Training on Zimbra at Dodla Dairy by GBB

Example issues can be seen at https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_Troubleshooting_Zimbra_issues

Older articles are available at https://www.sbarjatiya.com/notes_wiki/index.php/Troubleshooting_zimbra_issues

For other issues use below suggested methods.

Refer https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_Zimbra_backup_and_restore

For understanding DNS blacklists and configuring them for Zimbra refer:

• https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_Configure_Postfix_to_block_spam
• https://www.blackmoreops.com/2016/12/19/add-rbl-zimbra-server/

Additional anti-spam techniques:

• https://wiki.zimbra.com/wiki/Anti-spam_Strategies
• https://wiki.zimbra.com/wiki/Zimbra_MTA#Turning_On_or_Off_RBLs

If system is already compromised, dont try to harden it. The best option is to take data (not application) backup and format the system. All infected partitions including D: might have to be formatted to clean the infection.

Any new Windows installation is vulnerable as many latest patches are developed after Windows installation was prepared. These patches are released after Windows installation was prepared and are not part of installation DVD. To get these packages systems are often connected to Internet to get these updates. This has two issues:

1. System is vulnerable while patches are getting downloaded and installed.
2. If the number of systems in large then considerable Internet bandwidth is getting used in re-downloading same patches for different systems.

A utility for updating windows offline is available at http://www.wsusoffline.net/ This utility can help in preparing a offline update DVD. Using such offline update DVD, systems can be patched before they are connected to Internet.

At various stages of hardening such as initial unhardened system can be imaged for future reference or restoring purposes. If during hardening system breaks, we can revert to previous stable image and continue hardening using different techniques.

In case of VMs the image can be created as snapshot or templates. In case of physical systems consider using free edition of https://www.macrium.com/reflectfree

If there is expertise in Linux then live boot using system rescue CD, followed by imaging disk using Linux dd command can also be considered. Refer https://www.sbarjatiya.com/notes_wiki/index.php/Cloning_disks_or_partitions_using_dd

If there is need to clone from one Gold system to many others refer https://www.sbarjatiya.com/notes_wiki/index.php/Udpcast

Windows 10 comes with Windows Defender anti-virus. If some other anti-virus is desired then even that can be considered. It is useful to have anti-virus as it can scan files obtained from media (USB, CD/DVD, etc.) or downloaded from Internet. It is also possible to receive files using protocols such as Windows File Sharing, SMTP (Email attachments), etc.

In Linux it is rare to login directly as root on workstations. Most work is done using normal user account. Privilege escalation is used when administrative access is required for thing such as:

• Modifying critical system settings, files, partitions, etc.
• Starting important network service on ports < 1024
• Installing software or drivers to be available to all users
• Update date/time or ntp settings
• Join or leave AD domain

The same is recommended for Windows. All work should be done from standard non-administrator user. Login as administrator only when required.

It is unwise to install unknown software or software which is required for one-time use directly on important end-user machine. Such software should be installed on test machine or on VMs. After work is done test machine can be restored to original image or VM can be restored to previous snapshot.

Many remote access software such as anydesk or teamviewer can also be run from inside the VM. This way only VM is accessible from reverse anydesk or teamviewer and not the real admin station.

It is irritating to get notifications for approval initially but they are helpful in maintaining a secure system. Go to Control Panel -> All Control Panel Items -> User Accounts -> Change User Account Control Settings and move slider up to make system more secure.

Using network as work/home is useful only when file sharing, joining domain, etc. are desired. If these are not desired, then choosing public for a network gives it most secure defaults.

Additional steps from the reference hardening link such as:

Use only Bare Essential Network protocols

Disable IPv6, File and printer sharing, Microsoft LLDP Protocol Driver, etc.

Disable IPV6 Totally

If IPv6 is not supported by ISP and not used within home/office internally, then disabling it makes system more secure from 6to4 tunneling.

Disable unused Networking Devices

Disable unused networking devices such as remote desktop redirection bus and kernel debug network adapter

Disable IGMP

Disable group protocols unless multicast protocols and support are required.

