|Testing, testing testing|
Testing assumptions is critical to security
I've been busy lately. Every few months I like to spend a few days testing my web, email and DNS server security and performance. This has been very fruitful, and I usually learn a bit more about security, and sometimes find another hole.
I run both an Apache and an IIS web server so I can write articles comparing the two platforms. It's interesting finding the differences, especially in the area of security.
Anyway, I installed a new email web server and decided (wisely) to spend some time making sure it was not an open relay. I was going to just assume it was fine ... good thing I didn't.
I went to abuse.net and ran their open relay checker. To my surprise, the email server failed the check! Spent two days pulling my hair out trying to figure out why unchecking the "relay mail" box still allowed email to be relayed.
Turned out I had SMTP loaded on my IIS server, and because it was a "trusted" source, it could receive emails, then forward them to my new email server, which assumed that since it was trusted it must know what it was talking about. Thus, the interplay between two email servers introduced a very unsuspected vulnerability...
Just thought this would be of interest. I always like to test my assumptions, and I further reinforced that concept in the last two days. The last thing I need is to have an open relay...
Thanks, Richard Lowe
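The check described in the post above, as an added example that is not part of the original post: a probe that offers an outside-to-outside envelope to every SMTP listener you run (the main mail server and any secondary one such as an IIS SMTP service) and resets before DATA, so no mail is sent. The host names and probe addresses are constructed placeholders, and the probe is assumed to run from a network the servers do not treat as trusted.

```python
import smtplib

# Constructed placeholder addresses: both are outside the server's own
# domains, so a correctly configured server must refuse the RCPT TO.
PROBE_FROM = "relay-probe@example.org"
PROBE_TO = "relay-probe@example.net"


def probe_relay(host, port=25, smtp_factory=smtplib.SMTP, timeout=15):
    """Return (verdict, detail) for one SMTP listener without sending mail.

    Only the envelope is offered; the session is reset before DATA, so
    nothing is delivered even if the server would have relayed it.
    """
    try:
        conn = smtp_factory(host, port, timeout=timeout)
    except OSError as exc:  # refused, DNS failure, timeout
        return "unreachable", str(exc)
    try:
        conn.ehlo_or_helo_if_needed()
        code, _ = conn.mail(PROBE_FROM)
        if code >= 400:
            return "refused", f"MAIL FROM rejected: {code}"
        code, _ = conn.rcpt(PROBE_TO)
        conn.rset()  # abandon the transaction before any DATA
        if 200 <= code < 300:
            return "OPEN RELAY", f"RCPT TO accepted: {code}"
        return "refused", f"RCPT TO rejected: {code}"
    except smtplib.SMTPException as exc:
        return "error", str(exc)
    finally:
        try:
            conn.quit()
        except (smtplib.SMTPException, OSError):
            pass


def audit(hosts, **kwargs):
    """Probe every listener you run, not only the main mail server."""
    return {host: probe_relay(host, **kwargs) for host in hosts}


if __name__ == "__main__":
    # Hypothetical host names: list every machine you own that speaks SMTP.
    hosts = ["mail.example.com", "iis.example.com"]
    for host, (verdict, detail) in audit(hosts).items():
        print(f"{host}: {verdict} ({detail})")
```

An accepted RCPT TO is a flag to investigate and not proof of delivery, since some servers accept the envelope and reject or discard the message later.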
Hmmm, I don't know a whole lot about advanced (?) security topics like that. Where can I find more tools and information on server security issues?
|brotherhood of LAN|
Security is paramount....it's something I want to learn much more about.
OT, I go into Yahoo chat, and the software that Yahoo uses + IE makes me a sitting duck. I'm sick of it! In light of these petty crimes against me, I'd love to see more about security on WMW, or related links :)
Rich...it sounds very interesting .....amazing to see how something along the lines of "a checked box" can mean life or death for a server.
Yes, it's very important and all webmasters need to be actively looking at their security for all that they control. Why? Not just from dangers of hacking and such, but robots and automated programs can do things unintentionally.
I remember one kid started a website downloader on a swimsuit site, and the downloader somehow got into a poorly protected admin area, and wound up deleting the entire customer database. The swimsuit company tried to sue him, but the judge decided it was not the kid's fault. They, after all, left open an admin page...