I haven’t done much over the weekend. Oh, just this: I sat down and installed a certificate from CAcert, and made our web server and email setup a bit more secure. Here’s how:
First you have to go to the above mentioned cacert.org website and register yourself, your main domain name, and all of your subdomains which you want to protect. You can use a wildcard like *.mydomain.com or the like. Be sure to setup email forwarders for all of those first, as you are required to confirm these mails sent to hostmaster, postmaster, or root and so on - even for subdomains you might have.
After doing that, go to their Wiki page to learn how to use the Apache web server together with vhosts (virtual hosts, which means your sub- or other domains). Download the script onto your server, and run it, following the example given on the page. You will end up with a CSR (certificate signing request), which you should copy & paste into your admin area with CAcert - this will produce a signed, ready-to-use certificate for your server.
This certificate will be valid for half a year only, after which you have to renew it. In case you don’t know yet: CAcert works with a web of trust, very similar to GnuPG, and you can “earn” points when meeting other people for key- (or cert-?) signing. If you have enough points, your certificate will be valid for two years instead of just 6 months. You can (and should) read all of this on their page.
Further down that mentioned wiki page, under “Example Configuration”, you’ll find detailed steps about how to proceed with your Apache setup. Adjust the examples to your need, and paste them into your httpd.conf and vhosts.conf. Be sure to really stop and restart your web server; a reload won’t be enough. Then go and test your pages both with http (on port 80) as well as with https (on port 443). Make sure to cover at least every login and admin page with that setup.
If everything runs fine, go and proceed with POP3s and IMAPs, should you offer that. We are currently using the courier server together with maildrop, which offers both. But it didn’t right out of the box: first we had to ‘apt-get install courier-pop-ssl courier-imap-ssl’. That’s Debian: life can be so easy 
I’ll stick with the CAcert Wiki, to make things easy - tho you can find lots of information all over the internet about secure servers, and I’m pretty sure that publishers like O’Reilly offer books about that with more details than you’d ever like to know. However, for our purposes, scroll back up the CAcert Wiki, and in their search box, enter “courier”. Voila - there you have it. You don’t have to care about the first half of the explanation, since you have a certificate already. So just go to the “tricky” part, where you have to glue the cert, the key, and some DH information together:
# cat mail.example.com.key mail.example.com.crt > mail.example.com.pem
# openssl gendh >> mail.example.com.pem
After following their advice with the ‘chmod 400′ (which you should do with all the stuff here), and editing and restarting courier (both pop3 and imap), you’re done.
That’s it - for receiving email. For sending, repeat the procedure (search the page for ‘postfix’, and follow the TLS setup instructions). Then you’re mostly done, regarding the server side setup.
For the client setup, first download and import the root certificate of CAcert in both Firefox and Thunderbird, for instance (I’m mentioning these here, because they are cross-platform. Of course there are many great alternatives on Linux and BSD systems). Then test email access, both with POP3 and POP3/SSL, as well as (if you need it) with IMAP and IMAP/SSL. After that, try to send yourself a mail, using TLS (which doesn’t change the default port of 25 for SMTP (the simple mail transport protocol)).
Still with me? Fear not; we’re almost there. If you - like we - happen to use Wordpress on some of your pages, you still have to set the Wordpress URL (under Options) to https://yoursite.com, leaving the Blog URL at http://yoursite.com. Since Wordpress uses these URLs to actually hardlink everything on its admin pages, this must be done. Still, as some guys pointed out, cookies can be sent in cleartext, so watch out in hostile surroundings (you don’t save cookies or even passwords on your machines, do you? Then start with a fresh browser session). This is being worked on: the Wordpress 2.1alpha brings secure logins already, so things are changing for the better. If you want real Wordpress security now, visit Jürgen Kreileder’s pages and follow that setup - here an own server (at least vserver) is a must - you won’t be able to do this on shared webhosting.
Ok; what have we achieved? Following this simple howto, you can securely log into your protected pages, send and receive email in a secure way, and just show your friends and the rest of the world that you’re cool. It helps if you can answer some questions from people with less understanding (aka your “Users”), but if you can help here as well, then it’s only for the better. Show everyone and your neighbour what can be done with no money involved - just free and open source software, and some of your time on a rainy weekend.
0 Responses to “Howto secure your vserver”