Appendix C: Best practices

This section provides a list of best practices. Depending on your needs and on the deployment, you can evaluate implementing them or not.

1. Design disk partition carefully

You should carefully design the disk partition, considering the foreseeable needs for disk space in the medium-long term. It is highly recommended to use LVM [1] .

2. Have a good filesystem design

You should have a good filesystem design. It is extremely important to define the folders that will contain the user data, mailboxes, shared resources, etc. and (while maintaining the standard Debian filesystem hierarchy) decide which folders will be mounted on separate partitions.

If you make the right decisions when configuring the disk, the future migration tasks between servers are made much easier.

3. Use RAID

You should use some kind of RAID to grant the low-level security of the data on the disk.

4. Install only the modules you need

An installed and unused module increases system complexity, wastes resources and, generally, decreases system security. Therefore, you should install only modules that you are going to use.

5. Maintain a test server

It is highly recommended to have a test server, with the same configuration as the production server. Like this, you can safely carry out all the tests you deem necessary. This is especially useful when you plan to implement a new feature, update the server or make any changes that could compromise the stability or performance of the server.

6. Establish a server update policy

You should establish a server update policy: when the updates will be done, how and by whom.

7. Establish a backup policy

You should establish a backup policy (for both Zentyal Server configuration and for the data). Keep in mind that you can configure this directly from Zentyal:

8. Have a server recovery plan in place

Having a well tested server recovery plan in place is absolutely necessary. A critical failure in production server should not catch you by surprise you and lead you to improvise.

9. Decide admin users

Determine carefully which users will have administrative permissions on your Zentyal Server, through “webadmin” or console (including SSH).

Keep in mind that every user included in the “sudo” group can operate as admin on your Zentyal Server.

10. Establish a password policy

You should establish a password policy for both local and domain users (in case you are using this module).

11. Monitor your server

You should monitor your server on daily basis. Although it is highly recommended to implement a complete server monitoring system (with Zabbix, Nagios etc.), Zentyal also comes with a small utility that allows you to have a basic understanding of the server status:

12. Check the server status

Check often your Zentyal Server status. The Zentyal ‘system status report’ feature is very useful to this end:

13. Analyze the logs

It is important that you check and analyse the server logs to detect possible errors as early as possible.

14. Check log rotation

Analyse “logrotate” configurations and configure them according to your company policies.You should keep in mind that (depending on the company activity and legal framework) you could be obliged to store the logs for some specific period of time. Incorrect “logrotate” configuration could cause you to lose important data.

15. Limit traffic

Configure “deny” policy in your firewall by default. Forbid all the traffic expect the strictly needed. This will reduce the chances of unwanted accesses and/or attacks and intrusions.

Use utilities like Nmap [2] periodically to check the degree of external exposition of your server.

You can use Hping3 [3] to test the suitability of your firewall rules. This tool will allow you to test the firewall by creating TCP/IP packets with any configuration that you want.

16. Secure the SSH service

Change the default port, allow only the public key access and disable the root access. These are some mandatory practices if you need a permanent SSH service “in the wild”.

17. If you use the Domain Controller module

If you use the Domain Controller module, you should keep in mind the following points:

  • Carefully design the structure of your domain: Use the Organizational Units and security groups to replicate the organic structure of your organization. This will make the system management easier.
  • Regularly check your user accounts and update them. Disable or remove the unnecessary accounts.
  • Define disk quotas for users.
  • Regularly analyse the permissions defined on the shared resources. If you need to log the user activity on the shared resources, enable the “full_audit” option in your File sharing -> Samba settings.
  • Learn how GPOs allow you to control Windows computers joined to the domain.
[1]LVM: https://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)
[2]Nmap: https://nmap.org/
[3]Hping3: https://tools.kali.org/information-gathering/hping3