Penetration Testing mailing list archives

Re: LAMP and postfix-dovecot security


From: "Claudio Criscione" <blackfireml () securenetwork it>
Date: Sat, 24 Oct 2009 21:41:41 +0200

Hi Dave,

I am very much new at administrating a LAMP/email server, although I have
[...]
 this system to the Internet after I investigate integrating ClamAV,
 PostfixDspam, the SPF package and Forum software. But before I take this
 any further, I wish to security test the existing system.

I must admit that IIRC there have not been so many issues lately in the software you 
are mentioning. That is, Dovecot had a bug affecting its sieve 
components, but it was not really that easy to exploit. 
You will most probably have to focus on standard, or vanilla, things such as open 
relay, weak passwords and, most notably, integration. You are not mentioning 
how you are managing the infrastructure, but I'm making a guess and maybe you 
are going to use a MySQL backend managed through a webapp to administer your 
users, in which case you are entering webapp security territory. For instance, 
being able to manipulate the mailbox path (which is stored in a database, or 
is the home directory of the user) can lead to interesting results. But I'd 
say you have quite a small attack surface here.

Once you start adding ClamAV and antispam stuff, anyway, things change a little 
and you could test the infrastructure's behaviour with archives or similar 
things: google for ClamAV vulnerabilities and you'll find plenty of info.


Can anyone please offer sources of information and tools on hardening and
 pentesting the services I currently use.

As far as hardening goes, you might find our Ubuntu hardening guide a nice 
starting point. It was written by a very bright intern with the newbie Linux 
administrator in mind, so it should do, even in its beta stage.
You can find it here: www.securenetwork.it/ricerca/whitepaper/download/Debian-Ubuntu_hardening_guide.pdf

-- 
Claudio Criscione
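An added example, not part of this thread, of the mailbox-path concern Claudio raises: the relative path a hypothetical web admin tool stores in MySQL is validated before Postfix/Dovecot use it, shown beside the naive join that lets a manipulated value escape the base directory. The base directory, function names and sample values are assumptions.

```python
import posixpath
import re
from typing import Optional

# Assumed base directory under which all virtual mailboxes must live
# (constructed for this example; real deployments set it in Dovecot's
# mail_location and Postfix's virtual_mailbox_base).
MAILBOX_BASE = "/var/mail/vhosts"

# Allow-list for each path segment the admin webapp may store
# ("domain/localpart"): must start alphanumeric, so "." and ".." never match.
_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def naive_mailbox_path(db_value: str, base: str = MAILBOX_BASE) -> str:
    """What a hastily written admin tool does: trust the stored value outright.
    A value such as "../../etc" or "/etc/passwd" resolves outside `base`."""
    return posixpath.normpath(posixpath.join(base, db_value))


def safe_mailbox_path(db_value: str, base: str = MAILBOX_BASE) -> Optional[str]:
    """Return the absolute mailbox directory for a DB-stored relative path,
    or None if the value is malformed or would leave `base`.

    The value is treated as untrusted because it arrived through the web
    admin interface; rejecting, rather than "cleaning", keeps the rule simple."""
    # Absolute paths, empty values and embedded NULs are never legitimate here.
    if not db_value or db_value.startswith("/") or "\x00" in db_value:
        return None
    segments = [s for s in db_value.split("/") if s != ""]
    if not segments:
        return None
    for seg in segments:
        if not _SEGMENT.match(seg):  # rejects ".", ".." and odd characters
            return None
    # Normalise and confirm containment against the normalised base; the
    # trailing "/" guards against a sibling prefix such as "/var/mail/vhosts2".
    resolved = posixpath.normpath(posixpath.join(base, *segments))
    base_norm = posixpath.normpath(base)
    if not resolved.startswith(base_norm + "/"):
        return None
    return resolved
```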
