Penetration Testing mailing list archives
Re: LAMP and postfix-dovecot security
From: admin <admin () propergander org uk>
Date: Mon, 26 Oct 2009 11:34:20 +0000
Claudio Criscione wrote:
> Hi Dave,
>
>> I am very much new at administrating a LAMP/email server, although I have[...]this system to the Internet after I investigate integrating ClamAV, PostfixDspam, the SPF package and Forum software. But before I take this any further, I wish to security test the existing system.
>
> I must admit that IIRC there have been not so many issues on the software you are mentioning lately. That is, Dovecot had a bug affecting its sieve components but not really that easy to exploit. You will most probably have to focus on "standard", or vanilla things as open relay, weak passwords and, most notably, integration.
>
> You are not mentioning how you are managing the infrastructure, but I'm making a guess and maybe you are going to use a MySQL backend managed through a webapp to administer your user, in which case you are entering webapp security territory. For instance, being able to manipulate the mailbox path (which is stored in a database, or is the home directory of the user) can lead to interesting results. But I'd say you have quite a small attack surface here.
>
> Once you start adding ClamAV and antispam stuff, anyway, things change a little and you could test the infrastructure's behaviour with archives or similar things: google for clamav vulnerabilities and you'll find plenty of info.
>
>> Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use.
>
> As far as hardening goes, you might find our Ubuntu hardening guide a nice starting point. It was written by a very bright intern with the newbie Linux administrator in mind so it should do, even in its beta stage. You can find it here: www.securenetwork.it/ricerca/whitepaper/download/Debian-Ubuntu_hardening_guide.pdf
Hi Claudio,

The vanilla things you mention are those things which I am most aware of, my head hurts from trying to remember strong passwords, there are no services running that are not required, a hardware firewall also restricts which ports are forwarded. Having used the wonderfully secure and reliable software written by Microsoft, its Operating Systems and applications, security has never been a concern to me until now /sarcasm

So far I am managing the server via ssh and vi, changing config files and not using any web based management. I haven't yet but will restrict ssh access to one static private IP address as the server sits on my LAN and will live in my garage. I plan to continue to admin the server via a shell, if only to improve my Linux knowledge. If I start using web management interfaces, I won't really understand how things work and are being secured/changed, I will only presume that they are. I never trusted Windoze wizards because I did not know what they did underneath.

I am testing in stages, ensuring each layer is securely configured before adding a new layer.

The pdf to which you link is very good, all the information and more that I gathered from several sources is here all in one place, I wish I had come across it sooner.

Thanks for your advice, my confidence and understanding grows

Dave
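The integration risk raised in the quoted reply, a mailbox path stored in a database that someone manages to manipulate, can be audited from the defender's side. The following is an added example, not code from either poster: the mail root `/var/vmail`, the row layout and the sample rows are all assumptions constructed for illustration.

```python
import posixpath

MAIL_ROOT = "/var/vmail"  # assumed mail root, not taken from the thread

# Constructed sample rows (user, stored maildir), as a virtual-user table might hold them.
SAMPLE_ROWS = [
    ("alice@example.org", "example.org/alice/"),
    ("bob@example.org", "example.org/../../../etc/"),
    ("carol@example.org", "/home/carol/Maildir/"),
    ("dave@example.org", "example.org/alice/.Sent/"),
    ("erin@example.org", "example.org/erin\x00/"),
    ("frank@example.org", ""),
]

def resolve(mail_root, stored):
    """Join the stored value onto the mail root and normalise it lexically."""
    # posixpath.join discards mail_root when 'stored' is absolute, which is
    # exactly the case this audit has to catch.
    return posixpath.normpath(posixpath.join(mail_root, stored))

def audit_mailbox_paths(rows, mail_root=MAIL_ROOT):
    """Return {user: reason} for every row whose mailbox path is unsafe."""
    root = posixpath.normpath(mail_root)
    findings = {}
    owners = {}  # resolved path -> first user that claimed it
    for user, stored in rows:
        if not stored or any(ord(c) < 32 for c in stored):
            findings[user] = "empty or control characters"
            continue
        path = resolve(root, stored)
        if not path.startswith(root + "/"):
            findings[user] = "escapes mail root: " + path
            continue
        # A mailbox nested inside (or containing) another user's mailbox
        # lets one account read or overwrite another's mail.
        for other_path, other in owners.items():
            if (path == other_path or path.startswith(other_path + "/")
                    or other_path.startswith(path + "/")):
                findings[user] = "overlaps mailbox of " + other
                break
        else:
            owners[path] = user
    return findings

if __name__ == "__main__":
    for user, reason in audit_mailbox_paths(SAMPLE_ROWS).items():
        print(user, "->", reason)
```

The check is purely lexical; on a live server, symlinks under the mail root need a separate check with `os.path.realpath`.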