Penetration Testing mailing list archives

Re: LAMP and postfix-dovecot security


From: admin <admin () propergander org uk>
Date: Mon, 26 Oct 2009 11:11:02 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe Peters wrote:
On Sat, 2009-10-17 at 17:54 +0100, admin wrote:

I am very much new at administering a LAMP/email server, although I have administered, fixed and secured Windows systems for around five years.
I have built a system based on Ubuntu 9.04; the running services are ssh, LAMP, and Postfix with Dovecot.
Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use?


First off, if you are new to Linux, read up on iptables. There are some
massive configurations out there, but if you keep things simple, you can
pretty much lock down any server with just a handful of lines.

For postfix I would point you toward Jeffrey Posluns' Postfix guides:
http://www.posluns.com/guides/

I also found this to be a good SpamAssassin/Postfix starter:
http://www.akadia.com/services/postfix_spamassassin.html

I am going a little in your reverse direction. Recently I had a project
involving implementing Exchange (after many Linux projects). A key
difference between Windows and *nix environments is the autonomy of each
service. Windows tends to bundle things together into one massive
"wizard", whereas Linux gives you a lot of granularity.

By the same token, I would recommend your pentesting follow suit. In
your setup essentially you need to target each service (pop, imap, smtp,
http, ssh, https etc.). But then within each service you can break
things down further. What I try to do is build an outline, and you will
find that in Linux you end up several layers deep. Example for http:

1) HTTP
- a) Apache
- b) PHP
-- i) Postfixadmin
-- ii) PHPadmin

Underneath each of those headings might be a whole bunch of
vulnerabilities to test. In something like Windows rather than this
detail, you might end up with one line - "IIS."

I know that maybe doesn't point you toward a specific tool, but I think
what you will discover is this is more about strategy than simply trying
to do some all-encompassing attack.

--
JoePete

JoePete,

thanks for your advice. I found a bunch of hardening information for the LAMP stack from various sources and have implemented that which I managed to verify across several sources. Iptables are this week's project; I quickly looked at a few tutorials and found this one to be pretty comprehensive: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html. So far I have probed my server with Nessus; it only revealed the traceon directive of Apache as a potential vulnerability, and needless to say I switched this off.

I understand what you say regarding granularity; it is the thing I disliked most about Windows, not knowing how badly the wizards were configuring things in the background.

I shall be spending a little more time on research before I put the machine on the Internet, although confidence in my securing the box does not guarantee real security.

Thanks again for your advice and the provided links

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFK5YPGBStvyIzJtOARAvPoAKCRgK14AoyJxksEjLTnyfYkMapiPgCfYLEG
ff4a4Kz87Elv9MDT/TCjamQ=
=IyLL
-----END PGP SIGNATURE-----
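The "handful of lines" JoePete mentions and the iptables project Dave refers to, as an added example that is not part of the thread and not anyone's posted code: a default-deny INPUT policy for a single-homed box running exactly the services named in the thread (ssh, web, smtp, pop, imap). It is a POSIX shell script; the port numbers are the IANA defaults and are an assumption, as is the extra per-source rate limit on new ssh connections, which goes slightly beyond what the thread says. The script prints the rules by default so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Minimal default-deny firewall
# for an ssh + LAMP + Postfix/Dovecot box. gen_rules prints the iptables
# commands; apply_rules runs them. Ports are IANA defaults (assumption):
# drop any entry for a service you do not actually run.
ALLOWED_TCP="ssh:22 smtp:25 http:80 https:443 pop3:110 imap:143 imaps:993 pop3s:995"

gen_rules() {
    # Start from a clean INPUT chain.
    echo "iptables -F INPUT"
    # Default-deny inbound and forwarded traffic; outbound is allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback is needed by local daemons (PHP talking to MySQL, etc.).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the server itself opened.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Packets with bogus TCP state never reach a service.
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # Keep ping working so monitoring still sees the host.
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    # Slow down ssh password guessing: more than 6 new connections from one
    # source within 60 seconds are dropped (assumed thresholds).
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP"
    # One ACCEPT line per published service.
    for entry in $ALLOWED_TCP; do
        port=${entry#*:}
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy discards, so a scan from the
    # outside can be matched against the firewall log afterwards.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"iptables-drop: \""
}

# Number of rule lines the generator emits (useful for a quick sanity check).
rule_count() { gen_rules | wc -l | tr -d ' '; }

# Exit status 0 if the generated set ACCEPTs new TCP connections to port $1.
allows_port() { gen_rules | grep -q -- "--dport $1 .*-j ACCEPT"; }

# Feed the generated commands to a shell; must run as root.
apply_rules() { gen_rules | sh; }

# Usage: sh firewall.sh        -> print the rules for review
#        sh firewall.sh apply  -> apply them (as root)
case "${1:-}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

Review the printed rules first, then apply them from a console session rather than over ssh, so a mistake in the ssh line cannot lock you out; the `-F INPUT` at the top makes the script safe to re-run after corrections.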
