SSH – Broken Zimbra after securing SSH

ssh zimbra

I have a CentOS 5.7 server with Zimbra installed and all was working fine.

I just secured SSH by:

  • changing to another port
  • denying root login
  • enabling StrictModes
  • changing AllowUsers to only 1 user (not zimbra)
  • disabling RSAAuthentication
  • enabling PubkeyAuthentication
  • disabling PasswordAuthentication
  • disabling ChallengeResponseAuthentication

The above works for SSH'ing to the server as the allowed user and su'ing to root / sudoing.

However, when I log in to my webmail I cannot send / receive any messages anymore. Eeek!

By doing some searches on the web it looks like Zimbra uses ssh internally to talk to other Zimbra modules.

Does anybody know how to fix this?

Best Answer

I can't really test this because I don't have a test setup of Zimbra to work with, but I'd suspect adding the zimbra user to AllowUsers and setting the ssh port back to 22 should be sufficient.

If you're nervous about exposing ssh on a standard port, it should be possible to configure sshd to listen on your alternative port as well as port 22, and use iptables to limit access to port 22 to the local IP address only. (Personally, I prefer to leave ssh on its standard port and limit the source IP addresses, but this may not be practical if you don't have a fixed source IP address.)

If you're nervous about exposing the zimbra user to the world, you might want to look into pam_access to limit what IP addresses the zimbra user may SSH from.

That said, I have a feeling that, according to the symptoms you listed, there's more going on with your server than just broken SSH access. Zimbra does not require ssh to itself for routine stuff like sending e-mail, but rather mainly for administrative purposes. You probably want to check logs in /var/log and /opt/zimbra/log.
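
The following is an added example, not part of the question or the answer above: a small shell check that reads an sshd_config and reports whether the zimbra account could still reach sshd on port 22 after hardening. The function names, the alternative port 2222 and the user name "admin" are assumptions made for the sample input, which is constructed.

```shell
#!/bin/sh
# Added example: would this sshd_config still let the "zimbra" account
# reach sshd on port 22, as the answer suggests it needs to?
# Assumptions of this sketch: global section only (parsing stops at the first
# Match block), no Include handling, and AllowUsers entries are compared
# literally on the user part of USER or USER@HOST (no wildcard expansion).

check_zimbra_ssh() {
    # $1 = path to sshd_config ("-" reads stdin), $2 = account (default: zimbra)
    awk -v user="${2:-zimbra}" '
        { sub(/#.*/, ""); key = tolower($1) }   # strip comments; keywords are case-insensitive
        key == "match" { exit }                 # stop at the first Match block (END still runs)
        key == "port"  { ports[$2] = 1; have_port = 1 }
        key == "allowusers" {
            have_allow = 1
            for (i = 2; i <= NF; i++) {
                split($i, p, "@")
                if (p[1] == user) allowed = 1
            }
        }
        END {
            rc = 0
            if (!have_port) ports["22"] = 1     # sshd listens on 22 when no Port line is set
            if (!("22" in ports)) { print "FAIL: sshd does not listen on port 22"; rc = 1 }
            if (have_allow && !allowed) { print "FAIL: AllowUsers excludes " user; rc = 1 }
            if (rc == 0) print "OK: " user " is permitted and port 22 is open"
            exit rc
        }
    ' "$1"
}

# Constructed sample: settings like those listed in the question.
# Port 2222 and the user "admin" are placeholders, not values from the page.
sample_hardened() {
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'StrictModes yes' \
        'AllowUsers admin' 'PubkeyAuthentication yes' 'PasswordAuthentication no'
}

# Constructed sample: the same settings with the changes the answer suggests.
sample_fixed() {
    printf '%s\n' 'Port 2222' 'Port 22' 'PermitRootLogin no' 'StrictModes yes' \
        'AllowUsers admin zimbra' 'PubkeyAuthentication yes' 'PasswordAuthentication no'
}

# Demo: the first config reports two failures, the second passes.
sample_hardened | check_zimbra_ssh - || true
sample_fixed | check_zimbra_ssh -
```

On a real host, pass the path of the live file (typically /etc/ssh/sshd_config) as the first argument. A passing result does not cover firewall rules or pam_access restrictions, which still have to permit the local connection.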