Currently Browsing: Linux

Securing SSH

Sometimes you have servers hanging out on the public internet where you have little control over the network and hardware firewalls. Setting up a hosted server, such as a Virtual Private Server (VPS) or “node” in the cloud, can be scary. Fortunately, software firewalls, such as iptables, can add a little peace of mind. But, in these days of automated attacks, it is still not enough. Usually the primary means of access to these servers is SSH. There are a couple of really simple things that can be done to make SSH more secure. I recently set up a new node on Linode. In the first hour there...

Fun with iptables

I recently set up a CentOS 6.3 server on Linode.com. One of the first things I wanted to do was lock it down with iptables. Unfortunately, iptables was not starting cleanly. Specifically, it was failing here: Iptables Error – Setting Chains To Policy ACCEPT: Security Raw Nat Mangle Filter [FAILED] It turns out that was happening due to the paravirt kernel having a “security” chain compiled into it, and the default “iptables” init script included with CentOS does not know how to handle it. After a bit of searching I found a patch for the init script, posted by one of the...

Using Gmail as a smartrelay on Ubuntu

Once Nagios was set up on the little Minecraft server, it needed to be configured to send email. These days I prefer to relay through one of my Google Apps accounts, so I set forth to set up GMail as a relay using Postfix, which was already installed, but not really doing anything. Using Postfix always seems to be an issue with me, since I have more experience with Sendmail. However, having done this recently on a few Macs, I figured what the heck. Here’s a quick overview of the process: Install Postfix (if not already installed). Configure Postfix (if no main.cf exists). Use: sudo...

GMail as smartrelay on Ubuntu

Setting up GMail as a relay in Postfix always seems to be an issue with me. Here’s a quick overview of the process:

Install Postfix (if not already installed)

Configure Postfix (if no main.cf exists). Use:
    sudo dpkg-reconfigure postfix

Generate CSR, in /etc/postfix/certs
    /usr/lib/ssl/misc/CA.pl -newca
    openssl genrsa -out itchy.key 1024
    openssl req -new -key itchy.key -out itchy.csr
    openssl ca -out itchy.pem -infiles itchy.csr

Edit main.cf
    relayhost = [smtp.gmail.com]:587
    #auth
    smtp_sasl_auth_enable=yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    #tls
    smtp_use_tls = yes...
