
In recent news, Bitcoinica was compromised by an e-mail server infiltration. The hacker then applied social engineering, using one of the administrative e-mail accounts to reset the root credentials on the database server, subsequently hijacking the virtual bitcoins as a result.

What initiatives can an administrator apply to ensure that his e-mail server remains secure, mitigating the risk of hack attempt(s)?

Daniel Li

2 Answers


To be honest, this question is generally a duplicate of questions such as this and can generally be answered by looking at this hardening tag.

Just to add to the great points made by DKNUCKLES.

Regarding IDS/IPS, I personally wouldn't use a HIPS/HIDS on an email server. Email servers generally work pretty hard (due to AV, content-filtering and other checks on emails flowing in and out of an organisation) and having managed email servers, HIPS/HIDS wouldn't be for me.

I would use NIDS (most likely Snort, I'm not familiar with Suricata) and have it configured like a true Network Security Monitoring solution so I've visibility of what's going on in the network.

Additionally, I'd not only have the email server hardened as per the best practices in the links above but also have it segregated in a DMZ with outbound restrictions (i.e. connections to the Internet and back internally), so that it can only talk to the specific devices that it needs to (this is generally following defence-in-depth principles and layered security). Some papers from the SANS Reading Room on it - 1, 2, 3. You don't want the email server being used as a pivot point to attack more valuable elements of your infrastructure, so its ability to do stuff needs to be restricted.

From a protocol perspective for downloading emails to the client, ensure that IMAP over SSL is used rather than POP, which is a clear-text protocol.

Ensure your sysadmin accesses the email server (for administration purposes) in a secure and controlled fashion.

On a possibly unrelated note, configuring your mail server to always take certain actions (such as encrypt or block) when you see email going to a certain recipient or from a certain internal person or based on certain content can save unintended data leakage and other security issues.

Mark Hillick
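Two of the points above (clients must reach the server over TLS rather than a clear-text protocol, and the sysadmin's access must be controlled) come down to a handful of daemon settings that are easy to audit. The following is an added example, not code from the answer or from the Dovecot or OpenSSH projects: it parses a Dovecot config and an sshd_config and reports the settings that leave clear-text logins or open admin access in place. The four configs are constructed samples (a weak and a hardened one for each daemon); the parsers assume the usual Dovecot `key = value` and sshd `Key value` syntax and do not model sshd `Match` blocks.

```python
"""Audit a Dovecot (IMAP) config for TLS-only client access and an sshd
config for restricted admin access. Example code added for this page, not
from the answer's author; all configs below are constructed samples."""

# Constructed weak Dovecot config: TLS optional, clear-text auth and POP3 on.
DOVECOT_WEAK = """
protocols = imap pop3
listen = *
ssl = yes
ssl_cert = </etc/ssl/certs/mail.pem
ssl_key = </etc/ssl/private/mail.key
disable_plaintext_auth = no
service imap-login {
  inet_listener imap {
    port = 143
  }
}
"""

# Constructed hardened Dovecot config: TLS mandatory, IMAP only.
DOVECOT_HARDENED = """
protocols = imap
listen = *
ssl = required
ssl_cert = </etc/ssl/certs/mail.pem
ssl_key = </etc/ssl/private/mail.key
disable_plaintext_auth = yes
"""

# Constructed weak sshd_config: root and password logins from anywhere.
SSHD_WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened sshd_config: keys only, one admin account, bound to a
# management address (10.20.0.5 is a made-up internal address).
SSHD_HARDENED = """
Port 22
ListenAddress 10.20.0.5
PermitRootLogin no
PasswordAuthentication no
AllowUsers mailadmin
"""


def parse_dovecot(text):
    """Collect top-level `key = value` pairs; nested `{ }` blocks are skipped."""
    conf, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0:
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = value.strip()
    return conf


def parse_sshd(text):
    """Collect `Key value` pairs, lower-casing keys; sshd keeps the first
    occurrence of a keyword, so later duplicates are ignored here too."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_dovecot(conf):
    """Findings for client-protocol hardening (empty list means clean)."""
    findings = []
    if conf.get("ssl", "yes") != "required":
        findings.append("ssl is not 'required': clients may log in without TLS")
    if conf.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("disable_plaintext_auth=no: passwords may cross the wire in clear")
    if "pop3" in conf.get("protocols", "").split():
        findings.append("POP3 is enabled; offer IMAP over TLS only")
    return findings


def audit_sshd(conf):
    """Findings for admin-access hardening (empty list means clean)."""
    findings = []
    if conf.get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no': use a named admin account")
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication enabled: require SSH keys")
    if not ({"allowusers", "allowgroups"} & set(conf)):
        findings.append("no AllowUsers/AllowGroups: every local account may try SSH")
    if "listenaddress" not in conf:
        findings.append("no ListenAddress: sshd answers on the DMZ-facing interface too")
    return findings


if __name__ == "__main__":
    for name, text, parse, audit in [
        ("dovecot (weak)", DOVECOT_WEAK, parse_dovecot, audit_dovecot),
        ("dovecot (hardened)", DOVECOT_HARDENED, parse_dovecot, audit_dovecot),
        ("sshd (weak)", SSHD_WEAK, parse_sshd, audit_sshd),
        ("sshd (hardened)", SSHD_HARDENED, parse_sshd, audit_sshd),
    ]:
        print(name, audit(parse(text)) or ["ok"])
```

Run it against the real files (`/etc/dovecot/dovecot.conf` and the `conf.d` includes, `/etc/ssh/sshd_config`) by reading them into `parse_dovecot` and `parse_sshd`; the weak sample yields three Dovecot and four sshd findings, the hardened sample none.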
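The last paragraph of the answer, fixed actions chosen by recipient, internal sender or content, is in effect a small ordered rule set. As an added example that is not part of the answer, here is such a policy in Python: rules are checked in order, the first match decides, blocks come before encrypts, and anything unmatched is allowed. Every address, domain and pattern is a constructed placeholder; in Postfix the same idea is carried by `header_checks`, `body_checks` or a content filter.

```python
"""Outbound mail policy: block, encrypt or allow a message based on its
sender, recipients or body. Example code added for this page, not from the
answer's author; rule targets and sample messages are constructed."""

import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


# Loose payment-card pattern: 13-16 digits with optional space/dash separators.
CARD_NUMBER = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# (reason, predicate, action); first match wins, so blocks precede encrypts.
# Addresses and domains below are constructed examples.
RULES = [
    ("departed employee may not send mail",
     lambda m: m.sender == "jdoe@example.com", "block"),
    ("payment card number in body",
     lambda m: CARD_NUMBER.search(m.body) is not None, "block"),
    ("mail to the auditors is always encrypted",
     lambda m: any(r.endswith("@auditor.example") for r in m.recipients), "encrypt"),
    ("finance team outbound is encrypted",
     lambda m: m.sender.endswith("@finance.example.com"), "encrypt"),
]


def decide(msg):
    """Return (action, reason); 'allow' when no rule matches."""
    for reason, predicate, action in RULES:
        if predicate(msg):
            return action, reason
    return "allow", "no policy rule matched"


# Constructed sample messages exercising each rule and the default.
SAMPLES = [
    Message("jdoe@example.com", ["friend@example.net"], "hi", "still here?"),
    Message("alice@example.com", ["bob@auditor.example"], "Q1", "figures attached"),
    Message("alice@example.com", ["partner@example.net"], "card",
            "use 4111 1111 1111 1111 for the booking"),
    Message("carol@finance.example.com", ["vendor@example.net"], "invoice", "see attached"),
    Message("alice@example.com", ["partner@example.net"], "lunch", "noon?"),
    Message("jdoe@example.com", ["bob@auditor.example"], "x", "y"),  # block beats encrypt
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, "->", m.recipients, decide(m))
```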
  • Constantly evaluate your firewall and monitor the traffic going through it
  • Install an IDS / IPS on the e-mail server
  • Make a point of regularly auditing your security logs
  • Conduct penetration testing on your systems
  • Make sure the SysAdmin stays current on current vulnerabilities (can be accomplished by reading security forums / RSS feeds / getting e-mail updates from vendors)
  • Keep your server patched and up-to-date
  • Most importantly, educate your staff on the methods of Social Engineering. Come up with a protocol of how to discuss matters with your staff and security measures to prevent the attacks.
DKNUCKLES
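"Regularly auditing your security logs" is the item in this list that is most often left undone, so here is an added example (not code from the answer's author) of the simplest useful audit on a mail server: read the authentication failures that Dovecot and Postfix write to syslog and flag source addresses that either hammer one account or spray many. The log lines are constructed to mimic the two daemons' formats, the year supplied to the parser is an assumption (syslog omits it), and the IP addresses are documentation ranges.

```python
"""Brute-force / password-spray check over mail authentication logs.
Example code added for this page, not from the answer's author; the log
lines below are constructed and the field layouts are an assumption."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Dovecot and Postfix syslog lines (documentation IP ranges).
SAMPLE_LOG = """\
May 12 03:14:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=10.20.0.5, TLS
May 12 03:14:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=203.0.113.7, lip=10.20.0.5, TLS
May 12 03:14:12 mail postfix/smtpd[2233]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
May 12 03:14:15 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<postmaster>, method=PLAIN, rip=203.0.113.7, lip=10.20.0.5, TLS
May 12 03:14:20 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<sales>, method=PLAIN, rip=203.0.113.7, lip=10.20.0.5, TLS
May 12 03:15:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=10.20.0.5, TLS
May 12 03:16:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=198.51.100.23, lip=10.20.0.5, TLS
May 12 09:40:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=10.20.0.5, TLS
May 12 09:41:55 mail postfix/smtpd[2410]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
May 12 09:44:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=192.0.2.9, lip=10.20.0.5, TLS
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
DOVECOT_FAIL = re.compile(
    r"dovecot: \S+: Disconnected \(auth failed.*?user=<([^>]*)>.*?rip=([\d.]+)")
POSTFIX_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL \w+ authentication failed")


def parse_failures(text, year=2012):
    """Return (timestamp, source_ip, user_or_None) for each failed login.
    `year` is an assumption: classic syslog timestamps carry none."""
    events = []
    for line in text.splitlines():
        m_ts = SYSLOG_TS.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(f"{year} {m_ts.group(1)}", "%Y %b %d %H:%M:%S")
        m = DOVECOT_FAIL.search(line)
        if m:
            events.append((ts, m.group(2), m.group(1)))
            continue
        m = POSTFIX_FAIL.search(line)
        if m:
            events.append((ts, m.group(1), None))
    return events


def detect(events, window=timedelta(minutes=10), threshold=5, spray_users=3):
    """Map source IP -> reasons, for IPs with >= threshold failures inside
    `window` (brute force) or failures against >= spray_users accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda e: e[0])
        reasons = []
        start, burst = 0, 0           # sliding window over sorted timestamps
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            reasons.append(f"{burst} failures within {int(window.total_seconds() // 60)} min")
        users = {u for _, u in items if u}
        if len(users) >= spray_users:
            reasons.append(f"tried {len(users)} distinct accounts")
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect(parse_failures(SAMPLE_LOG)).items():
        print(ip, "-", "; ".join(reasons))
```

With the defaults only 203.0.113.7 is reported (five failures in thirteen seconds against four different accounts); 192.0.2.9's three spread-out failures stay below the threshold unless it is lowered, which is the trade-off to tune against your own baseline before feeding the result to a blocklist or an alert.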