Setup guide

3. To update Postfix to use the new alias, issue the command:
newaliases
4.7.5 Disable the SMTP Banner
The SMTP banner provides information about the mail server software running on
the system that could be useful to an attacker. To remove this information and
replace it with a warning banner:
1. Open /etc/postfix/main.cf in a text editor.
2. Make sure any lines beginning with smtpd_banner are commented out, and
add the following line:
smtpd_banner = "Unauthorized use is prohibited."
4.8 Remote Logging
The remote logging software included with Mac OS X Server is called syslogd (the
syslog daemon). It contains features not documented in its man page. A more
recent man page that fully describes its features is available at
http://www.freebsd.org/cgi/man.cgi?query=syslogd. This service accepts and stores
log messages from other systems on the network. In the event that another system is
compromised, its local logs can be altered and so the log server may contain the only
accurate system records. Remote logging should only be enabled across a trusted
internal network or VPN. By default, Mac OS X Server performs only local logging
and will not act as a log server. Configuring Mac OS X Server to use another system
as a log server is discussed in the Basic Installation and Configuration chapter.
Configuring Mac OS X Server to act as a remote log server involves changing
syslogd's command line arguments. Enabling remote logging requires removing the
-s option from the syslogd command line; this lets any host send traffic via UDP
to the logging machine, which can present security risks. To better control which
hosts are allowed to send log messages, use the -a option so that only messages
from specified IP addresses are accepted. The -a option may be given multiple times
to specify additional hosts. Each -a option should be followed by an address in the
format:
ipaddress/masklen[:service]
This format is the IPv4 address with a mask bit length. Optionally, the service is a
name or number of the UDP port the source packet must belong to. When using this
-a option, do not omit the masklen portion, as the default masklen may be very small
and the corresponding matching addresses could therefore be almost anything. The
default [:service] is 'syslog' and should not need to be changed. For example, match
a subnet of 255 hosts as follows:
-a 192.168.1.0/24
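The following shell functions are an added example, not part of this guide, that check -a specifications against the ipaddress/masklen[:service] format described above and reject any entry that omits masklen, so the resulting syslogd arguments never match more hosts than intended. The function names check_allow_spec and build_syslogd_args are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): validate syslogd -a specifications of the
# form ipaddress/masklen[:service] before they are placed on syslogd's command line.
# An entry without /masklen is rejected, because the default masklen can match
# almost any source address.

# check_allow_spec SPEC -> prints the validated spec, or returns 1 with a reason on stderr
check_allow_spec() {
    spec=$1
    addr=${spec%%/*}                          # text before the first '/'
    rest=${spec#*/}                           # masklen[:service]
    [ "$addr" != "$spec" ] || { echo "missing /masklen in '$spec'" >&2; return 1; }
    masklen=${rest%%:*}
    service=${rest#*:}
    [ "$service" != "$rest" ] || service=""   # no :service given; syslogd defaults to 'syslog'
    # IPv4 dotted quad: four octets, each 0-255
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "bad address '$addr'" >&2; return 1; }
    for octet in $(echo "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || { echo "bad octet in '$addr'" >&2; return 1; }
    done
    case $masklen in
        ''|*[!0-9]*) echo "bad masklen '$masklen' in '$spec'" >&2; return 1 ;;
    esac
    [ "$masklen" -le 32 ] || { echo "masklen '$masklen' exceeds 32" >&2; return 1; }
    if [ -n "$service" ]; then
        printf '%s/%s:%s\n' "$addr" "$masklen" "$service"
    else
        printf '%s/%s\n' "$addr" "$masklen"
    fi
}

# build_syslogd_args SPEC... -> prints "-a SPEC" for every valid spec on one line,
# or prints nothing and returns 1 if any spec is rejected
build_syslogd_args() {
    args=""
    for s in "$@"; do
        out=$(check_allow_spec "$s") || return 1
        args="$args -a $out"
    done
    printf '%s\n' "${args# }"
}

# Example with constructed addresses: a /24 subnet plus a single host on the syslog port.
build_syslogd_args 192.168.1.0/24 10.0.0.5/32:syslog
```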
UNCLASSIFIED