LAMP and postfix-dovecot security



by admin-179


Hi,

I am very much new at administrating a LAMP/email server, although I have administered, fixed and secured Windows systems for around five years.
I have built a system based on Ubuntu 9.04; the running services are ssh, LAMP, and Postfix with Dovecot.
Everything is working fine, as far as my limited knowledge allows me to deduce such workings.
I eventually plan to expose this system to the Internet after I investigate integrating ClamAV, PostfixDspam, the SPF package and Forum
software. But before I take this any further, I wish to security test the existing system.

As a novice security researcher I am looking for advice and links to tips and tools which will allow me to test all of the currently installed
components from a security perspective. I will worry about the rest at a later date. I have googled but it would take me days to separate the
wheat from the chaff.

So far I have come across, although not used, Nikto, Nessus and DenyHosts. I am also aware of, and have used to a limited extent, the Backtrack and
KCPentrix live CDs.

Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use?

Thanks
Dave

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


Re: LAMP and postfix-dovecot security

by JoePete


On Sat, 2009-10-17 at 17:54 +0100, admin wrote:

> I am very much new at administrating a LAMP/email server, although I have administered, fixed and secured Windows systems for around five years.
> I have built a system based on Ubuntu 9.04; the running services are ssh, LAMP, and Postfix with Dovecot.
> Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use?
>

First off, if you are new to Linux, read up on iptables. There are some
massive configurations out there, but if you keep things simple, you can
pretty much lock down any server with just a handful of lines.

For postfix I would point you toward Jeffrey Poslun's Postfix guides:
http://www.posluns.com/guides/

I also found this to be a good SpamAssassin/Postfix starter:
http://www.akadia.com/services/postfix_spamassassin.html

I am going a little in your reverse direction. Recently I had a project
involving implementing Exchange (after many Linux projects). A key
difference between Windows and *nix environment is the autonomy of each
service. Windows tends to bundle things together into one massive
"wizard" where Linux gives you a lot of granularity.

By the same token, I would recommend your pentesting follow suit. In
your setup essentially you need to target each service (pop, imap, smtp,
http, ssh, https etc.). But then within each service you can break
things down further. What I try to do is build an outline, and you will
find that in Linux you end up several layers deep. Example for http:

1) HTTP
- a) Apache
- b) PHP
-- i) Postfixadmin
-- ii) PHPadmin

Underneath each of those headings might be a whole bunch of
vulnerabilities to test. In something like Windows rather than this
detail, you might end up with one line - "IIS."

I know that maybe doesn't point you toward a specific tool, but I think
what you will discover is this is more about strategy than simply trying
to do some all-encompassing attack.

--
JoePete
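The "handful of lines" JoePete refers to, written out as an added example (not code from the thread or from any of the guides it links): a default-deny iptables ruleset for the services Dave listed, with ssh limited to the single management address he later says he plans to allow. The management address, the use of the conntrack match and the choice of standard ports are assumptions; set IPT=echo to preview the commands without applying them.

```shell
#!/bin/sh
# Added example: minimal default-deny iptables ruleset for an ssh + LAMP +
# Postfix/Dovecot box. MGMT_IP and the port choices are assumptions.
set -eu

IPT="${IPT:-iptables}"               # IPT=echo prints the rules instead of applying them
MGMT_IP="${MGMT_IP:-192.168.1.10}"   # constructed placeholder: the one LAN host allowed to ssh in

# Map a service name to its TCP port. Fails for an unknown name so a typo in
# the service list is an error rather than a silently missing rule.
port_for() {
    case "$1" in
        ssh)   echo 22 ;;
        smtp)  echo 25 ;;
        http)  echo 80 ;;
        https) echo 443 ;;
        pop3)  echo 110 ;;
        imap)  echo 143 ;;
        *)     return 1 ;;
    esac
}

# Accept new connections to one public service's port.
allow_service() {
    port="$(port_for "$1")" || { echo "unknown service: $1" >&2; return 1; }
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Whole ruleset: flush INPUT, drop inbound and forwarded traffic by default,
# keep loopback and established flows, allow ssh from MGMT_IP only, open the
# mail and web ports, and log (rate-limited) what falls through to the drop
# policy so the firewall doubles as a detection source.
apply_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -p tcp --dport "$(port_for ssh)" -s "$MGMT_IP" -m conntrack --ctstate NEW -j ACCEPT
    for svc in smtp http https pop3 imap; do
        allow_service "$svc"
    done
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Number of commands a dry run would issue: a cheap sanity check that every
# service name resolved before anything is applied.
rule_count() {
    ( IPT=echo; apply_rules ) | wc -l | tr -d ' '
}

# Apply only when asked explicitly, so sourcing or previewing the file is safe.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run `IPT=echo sh firewall.sh apply` first and read the output; once it looks right, run it as root with `sh firewall.sh apply`. The rules are not persisted across reboots here; how to do that depends on the distribution.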






Re: LAMP and postfix-dovecot security

by Claudio Criscione-3


Hi Dave,

> I am very much new at administrating a LAMP/email server, although I have
[...]
>  this system to the Internet after I investigate integrating ClamAV,
>  PostfixDspam, the SPF package and Forum software. But before I take this
>  any further, I wish to security test the existing system.

I must admit that IIRC there have been not so many issues on the software you
are mentioning lately. That is, Dovecot had a bug affecting its sieve
components but not really that easy to exploit.
You will most probably have to focus on "standard", or vanilla, things such as open
relay, weak passwords and, most notably, integration. You are not mentioning
how you are managing the infrastructure, but I'm making a guess and maybe you
are going to use a MySQL backend managed through a webapp to administer your
user, in which case you are entering webapp security territory. For instance,
being able to manipulate the mailbox path (which is stored in a database, or
is the home directory of the user) can lead to interesting results. But I'd
say you have quite a small attack surface here.

Once you start adding ClamAV and antispam stuff, anyway, things change a little
and you could test the infrastructure's behaviour with archives or similar
things: google for clamav vulnerabilities and you'll find plenty of info.


> Can anyone please offer sources of information and tools on hardening and
>  pentesting the services I currently use.

As far as hardening goes, you might find our Ubuntu hardening guide a nice
starting point. It was written by a very bright intern with the newbie Linux
administrator in mind so it should do, even in its beta stage.
You can find it here: www.securenetwork.it/ricerca/whitepaper/download/Debian-Ubuntu_hardening_guide.pdf

--
Claudio Criscione
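Claudio's point about a mailbox path that comes from a database or an admin webapp is an integration risk rather than a bug in any one package: whatever consumes that path has to refuse values that escape the mail store. The following containment check is an added example, not code from the thread, from Postfixadmin or from Dovecot; the mail root, the allowed character set and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate mailbox paths read from a user database before
# they are handed to anything that touches the filesystem. MAIL_ROOT and
# the sample rows are constructed; adjust the character allowlist to your
# naming scheme.
set -eu

MAIL_ROOT="${MAIL_ROOT:-/var/vmail}"   # assumed mail store root

# Return 0 only for a relative, non-empty path made of plain components:
# no leading slash, no trailing slash, no empty, "." or ".." segments, and
# only characters from a small allowlist (letters, digits, . _ @ - and /).
mailbox_path_ok() {
    p="$1"
    [ -n "$p" ] || return 1
    case "$p" in
        /*)  return 1 ;;                    # absolute path would leave MAIL_ROOT
        */)  return 1 ;;                    # trailing slash: not a mailbox name
        *[!A-Za-z0-9._@/-]*) return 1 ;;    # shell metacharacters, spaces, controls
    esac
    rest="$p"
    while [ -n "$rest" ]; do
        seg="${rest%%/*}"
        case "$seg" in
            ""|.|..) return 1 ;;            # "//", "/./" or "/../" inside the path
        esac
        [ "$rest" = "$seg" ] && break       # last segment reached
        rest="${rest#*/}"
    done
    return 0
}

# Constructed sample rows in "user:mailbox_path" form, as an admin webapp
# might store them. Only dave and bob should be accepted.
SAMPLE_ROWS='dave:dave/Maildir
mallory:../../etc/
eve:/root/Maildir
bob:bob@example.com/Maildir
trent:trent/./Maildir
carol:carol/Maildir;rm'

# Print one line per row with its verdict and the path that would be used.
check_rows() {
    while IFS=: read -r user path; do
        if mailbox_path_ok "$path"; then
            printf 'ok      %s -> %s/%s\n' "$user" "$MAIL_ROOT" "$path"
        else
            printf 'reject  %s -> %s\n' "$user" "$path"
        fi
    done <<EOF
$SAMPLE_ROWS
EOF
}

# Number of rejected rows, for a quick check of the sample set.
count_rejects() {
    check_rows | grep -c '^reject' || true
}

check_rows
```

The string check above stops traversal and injection through the stored value, but it does not see through symlinks that already exist under the mail root; if users or the admin tool can create those, resolve the final path and confirm it still starts with MAIL_ROOT before using it.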




Re: LAMP and postfix-dovecot security

by admin-179


Joe Peters wrote:

> On Sat, 2009-10-17 at 17:54 +0100, admin wrote:
>
>> I am very much new at administrating a LAMP/email server, although I have administered, fixed and secured Windows systems for around five years.
>> I have built a system based on Ubuntu 9.04; the running services are ssh, LAMP, and Postfix with Dovecot.
>> Can anyone please offer sources of information and tools on hardening and pentesting the services I currently use?
>>
>
> First off, if you are new to Linux, read up on iptables. There are some
> massive configurations out there, but if you keep things simple, you can
> pretty much lock down any server with just a handful of lines.
>
> For postfix I would point you toward Jeffrey Poslun's Postfix guides:
> http://www.posluns.com/guides/
>
> I also found this to be a good SpamAssassin/Postfix starter:
> http://www.akadia.com/services/postfix_spamassassin.html
>
> I am going a little in your reverse direction. Recently I had a project
> involving implementing Exchange (after many Linux projects). A key
> difference between Windows and *nix environment is the autonomy of each
> service. Windows tends to bundle things together into one massive
> "wizard" where Linux gives you a lot of granularity.
>
> By the same token, I would recommend your pentesting follow suit. In
> your setup essentially you need to target each service (pop, imap, smtp,
> http, ssh, https etc.). But then within each service you can break
> things down further. What I try to do is build an outline, and you will
> find that in Linux you end up several layers deep. Example for http:
>
> 1) HTTP
> - a) Apache
> - b) PHP
> -- i) Postfixadmin
> -- ii) PHPadmin
>
> Underneath each of those headings might be a whole bunch of
> vulnerabilities to test. In something like Windows rather than this
> detail, you might end up with one line - "IIS."
>
> I know that maybe doesn't point you toward a specific tool, but I think
> what you will discover is this is more about strategy than simply trying
> to do some all-encompassing attack.
>
> --
> JoePete

JoePete,

thanks for your advice. I found a bunch of hardening information for the LAMP stack from various sources and have implemented that which I
managed to verify across several sources. Iptables are this week's project; I quickly looked at a few tutorials and found this one to be pretty
comprehensive: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html. So far I have probed my server with Nessus; it only revealed the
traceon directive of Apache as a potential vulnerability, and needless to say I switched this off.

I understand what you say regarding granularity; it is the thing I disliked most about Windows, not knowing how badly the wizards were
configuring things in the background.

I shall be spending a little more time on research before I put the machine on the Internet. Although confidence in my securing the box does not
guarantee real security.

Thanks again for your advice and the provided links.

Dave


Re: LAMP and postfix-dovecot security

by admin-179


Claudio Criscione wrote:

> Hi Dave,
>
>> I am very much new at administrating a LAMP/email server, although I have
> [...]
>>  this system to the Internet after I investigate integrating ClamAV,
>>  PostfixDspam, the SPF package and Forum software. But before I take this
>>  any further, I wish to security test the existing system.
>
> I must admit that IIRC there have been not so many issues on the software you
> are mentioning lately. That is, Dovecot had a bug affecting its sieve
> components but not really that easy to exploit.
> You will most probably have to focus on "standard", or vanilla, things such as open
> relay, weak passwords and, most notably, integration. You are not mentioning
> how you are managing the infrastructure, but I'm making a guess and maybe you
> are going to use a MySQL backend managed through a webapp to administer your
> user, in which case you are entering webapp security territory. For instance,
> being able to manipulate the mailbox path (which is stored in a database, or
> is the home directory of the user) can lead to interesting results. But I'd
> say you have quite a small attack surface here.
>
> Once you start adding ClamAV and antispam stuff, anyway, things change a little
> and you could test the infrastructure's behaviour with archives or similar
> things: google for clamav vulnerabilities and you'll find plenty of info.
>
>
>> Can anyone please offer sources of information and tools on hardening and
>>  pentesting the services I currently use.
>
> As far as hardening goes, you might find our Ubuntu hardening guide a nice
> starting point. It was written by a very bright intern with the newbie Linux
> administrator in mind so it should do, even in its beta stage.
> You can find it here: www.securenetwork.it/ricerca/whitepaper/download/Debian-Ubuntu_hardening_guide.pdf
>
Hi Claudio,

The vanilla things you mention are those things which I am most aware of: my head hurts from trying to remember strong passwords, there are no
services running that are not required, and a hardware firewall also restricts which ports are forwarded. Having used the wonderfully secure and
reliable software written by Microsoft, its operating systems and applications, security has never been a concern to me until now /sarcasm

So far I am managing the server via ssh and vi, changing config files and not using any web based management. I haven't yet, but will, restrict
ssh access to one static private IP address, as the server sits on my LAN and will live in my garage. I plan to continue to admin the server via
a shell, if only to improve my Linux knowledge. If I start using web management interfaces, I won't really understand how things work and are
being secured/changed; I will only presume that they are. I never trusted Windoze wizards because I did not know what they did underneath.

I am testing in stages, ensuring each layer is securely configured before adding a new layer. The pdf to which you link is very good; all the
information and more that I gathered from several sources is here all in one place. I wish I had come across it sooner.

Thanks for your advice; my confidence and understanding grows.

Dave


Re: LAMP and postfix-dovecot security

by Claudio Criscione-3


[...]
>  shell, if only to improve my Linux knowledge. If I start using web
>  management interfaces, I won't really understand how things work and are
>  being secured/changed, I will only presume that they are. I never trusted
>  Windoze wizards because I did not know what they did underneath.

I can't but agree. It really depends on which kind of infrastructure you're
managing, but if you are handling only a small number of advanced users, go
for the shell! :)

> I am testing in stages, ensuring each layer is securely configured before
>  adding a new layer. The pdf to which you link is very good, all the
>  information and more that I gathered from several sources is here all in
>  one place, I wish I had come across it sooner.

You're welcome ;-)

