Disable unnecessary services. Type as root:
setup
Choose System services and uncheck:
anacron atd auditd cpuspeed kudzu mcstrans netfs pcscd portmap
Keep auditd enabled if you rely on the kernel audit log for forensics: it costs little on a small server and is the only record of what was done as root. Disable only the services you know nothing on this machine needs.
Update all software:
yum update
Disable IPv6 if nothing on the server uses it. Edit /etc/sysconfig/network and set:
NETWORKING_IPV6=no
HOSTNAME=sscserver
After that add the following to /etc/modprobe.conf:
alias ipv6 off
alias net-pf-10 off
and reboot:
reboot
After the above steps, follow the guide Install and secure LAMP on CentOS.
Install Webmin. Navigate to http://www.webmin.com/download.html and download the RPM package:
wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470-1.noarch.rpm
rpm -ivh webmin-1.470-1.noarch.rpm
Point your browser to http://ip.address:10000 and log in with your root password. Webmin gives full root access over the network, so do not leave port 10000 reachable from the Internet: restrict it to your administrative addresses in the firewall, and enable SSL under Webmin Configuration so the root password is not sent in clear text.
Secure server. Change your root password:
passwd
For security reasons we will add a new user sscadmin for administration purposes:
adduser sscadmin && passwd sscadmin
Add the user sscadmin to the wheel group:
usermod -a -G wheel sscadmin
User sscadmin will use sudo for administrative tasks. Ensure the wheel group has the correct privileges. Run:
visudo
and uncomment the line:
%wheel ALL=(ALL) ALL
to allow people in group wheel full sudo privileges. Leave the NOPASSWD: variant of that line commented out so every privileged command still asks for the user's password. Once sudo works for sscadmin, log in as that user and use sudo instead of working directly as root.
To secure SSH access to the server follow the guide Secure existing OpenSSH installation.
The next step is to secure the temporary folders. Follow the guide Secure temporary folders on existing Unix or Linux systems.
If you want to harden your server, follow the guide Server Hardening with ConfigServer Security & Firewall (CSF)
Install PostgreSQL database server
yum install postgresql postgresql-server
Start it and set it to run at startup:
service postgresql start
chkconfig postgresql on
Connect to the PostgreSQL server:
su - postgres
psql -d template1 -U postgres
You'll get the following output:
Welcome to psql 8.1.11, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

template1=#
The postgres superuser has no password at this point. Set one before any application connects, and review the access rules in /var/lib/pgsql/data/pg_hba.conf before opening port 5432 to anything other than local connections.
Install Postfix and remove Sendmail (install Postfix first so the system is never left without an MTA):
yum install postfix
yum remove sendmail
Edit the Postfix configuration file /etc/postfix/main.cf and change the following lines (one parameter per line, as in main.cf; replace domain.tld with the server's fully qualified host name):
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_security_options = noanonymous
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = domain.tld
Two of these settings do the real work. reject_unauth_destination in smtpd_recipient_restrictions is what keeps the server from being an open relay: mail for other domains is accepted only from mynetworks or after SASL authentication. smtpd_tls_auth_only = yes refuses the AUTH command until the client has issued STARTTLS, so the PLAIN and LOGIN passwords enabled in the SASL step below are never sent in clear text; with the value no, a client on an untrusted network can leak its mailbox password in the first round trip.
Set up SASL + TLS to authenticate users. Install the required software:
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 \
    cyrus-sasl-plain
Edit the SASL configuration file for smtpd to allow the PLAIN and LOGIN mechanisms (on x86_64 systems the file is /usr/lib64/sasl2/smtpd.conf instead):
nano -w /usr/lib/sasl2/smtpd.conf
and add the following:
pwcheck_method: saslauthd
mech_list: plain login
Both mechanisms transmit the password unencrypted, which is why they must only be offered inside a TLS session. saslauthd checks the credentials against the system accounts, so every mail user is a local account.
Create the certificates for TLS. Create the private CA first and use it to sign the server certificate, so that the cacert.pem named in smtpd_tls_CAfile is actually the issuer of smtpd.crt. The CA key is protected by a passphrase; the server key is generated unencrypted so Postfix can start unattended, which is why it must be readable by root only:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 cakey.pem
openssl genrsa -out smtpd.key 2048
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt
When prompted for the Common Name of smtpd.csr, enter the host name clients will connect to (the value of myhostname); give the CA a different Common Name. A 2048-bit key is used because 1024-bit RSA is no longer considered adequate.
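The following is an added example and is not part of the original guide: a small POSIX shell script that reads a Postfix main.cf the way Postfix does (name = value pairs, # comments, continuation lines that begin with whitespace, last definition wins) and flags the handful of settings from the Postfix and SASL/TLS steps above that decide whether the server is an open relay or lets SASL passwords travel in clear text. The function names, the list of checks and the sample main.cf contents are assumptions made for the example; on a real server run check_main_cf /etc/postfix/main.cf.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a Postfix main.cf for the
# relay and SASL/TLS settings configured in this guide.

# get_param FILE KEY: print the effective value of KEY, following main.cf rules:
# "name = value", "#" comments, whitespace-led continuation lines, last one wins.
get_param() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # comment line
        /^[[:space:]]/ {                                # continuation of previous value
            if (cont) { sub(/^[[:space:]]+/, ""); val = val " " $0 }
            next
        }
        {
            cont = 0
            i = index($0, "=")
            if (i == 0) next
            name = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", name)
            if (name != key) next
            cont = 1
            val = substr($0, i + 1)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
        }
        END { sub(/^[[:space:]]+/, "", val); print val }
    ' "$1"
}

# check_main_cf FILE: print one WEAK: line per finding, return 1 if any were found.
check_main_cf() {
    f="$1"; rc=0
    [ "$(get_param "$f" smtpd_use_tls)" = "yes" ] || {
        echo "WEAK: smtpd_use_tls is not yes, so STARTTLS is never offered"; rc=1; }
    [ "$(get_param "$f" smtpd_tls_auth_only)" = "yes" ] || {
        echo "WEAK: smtpd_tls_auth_only is not yes; PLAIN/LOGIN passwords may be sent in clear text"; rc=1; }
    case "$(get_param "$f" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "WEAK: smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    case "$(get_param "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "WEAK: smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)"; rc=1 ;;
    esac
    case "$(get_param "$f" mynetworks)" in
        *0.0.0.0/0*) echo "WEAK: mynetworks trusts the whole Internet"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (assumption: the relevant subset of the guide's main.cf).
WEAK_CF=$(mktemp); GOOD_CF=$(mktemp)
trap 'rm -f "$WEAK_CF" "$GOOD_CF"' EXIT
cat > "$WEAK_CF" <<'EOF'
# constructed sample: relay settings with clear-text AUTH still allowed
inet_interfaces = all
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_auth_only = no
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     xxgdb $daemon_directory/$process_name $process_id & sleep 5
EOF
# Same file with the fix appended: a later definition overrides the earlier one.
{ cat "$WEAK_CF"; echo "smtpd_tls_auth_only = yes"; } > "$GOOD_CF"

if check_main_cf "$WEAK_CF"; then
    echo "unexpected: weak sample passed"
else
    echo "weak sample rejected as expected"
fi
if check_main_cf "$GOOD_CF"; then
    echo "hardened sample passes"
fi
```

get_param deliberately handles the multi-line debugger_command value, so the script does not mis-read the line after it; a simple grep would. The checks are a floor, not a full audit: they say nothing about the certificate files or about what saslauthd accepts.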
Install Dovecot:
yum install dovecot
Open the Dovecot config file /etc/dovecot.conf and enable the listeners:
protocols = imap imaps pop3 pop3s
imaps and pop3s use the certificate and key named by ssl_cert_file and ssl_key_file in the same file (Dovecot ships a self-signed pair). Plain imap and pop3 carry the password in clear text, so keep them for clients on localhost such as Squirrelmail and block ports 110 and 143 from the outside in the firewall.
Install Squirrelmail (the squirrelmail package from the CentOS repositories) and set it up under Apache. Open /etc/httpd/conf/httpd.conf and insert the following lines:
Alias /squirrelmail "/usr/share/squirrelmail"
<Directory /usr/share/squirrelmail/>
    Options None
    AllowOverride none
    DirectoryIndex index.php
    Order allow,deny
    allow from all
</Directory>
Options None rather than Options Indexes: Squirrelmail does not need directory listings, and a listing would expose the application layout to anyone. Because the login form sends the mailbox password, serve Squirrelmail over HTTPS using the SSL setup from the LAMP guide.
Run the configuration utility and set the server settings to SMTP and change your domain name to domain.tld:
/usr/share/squirrelmail/config/conf.pl
Start all e-mail services and restart Apache:
service postfix start
service dovecot start
service saslauthd start
service httpd restart
Create a local user to test e-mail (the nologin shell lets it receive mail and authenticate to Dovecot and SASL, but not log in on the server):
adduser dima -s /sbin/nologin
Set a password for it:
passwd dima
To test the e-mail, open Squirrelmail in the browser and log in with that username and password.
Make the e-mail services run at startup (the sendmail line is only needed if Sendmail is still installed):
chkconfig --levels 235 sendmail off
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on