Starting from scratch with a new CentOS 7 Linode,
I found that iptables is set by default to block (although not reject)
packets to the IMAP and POP3 services.
Rackspace has a good primer
on setting up Dovecot that includes these instructions, but here's the
sudo iptables -I INPUT 2 -p tcp --dport 587 -j ACCEPT sudo iptables -I
INPUT 3 -p tcp --dport 110 -j ACCEPT sudo iptables -I INPUT 4 -p tcp
--dport 143 -j ACCEPT sudo iptables -I INPUT 5 -p tcp --dport 993 -j
ACCEPT sudo iptables -I INPUT 6 -p tcp --dport 995 -j ACCEPT sudo
/etc/init.d/iptables save sudo /etc/init.d/iptables restart
That adds a rule to accept the IMAP and POP ports, both the regular and
SSL versions. Then we save the chain table and restart iptables. Now
you should be able to get in:
$ telnet myhost.wlindley.com imap Trying
myhost.wlindley.com... Connected to myhost.wlindley.com. Escape
character is '^]'. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
Connecting to wireless networks can be a bit of a trial-and-error
thing, and the "number of bars" indicator does not tell you the whole
story. Here's a single command-line for Linux that pings the current
gateway -- so you can try rotating or moving your computer to see how
the reception changes.
ping `route -n | grep "^0.0.0.0" | tr -s ' ' | cut -d ' ' -f2`
Here we are nesting the output of a command with the back-quotes. We
get the current route table which looks something like this:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 2 0 0 wlan0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan0
and then use grep to extract just the line that starts with the
universal destination 0.0.0.0, the next field being the IP address of
the gateway. Then tr compresses multiple spaces to one, and cut selects
just the second field... returning that to ping.
The end result looks like:
$ ping `route -n | grep "^0.0.0.0" | tr -s ' ' | cut -d ' ' -f2`
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=2.01 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=1.52 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=1.42 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=64 time=1.34 ms
so you get an immediate feedback of times, and timeouts, duplicate
packets, and so on. Press Ctrl+C to exit ping.
Upon first install Virtualmin, you will need to set a few
- I recommend running Clam and SpamAssassin as servers, if you handle
email. If you delegate all email to a separate server, leave these
We will be disabling root login to webmin / virtualmin. Start by
creating an administration group:
From the Virtualmin control panel, click at the top: Webmin
Open the webmin drop-down on the left
Click Webmin Users
Under Webmin Groups, click Create a new Webmin group
Call it "admins" or "devel" or as you wish. There is a Select All
link at the bottom of the list of permissions; use it.
Back on the Webmin User panel, click Convert Unix users to Webmin
Click in the radio-button for "Users with group" and put "wheel"
into the box (see previous post, where we set our administrator
users into the wheel group)
The default should be to use Unix authentication for the Webmin users.
That means, resetting your Unix password will update your Webmin login
Logout of Webmin and then back in with your username. Go back to Webmin
Users and click on the 'root' user in the list of users. Set the
password to "No password accepted" and voilá, your Webmin is now a
little more secure.
Disabling Unused Cronjobs
CentOS in particular puts unwanted tasks in the cron entries. They do
not appear in the 'crontab' proper but in /etc/cron.daily and
/etc/cron.hourly. Rename these files to be their hidden dotfile
Otherwise, awstats will run every hour for every domain, regardless of
the settings you make in Virtualmin. Also I disabled 'makewhatis'
'webalizer' and 'freshclam' as I am not using them.