Yunohost Pentest - verify yunohost security

genma · June 20, 2016, 8:48am

Hi,

I’m asking myself how much Yunohost is secure and how we can verify/audit it.
Yunohost, it’s not only the Yunohost system, it’s also Debian (if you use Debian) and the web apps you install… So there’s different projects involved and each part of this “ecosystem” can be a single point failure (you can have the last version of Yunohost on an not updated Debian with security breach in it ; or the webapps you use was not audited…)

Every parts is “opensource” so the code is auditable and I hope it’s done

For a first time, I’d like to know if someone use some pentests tools (with Kali Linux for exemple) to test it’s own Yunohost installation?

Personnly, as I want to learn some pentest tools, it will be a good exercise.

I launch this thread in order to get some ideas, if some people wants to help…

thomas · June 21, 2016, 4:25pm

Hi @genma

I had the same idea some time ago and I’m very interested in this thread. As I’m neither a pentester myself I think I can learn a lot if I try to pentest my YNH instance.
To start I think I would try to test the basic defense mechanisms: firewall, fail2ban (with it several jails) etc…
Then I would test the security of the files and directories: Is everything safe from public access or public listing ? Are my users well isolated enough from each others (bob can’t access or see alice files for example).

Depending on what is your YNH running on you may want to test physical security as well.

After the pentest comes a big part: hardening. You can begin to list what fails during the pentest and what can be improved. For example why not installing portsentry or nessus ?

As I said I’m not a pentester so theses are a few leads we can explore.
If an IT security specialist happen to wander the YNH forum it would be nice to have a feedback !

aoz · June 22, 2016, 7:23am

Running the test “Lynis” could be a first step :

sudo apt-get install lynis
sudo lynis -c

Advices can then be readen in the file:
sudo grep Suggestion /var/log/lynis.log

genma · June 22, 2016, 8:42am

Thanks for theses answers and advise, it will be helpfull. I’ll post here after I’ve started some test.

Benjamin · June 22, 2016, 3:07pm

Hello,

there gonna be a pentesting sessions @ PSESHSF of Internetcube and yunohost next week https://www.pseshsf.org/fr/programme/2016/#event-517
maybe some documentation after this session

++
b

thomas · June 22, 2016, 3:13pm

Yes of course Lynis is always a very good start but in this case I thought @genma would prefer to learn while pentesting. I use lynis myself but it’s entirely automated. If we’re talking scripts there’s also wpscan to test a wordpress blog, PHP Malware Finder specific to php files and also similar to Lynis there were LBSA and Nikto if I recall correctly.

genma · June 23, 2016, 7:28am

I’ll be at PSESHSF (see Passage en seine - Hacker Space festival 30 juin - 03 juillet post) so it will of course interest me !

thomas · July 11, 2016, 4:25pm

Does anyone has any feedback (PSESHSF or else ) ?