Authoritative Postfix with Gmail
March 22, 2012 by Jaryd Malbin
I ran into an interesting problem this morning. I observed that a small portion of the email originating from my servers was simply disappearing. The most notable culprit was mail destined to AOL.com. I checked the email headers for mail destined to Gmail, and found that Google did not deem the mail particularly spammy, and so I was a little puzzled as to where the AOL mail was heading.
I spoke with the user with the suspicion that the mail was simply hitting the spam folder, and that it was just buried. However, the mail wasn't there, and so I dove into the logs.
Read more for the solution and configuration example.
SSH & SMS: Two Factor Authentication
March 09, 2012 by Jaryd Malbin
Two-factor authentication is the practice of authenticating a user twice, using two independent techniques. If you have ever used RSA SecurID or (most) banking websites, then you are familiar with this authentication model.
No solution is perfect in itself, and so the idea is to continue to add layers of security.
Consider this example: an attacker gains local access, escalates to root, and replaces sshd with a comparable binary that logs passwords. Without two-factor authentication, the attacker will be able to "follow" users out of the compromised server. With two-factor authentication, the attacker will obtain the users' passwords but will not be able to pass the secondary authentication method.
Read more for code and an example configuration.
The Datacenter as a Computer
January 12, 2012 by Jaryd Malbin
Published in 2009 and authored by Google engineers Luiz André Barroso and Urs Hölzle, "The Datacenter as a Computer" dives into the minds of two pivotal engineers who have helped Google build their legendary datacenters.
“These new large data centers are quite different from traditional hosting facilities of earlier times,” Barroso and Hölzle wrote. “Large portions of the hardware and software resources in these facilities must work in concert to efficiently deliver good levels of internet service performance, something that can only be achieved by a holistic approach to their design and deployment. In other words, we must treat the data center itself as one massive warehouse-scale computer.” (Google’s Data Center Engineer Shares Secrets of ‘Warehouse’ Computing)
Read more:
- Google Research: Luiz André Barroso, Urs Hölzle
- Barroso.org: http://www.barroso.org/
CentOS/RHEL Essential Reading
January 9, 2012 by Jaryd Malbin
With every major release, Red Hat publishes comprehensive documentation detailing its latest software offering. I consider the following two guides to be essential reading for any security-minded administrator.
"RHEL 6 - Security Guide" covers basic hardening practices ranging from physical security to configuration tweaks. This guide touches briefly upon SELinux. SELinux (Security-Enhanced Linux) was originally developed by the United States National Security Agency. It comprises a set of kernel modifications and userland tools that provide more fine-grained access controls and security modules.
For a more comprehensive guide to configuring and managing an SELinux-enforcing environment, refer to "RHEL6 - SELinux".
Hardened CentOS6 LEMP on Linode
December 11, 2011 by Jaryd Malbin
This is a multi-part article on installing and configuring a hardened LEMP server on the Linode cloud. LEMP refers to a server running Linux, nginx (pronounced "engine x"), MySQL, and PHP.
This guide assumes the reader has familiarity with the Linux shell, or is not afraid of diving right in. You will need a Linode account. Note: This guide will probably work fine (with minor tweaks) for a CentOS6 build on other platforms as well.
- Step 1: Preliminary Setup
- Step 2: Grsecurity
- Step 3: SSHD
- Step 4: nginx
- Step 5: PHP
- Step 6: IPTables
- Step 7: MySQL
