Dear community,
a little suggestion on how you can improve the security of your grommunio system.

First of all, my appliance is installed with the grommunio.x86_64-latest.install.iso

A.
Add a user instead of working as root:

sudo useradd -s /bin/bash -m myuser
sudo passwd myuser
su myuser
cd ~
#-# add your public key here (the private key stays on your client)
mkdir -p .ssh && chmod 700 .ssh
echo "ssh-ed25519 XXXXXXX" >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

B.
harden your ssh config:

sudo vi /etc/ssh/sshd_config
change or add these lines:

#-# Hardening 2025
#-# If you want sshd to listen only on e.g. your IPv4 address
ListenAddress 1.2.3.4

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
UsePAM no
#-#optional
PrintMotd yes

#-#restart services and check logs:

sudo systemctl restart sshd
sudo journalctl -u sshd

C. tired of failed logins and ssh brute forcing?
Use the onboard firewall!!

  1. remove all administrative ports from the firewall

sudo firewall-cmd --zone=public --remove-port=22/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=8443/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --remove-service=ssh --permanent

  2. create a bash script to allow these ports only from a defined IP (in my case, my changing home IP)

#!/bin/bash
# Re-point the firewalld allow rules for the admin ports (22, 8443, 8080)
# at the current address of a dyndns name. Runs from root's cron, so no
# sudo is needed inside the script.
date="$(date +'%Y-%m-%d %H:%M:%S')"
if [[ $EUID -ne 0 ]]; then
    echo "This script must be run as root"
    exit 1
fi

ports="22 8443 8080"

# query your new IPs (take the last line: dig prints the CNAME target
# first when the dyndns name is an alias)
new_ip=$(dig +short XXX.myfritz.net A | tail -n 1)
new_ipv6=$(dig +short XXX.myfritz.net AAAA | tail -n 1)
echo "$date: resolved $new_ip / $new_ipv6"

# never touch the rules when DNS gave no answer; otherwise the old rules
# would be removed and rules with an empty address added (lockout)
if [ -z "$new_ip" ] || [ -z "$new_ipv6" ]; then
    echo "$date: could not resolve dyndns name, keeping current rules"
    exit 1
fi

# get your old IPs from the existing rich rules (empty on the first run)
old_ip=$(firewall-cmd --zone=public --list-rich-rules | grep 'port="22"' | grep ipv4 | head -n 1 | cut -d '"' -f 4)
old_ipv6=$(firewall-cmd --zone=public --list-rich-rules | grep 'port="22"' | grep ipv6 | head -n 1 | cut -d '"' -f 4)

if [ "$new_ip" = "$old_ip" ] && [ "$new_ipv6" = "$old_ipv6" ]; then
    echo "$date: IP addresses have not changed"
else
    for port in $ports; do
        for fam in ipv4 ipv6; do
            if [ "$fam" = ipv4 ]; then old="$old_ip"; new="$new_ip"; else old="$old_ipv6"; new="$new_ipv6"; fi
            rule_old="rule family=\"$fam\" source address=\"$old\" port protocol=\"tcp\" port=\"$port\" accept"
            rule_new="rule family=\"$fam\" source address=\"$new\" port protocol=\"tcp\" port=\"$port\" accept"

            # remove the rules for your old IP (skipped when no rule exists yet)
            [ -n "$old" ] && firewall-cmd --zone=public --remove-rich-rule="$rule_old" --permanent

            # add the rules for your new IP
            firewall-cmd --zone=public --add-rich-rule="$rule_new" --permanent
        done
    done

    # reload the services
    firewall-cmd --reload
    echo "$date: firewall-cmd has been updated"
fi

  3. reload the firewall to apply the changes and verify the rules

#Reload the firewall to apply changes
sudo firewall-cmd --reload

#Verify the rules
sudo firewall-cmd --zone=public --list-rich-rules

  4. create a cron job as root!

#update dyndnsip from which ssh port 22 is allowed
*/15 * * * * bash /home/myuser/firewall.sh >> /var/log/dyndns-firewall.log 2>&1

  5. hide the nginx version

/usr/share/grommunio-common> sudo vi nginx.conf

in this section
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
    include /usr/share/grommunio-common/nginx/traffic_status_params*.conf;
    #add this
    server_tokens off;
}

  6. Reboot your system and do an nmap scan from your home IP and from another IP to check the open ports.
     In my case only ports 25, 80, 443 and 587 are open from any public IP.

@Grommunio Team, you are welcome to implement this in your grommunio setup.
@community - any other advice welcome.

best regards
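Two pre-flight checks that go with steps B and C of this post, as an added example (shell functions written here, not the poster's script or grommunio code): check_sshd compares the running sshd's effective settings against the hardened values, and pick_addr/valid_ipv4/valid_ipv6/rich_rule validate a dig answer before it is spliced into a firewalld rich rule. The dyndns name in the usage comment is the post's placeholder; the addresses are constructed samples.

```shell
# Added example, not from the original post: check_sshd reports sshd -T
# values that deviate from the hardened ones; pick_addr picks a usable
# address out of dig +short output (may be empty or start with a CNAME).

# Print every option whose value deviates; return 1 if any did.
check_sshd() {                       # stdin: output of `sshd -T`
    local dump rc pair key want got
    dump="$(cat)"; rc=0
    for pair in passwordauthentication=no pubkeyauthentication=yes permitrootlogin=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2 }')"
        if [ "$got" != "$want" ]; then
            echo "sshd: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return "$rc"
}

valid_ipv4() {                       # four dotted decimal octets, each 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
          exit 0 }'
}

valid_ipv6() {                       # crude: only hex digits and colons, at least two colons
    case "$1" in *:*:*) ;; *) return 1 ;; esac
    case "$1" in *[!0-9a-fA-F:]*) return 1 ;; *) return 0 ;; esac
}

# Print the first line of `dig +short` output (stdin) that is a valid $1 (ipv4|ipv6) address.
pick_addr() {
    local line
    while IFS= read -r line; do
        if [ "$1" = ipv4 ]; then valid_ipv4 "$line" || continue
        else valid_ipv6 "$line" || continue; fi
        printf '%s\n' "$line"; return 0
    done
    return 1
}

# Build one allow rule in firewalld's own spelling (what --list-rich-rules prints).
rich_rule() {                        # $1 family, $2 source address, $3 tcp port
    printf 'rule family="%s" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2" "$3"
}

# On the appliance, as root:  sshd -T | check_sshd
# addr=$(dig +short XXX.myfritz.net | pick_addr ipv4) || exit 1   # placeholder name from the post
# firewall-cmd --zone=public --permanent --add-rich-rule="$(rich_rule ipv4 "$addr" 22)"
```

Keep any script that root's cron executes root-owned (e.g. under /root or /usr/local/sbin) rather than in a user's home, since root runs whatever that file contains.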


    Some thoughts on the suggestions:

    • Changing the sshd configuration file to certificate login without explaining how to set up certificate login is problematic; some admins lock themselves out.
    • Because of the firewall: the mail server should be in a DMZ, i.e. behind a hardware firewall or a reverse proxy, so that it is not necessary to adjust the appliance firewall.
    • Brute force logins can be intercepted with fail2ban; this is explained in the forum. And you have a firewall in front.
    • Because of the grommunio configuration files: as @crpb says, you must not change anything in these configuration files; the next update will probably remove these changes, or the next update will not work as desired. You don't want either.

    Thanks Walter.
    Of course a DMZ is the best solution!
    But I think most community users will have their server on a virtual machine hosted anywhere in the internet without a DMZ - that's why I wrote this post.
    Unfortunately I can't edit the post any more, so I will post the link here:
    Why?
    https://www.ssh.com/academy/ssh/public-key-authentication
    How to?
    https://www.thomas-krenn.com/en/wiki/SSH_public_key_authentication_under_Ubuntu
