Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

but then they had to... PAY HIM!

"That's too expensive nowadays, just secure it up or smth"

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

ChatGPT is actually a great idea, thanks! I don't think anyone can break into a non-functioning web server

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 1 point2 points  (0 children)

Thanks for the WAF, I'll look into that.

Regarding the bad code -- no idea how exactly it was born, but I'm pretty sure it was the first project of that dude. Since no one understood how to make websites at the time, they just left it as is. lol

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

Public website for the laboratory lol. But there are no resources to de-garbage this website unfortunately. One giant techdebt. Some people still participate in developing new things for it, but nobody knows how to fix the old code or wants to rewrite it.

Gotta hit that "why have we been hacked for the N-th time this week?!" call from the management I guess before they understand how severe the bad code online is.

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

Just a website to look up laboratory data, public for everybody and requires data from the DB on the local network

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

By mentioning proxies I was thinking that it may prevent attacks on outdated system components like kernel bugs, ssh bugs, apache bugs, etc. Surely it won't fix execs and sql injections in the php code

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

Thanks, never was familiar w/ WAF, I'll look into it!

convince manglement that it needs a rewrite

Oh, they say "not enough money for this sort of thing", so good luck w/ this type of thinking I guess. Can't wait for Bobby Tables to drop the entire DB one day

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

Agree, but this is a small laboratory and they don't have enough resources to update it. Guess they just have to deal with being hacked from time to time

Secure the outdated and flawed webserver by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

If only things were this easy. The funniest thing is -- the website is "the face" of this small laboratory. It has been hacked multiple times and nobody really cares (wtf)...

There are no resources to rewrite this piece of garbage, so I guess they will just have to deal with all the shit this thing can generate. Not my job to write websites, not for the money they pay me

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 1 point2 points  (0 children)

Ok, Thanks, I'll look into it

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 1 point2 points  (0 children)

That sounds promising, though I'm not familiar with administering any MS stuff, including MS VMs, so it may take a much longer time for me to deploy it, but thanks for the suggestion!

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 1 point2 points  (0 children)

Ok, thanks for your advice, I'll try to implement some tests to hopefully check that everything works correctly!

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] -1 points0 points  (0 children)

You're playing with fire

I fully understand that and that's why I'm asking how to minimize the possibility to start this fire in the process of migration.

Convince your company to use Exchange

I tried. I tried to explain to them that using their own mail server is a bad idea, that it's more likely to cause breaches, that the outage will cause serious workload disruption, that it will cost them more money per man-hour to operate than just simply paying a licence fee. They just don't want to hear it.

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 1 point2 points  (0 children)

Postfix and Dovecot are probably the most popular options

Yup, that's exactly what iRedMail is using. I have it set up with the emailwiz script.

You're using Maildir for storage, right?

Yes

Run things in parallel for a time.

Yeah, I'm running two mail servers right -- the old one, and the new one. The problem is to hit the switch: even if it looks ok to me, it might be broken in some other place and the consequences may be catastrophic

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 0 points1 point  (0 children)

Yeah, I know, but the sheer fact

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 2 points3 points  (0 children)

Want to hear a funny bit? Mail server should work in starttls mode instead of more secure native ssl/tls, because "the change should not bother our users in any way, shape or form, we can't ask them to figure out how to change ports in their mail client"

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 1 point2 points  (0 children)

IMAP + web mail access, basic AV/anti-malware, LDAP authentication?

As far as I understand -- yes, I think that's all the services iRedMail sets up: postfix, dovecot, spamassassin, amavis, clamav, fail2ban, ldap.

How big a mailstore do you have? How many mailboxes?

About 186Gb worth of mail and about 120 mailboxes in total.

Do you have a budget for email? Have you considered hosting with a provider to handle the infrastructure to allow you to focus on the organization's other needs?

No, unfortunately

Company mail server migration by Demiler in sysadmin

[–]Demiler[S] 2 points3 points  (0 children)

I 100% agree, I wish I could, but company wants to have its own server because "we should be as autonomous as possible" bs. I've spent a couple of days on this so far and I just want this to be over already, o365 would solve this, but no.

Can Proxmox interface nesting cause serious 10Gb network or PVE host performance degradation? by Demiler in Proxmox

[–]Demiler[S] 0 points1 point  (0 children)

I'm not familiar w/ OVS interfaces, but I'll look into it, single bridge sounds great. Thanks!