
sentora-paranoid

sentora-paranoid is a useful script designed for those who are very concerned about the security of the sentora project and want to enable basic security hardening in an operational environment.

The official web page of this project is: http://sentora-paranoid.open-source.tk

Introduction

sentora-paranoid is a complementary script that brings basic security beyond the default security considerations of the original sentora project. It is executed AFTER the official sentora_installer script and BEFORE any other package is installed on your hosting server, and it installs the basic security packages needed for a more secure hosting server environment.

All modifications since the original sentora-paranoid were done by Mario Rodríguez Somohano, with contributions of ideas, patches and reports from the sentora and sentora-paranoid community and individuals.

If you wish to participate in this project you can help with:

News

2015-04-22: Newest stable release for sentora_installer v1.0.1

Old News

2015-04-21: Latest stable release for sentora_installer v1.0.0

2014-12-20: First beta code and tests released for a very few users


Security warning

sentora-paranoid uses several external programs and modules for its operation. If there are security vulnerabilities in them, some parts of the setup might be affected. The possible damage is limited to what a non-privileged UID can accomplish in normal setups.

It is always a good idea to use fairly recent versions of external programs and external modules.


Download

Before downloading please consider a DONATION; the project relies on the kind donations of its users!
Home web site in Guadalajara, Jalisco, México (thanks to Bambusoft):

Latest unstable development release

Please be aware that development snapshots should only be used for development and testing purposes; they are not recommended for production environments!
Development => sentora-paranoid-1.0.2 at github

Most recent versions

stable release for sentora_installer v1.0.1: sentora-paranoid-1.0.1 (Ubuntu 14.04 LTS only)
stable release for sentora_installer v1.0.0: sentora-paranoid-1.0.0 (Ubuntu 14.04 LTS only)
Older versions

Announcements about new releases are posted on the sentora-paranoid official page and in the forums.


sentora-paranoid installed packages

There are some packaged versions available, provided and supported only by their respective authors/maintainers. Some are recent and updated frequently, others are pretty much out of date.

Package Version Description
tree 1.6.0-1 Displays directory tree to check original and final file permissions
iptables 1.24.1-1 Administration tools for packet filtering and NAT (Firewall functions)
iptables-persistent 0.5.7 Boot-time loader for iptables rules
openssl 1.0.1f-1 Secure Sockets Layer toolkit - cryptographic utility
fail2ban 0.8.11-1 Ban hosts that cause multiple rule based authentication errors
apparmor 2.8.95~2430-0 User-space parser utility for AppArmor (Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources)
apparmor-utils 2.8.95~2430-0 Utilities for controlling AppArmor
libapache2-mod-apparmor 2.8.95~2430-0 Changehat AppArmor library as an Apache module to confine vhost scripts
ipset 6.20.1-1 Administration tool for kernel IP sets (hash tool to block unwanted IPs)
opendkim 2.9.1-1 Milter implementation of DomainKeys Identified Mail
opendkim-tools 2.9.1-1 Set of command line tools for OpenDKIM
amavisd-new 1:2.7.1-2 Interface between MTA and virus scanner/content filters
spamassassin 3.4.0-1 Perl-based spam filter using text analysis
spamc 3.4.0-1 Client for SpamAssassin spam filtering daemon
clamav 0.98.5 anti-virus utility for Unix - command-line interface
clamav-base 0.98.5 anti-virus utility for Unix - base package
libclamav6 0.98.5 anti-virus utility for Unix - library
clamav-daemon 0.98.5 anti-virus utility for Unix - scanner daemon
clamav-freshclam 0.98.5 anti-virus utility for Unix - virus database update utility
sp-policyd 1.0.0 Postfix send rate limit per user/domain
libswitch-perl 2.16-2 switch statement for Perl
libnet-dns-perl 0.68-1.2build1 Perform DNS queries from a Perl script
libmail-spf-perl 2.9.0-2 Perl implementation of Sender Policy Framework and Sender ID
pyzor 1:0.5.0-2fakesync1 spam-catcher using a collaborative filtering network
razor 1:2.85-4build2 spam-catcher using a collaborative filtering network
-decompressors- arj bzip2 cabextract cpio gzip nomarch pax rar unrar unzip zip

There may be other packaged versions around; please let me know.

Note that packaged versions may not be based on the most recent version of sentora-paranoid.

Documentation

Besides this web page at  the following files comprise the sentora-paranoid documentation. 

Support

For free support, check the sentora forums for support related to the sentora project and the sentora-paranoid forums for topics related to this script only. Be advised that the sentora team does not support or endorse this security project.

For questions about individual packaged versions please contact their maintainers and/or their bug-tracking mechanisms.

For paid support please contact the author Mario Rodríguez < sentora-paranoid (at) open-source.tk > (English and Spanish).

To hire an outsourced sentora security professional or offshore security monitoring services, please contact Bambusoft Team < informes (at) bambusoft.com > (working hours GMT-06:00).

For outsourced hosting support or business expansion into the Spanish-speaking Latin American market, please contact Bambusoft Team < informes (at) bambusoft.com >
(North America and the Caribbean working hours GMT-06:00; for the South American market please consider GMT-04:00). There is no 24/7 support for now.


Features


Tips and FAQ

Tips and FAQ -- troubleshooting and reporting problems

Tips and FAQ -- general


Security considerations

Security considerations for the host running sentora-paranoid

sentora-paranoid uses the OS package installer, may call external modules, and may fork external programs to decompress and decode messages and classify their content; after that, the package is installed.

Any component of a program that comes in contact with unpredictable and possibly malicious mail/document content must be careful not to let that content have any uncontrolled effect on the operation of the program or its environment.

sentora-paranoid is written entirely in Bash. This in itself is a strong argument that the processing within sentora-paranoid (and the modules it calls) is not likely to be subject to buffer overruns, stack smashing and the other problems that are a common source of security issues in programs written in languages like C.

The external packages called by sentora-paranoid have not been thoroughly screened for possible security implications. They still benefit from the OS environment, but some of them are relatively complex pieces of software. Some packages that deal with decoding and checking of mail contents may be targets of malicious mail content, especially if they include code written in C, like decoding and uncompressing libraries, e.g. zlib and uulib/uudeview (Convert::UUlib).

External programs that get forked from sentora-paranoid to perform decoding/uncompressing or classifying tasks are the greatest potential threat to the safe operation of the host running sentora-paranoid. Some of the programs used to decode certain archive formats are quite complex, old or poorly maintained, and/or written by less security-conscious authors; e.g. a vulnerability is present in the Unix utility file(1) version 3.41 or older. Generally it is advised to keep external programs up to date and to report crashes of such programs immediately to their maintainers (after first verifying that the version is recent).

There is a tradeoff in deciding whether to call some external decoder: calling it may open a vulnerability on the host running the sentora-paranoid packages; not calling it (and not decoding certain types of document) may cause the virus checker to miss malicious mail contents, increasing the danger for the mail recipient while reducing the risk for the host running the checks.

While it may be true that only a powered-down computer, locked in a basement and disconnected from the network, is a completely secure computer, this is not practical for getting any job done. Besides choosing a security program written in Bash and using external packages, there are other things one may do to reduce security threats to the computer running it:

Security considerations for mail clients being protected

Running a virus checker and a content filter on each mail before it reaches the mail reader is an important line of defense against virus outbreaks and in protecting the (possibly not security-conscious) recipients, their mail reader programs and their computer environment.

Not all malware arrives by e-mail. Several viruses or worms use multiple mechanisms to propagate, including the WWW, shared disks, peer-to-peer 'content' sharing and social engineering; even a memory key or a CD brought in in a pocket or distributed by magazines and software publishing houses may bring in a virus.

A content-filtering mailer cannot protect internal hosts unless incoming SMTP (TCP destination port 25) is restricted at the firewall to the official mailers only. Similarly, the external world deserves protection from possibly infected internal hosts, so outgoing SMTP (TCP destination port 25 again, outgoing this time) needs to be restricted to the official mailers. (Use the standard TCP port 587 for mail submission from roaming users.)

Similarly, if mail readers can fetch mail from external mailboxes (POP3, IMAP), the SMTP mail gateway cannot protect them. One solution is to provide a centralized fetchmail service to users who need access to external mailboxes, feeding such mail to the regular content-filtering mailer, while blocking other unofficial access to external POP3 and IMAP servers at the firewall.

Even in e-mail, malware may be carried in encrypted or scrambled form, or simply as plain text using social engineering techniques to persuade the recipient to fetch or activate the malware.

It is not possible to prevent a user from shooting himself in the foot, or to prevent a determined person from transferring malware. There is a tradeoff between keeping e-mail useful and protecting against threats.

The first line of defense (mail content filtering, firewall) must be complemented by defense mechanisms on the local user's desktop computer. This includes virus scanners running on PCs, keeping software up to date, doing backups, and educating users.

Malware does not have to play by the rules. Nothing prevents malware from generating syntactically incorrect mail, sending it directly to some host while ignoring MX and A records, supplying forged SMTP information or forged mail headers, poisoning DNS, or perhaps even using a forged source IP address.

A content filter with a virus scanner tries to decide whether the mail under consideration will, or can, cause any bad effects on the recipient's computer, often without knowing what mail reading software or what computer the recipients use. This implies that while some mail may be decoded (by adhering to standards) into harmless text, it might be decoded by some broken MUA or archiver into a virus or exploit, or trigger a MUA bug or vulnerability during decoding or while displaying the message. External archivers/unpackers called by sentora-paranoid may be relatively easy to trick into not extracting certain archive members, thus hiding malicious code.

Solving this problem would require the content filter with virus scanner to emulate all known (and unknown?!) mail readers in the way they respond to malformed mail. While the sentora-paranoid content filters try to anticipate some common problems, especially the ones used by currently active viruses, there is no guarantee that this approach is always successful.

Even now there are combinations of viruses and virus scanners where detection fails because of a malformed MIME header, which gets decoded one way (correctly, considering the standards!) by MIME::Parser, yet certain mail readers decode it differently, forming a virus. It often helps to use more than one virus scanner (e.g. clamd along with some commercial virus scanner).

RFC 2046 defines a way to split one document across several e-mail messages, which can then be reassembled (automatically or manually) by the MUA. The Content-Type value to look for is message/partial (and similarly message/external-body). Checking mail fragments individually for viruses cannot reliably detect viruses, which only get reassembled into a recognizable form by the recipient's mail reader. Most virus scanners at the MTA level (including clamav and all variants of amavisd-new) check each mail independently of other messages, so the only protection against this threat is to ban these MIME content types (see the $banned_filename_re setting in amavisd.conf), to disable auto-reassembly in the mail readers, or to run a virus checker tightly associated with the MUA.

Blocking the MIME content type message/external-body may sound useful, although the mechanism is not much different from letting users freely browse the web or fully interpret HTML mail messages, so if the latter is allowed it probably does not make sense to treat message/external-body differently.
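As an added example (not code from the sentora-paranoid project or from amavisd-new), a small Python check that holds a message when any MIME part carries one of the two content types discussed above and records the RFC 2046 fragment parameters for the log. The sample messages are constructed; which types to ban follows the text above, not any real amavisd.conf.

```python
import email
from email import policy

# Content types an MTA-level scanner cannot reassemble or fetch (RFC 2046
# message/partial and message/external-body), so the filter never sees the
# real payload; amavisd-new bans them through $banned_filename_re.
BANNED_TYPES = {"message/partial", "message/external-body"}


def find_banned_parts(raw: bytes) -> list:
    """Return one reason per banned part, or [] if the message may pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in BANNED_TYPES:
            # Keep the RFC 2046 parameters so the log shows which fragment it was.
            number = part.get_param("number", "?")
            total = part.get_param("total", "?")
            reasons.append(f"{ctype} (fragment {number}/{total})")
    return reasons


# Constructed sample: fragment 1 of 2 of a split message; the scanner sees only
# this piece, never the reassembled attachment.
FRAGMENT = (
    b"From: sender@example.test\r\n"
    b"To: user@example.test\r\n"
    b"Subject: part 1 of 2\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: message/partial; id="abc@example.test"; number=1; total=2\r\n'
    b"\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"SGVsbG8=\r\n"
)

# Constructed sample: an ordinary plain-text message, which must pass.
CLEAN = (
    b"From: sender@example.test\r\n"
    b"To: user@example.test\r\n"
    b"Subject: hello\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Just text.\r\n"
)
```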

Protection against denial-of-service (DoS) attacks

Because sentora-paranoid tries to set up a firewall as efficient as possible, this may be abused by malware or bad configurations. The so-called mail bomb, e.g. 42.zip or a bzip2 bomb, is an example of such malware. Such a mail message, when fully decoded, can exceed the available disk size several times over, or consume a lot of time to decode. Unless decoding is stopped at an earlier stage, it could cause the message check to be retried over and over again, each time either hitting the disk-full condition or exceeding the allowed time limit. Note that mail bombs target mail content filters and are normally not a threat to mail clients (MUAs), unless they carry a virus as well.
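An added example, not code from sentora-paranoid: a Python pre-check that sizes a zip archive from its central directory before anything is inflated and rejects it on declared size, compression ratio or nesting depth, which is the "stop decoding at an earlier stage" the paragraph above asks for. The three limits are assumed values, and the samples are constructed (4 MiB of zeros stands in for a 42.zip-style bomb).

```python
import io
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on declared decoded size
MAX_RATIO = 100                     # assumed cap on uncompressed:compressed
MAX_DEPTH = 2                       # assumed cap on archive-in-archive nesting


def check_zip(data: bytes, depth: int = 0) -> list:
    """Inspect a zip via its central directory; return reasons to reject it, or []."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    infos = zf.infolist()
    total = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos) or 1
    problems = []
    if total > MAX_TOTAL_BYTES:
        problems.append(f"declared size {total} bytes exceeds {MAX_TOTAL_BYTES}")
    if total // packed > MAX_RATIO:
        problems.append(f"compression ratio {total // packed}:1 exceeds {MAX_RATIO}:1")
    for info in infos:
        if not info.filename.lower().endswith(".zip"):
            continue
        if depth + 1 > MAX_DEPTH:
            problems.append(f"nesting deeper than {MAX_DEPTH}: {info.filename}")
        elif not problems:
            # Only inflate a nested archive once the outer one passed; zipfile
            # truncates a member at its declared file_size, which we checked above.
            problems += [f"{info.filename}: {p}" for p in check_zip(zf.read(info), depth + 1)]
    return problems


def make_zip(members: dict) -> bytes:
    """Build a small in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: zeros deflate roughly 1000:1 (a small bomb); a
# three-level nested archive; an ordinary text file.
BOMB = make_zip({"zeros.bin": b"\0" * (4 * 1024 * 1024)})
NESTED = make_zip({"a.zip": make_zip({"b.zip": make_zip({"c.zip": make_zip({"x.txt": b"hi"})})})})
CLEAN = make_zip({"readme.txt": b"hello world " * 10})
```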



Disclaimer

Please do not install sentora-paranoid on a production server if you didn't do all the necessary tests to check that it is suitable for your needs.
Be advised that I don't take any responsibility for damage or loss caused by using this free software. If you are running a hosting business please consider hiring a security professional; do not blame me if you use this script and do not take the time to check that all is going as you expected.


Last updated: 2015-04-21