
I have a CentOS 5.7 server with Zimbra installed and all was working fine.

I just secured SSH by:

  • changing to another port
  • denying root login
  • enabling StrictModes
  • changing AllowUsers to only 1 user (not zimbra)
  • disabling RSAAuthentication
  • enabling PubkeyAuthentication
  • disabling PasswordAuthentication
  • disabling ChallengeResponseAuthentication

The above works for SSH'ing to the server as the allowed user and su'ing to root / sudoing.

However when I login to my webmail I cannot send / receive any messages anymore. Eeek!

By doing some searches on the web it looks like Zimbra uses ssh internally to talk to other Zimbra modules.

Anybody know how to fix this?

PeeHaa

3 Answers


I can't really test this because I don't have a test setup of Zimbra to work with, but I'd suspect adding the zimbra user to AllowUsers and setting the ssh port back to 22 should be sufficient.

If you're nervous about exposing ssh on a standard port, it should be possible to configure sshd to listen on your alternative port as well as port 22, and use iptables to limit access to port 22 to the local IP address only. (Personally, I prefer to leave ssh on its standard port and limit the source IP addresses, but this may not be practical if you don't have a fixed source IP address.)

If you're nervous about exposing the zimbra user to the world, you might want to look into pam_access to limit what IP addresses the zimbra user may SSH from.

That said, I have a feeling that, according to the symptoms you listed, there's more going on with your server than just broken SSH access. Zimbra does not require ssh to itself for routine stuff like sending e-mail, but rather mainly for administrative purposes. You probably want to check logs in /var/log and /opt/zimbra/log.

Per von Zweigbergk
  • `That said, I have a feeling that, according to the symptoms you listed, there's more going on with your server than just broken SSH access.` I think you were right on that one. After restoring my original `sshd_config` it still didn't work. The logs as well as `zmcontrol` stated that MTA was stopped. I wanted to do an upgrade of the system anyway and since the mail was already down I decided to do it now. So I did a fresh install of the system and now everything is working. Too bad that I still don't know what the culprit was :( – PeeHaa Dec 03 '11 at 21:59
  • To answer the original question for people who may be googling, did you try my suggestions for securing SSH and were you successful? – Per von Zweigbergk Dec 04 '11 at 04:57
  • I succeeded kinda :P After the fresh install I made sure I had first set up the secure SSH. After that I installed Zimbra. Most of it works now (can send mails and stuff), however there is still an issue with Zimbra and SSH in the admin (cannot go to mailsettings / mail queue). I've created a thread in the Zimbra forum to find out how to fix this. http://www.zimbra.com/forums/administrators/53852-cannot-access-some-parts-admin-because-ssh-error.html – PeeHaa Dec 04 '11 at 12:43

I suggest you revert back to the original setup and enable one feature at a time.

The major thing you can do is set root login to "without-password" to prevent password login for root (while allowing key-authentication, if necessary).

For ssh ports, do you have a hardware or external firewall in your environment? If so, you can have ssh listen to multiple ports. 22 and 2222, for instance. Just limit inbound access from the world to your alternate port.

I think the AllowUsers directive may be part of the problem. You'd be able to determine this via examining your /var/log/secure logs.

ewwhite
  • `What exactly are you looking to accomplish` Setting up secure SSH, which only accepts login using key authentication. No external firewall (it's a VPS). Error in log: `Dec 2 21:51:07 mail sshd[21892]: Received disconnect from xxx: 14: No supported authentication methods available` `Dec 2 21:48:22 mail sshd[20263]: error: Bind to port 2222 on 0.0.0.0 failed: Address already in use.` – PeeHaa Dec 02 '11 at 22:01
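The answer above says the AllowUsers problem would show up in /var/log/secure, and the comment quotes two other sshd messages from that log. As an added example (not code from the answerer), here is a small POSIX shell script that pulls the relevant events out of such a log: refusals by AllowUsers, and failed binds on the new port. The log lines it runs on are constructed here, modelled on the messages posted in the comment; the "not allowed because not listed in AllowUsers" wording is OpenSSH's own for an AllowUsers refusal. Pass the real /var/log/secure path to the functions instead of the sample to use it on a server.

```shell
#!/bin/sh
# Scan an sshd log for what the answers above say to look for:
# logins refused by AllowUsers, and a port sshd could not bind.

# Constructed sample log, not taken from the original server. Two of the
# lines mirror the ones posted in the comment; the AllowUsers lines use
# the message OpenSSH logs when a user is not listed in AllowUsers.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec  2 21:45:10 mail sshd[20101]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2
Dec  2 21:46:02 mail sshd[20150]: User zimbra from 127.0.0.1 not allowed because not listed in AllowUsers
Dec  2 21:48:22 mail sshd[20263]: error: Bind to port 2222 on 0.0.0.0 failed: Address already in use.
Dec  2 21:51:07 mail sshd[21892]: Received disconnect from 127.0.0.1: 14: No supported authentication methods available
Dec  2 21:52:30 mail sshd[21900]: User zimbra from 127.0.0.1 not allowed because not listed in AllowUsers
EOF

# Print one "COUNT USER SOURCE" line per distinct AllowUsers refusal in log $1.
allowusers_denials() {
    sed -n 's/.*sshd\[[0-9]*\]: User \([^ ]*\) from \([^ ]*\) not allowed because not listed in AllowUsers.*/\1 \2/p' "$1" \
        | sort | uniq -c | sed 's/^ *//'
}

# Exit 0 if user $2 was refused by AllowUsers at least once in log $1.
user_denied_by_allowusers() {
    allowusers_denials "$1" | awk -v u="$2" '$2 == u { found = 1 } END { exit !found }'
}

# Print every port sshd failed to bind because it was already in use.
bind_failures() {
    sed -n 's/.*Bind to port \([0-9]*\) on .* failed: Address already in use.*/\1/p' "$1" | sort -u
}

echo "AllowUsers refusals (count user source):"
allowusers_denials "$SAMPLE_LOG"
if user_denied_by_allowusers "$SAMPLE_LOG" zimbra; then
    echo "zimbra is being refused by AllowUsers: it needs to be listed there"
fi
for p in $(bind_failures "$SAMPLE_LOG"); do
    echo "port $p was already in use when sshd tried to bind it"
done
```

On the sample, the zimbra user shows up as refused twice from 127.0.0.1, which is exactly the signature of the AllowUsers change locking out Zimbra's own ssh to the host; the bind failure on 2222 is a separate problem (something else already held that port) and explains why the port change itself did not take effect.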

No need to go back to port 22 (I use 1234 here):

    # su - zimbra
    $ zmprov ms domain.tld zimbraRemoteManagementPort 1234
    $ ssh -vi .ssh/zimbra_identity -o StrictHostKeyChecking=no zimbra@domain.tld -p 1234
Gilles Quénot