Linux Server Diary

000-SSH+Firewall

1. Change root password after server provision
2. Create unprivileged user
3. Create SSH key pair on client machine and ssh-copy-id to user
4. Adjust /etc/ssh/sshd_config:
   PermitRootLogin no
   PubkeyAuthentication yes
   AllowUsers %user%
   PasswordAuthentication no
   TCPKeepAlive no
   UsePAM no
5. Prepare iptables
   - Protect against SSH Brute Force
   - Protect email daemon ports during setup

*filter
:INPUT ACCEPT [803:54262]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [479:50626]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "SSH_brute_force "
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP
# @see http://www.cyberciti.biz/faq/iptables-block-port/
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 143 -j DROP
-A INPUT -p tcp -m tcp --dport 110 -j DROP
COMMIT

001-Email

Taking e-mail back

Part 1: http://arstechnica.com/information-technology/2014/02/how-to-run-your-own-e-mail-server-with-your-own-domain-part-1/1/
Part 2: http://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-2-arming-your-server-with-postfix-dovecot/1/
Part 3: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/
Part 4: http://arstechnica.com/information-technology/2014/04/taking-e-mail-back-part-4-the-finale-with-webmail-everything-after/

Spamassassin sa-learn cronjob

http://www.dovecot.org/list/dovecot/2008-January/028413.html