Koozali.org formerly Contribs.org

Recent Posts

1
SME Server 9.x / Re: ibay permissions question, can anyone help please?
« Last post by stabilys on Yesterday at 01:34:19 PM »




Quote
It should be possible to tighten the security -- but I, too, would go slowly.

Decide on a new security configuration then test it on a new or small ibay.

As long as you save a copy of the db settings for your ibays you can put them back if you try something that doesn't work.

Thank you mmccarn I will play with this carefully.

MeJ
2
SME Server 9.x / Re: ibay permissions question, can anyone help please?
« Last post by mmccarn on Yesterday at 04:50:57 AM »
'signal-event ibay-modify' (/etc/e-smith/events/actions/ibay-modify) definitely includes code to reset ownership and permissions within ibays based on the ibay settings in the accounts db:

Code:
if ($properties {'UserAccess'} eq 'wr-admin-rd-group')
{
    $::owner = "admin";
    $::fileperm = 0640;
    $::dirperm = 02750;
}
elsif ($properties {'UserAccess'} eq 'wr-group-rd-group')
{
    $::fileperm = 0660;
    $::dirperm = 02770;
}
elsif ($properties {'UserAccess'} eq 'wr-group-rd-everyone')
{
    $::fileperm = 0664;
    $::dirperm = 02775;
}
else
{
    warn("Value of UserAccess bad or unset");
}


It should be possible to tighten the security -- but I, too, would go slowly. 

Decide on a new security configuration then test it on a new or small ibay. 

As long as you save a copy of the db settings for your ibays you can put them back if you try something that doesn't work.

'db accounts show' will list the entire accounts db; 'db accounts show ibayname' will show the settings for ibayname.
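
A dry-run check for the modes in the excerpt above, added here as an example and not part of mmccarn's post or of SME Server: it walks a directory tree and reports which entries a given UserAccess value would re-mode, and which would lose access for "other", without changing anything. The function names and the temporary sample tree are constructed for illustration; only the three mode pairs shown in the excerpt are used and ownership is ignored.

```python
import os
import stat
import tempfile

# (fileperm, dirperm) per UserAccess value, copied from the excerpt above.
TARGET_MODES = {
    "wr-admin-rd-group": (0o640, 0o2750),
    "wr-group-rd-group": (0o660, 0o2770),
    "wr-group-rd-everyone": (0o664, 0o2775),
}

def preview_ibay_change(root, user_access):
    """Dry run: return (would_change, loses_other); nothing is modified."""
    if user_access not in TARGET_MODES:
        raise ValueError("Value of UserAccess bad or unset")
    fileperm, dirperm = TARGET_MODES[user_access]
    would_change, loses_other = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            current = stat.S_IMODE(st.st_mode)
            target = dirperm if stat.S_ISDIR(st.st_mode) else fileperm
            if current != target:
                would_change.append((path, oct(current), oct(target)))
            # "other" has some access now, and the target mode grants none
            if current & stat.S_IRWXO and not target & stat.S_IRWXO:
                loses_other.append(path)
    return would_change, loses_other

def build_sample_tree():
    """Constructed sample tree standing in for an ibay directory."""
    root = tempfile.mkdtemp(prefix="ibay-sample-")
    os.mkdir(os.path.join(root, "files"))
    for name, mode in (("open.txt", 0o664), ("tight.txt", 0o660)):
        path = os.path.join(root, "files", name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "files"), 0o2775)
    return root

if __name__ == "__main__":
    changes, exposed = preview_ibay_change(build_sample_tree(), "wr-group-rd-group")
    for path, cur, new in changes:
        print(f"{cur} -> {new}  {path}")
    print(f"{len(exposed)} entries would lose access for 'other'")
```

Run against a small test ibay first, the size of the two lists gives a feel for how much a real change would touch.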

3
SME Server 9.x / ibay permissions question, can anyone help please?
« Last post by stabilys on March 22, 2019, 04:35:43 PM »
Hi all:

on one SME server we have just realised that somehow, dunno how or when or even by whom, almost all ibays have been changed to the group 'everyone'. This server has been continuously upgraded since v4.

As we now need to restrict access for one remote user in China, putting them in a restricted group with restricted access to ibays does not of course actually restrict access to all other ibays on the server that are set to 'everyone'.

As there are 10 TB of data on the server I am cautious about making access changes without prior advice as propagating such things takes a long time to set and reverse.

Question 1: If we change the ibays to a more restrictive group will this affect the permissions on the files within the ibays?

Question 2: Are there any potential toxic side effects of simply changing the group?

Thanks in anticipation for clues.

MeJ
4
SME 9.x Contribs / Re: Wordpress & Fail2Ban
« Last post by Jean-Philippe Pialasse on March 22, 2019, 02:52:50 AM »
Personally I have used this for a while with success:


/etc/e-smith/templates-custom/etc/fail2ban/jail.conf/99wordpress
Code:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http,https
findtime = 3600
maxretry = 1
bantime = 3600
action   = smeserver-iptables[port="80,443",protocol=tcp,bantime=3600]
           smeserver-sendmail[name="Wordpress (auth)",dest=root]


/etc/fail2ban/filter.d/wordpress.conf
Code:
# Fail2Ban configuration file
#
# Author: Charles Lecklider
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
#failregex = ^.* wordpress .*: Authentication failure for .* from <HOST>$
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =






On top of that I have added the following to the most sensitive wordpress with only a few users:

.htaccess
Code:
<IfModule mod_rewrite.c>
# 403 error for any unauthorized ip to the admin pages
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# first block to allow #
RewriteCond %{REMOTE_ADDR} !^145\.99\.2.+\..+$
# another block
RewriteCond %{REMOTE_ADDR} !^100\.100\.135\.94$
RewriteCond %{REMOTE_ADDR} !^100\.102\..{1,3}\..{1,3}$

RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

# BEGIN protect xmlrpc.php
<files xmlrpc.php>
order deny,allow
deny from all
# wordpress com because of publicize.
allow from 192.0.64.0/18
# my ISP ips
allow from 200.48.208.0/20
</files>
# END protect xmlrpc.php


Just add this at the top of the wordpress htaccess file; you can add as many authorized IPs as you need.
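
The filter and jail above, exercised against constructed log lines; this is an added example, not part of Jean-Philippe Pialasse's post or of fail2ban. PREFIX and HOST are simplified stand-ins (assumptions) for fail2ban's own `%(__prefix_line)s` and `<HOST>` expansions, the function name is made up for illustration, and findtime is not modelled.

```python
import re

# Message parts of the failregex lines from the wordpress.conf filter above.
FAIL_MESSAGES = [
    r"Authentication failure for .* from <HOST>$",
    r"Authentication attempt for unknown user .* from <HOST>$",
    r"Blocked user enumeration attempt from <HOST>$",
    r"Blocked authentication attempt for .* from <HOST>$",
    r"Pingback error .* generated from <HOST>$",
    r"Spam comment \d+ from <HOST>$",
    r"XML-RPC authentication attempt for unknown user .* from <HOST>$",
    r"XML-RPC multicall authentication failure from <HOST>$",
]
# Assumption: simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>
# (IPv4 only); the real definitions live in common.conf and fail2ban itself.
PREFIX = r"^(?:\w{3}\s+\d+ [\d:]{8} )?\S+ wordpress(?:\([^)]*\))?(?:\[\d+\])?:\s+"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(PREFIX + m.replace("<HOST>", HOST)) for m in FAIL_MESSAGES]

def hosts_to_ban(lines, maxretry=1):
    """Return hosts whose matching-line count reaches maxretry (jail uses 1)."""
    counts = {}
    for line in lines:
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
                break
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed /var/log/messages lines (documentation addresses, made-up host).
SAMPLE_LOG = [
    "Mar 22 02:50:01 sme wordpress(blog.example)[4211]: Authentication failure for admin from 203.0.113.9",
    "Mar 22 02:50:07 sme wordpress(blog.example)[4211]: Blocked user enumeration attempt from 198.51.100.23",
    # name field that itself contains " from <ip>": with the trailing $ anchor, the last address is captured
    "Mar 22 02:51:10 sme wordpress(blog.example)[4212]: Authentication failure for x from 192.0.2.1 from 203.0.113.77",
    "Mar 22 02:52:00 sme wordpress(blog.example)[4213]: Accepted password for editor from 192.0.2.50",
    "Mar 22 02:52:30 sme sshd[991]: Authentication failure for root from 192.0.2.60",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

With maxretry = 1 every matching line is a ban, so the lines that must not match (a successful login, another daemon's failure) matter as much as the ones that do.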
5
SME 9.x Contribs / Re: Wordpress & Fail2Ban
« Last post by ReetP on March 22, 2019, 02:35:00 AM »
Cool and thanks!!
6
SME 9.x Contribs / Re: Wordpress & Fail2Ban
« Last post by Mophilly on March 21, 2019, 09:59:28 PM »
Can you add that to the wiki?

And a link on the fail2ban page to the Wordpress one?

I updated both the Fail2Ban page and the WordPress page to reference this thread. Each has a link to the other.
7
SME Server 9.x / Re: FTP access to ibay
« Last post by janet on March 21, 2019, 07:38:23 PM »
alanh

Quote
They need to access via http/https

You ask for http/https access & ftp access. Which do you want?
Read this for ftp, which is somewhat more complex & has quite specific setup requirements for SME server & external ftp client.
https://wiki.contribs.org/FTP_Access_to_Ibays
8
Italiano / Re: Sending mail from a script
« Last post by ReetP on March 21, 2019, 07:08:18 PM »
Search the forums for

"mail -s"

e.g.

echo "Hello World" | mail admin@someaddress.com -s "Subject"

Or look here:

https://forums.contribs.org/index.php/topic,52931.msg273281.html#msg273281
9
SME Server 9.x / Re: 550 A TLS connection is required
« Last post by ReetP on March 21, 2019, 06:51:53 PM »
Makes me laugh when banks & all those supposedly secure businesses can't get their stuff together.

So we get a mail from:

'barclaycarddatasecuritymanager.co.uk'

Go to that as a URL (just for the giggles)

https://barclaycarddatasecuritymanager.co.uk/

Ha - some lazy sod hasn't bothered with a redirect, or a proper cert for the site, which should be:

https://www.barclaycarddatasecuritymanager.co.uk/

I did tell them about this, like 7 months ago......

<shakes head>
10
SME Server 9.x / Re: 550 A TLS connection is required
« Last post by cno on March 21, 2019, 05:50:46 PM »
Thanks for everything, everybody.

If it helps, gratisdns.dk / larsendata.dk says (translated with Google):

https://status.larsendata.dk/

TLS 1.2 requirements from the Data Inspectorate

Since we have had a lot of questions regarding our requirement for TLS 1.2, we would like to point out that this is a requirement from the Data Inspectorate.

See more here: https://www.datatilsynet.dk/emner/persondatasikkerhed/transmission-af-personinformation-via-e-mail/

If the connection from the sender's machine to the sender's mail server is over an open network, the connection at the handover of the e-mail to this mail server must also be secured with TLS. Only TLS 1.2 or later should be used.

It is also a requirement that the mail server certificates are from approved issuers and match the host name of the mail server. Self-signed certificates cannot be approved. However, it is possible to use the same host name and thus only one certificate per mail server although there are many different domains on the same server.

We sell SSL certificates from DKK 300 on GratisDNS.dk

https://web.gratisdns.dk/ssl/

Exchange servers

Microsoft has made a guide to TLS 1.2 implementation which can be found here:

https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

Note that Exchange 2007 and earlier versions are not supported and should be updated immediately.