Penetration Testing mailing list archives

Re: LAMP and postfix-dovecot security


From: Joe Peters <joepete () joepete com>
Date: Tue, 20 Oct 2009 21:16:02 -0400

On Sat, 2009-10-17 at 17:54 +0100, admin wrote:

I am very much new at administrating a LAMP/email server, although I have administered, fixed and secured Windows systems for around five years.
I have built a system based on Ubuntu 9.04; the running services are ssh, LAMP, and Postfix with Dovecot.
Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use?


First off, if you are new to Linux, read up on iptables. There are some
massive configurations out there, but if you keep things simple, you can
pretty much lock down any server with just a handful of lines.

For postfix I would point you toward Jeffrey Posluns's Postfix guides:
http://www.posluns.com/guides/

I also found this to be a good SpamAssassin/Postfix starter:
http://www.akadia.com/services/postfix_spamassassin.html

I am going a little in your reverse direction. Recently I had a project
involving implementing Exchange (after many Linux projects). A key
difference between Windows and *nix environments is the autonomy of each
service. Windows tends to bundle things together into one massive
"wizard" whereas Linux gives you a lot of granularity.

By the same token, I would recommend your pentesting follow suit. In
your setup essentially you need to target each service (pop, imap, smtp,
http, ssh, https etc.). But then within each service you can break
things down further. What I try to do is build an outline, and you will
find that in Linux you end up several layers deep. Example for http:

1) HTTP
- a) Apache
- b) PHP
-- i) Postfixadmin
-- ii) PHPadmin

Underneath each of those headings might be a whole bunch of
vulnerabilities to test. In something like Windows rather than this
detail, you might end up with one line - "IIS."

I know that maybe doesn't point you toward a specific tool, but I think
what you will discover is this is more about strategy than simply trying
to do some all-encompassing attack.

--
JoePete
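As an added illustration of the "handful of lines" iptables lockdown suggested above (this is not code from the post or its author), here is a minimal default-deny IPv4 ruleset for the services named in the thread. The port numbers are the standard defaults and are my assumptions; the script prints the rules for review and only applies them when explicitly told to.

```shell
#!/bin/sh
# Added example: minimal default-deny iptables ruleset for a server exposing
# ssh, http/https, smtp and pop/imap. Ports are assumed defaults, not from the post.

# Services to expose, as name:port pairs (assumed defaults for this kind of setup).
SERVICES="ssh:22 http:80 https:443 smtp:25 submission:587 pop3:110 pop3s:995 imap:143 imaps:993"

# Print the rules, one iptables command per line, instead of applying them,
# so the set can be reviewed and diffed before it touches the live firewall.
gen_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F INPUT"
    # Loopback, and replies to connections the server itself initiated.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Drop packets that claim to belong to a connection conntrack never saw.
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Throttle new SSH connections per source (5 per minute) to blunt password guessing.
    echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh"
    echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name ssh -j DROP"
    # One explicit ACCEPT per exposed service; everything else hits the DROP policy.
    for svc in $SERVICES; do
        port=${svc#*:}
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT  # ${svc%%:*}"
    done
    # Log a rate-limited sample of drops so the deny policy is visible in syslog.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
}

# Number of service ports the generated set opens (a quick self-check).
allowed_ports() {
    gen_rules | grep -c -- '--dport [0-9]* -m conntrack --ctstate NEW -j ACCEPT'
}

# Apply only when asked explicitly ("apply" as the first argument), and only as root.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    gen_rules | sh -e
else
    gen_rules
fi
```

Run it without arguments to inspect the ruleset; run it as `sh script.sh apply` on the server once the exposed ports match what Postfix, Dovecot, Apache and sshd actually listen on.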





