Penetration Testing mailing list archives
Re: LAMP and postfix-dovecot security
From: "Claudio Criscione" <blackfireml () securenetwork it>
Date: Sat, 24 Oct 2009 21:41:41 +0200
Hi Dave,
> I am very much new at administrating a LAMP/email server, although I have
> [...]
> this system to the Internet after I investigate integrating ClamAV, PostfixDspam, the SPF package and Forum software. But before I take this any further, I wish to security test the existing system.
I must admit that, IIRC, there have not been so many issues in the software you are mentioning lately. That is, Dovecot had a bug affecting its sieve components, but not really that easy to exploit. You will most probably have to focus on "standard", or vanilla, things such as open relay, weak passwords and, most notably, integration.

You are not mentioning how you are managing the infrastructure, but I'm making a guess and maybe you are going to use a MySQL backend managed through a webapp to administer your users, in which case you are entering webapp security territory. For instance, being able to manipulate the mailbox path (which is stored in a database, or is the home directory of the user) can lead to interesting results. But I'd say you have quite a small attack surface here.

Once you start adding ClamAV and antispam stuff, anyway, things change a little and you could test the infrastructure's behaviour with archives or similar things: google for clamav vulnerabilities and you'll find plenty of info.
> Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use.
As far as hardening goes, you might find our Ubuntu hardening guide a nice starting point. It was written by a very bright intern with the newbie Linux administrator in mind, so it should do, even in its beta stage. You can find it here: www.securenetwork.it/ricerca/whitepaper/download/Debian-Ubuntu_hardening_guide.pdf

--
Claudio Criscione
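The open-relay check mentioned in the reply above, as an added worked example (editor's code, not Claudio's and not part of the original thread): an unauthenticated SMTP session does EHLO, MAIL FROM and RCPT TO for an address in a domain the server is not responsible for, then RSETs and QUITs before DATA so nothing is ever queued. A 2xx on that RCPT means the server relays for anyone. Because the list archive cannot host a live target, the block also includes a constructed fake SMTP server (the hostnames, domains and addresses in it are invented) that answers like Postfix does, with "554 5.7.1 ... Relay access denied" unless started with open_relay=True; on a real engagement you would point smtp_relay_probe() at the box from outside its mynetworks range, since Postfix legitimately relays for those networks.

```python
"""Open-relay probe for an SMTP server (e.g. Postfix), plus a constructed
fake SMTP server so the probe can be demonstrated offline."""
import socket
import socketserver
import threading

# Constructed sample data: the domain(s) the fake server is authoritative for.
LOCAL_DOMAINS = {"example.org"}


def _read_reply(f):
    """Read one SMTP reply (single- or multi-line); return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-foo" continues the reply; "250 foo" (or a short line) ends it.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def smtp_relay_probe(host, port, mail_from, rcpt_to, helo="probe.example", timeout=10):
    """Unauthenticated session: is RCPT TO a foreign-domain address accepted?
    RSET/QUIT is sent before DATA, so no message is queued or relayed."""
    codes = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def cmd(name, line):
            sock.sendall((line + "\r\n").encode("ascii"))
            code, _ = _read_reply(reader)
            codes[name] = code
            return code

        codes["banner"], _ = _read_reply(reader)
        if cmd("helo", f"EHLO {helo}") != 250:
            cmd("helo", f"HELO {helo}")  # fall back for non-ESMTP servers
        cmd("mail", f"MAIL FROM:<{mail_from}>")
        rcpt = cmd("rcpt", f"RCPT TO:<{rcpt_to}>")
        cmd("rset", "RSET")
        cmd("quit", "QUIT")
    # Verdict: a 2xx for a recipient the server is not responsible for.
    codes["open_relay"] = rcpt in (250, 251)
    return codes


class _FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a mail server: accepts RCPT only for
    LOCAL_DOMAINS unless the server was started with open_relay=True."""

    def _reply(self, text):
        self.wfile.write((text + "\r\n").encode("ascii"))

    def handle(self):
        self._reply("220 mail.example.org ESMTP (constructed fake)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.decode("utf-8", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self._reply("250 mail.example.org")
            elif verb == "MAIL":
                self._reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = line.split(":", 1)[-1].strip(" <>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if self.server.open_relay or domain in LOCAL_DOMAINS:
                    self._reply("250 2.1.5 Ok")
                else:
                    self._reply(f"554 5.7.1 <{addr}>: Relay access denied")
            elif verb == "RSET":
                self._reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self._reply("221 2.0.0 Bye")
                break
            else:
                self._reply("502 5.5.2 Error: command not recognized")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _FakeSMTPHandler)
        self.open_relay = open_relay


def probe_fake_server(open_relay):
    """Run the probe against a fake server on an ephemeral port; return codes."""
    server = FakeSMTPServer(open_relay)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return smtp_relay_probe(host, port, "probe@attacker.example",
                                "someone@not-local.example")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for flag in (False, True):
        print("fake server open_relay=%s ->" % flag, probe_fake_server(flag))
```

Read the whole codes dict, not just the verdict: if MAIL FROM already got a 5xx, the RCPT result is meaningless and the test is inconclusive rather than negative. Repeat the probe with a recipient in one of the server's own domains as a baseline, so you can tell "relay denied" from "rejects everything".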