Penetration Testing mailing list archives
Re: LAMP and postfix-dovecot security
From: Joe Peters <joepete () joepete com>
Date: Tue, 20 Oct 2009 21:16:02 -0400
On Sat, 2009-10-17 at 17:54 +0100, admin wrote:
I am very much new at administrating a LAMP/email server, although I have administered, fixed and secured Windows systems for around five years. I have built a system based on Ubuntu 9.04; the running services are ssh, LAMP, and Postfix with Dovecot. Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use?
First off, if you are new to Linux, read up on iptables. There are some massive configurations out there, but if you keep things simple, you can pretty much lock down any server with just a handful of lines.

For postfix I would point you toward Jeffrey Posluns' Postfix guides: http://www.posluns.com/guides/

I also found this to be a good SpamAssassin/Postfix starter: http://www.akadia.com/services/postfix_spamassassin.html

I am going a little in your reverse direction. Recently I had a project involving implementing Exchange (after many Linux projects). A key difference between Windows and *nix environments is the autonomy of each service. Windows tends to bundle things together into one massive "wizard" where Linux gives you a lot of granularity. By the same token, I would recommend your pentesting follow suit. In your setup essentially you need to target each service (pop, imap, smtp, http, ssh, https etc.). But then within each service you can break things down further. What I try to do is build an outline, and you will find that in Linux you end up several layers deep. Example for http:

1) HTTP
   a) Apache
   b) PHP
      i) Postfixadmin
      ii) PHPadmin

Underneath each of those headings might be a whole bunch of vulnerabilities to test. In something like Windows rather than this detail, you might end up with one line - "IIS."

I know that maybe doesn't point you toward a specific tool, but I think what you will discover is this is more about strategy than simply trying to do some all-encompassing attack.

--
JoePete
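The "handful of lines" default-deny iptables policy the reply recommends, written out as an added example that is not part of the original thread. It generates an iptables-restore ruleset for exactly the services the original poster lists (ssh, http/https, smtp with submission and SMTPS, pop3/imap and their TLS variants); the port list, the rule names and the helper function names are assumptions for this example, the ports are the IANA defaults, and the script covers IPv4 only (ip6tables needs its own equivalent).

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Emits a minimal default-deny IPv4 ruleset in iptables-restore format
# for an ssh + LAMP + Postfix/Dovecot host, so it can be reviewed as text
# before it is loaded into the kernel.

# Exposed TCP services (assumed list, IANA default ports):
# 22 ssh, 25 smtp, 80 http, 110 pop3, 143 imap, 443 https,
# 465 smtps, 587 submission, 993 imaps, 995 pop3s
ALLOWED_TCP_PORTS="22 25 80 110 143 443 465 587 993 995"

# Print the complete ruleset to stdout.
build_ruleset() {
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded traffic; allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback must stay open: postfix, dovecot and mysql talk over lo.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened (DNS, apt, outbound SMTP).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that make no sense for the connection table are dropped.
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Keep ping working so external monitoring is not blinded.
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One explicit ACCEPT per exposed service, new connections only.
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of everything else before the chain policy drops it,
    # so blocked probes are visible in syslog without flooding it.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Number of per-service ACCEPT rules in the generated ruleset
# (a quick sanity check that the port list was parsed as expected).
count_service_rules() {
    build_ruleset | grep -c -- '--dport'
}

# Review:  sh firewall.sh | less
# Apply:   sh firewall.sh | sudo iptables-restore
# Persist: sh firewall.sh | sudo tee /etc/iptables/rules.v4 > /dev/null
build_ruleset
```

Load it from the console or an out-of-band session the first time, since a mistake in the ssh rule locks you out of the box; the `-m conntrack` matches require the conntrack module, which is present on any Ubuntu kernel of that era and later.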