Synchronet v3.18b-Win32 (install) has been released (Sept-2020).

Synchronet v3.19a, now under development, requires libarchive-dev to build successfully.

You can donate to the Synchronet project using PayPal.

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
howto:hardening [2012/01/11 08:19]
coolacid
howto:hardening [2014/07/25 02:29] (current)
deuce Synchronet supports Digest auth now, you don't need to disable the server to disable Basic auth
Line 1: Line 1:
 ====== Hardening the Synchronet Servers ====== ====== Hardening the Synchronet Servers ======
  
-Hardening a system is the process in which an administrator or systems operator reduces the chance an attacker can either gain access or information from a system. ​It is recommended that systems be hardened ​to protect your BBS, your users and your self. +Hardening a system is the process in which an administrator or systems operator reduces the chance an attacker can either gain access or information from a system. ​You may wish to harden your system ​to protect your BBS, your users and your self. 
  
 ===== Identifing your version of Synchronet ===== ===== Identifing your version of Synchronet =====
  
-Use of this document requires you to know which version of the software you are using. To identify what version ​of Synchro ​you are using follow these steps:+Use of this document requires you to know which version of the software you are using and ensuring you are using the most up-to-date ​version ​available for your operating system. If you are not using the latest available verison, see [[http://​wiki.synchro.net/​install:​win|Win32]] or [[http://​wiki.synchro.net/​install:​nix|Unix]] installation instructions.
  
-On linux run: exec/sbbs - The version will be listed on the first line.  +To identify what version of Synchro you are running: 
-On Windows: ​TODO+**Linux**: exec/sbbs - 
 +**Windows**From the //​Synchronet Control Panel//, Select **Help->​About...**.
  
 +To check the latest available version of Synchro: [[http://​synchro.net/​download.html|Synchro Download]]
 ===== Why Harden My Server ===== ===== Why Harden My Server =====
-Atackers ​can us multiple tacktics ​to compromise ​systems ​- The reasons for compromising a system can include;+An Attacker ​can us various tactics ​to compromise ​a system ​- The reasons for compromising a system can include;
   * Gathering information on the users of the system - this inclused your BBS users, not just you   * Gathering information on the users of the system - this inclused your BBS users, not just you
   * Using the system to attack other systems   * Using the system to attack other systems
Line 17: Line 19:
  
 ===== Settings to Harden ===== ===== Settings to Harden =====
 +This guide will cover hardening synchronet from a security point of view, as well as an operational security point of view. Sometimes hardening breaks or removes functionality..
  
