Synchronet v3.19b-Win32 (install) has been released (Jan-2022).

You can donate to the Synchronet project using PayPal.

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
howto:hardening [2012/03/06 22:04] – [Settings to Harden] - document cleanups magikh0ehowto:hardening [2014/07/25 02:29] (current) – Synchronet supports Digest auth now, you don't need to disable the server to disable Basic auth deuce
Line 1: Line 1:
 ====== Hardening the Synchronet Servers ====== ====== Hardening the Synchronet Servers ======
  
-Hardening a system is the process in which an administrator or systems operator reduces the chance an attacker can either gain access or information from a system. It is recommended that systems be hardened to protect your BBS, your users and your self. +Hardening a system is the process in which an administrator or systems operator reduces the chance an attacker can either gain access or information from a system. You may wish to harden your system to protect your BBS, your users and your self. 
  
 ===== Identifing your version of Synchronet ===== ===== Identifing your version of Synchronet =====
  
-Use of this document requires you to know which version of the software you are using. To identify what version of Synchro you are using follow these steps:+Use of this document requires you to know which version of the software you are using and ensuring you are using the most up-to-date version available for your operating system. If you are not using the latest available verison, see [[http://wiki.synchro.net/install:win|Win32]] or [[http://wiki.synchro.net/install:nix|Unix]] installation instructions.
  
-On linux run: exec/sbbs - The version will be listed on the first line.  +To identify what version of Synchro you are running: 
-On Windows: TODO+**Linux**: exec/sbbs - 
 +**Windows**From the //Synchronet Control Panel//, Select **Help->About...**.
  
 +To check the latest available version of Synchro: [[http://synchro.net/download.html|Synchro Download]]
 ===== Why Harden My Server ===== ===== Why Harden My Server =====
 An Attacker can us various tactics to compromise a system - The reasons for compromising a system can include; An Attacker can us various tactics to compromise a system - The reasons for compromising a system can include;
Line 17: Line 19:
  
 ===== Settings to Harden ===== ===== Settings to Harden =====
-Some settings I'm proposing to harden include. 
- 
 This guide will cover hardening synchronet from a security point of view, as well as an operational security point of view. Sometimes hardening breaks or removes functionality.. This guide will cover hardening synchronet from a security point of view, as well as an operational security point of view. Sometimes hardening breaks or removes functionality..
  
Line 50: Line 50:
  
 ==== Disable Plain Text Protocols ==== ==== Disable Plain Text Protocols ====
-//Note//: By hardening some of these functions below, you may also remove ability of your BBS that can not be replaced by another secure function at this time. Specifically FTP & Finger.+//Note//: By hardening some of these functions below, you may also remove abilities of your BBS that can not be replaced by another secure function at this time. Specifically FTP & Finger.
  
   * Blocking telnet and Enabling SSH.   * Blocking telnet and Enabling SSH.
Line 57: Line 57:
            
      * **Enabling SSH on Win32**:       * **Enabling SSH on Win32**: 
-       * From the //Synchronet Control Panel//, Select **Terminal->Configure** from the top menu, then select the **SSH** tab. Check off **Enable**, then click **Apply** & **OK**.+       * From the //Synchronet Control Panel//, Select **Terminal->Configure** from the top menu, then select the **SSH** tab. Check off **Enable**, then click **OK**.
  
  
   * Disable FTP   * Disable FTP
     * FTP is not a secure method of transferring information - at any given time it's possible FTP sessions could be intercepted (most dangerous during authentication)     * FTP is not a secure method of transferring information - at any given time it's possible FTP sessions could be intercepted (most dangerous during authentication)
-      * **Disable FTP on Win32**: From the //Synchronet Control Panel//, Select **FTP->Configure** from the top menu, on the **General** tab. UnCheck **Auto Startup**, then click **Apply** & **OK**.+      * **Disable FTP on Win32**: From the //Synchronet Control Panel//, Select **FTP->Configure** from the top menu, on the **General** tab. UnCheck **Auto Startup**, then click **OK**.
  
   * Don't enable HTTP with basic auth   * Don't enable HTTP with basic auth
-    * HTTP with basic auth is not a secure method of transferring information - at any given time it's possible HTTP with basic auth sessions could be intercepted+    * HTTP with basic auth is not a secure method of transferring information - at any given time it's possible HTTPwith basic auth sessionscould be intercepted
       * Change: Configuration Value       * Change: Configuration Value
-      **Disable Web Server on Win32**: From the //Synchronet Control Panel//Select **Web->Configure** from the top menuon the **General** tabUnCheck **Auto Startup**, then click **Apply** & **OK**.+        In the .ini filein the Web sectionadd (or modify) the Authorization line to read ''Authorization=Digest'' 
 +        Ensure that any webctrl.ini files don't override this value.
  
   * Don't enable NNTP   * Don't enable NNTP
Line 85: Line 86:
     * If you plan to recieve mail on your BBS     * If you plan to recieve mail on your BBS
       * POP3 and SMTP       * POP3 and SMTP
-    * If you only play to send mail on your BBS+    * If you only plan to send mail on your BBS
       * SendMail        * SendMail 
 +
 +=== Logging ===
 +**Unix**: [[config:nix#logfacility|Setup Synchro to log to a specific file]]
 +
 ===== Hardening Suggestions for 3.16: ===== ===== Hardening Suggestions for 3.16: =====
  
-  * Passwords should not be echo'd to the log/console 
-     * Set SCFG->System->Toggle Options->Echo Passwords Locally to "No". 
-     * Alternatively, ensure the log/console is not accessable by untrusted users.  Since passwords are stored in plain text, having them also in the log or on the console is not an increase in attack surface if this precaution is taken. 
-  * Disable passwords being sent in emails 
-     * Set email_passwords=false in the [login] section of the ctrl/modopts.ini file 
   * Disable Showing Version information to clients   * Disable Showing Version information to clients
-     * text/answer.wip (Line: 15, @VER@)+     * text/answer.wip (Line: 15, //**@VER@**//)
  
 Things to Investigate: Things to Investigate:
  
-@NUMDIR@ - JS_VER - LIB LIBL - LN - MSG_LIB - SOCKET_LIB +//**@NUMDIR@**// //**@JS_VER**// //**@LIB LIBL**// //**@LN**// //**@MSG_LIB**// //**@SOCKET_LIB**//