Security thoughts - Kerio @ rootie
  •  
Spacey

Messages: 156
Karma: -8
Hi!

Actually I'm testing Kerio and I'm trying to find a configuration / scenario which fits our needs. Since I want to use several services of Kerio (iCal, contact sync & IMAP..) on MacBooks, iPhones & iPads for several users connected through the web (not only LAN), I'm thinking about placing a Kerio on a rootie in a datacenter. So this would need some more security thoughts than a LAN-only install. I'm going to write down some thoughts here. Maybe you can give me some tips, advice or other useful information to operate correctly.

1) General security of Kerio Connect: Any (many?!) known cases where Kerio services have been compromised directly? How secure is the server itself?

2) A test Kerio install runs on a Debian Squeeze nicely so far. Since this is a rootie in a datacenter I can't put a hardware firewall in front of it. What to do to secure the server itself best? Shorewall.... does denyhosts or anything else work with Kerio? Does Kerio itself have features to lock out IPs for hacking attempts?!

3) I normally only want to use secure services - can I safely turn off all insecure services? -> When I tried sync services for iCal I noticed that SSL is turned off. Turning it on doesn't work anymore... so what unsecure services are needed?

4) Which ports are needed? The one within the Kerio services screen? (25, 465, 587, 110, 995, 143, 993, 119, 563, 398, 636, 80, 8800, 443, 8843) - Any more?


Any more hardening / securing hints or advice?

Maybe we're thinking about setting up a second Kerio within the LAN - Master <-> Slave situation.

[Updated on: Thu, 04 August 2011 11:07]

  •  
pal

Messages: 57
Karma: 2
2) I use denyhosts for ssh on Debian and of course it works
3&4) I only have SMTP (25) and SMTP Submission (587) ports open, which have SSL optional.
Furthermore I have Secure SMTP (465), Secure IMAP (993), Secure LDAP (636) and Secure HTTP (443) running.
All non-SSL services besides SMTP are turned off.
  •  
Spacey

Messages: 156
Karma: -8
Thanks!

So the iPad & iPhone Exchange connector all runs secured?! What about the iCal / CalDAV thing? I've set it up via the Kerio pkg and it installed itself without SSL. When I activate it in iCal in the account settings on my own, syncing doesn't work anymore. Maybe a cert problem?

The idea with denyhosts was to connect it to Kerio logs - to block hacking tries there. Or does Kerio have something similar integrated itself - locking out IPs which do password & user hacks!? I think I've seen something somewhere in the settings...
  •  
Spacey

Messages: 156
Karma: -8
I think I found the problem: When I stop the http service and try to use the pkg install tool, it tries to install the account with SSL but I get an error message:

"kerio connect is running http service over ssl however server ssl certificate does not comply with mac osx ssl certificate requirements".... the (test) server got a hostname which isn't currently working correctly because of no A-Record for it. I'm working with the IP directly but the SSL cert is created on the server hostname. So IP & hostname don't match. That should be the problem.
  •  
pal

Messages: 57
Karma: 2
ActiveSync, CalDAV and CardDAV run through HTTP or HTTPS if available! I deactivated HTTP, therefore no unsecured connections are possible. As you stated, your IP, hostname and certification problem is the issue.

Haven't tried to set up denyhosts with Kerio. However, in the advanced options, on the security policy tab, you can enable the account lockout feature, which prevents password guessing attempts similar to denyhosts.
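
The mismatch identified in this thread (a certificate issued for the server hostname while the client connects by IP address), as an added Python example that is not part of any forum post or of Kerio's software. It checks a connection target against a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the name `mail.example.test`, the address `192.0.2.10` and both certificate dicts are constructed sample values.

```python
import ipaddress

# Constructed sample certificates in ssl.SSLSocket.getpeercert() layout.
HOST_ONLY_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"),),
}
HOST_AND_IP_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("IP Address", "192.0.2.10")),
}

def _dns_match(pattern, host):
    """Compare one certificate DNS name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one leftmost label and must be
        # followed by at least two fixed labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def target_matches_cert(cert, target):
    """True if the name or IP used to connect is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target only matches an "IP Address" entry, never a DNS
        # name, even when that name resolves to the same address.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    names = [value for kind, value in sans if kind == "DNS"]
    if not names:
        # Legacy fallback to commonName when no DNS entry is present.
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return any(_dns_match(name, target) for name in names)

if __name__ == "__main__":
    for label, cert in (("host-only", HOST_ONLY_CERT), ("host+ip", HOST_AND_IP_CERT)):
        for target in ("mail.example.test", "192.0.2.10"):
            print(label, target, target_matches_cert(cert, target))
```

Connecting by the name the certificate was issued for (which needs a working A record), or reissuing the certificate with the address as an IP entry, removes the mismatch; turning off certificate checks on the clients does not.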