Penetration Testing mailing list archives

Re: LAMP and postfix-dovecot security


From: admin <admin () propergander org uk>
Date: Mon, 26 Oct 2009 11:34:20 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Claudio Criscione wrote:
Hi Dave,

I am very much new at administrating a LAMP/email server, although I have
[...]
 this system to the Internet after I investigate integrating ClamAV,
 PostfixDspam, the SPF package and Forum software. But before I take this
 any further, I wish to security test the existing system.

I must admit that IIRC there have been not so many issues on the software you 
are mentioning lately. That is, Dovecot had a bug affecting its sieve 
components but not really that easy to exploit. 
You will most probably have to focus on "standard", or vanilla things as open 
relay, weak passwords and, most notably, integration. You are not mentioning 
how you are managing the infrastructure, but I'm making a guess and maybe you 
are going to use a MySQL backend managed through a webapp to administer your 
user, in which case you are entering webapp security territory. For instance, 
being able to manipulate the mailbox path (which is stored in a database, or 
is the home directory of the user) can lead to interesting results. But I'd 
say you have quite a small attack surface here.

Once you start adding ClamAV and antispam stuff, anyway, things change a little 
and you could test the infrastructure's behaviour with archives or similar 
things: google for clamav vulnerabilities and you'll find plenty of info.


Can anyone please offer sources of information and tools on hardening and
 pentesting the services I currently use.

As far as hardening goes, you might find our Ubuntu hardening guide a nice 
starting point. It was written by a very bright intern with the newbie Linux 
administrator in mind so it should do, even in its beta stage.
You can find it here: www.securenetwork.it/ricerca/whitepaper/download/Debian-Ubuntu_hardening_guide.pdf

Hi Claudio,

The vanilla things you mention are those things which I am most aware of; my head hurts from trying to remember strong passwords, there are no services running that are not required, and a hardware firewall also restricts which ports are forwarded. Having used the wonderfully secure and reliable software written by Microsoft, its operating systems and applications, security has never been a concern to me until now /sarcasm

So far I am managing the server via ssh and vi, changing config files and not using any web based management. I haven't yet, but will, restrict ssh access to one static private IP address, as the server sits on my LAN and will live in my garage. I plan to continue to admin the server via a shell, if only to improve my Linux knowledge. If I start using web management interfaces, I won't really understand how things work and are being secured/changed; I will only presume that they are. I never trusted Windoze wizards because I did not know what they did underneath.

I am testing in stages, ensuring each layer is securely configured before adding a new layer. The pdf to which you link is very good; all the information and more that I gathered from several sources is here all in one place. I wish I had come across it sooner.

Thanks for your advice
my confidence and understanding grows

Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFK5Yk8BStvyIzJtOARAtAgAJ46n3sZMyvKQVnxAwTyaG1jvK8L3gCgjWo0
CV5zX+DLH2d7VsXv4QeUmiQ=
=X8Ii
-----END PGP SIGNATURE-----
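Claudio's point about manipulating the mailbox path (a value stored in a database or derived from the user's home directory) is the one place in the thread where a concrete check helps. The script below is an added example, not code from either poster: it audits rows of a virtual-user table and rejects any stored path that is absolute, empty, contains a NUL byte, or normalises to somewhere outside the mail store. The mail root `/var/mail/vhosts`, the function names and the sample rows are all constructed for the example.

```python
import posixpath

# Assumed mail store root; a constructed value, not taken from the thread.
MAIL_ROOT = "/var/mail/vhosts"


class MailboxPathError(ValueError):
    """Raised when a stored mailbox path cannot be safely mapped."""


def resolve_mailbox_path(stored_path, mail_root=MAIL_ROOT):
    """Map a database-supplied relative mailbox path onto the mail store.

    Returns the normalised absolute path, or raises MailboxPathError if the
    value is empty, absolute, contains a NUL byte, or would resolve outside
    mail_root after '..' components are collapsed.
    """
    if not isinstance(stored_path, str) or not stored_path.strip():
        raise MailboxPathError("empty mailbox path")
    if "\x00" in stored_path:
        raise MailboxPathError("NUL byte in mailbox path")
    if posixpath.isabs(stored_path):
        raise MailboxPathError("absolute mailbox path not allowed")

    root = posixpath.normpath(mail_root)
    candidate = posixpath.normpath(posixpath.join(root, stored_path))

    # The path must be strictly below the root; the root itself and any
    # sibling of it (reached via '..') are rejected.
    if candidate == root or not candidate.startswith(root + "/"):
        raise MailboxPathError("mailbox path escapes mail root: %r" % stored_path)
    return candidate


def check_rows(rows, mail_root=MAIL_ROOT):
    """Audit (user, stored_path) rows as exported from a virtual-user table.

    Returns a dict mapping each user to either the resolved path or a
    'REJECTED: ...' string explaining why the stored value was refused.
    """
    results = {}
    for user, stored in rows:
        try:
            results[user] = resolve_mailbox_path(stored, mail_root)
        except MailboxPathError as exc:
            results[user] = "REJECTED: " + str(exc)
    return results


# Constructed sample rows standing in for a virtual-user table; the last
# three are the kinds of values an audit should flag.
SAMPLE_ROWS = [
    ("dave@example.com", "example.com/dave/"),
    ("bob@example.com", "example.com/bob/Maildir"),
    ("eve@example.com", "../../etc/"),
    ("mal@example.com", "/root/"),
    ("nul@example.com", "example.com/x\x00y"),
]

if __name__ == "__main__":
    for user, outcome in check_rows(SAMPLE_ROWS).items():
        print(user, "->", outcome)
```

Run it against an export of the real user table (or call `resolve_mailbox_path` from whatever code builds the delivery path) so that a bad row is refused before the MDA ever touches the filesystem; the same check belongs in any web front end that lets an administrator edit the stored value.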

