Collect mails from other accounts

From Linuxintro
This article shows how you can collect e-mails from your accounts on the web to your local computer. It has been tested with SUSE Linux 10.3 but should work for other configurations as well.

To collect mails from POP accounts, we use fetchmail.

= Install fetchmail =

To install what we will need, run

 yast -i procmail
 yast -i fetchmail

= Configure fetchmail =

To configure it, use the file .fetchmailrc in your home directory. It should look like this:

 poll ''pop.provider.net''
         user "''username@provider.net''"
         pass "''password''"
         is ''localuser''
         mda "/usr/bin/procmail -f fetchmail"

Replace

* ''localuser'' with your local user on your Linux box.
* ''pop.provider.net'' with your provider's POP server name.
* ''username@provider.net'' with your mail address.
* ''password'' with your password at the provider.

Then set the permissions for the file so that only you can read it; fetchmail refuses to use a .fetchmailrc that grants any permission to group or others, since it contains your password:

 chmod 600 .fetchmailrc

= Configure procmail =

Procmail is a '''m'''ail '''d'''elivery '''a'''gent (MDA). It works together with the MTA: an MTA can either store its mails on its own or hand them over to an MDA, and the MDA can then call e.g. spam checkers before delivering (or not delivering) the mail. Write a file /etc/procmailrc with the following content:

 LOGFILE=/var/log/procmail
 DROPPRIVS=yes
 DEFAULT=$HOME/Maildir/
 MAILDIR=$HOME/Maildir/

Test procmail:

 echo "this should be in your mailbox" | procmail

Now

 grep "this should be in your mailbox" ~/Maildir/new/*

must deliver a match.

= Call fetchmail =

You need to know whether your provider has a POP or an IMAP server for you, or you need to try it out.

 fetchmail -p POP3 -v ''pop.provider.net''

Replace ''pop.provider.net'' by your provider's POP mail server.

 fetchmail -p IMAP -v ''imap.provider.net''

Replace ''imap.provider.net'' by your provider's IMAP mail server.
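An added example, not from the Linuxintro page, in POSIX shell: it writes a .fetchmailrc in the form shown above and then applies the same test fetchmail itself performs before reading the file (no permission bits for group or others), so you can see which chmod values fetchmail accepts. The function names fetchmailrc_ok and write_fetchmailrc, the server pop.example.net and the account data are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Linuxintro page: write a .fetchmailrc in the
# form shown in the article and check its mode the way fetchmail does before
# it will read the file (no permission bits for group or others).
# All names and account data below are constructed.

# fetchmailrc_ok FILE -> 0 if group and others have no permission bits, 1 otherwise
fetchmailrc_ok() {
    [ -f "$1" ] || return 1
    # columns 5-10 of `ls -l` output are the group and other permission triplets
    go=$(ls -ld "$1" | cut -c5-10)
    case "$go" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# write_fetchmailrc FILE POPSERVER MAILADDRESS PASSWORD LOCALUSER
# Creates FILE with mode 600 from the start so the password is never readable by others.
write_fetchmailrc() {
    f=$1
    ( umask 077; : > "$f" ) || return 1
    cat >> "$f" <<EOF
poll $2
        user "$3"
        pass "$4"
        is $5
        mda "/usr/bin/procmail -f fetchmail"
EOF
    chmod 600 "$f"
}

# demo: constructed data in a temporary directory, removed afterwards
demo() {
    d=$(mktemp -d)
    rc="$d/.fetchmailrc"
    write_fetchmailrc "$rc" pop.example.net user@example.net 'not-a-real-password' alice
    if fetchmailrc_ok "$rc"; then
        echo "mode 600: fetchmail will read $rc"
    fi
    chmod 710 "$rc"
    if fetchmailrc_ok "$rc"; then
        echo "unexpected: mode 710 accepted"
    else
        echo "mode 710: fetchmail would refuse $rc (group has permission bits)"
    fi
    rm -rf "$d"
}

demo
```

The check looks only at the group and other triplets of `ls -l`, which is exactly the part fetchmail objects to; a mode such as 710 or 640 fails it, 600 and 700 pass.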
 

Configuring and securing sshd

Revision as of 19:38, 17 October 2008

All following configuration takes place in /etc/ssh/sshd_config. Be sure to look for existing statements, since in most cases the configuration option already exists in your default sshd_config, and sshd uses the first value it finds for an option.

= Disable X11Forwarding =

If you do not want to use X11 forwarding, you should disable it altogether by setting

<pre>X11Forwarding no</pre>

While X11 is not a real danger for your server, it may cause users to unwillingly reveal private data, because a remote client can snoop on the local X server, e.g. capturing passwords as they are typed.

= Putting sshd on a non-standard port =

This is security by obscurity only and is of little value if someone uses a port scanner to check whether an ssh daemon is running on a non-standard port. Anyway, it can be useful if you need to access your server from somewhere where outgoing TCP port 22 is blocked. Just extend your sshd_config:

<pre>Port port
ListenAddress 0.0.0.0:port</pre>

'''Note: If you still want the default of 22, you must specify it explicitly now, since you have a differing port already configured.'''
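An added example, not from the Linuxintro page, in POSIX shell. It shows why the advice to look for existing statements matters: sshd takes the first value it finds for a keyword, so an `X11Forwarding no` appended below a distribution default of `X11Forwarding yes` changes nothing. The helpers report the value sshd would actually use and change a setting in place. The function names sshd_effective and sshd_set and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Linuxintro page: sshd uses the FIRST value it
# finds for a keyword, so a line appended below an existing "X11Forwarding yes"
# has no effect. These helpers show what sshd would use and change a setting
# in place. Function names and the sample config are constructed.

# sshd_effective FILE KEYWORD -> prints the value sshd would use, or nothing if unset.
# Comments are skipped; parsing stops at the first Match block, whose lines
# apply only conditionally. Keywords are compared case-insensitively, as sshd does.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print; exit
        }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE -> rewrites the first active occurrence of KEYWORD;
# if there is none, inserts the line before the first Match block (or at the end),
# so the new setting is global and not swallowed by a Match block.
sshd_set() {
    f=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); name=$2; val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v name="$name" -v val="$val" '
        BEGIN { done = 0 }
        !done && !/^[ \t]*#/ && tolower($1) == "match" { print name, val; done = 1 }
        !done && !/^[ \t]*#/ && tolower($1) == key     { print name, val; done = 1; next }
        { print }
        END { if (!done) print name, val }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the original file mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# demo with a constructed sshd_config resembling a distribution default
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sshd_config for the example
#Port 22
X11Forwarding yes

# appended by an admin who did not look for the existing statement:
X11Forwarding no
Match User backup
    X11Forwarding yes
EOF
    echo "effective X11Forwarding: $(sshd_effective "$cfg" X11Forwarding)"   # yes
    sshd_set "$cfg" X11Forwarding no
    sshd_set "$cfg" Port 2222
    sshd_set "$cfg" ListenAddress 0.0.0.0:2222
    echo "after sshd_set: X11Forwarding=$(sshd_effective "$cfg" x11forwarding)" \
         "Port=$(sshd_effective "$cfg" Port)" \
         "ListenAddress=$(sshd_effective "$cfg" ListenAddress)"
    rm -f "$cfg"
}

demo
```

On a real host, `sshd -T` prints the configuration sshd will actually use, and `sshd -t` checks the file for errors before you restart the daemon; both are quicker than reading the file by eye.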