We have an email server installed using the iRedMail script. It's installed on an Ubuntu 22.04 VPS. Nothing other than the components for the email server is installed. Now I want to secure it as much as possible to protect it from outside attacks. I can see from doing port scans how interesting it is.
Access to the server over SSH is protected with a key pair, no password allowed, and access to SSH only from one IP address. The FW is set very strictly and only allows traffic on the ports needed for the email flow, plus HTTPS for the webmail.
Spam and virus protection is taken care of using SpamAssassin, ClamAV, Amavisd and postscreen.
Is there anything else we can do that we have missed?
I would move the SSH port to a non-standard port number. Then do a port scan yourself, and see if there’s anything else you can eliminate or move to localhost-only connections.
Also, I’m unfamiliar with the script you mention, but verify that you’re not relaying mail for other people outside of your own domain.
Lastly, you’ll now get to keep up with DNSBL providers, so watch the mail log for any messages about them refusing your server’s mail. The earlier you know about this, the faster you can resolve it and not take a mail outage…
You could rate-limit your connections. I do this for SSH, but it would be a solid idea for email. My connection limit for SSH is 1 per minute with a 5 min timeout. Doing this allows me to skip the IP restrictions and makes back-door access (VPN being the front door) more flexible.
Also, doing this on the FW negates the recent SSH regression attack.
I can show you how to do this if you use nftables.
Just filtering at the FW level for “new” TCP states, so a single IP can’t hammer away at your service trying to guess your login. Basically each IP gets x attempts per y amount of time to make a new connection. Simple and effective (for almost all brute-force attempts).
It only takes 3-4 lines of nft config to accomplish. This is simpler and safer than installing software to monitor your logs and modify your FW on the fly (Fail2Ban).
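What the reply above describes, written out as a complete nftables ruleset. This is an added example, not config posted in the thread: the 1/minute rate and 5 minute timeout for SSH are the figures the reply gives, while the table, chain and set names, the looser SMTP figures, the 203.0.113.10 admin address and the extra accept rules are assumptions made here so the file loads on its own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): per-source limit on NEW TCP
# connections using nftables dynamic sets ("meters").
# Assumptions: table/chain/set names, the SMTP figures and the admin
# address 203.0.113.10 (documentation range, placeholder) are ours.

flush ruleset

table inet filter {
    # One dynamic set per service and address family. Each source address
    # gets its own token bucket; an entry is created with the timeout below,
    # so the set cannot grow without bound.
    set ssh_meter4 {
        type ipv4_addr
        flags dynamic
        size 65535
        timeout 5m
    }
    set ssh_meter6 {
        type ipv6_addr
        flags dynamic
        size 65535
        timeout 5m
    }
    set smtp_meter4 {
        type ipv4_addr
        flags dynamic
        size 65535
        timeout 5m
    }
    set smtp_meter6 {
        type ipv6_addr
        flags dynamic
        size 65535
        timeout 5m
    }

    chain input {
        type filter hook input priority filter; policy drop;

        # Existing sessions and loopback never touch the meters.
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # Assumed admin address that is never rate limited (placeholder).
        ip saddr 203.0.113.10 tcp dport 22 accept

        # SSH: the first new connection per source per minute passes; further
        # SYNs from that source inside the minute are dropped. The source's
        # entry lives in the set for 5 minutes.
        tcp dport 22 ct state new add @ssh_meter4 { ip saddr limit rate over 1/minute } drop
        tcp dport 22 ct state new add @ssh_meter6 { ip6 saddr limit rate over 1/minute } drop
        tcp dport 22 ct state new accept

        # SMTP/submission: same mechanism with looser figures, because a
        # legitimate MTA may open several connections in a short time
        # (postscreen still applies its own checks behind this).
        tcp dport { 25, 465, 587 } ct state new add @smtp_meter4 { ip saddr limit rate over 30/minute burst 10 packets } drop
        tcp dport { 25, 465, 587 } ct state new add @smtp_meter6 { ip6 saddr limit rate over 30/minute burst 10 packets } drop
        tcp dport { 25, 465, 587 } ct state new accept

        # Webmail over HTTPS.
        tcp dport 443 ct state new accept

        # ICMP needed for path MTU discovery and basic reachability.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
    }
}
```

Check the file before loading it with `nft -c -f /etc/nftables.conf`, then load it with `nft -f /etc/nftables.conf`; `nft list set inet filter ssh_meter4` shows which sources are currently being metered, which is a quick way to confirm the rule is doing something when the port scans you mention show up. Because only `ct state new` packets are counted, an already-open session is never cut off by the limit, and keeping your own admin address in an explicit accept rule above the meters avoids locking yourself out while tuning the figures.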
OK. Fail2Ban I already have. The FW also filters out a lot. I also use Linux ipsets for kernel-grade performance with blocklists from IPSUM that are updated daily. I can see that the FW blocks a lot of attempts.
Thanks for the advice.
@pacman Well, I don't use them often either, because most people answering like to play high and mighty and look down on others. For me that is not what a forum is about, and I am sure it is not Jay’s intention with this one.