-Some settings I'm proposing ​to harden include + * Linux/Unix systems: **DO NOT RUN Synchronet AS ROOT** 
-  * Displaying of passwords to the Console/​Log +    *Create a username and group for synchronet ​to run as, once done. Edit the //​sbbs.ini//​ found in the ctrl directory of synchronet.  
-    * It is extreamlly ​common for people to use the same passwords for multiple things - should someone get access to a password from your system, it's possible that same password could be used on other systems+    *Under the //[UNIX]// section, uncomment and change the following values. 
 +   // User=sbbsuser & Group=sbbsgroup//​ 
 +   *make sure you change //​__sbbuser__//​ and //​__sbbgroup__//​ to reflect the username and group you have just created. 
 +    ​ 
 + * Displaying of passwords to the Console/​Log 
 +    * It is extremely ​common for people to use the same passwords for multiple things - should someone get access to a password from your system, it's possible that same password could be used on other systems. There is also the possibilty of shoulder surfing, since the default setting displays a users password as it is type in on the screen. In order to prevent passwords from being shown in the log files or on the console.  
 + 
 +// Note:// ensure the log/console is not accessible by untrusted users. Since passwords are stored in plain text, having them also in the log or on the console is not an increase in attack surface if this precaution is taken.  
 + 
 +    * Change the following option to **No**. ​  ​**SCFG->​System->​Toggle Options->​Echo Passwords Locally**. 
 + 
 +  * Don't email passwords to users //They will be in plain text// 
 +    * Disable passwords being sent in emails //Plain text// 
 +      * Set the **email_passwords=** option to **false** in the //[login]// section of the //​ctrl/​modopts.ini//​ file 
 + 
 +  * Hiding version information 
 +    * Providing version information to attackers in the form of a status or other messages will improve the chances of knowing what vulnerabilities the software may contain.  
 +      * Limit use of: **//​@VER@//​**,​ **//​@OS_VER@//​**,​ **//​@COMPILER@//​**,​ **//​@FULL_VER@//​**,​ **//​@REV@//​**,​ **//​@VER_NOTICE@//​** (Only because it includes the version information) 
 +      * NOTE: **//​@PLATFORM@//​** should be OK 
 +      * NOTE: Providing the Major Version number should be OK ie (Version 3) 
 + 
 +  * Preventing leaking of the internal IP address 
 +    * If your BBSs live behind some sort of firewall or NAT device, synchronet has the potential of leaking the internal IP address, ie (192.168.x.x or 10.x.x.x address). It is considered best practice to keep that information private as it will expose the internal IP address and details about the network it is connected too, hence the purpose of NAT from a security point of view. 
 +      * Limit use of: **//​@LOCAL-IP@//​** (Use **//​@INETADDR@//​** or **//​@HOSTNAME@//​** instead) 
 + 
 + 
 +==== Disable Plain Text Protocols ==== 
 +//Note//: By hardening some of these functions below, you may also remove abilities of your BBS that can not be replaced by another secure function at this time. Specifically FTP & Finger. 
 + 
 +  * Blocking telnet and Enabling SSH. 
 +    * telnet is not a secure method of transferring information - at any given time it's possible telnet sessions could be intercepted (most dangerous during authentication) 
 +    * Ensure port 23 is filtered by the firewall. 
 +      
 +     * **Enabling SSH on Win32**:  
 +       * From the //​Synchronet Control Panel//, Select **Terminal->​Configure** from the top menu, then select the **SSH** tab. Check off **Enable**, then click **OK**. 
 + 
 + 
 +  * Disable FTP 
 +    * FTP is not a secure method of transferring information - at any given time it's possible FTP sessions could be intercepted (most dangerous during authentication) 
 +      * **Disable FTP on Win32**: From the //​Synchronet Control Panel//, Select **FTP->​Configure** from the top menu, on the **General** tab. UnCheck **Auto Startup**, then click **OK**. 
 + 
 +  * Don't enable HTTP with basic auth 
 +    * HTTP with basic auth is not a secure method of transferring information - at any given time it's possible HTTP, with basic auth sessions, could be intercepted
       * Change: Configuration Value       * Change: Configuration Value
-  ​* Don'​t ​email passwords to users +        * In the .ini file, in the Web section, add (or modify) the Authorization line to read ''​Authorization=Digest''​ 
-    * email is not a secure method of transfering ​information - at any given time it's possible ​email messages ​could be intercepted+        * Ensure that any webctrl.ini files don't override this value. 
 + 
 +  ​* Don'​t ​enable NNTP 
 +    * NNTP is not a secure method of transferring ​information - at any given time it's possible ​NNTP sessions ​could be intercepted ​(most dangerous during authentication)
       * Change: Configuration Value       * Change: Configuration Value
-  ​* Don'​t ​show version information to users/​attackers + 
-    * Providing version information to attackers in the form of status or other messages improves their chances of knowing what vulnerabilities the software may contain. It would be possible ​for an attacker to cross reference the version number provided with the softwares website that lists changes and vulnerabilities. +  ​* Don'​t ​enable IRC 
-      * Limit use of: @VER@, @OS_VER@, @COMPILER@, @FULL_VER@, @REV@, @VER_NOTICE@ ​(Only because it includes the version information+    * IRC is not a secure method ​of transferring information - at any given time it'​s ​possible ​IRC sessions could be intercepted ​(most dangerous during authentication
-      * NOTE@PLATFORM@ should be OK +      * ChangeConfiguration Value 
-      * NOTE: Providing the Major Version number should be OK (Version 3) + 
-  * Don'​t ​provide internal IP addresses +  * Don'​t ​enable Finger 
-    * Most times our BBSs are using an internal only IP address (192.168.x.x or 10.x.x.x address) ​and our modems/​routers pass the connection though to these systemsIt is consitered best practice to keep that information ​secure+    * Finger is not a secure method of transferring information - at any given time it's possible Finger sessions could be intercepted 
-      * Limit use of@LOCAL-IP@ (Use @INETADDR@ or @HOSTNAME@ instead)+    * Finger provides information about users, their current online status, ​and the system A potential ​information ​leak
 +      * ChangeConfiguration Value 
 + 
 +  * Mail Server Configuration 
 +    * If you plan to recieve mail on your BBS 
 +      * POP3 and SMTP 
 +    * If you only plan to send mail on your BBS 
 +      * SendMail  
 + 
 +=== Logging === 
 +**Unix**: [[config:​nix#​logfacility|Setup Synchro to log to a specific file]]
  
 ===== Hardening Suggestions for 3.16: ===== ===== Hardening Suggestions for 3.16: =====
  
-  * Passwords should not be echo'd to the log/console 
-     * Set SCFG->​System->​Toggle Options->​Echo Passwords Locally to "​No"​. 
-  * Disable passwords being sent in emails 
-     * Set email_passwords=false in the [login] section of the ctrl/​modopts.ini file 
   * Disable Showing Version information to clients   * Disable Showing Version information to clients
-     * text/​answer.wip+     * text/​answer.wip ​(Line: 15, //​**@VER@**//​)
  
 Things to Investigate:​ Things to Investigate:​
  
-@NUMDIR@ - JS_VER - LIB LIBL - LN - MSG_LIB - SOCKET_LIB ​+//**@NUMDIR@**// //**@JS_VER**// //**@LIB LIBL**// //**@LN**// //**@MSG_LIB**// //**@SOCKET_LIB**// 
  
  

In Other Languages