[SAC] [OSGeo] #2627: backup.osogeo.osuosl.org security remediation

OSGeoTrac · July 12, 2021, 7:49am

#2627: backup.osogeo.osuosl.org security remediation
---------------------------+---------------------------------------
Reporter: robe | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Keywords:
---------------------------+---------------------------------------
Block Port 25 outgoing. Not sure why this is exposed at all but the
nessus report noted it. It really doesn't need to be exposed to send mail
and assume it's not used except for admin messages.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2627>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.

OSGeoTrac · July 12, 2021, 11:08pm

#2627: backup.osogeo.osuosl.org security remediation
---------------------------+----------------------------------------
Reporter: robe | Owner: sac@…
Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Resolution: fixed
Keywords: |
---------------------------+----------------------------------------
Changes (by robe):

* status: new => closed
* resolution: => fixed

Comment:

okay port 25 doesn't appear to be open to the outside so I think it's just
within the osuosl.org network.

Anyrate I did change the /etc/postfix/mail.cnf

{{{
#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist =
kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3D$
tls_medium_cipherlist =
kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
}}}

based on https://access.redhat.com/articles/1468593

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2627#comment:1>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.