Disable port 1900 UPnP

It is not advisable to have UPnP so that all firewall rules are manual

Disable SMB v1 protocol

Disable old vulnerable protocols

Disabling Listening Ports

Look at netstat -abn output and disable services which are not required. As such firewall should provide protection against unauthorized connection to these services, but there is no point having service, if it is not required at all.

Network firewall

Apart from host level firewall, considering having a network firewall (hardware or software - such as pfsense).

Windows Advanced Firewall, turn on outbound blocking and logging

Most firewalls are configured to block only incoming connections while allowing all outgoing traffic. This is definitely bad.

However, use this with caution. Many systems such as anti-virus, OS, anti-spam, etc. talk to central servers for updates, signatures, patches. Disabling outgoing access by default might break many of these software.

Many more

Many more such useful advise from the reference link.

FTP protocol was not designed to traverse firewalls. By default FTP used one port 21 for control and other port 20 for data. Further, ftp assumes both server and client to be on same network without any NAT in between as data transfer requires server to connect to client on port 20 and not other way round.

Thus, passive FTP was invented to solve this issues. However, in this case server sends a port number from a range of port numbers to client for connecting. This port range is typically in insecure 1024-65535 range. For ftp server to work this port range has to be allowed in firewall. This is an issue as any unprivileged process can listen on these ports and act as backdoor for server.

Hence, ideally both FTP and FTPS (FTP over SSL) should be avoided and more secure and more modern protocols discussed later should be preferred.

Refer: https://www.sbarjatiya.com/notes_wiki/index.php/Active_vs_passive_ftp

Any Linux machine with SSH should provide SFTP subsystem support. If the goal of file sharing server is to give individuals private data storage space on server without any sharing between users then SFTP is a easy to setup choice. Setting up a Linux server with Linux users makes it a file sharing utility.

To secure it further consider editing /etc/ssh/sshd_config using:

Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

then add sftp only users to 'sftponly' group. These users will only be able to connect over sftp and chrooted to home folder. They will not be able to access anything outside home folder.

Note that this breaks rsync as users home folder is not a fully functional chroot environment with /dev/null, /dev/zero, /etc/passwd, etc. required files.

Note that this requires doing

1. chown root:root /home/user1
2. chmod 755 /home/user1
3. mkdir /home/user1/files
4. chown user1:user1 /home/user1/files
5. chmod 700 /home/user1/files

so that sftp chroot directory is owned by root user while accessible by user. At the same time there is a directory which can be read/written only by the user.

Ideally only key based access should be allowed. Do not use password based access.

Demo test1@mail.zimbra.sbarjatiya.com user sftp

Refer: https://www.sbarjatiya.com/notes_wiki/index.php/Chrooting_sftp_users_to_home_directory_with_openSSH

Other way of sharing files is by a more involved Samba or NFS setup. Samba plays well with Windows clients and supports authentication. It also allows many users to access same set of shared files/folders for read/write. Even printer sharing is allowed.

NFS is easier to configure and allows access based on client IP. We cannot configure authentication for NFS. It is easier to use NFS in Linux environments.

Refer:

• https://www.sbarjatiya.com/notes_wiki/index.php/Samba_server_configuration
• https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_NFS

Refer: https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_create_lightsail_owncloud_instance

Demo owncloud

For LAN monitoring consider using:

Nessus

It can be used for monitoring uptime, service status.

Cacti

It can be used for monitoring CPU, bandwidth used for each port. This works for both hosts and network devices using SNMP.

OpenNMS

It can also monitor traps sent by network devices such as port up/down information, configuration change, admin login, etc.

Refer:

• https://www.sbarjatiya.com/notes_wiki/index.php/Nagios_configuration
• https://www.sbarjatiya.com/notes_wiki/index.php/Cacti
• https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_OpenNMS

Once we have details of current status and usage, we can optimize by mechanisms such as upgrading switch, upgrading firmware, configuring or using port or link-aggregation, etc.

For WAN if we can setup firewall and monitor WAN usage based on parameters such as source IP, source user, destination domain, domain category, application traffic - http, dns, etc. This is easier to do using commercial sonicwall analyzer, fortilyzer, etc. But if required pfsense with ntop can also provide reasonably good information. Once it is learned which protocols or users or applications are using undesired amount of bandwidth, we can either block them or rate limit their usage.