulder surfing, since the default setting displays a users password as it is type in on the screen. In order to prevent passwords from being shown in the log files or on the console. | * It is extremely common for people to use the same passwords for multiple things - should someone get access to a password from your system, it's possible that same password could be used on other systems. There is also the possibilty of shoulder surfing, since the default setting displays a users password as it is type in on the screen. In order to prevent passwords from being shown in the log files or on the console. | ||
+ | |||
+ | // Note:// ensure the log/console is not accessible by untrusted users. Since passwords are stored in plain text, having them also in the log or on the console is not an increase in attack surface if this precaution is taken. | ||
+ | |||
* Change the following option to **No**. | * Change the following option to **No**. | ||
- | * Don't email passwords to users | + | * Don't email passwords to users //They will be in plain text// |
- | * email is not a secure method of transfering information - at any given time it's possible email messages could be intercepted | + | * Disable passwords being sent in emails //Plain text// |
- | * Change: Configuration Value | + | * Set the **email_passwords=** option to **false** in the //[login]// section of the // |
- | * Don't show version information | + | * Hiding |
- | * Providing version information to attackers in the form of status or other messages | + | * Providing version information to attackers in the form of a status or other messages |
- | * Limit use of: @VER@, @OS_VER@, @COMPILER@, @FULL_VER@, @REV@, @VER_NOTICE@ (Only because it includes the version information) | + | * Limit use of: **//@VER@//**, **//@OS_VER@//**, **//@COMPILER@//**, **//@FULL_VER@//**, **//@REV@//**, **//@VER_NOTICE@//** (Only because it includes the version information) |
- | * NOTE: @PLATFORM@ should be OK | + | * NOTE: **//@PLATFORM@//** should be OK |
- | * NOTE: Providing the Major Version number should be OK (Version 3) | + | * NOTE: Providing the Major Version number should be OK ie (Version 3) |
- | * Don't provide | + | * Preventing leaking of the internal IP address |
- | * Most times our BBSs are using an internal | + | * If your BBSs live behind some sort of firewall or NAT device, synchronet has the potential of leaking the internal IP address, ie (192.168.x.x or 10.x.x.x address). It is considered |
- | * Limit use of: @LOCAL-IP@ (Use @INETADDR@ or @HOSTNAME@ instead) | + | * Limit use of: **//@LOCAL-IP@//** (Use **//@INETADDR@//** or **//@HOSTNAME@//** instead) |
==== Disable Plain Text Protocols ==== | ==== Disable Plain Text Protocols ==== | ||
- | //Note//: By hardening some of these functions below, you may also remove | + | //Note//: By hardening some of these functions below, you may also remove |
* Blocking telnet and Enabling SSH. | * Blocking telnet and Enabling SSH. | ||
Line 54: | Line 57: | ||
* **Enabling SSH on Win32**: | * **Enabling SSH on Win32**: | ||
- | * From the // | + | * From the // |
* Disable FTP | * Disable FTP | ||
* FTP is not a secure method of transferring information - at any given time it's possible FTP sessions could be intercepted (most dangerous during authentication) | * FTP is not a secure method of transferring information - at any given time it's possible FTP sessions could be intercepted (most dangerous during authentication) | ||
- | * **Disable FTP on Win32**: From the // | + | * **Disable FTP on Win32**: From the // |
* Don't enable HTTP with basic auth | * Don't enable HTTP with basic auth | ||
- | * HTTP with basic auth is not a secure method of transferring information - at any given time it's possible HTTP with basic auth sessions could be intercepted | + | * HTTP with basic auth is not a secure method of transferring information - at any given time it's possible HTTP, with basic auth sessions, could be intercepted |
* Change: Configuration Value | * Change: Configuration Value | ||
- | | + | |
+ | | ||
* Don't enable NNTP | * Don't enable NNTP | ||
Line 82: | Line 86: | ||
* If you plan to recieve mail on your BBS | * If you plan to recieve mail on your BBS | ||
* POP3 and SMTP | * POP3 and SMTP | ||
- | * If you only play to send mail on your BBS | + | * If you only plan to send mail on your BBS |
* SendMail | * SendMail | ||
+ | |||
+ | === Logging === | ||
+ | **Unix**: [[config: | ||
+ | |||
===== Hardening Suggestions for 3.16: ===== | ===== Hardening Suggestions for 3.16: ===== | ||
- | * Passwords should not be echo'd to the log/console | ||
- | * Set SCFG-> | ||
- | * Alternatively, | ||
- | * Disable passwords being sent in emails | ||
- | * Set email_passwords=false in the [login] section of the ctrl/ | ||
* Disable Showing Version information to clients | * Disable Showing Version information to clients | ||
- | * text/ | + | * text/ |
Things to Investigate: | Things to Investigate: | ||
- | @NUMDIR@ - JS_VER - LIB LIBL - LN - MSG_LIB - SOCKET_LIB | + | //**@NUMDIR@**// - //**@JS_VER**// - //**@LIB LIBL**// - //**@LN**// - //**@MSG_LIB**// - //**@SOCKET_LIB**// |