Could use an explanation...

Jascha

New Member
Hi,

As you can see, I'm new here. This week I ordered a vServer from Strato, for now just to practise on. Once I'm fit in Linux and server administration, I'd like to move all my websites to the server.
Just now I got an email from Strato about how things look security-wise. Could someone explain this to me???
I've already made a start on securing the server and I'm currently working on it.

So far I've changed all the passwords and forbidden root from logging in normally, installed/configured an antivirus program and had a look at the firewall.

However, I'm still having trouble updating the whole thing. Of course I've consulted Google, but somehow I can't find the right thing, or rather I don't yet know 100% what I need to search for.

Linux 2.6.18-028stab064.7 <-- that's my Linux system, although I've seen that there are apparently newer versions already, and Plesk 9.3.0.

Regards, Jascha...


Security report for 85.214.131.156

Nikto (NASL wrapper) [ Web application abuses ]
Risk: None
Port: 8443
The target server did not return 404 on requests for non-existent pages. You have requested to force this scan. Please be aware that Nikto is very likely to report false positives under these circumstances. You need to check whether the issues reported by Nikto are real threats or were caused by otherwise correct configuration on the target server.
Here is the Nikto report:
- Nikto v2.1.0/2.1.0
+ Target IP: 85.214.131.156
+ Target Hostname: h1745250.stratoserver.net
+ Target Port: 8443
+ Start Time: 2010-04-02 5:48:05
+ Server: sw-cp-server/1.0.0
- Root page / redirects to: https://h1745250.stratoserver.net:8443/
+ No CGI Directories found (use -C all to force check all possible dirs)
+ OSVDB-0: Multiple index files found: index.php index.php3 index.html index.htm index.shtml index.cfm index.asp default.asp default.htm index.do
- ERROR: / returned an error: error reading HTTP response
- ERROR: / returned an error: error reading HTTP response
- ERROR: / returned an error: error reading HTTP response
- ERROR: // returned an error: error reading HTTP response
+ 3582 items checked: 1 item(s) reported on remote host
+ End Time: 2010-04-02 5:48:05 (25 seconds)
+ 1 host(s) tested

SMTP Server Detection [ General ]
Risk: None
Port: 25
Remote SMTP server banner : 220 h1745250 ESMTP
This is probably: Qmail

Find Service [ Port scanners ]
Risk: 0
Port: 587
An SMTP server is running on this port. Here is its banner : 220 h1745250 ESMTP

Apache mod_deflate Denial Of Service Vulnerability - July09 [ Denial of Service ]
Risk: Medium
Port: 80
Overview: This host is running Apache HTTP Server and is prone to Denial of Service vulnerability.
Vulnerability Insight: The flaw is due to error in mod_deflate module which can cause a high CPU load by requesting large files which are compressed and then disconnecting.
Impact: Successful exploitation will allow remote attackers to cause Denial of Service to the legitimate user by CPU consumption.
Impact Level: Application
Affected Software/OS: Apache HTTP Server version 2.2.11 and prior
Fix: Fixed in the SVN repository. http://svn.apache.org/viewvc?view=rev
****** NOTE: Ignore this warning if above mentioned patch is already applied. ******
References: http://secunia.com/advisories/35781 http://www.vupen.com/english/advisories/2009/1841 https://rhn.redhat.com/errata/RHSA-2009-1148.html https://bugzilla.redhat.com/show_bug.cgi?id=509125
CVSS Score: CVSS Base Score : 4.3 (AV:N/AC:M/Au:NR/C:N/I:N/A:P) CVSS Temporal Score : 3.2
Risk factor: Medium
CVE : CVE-2009-1891
BID : 35623

Find Service [ Port scanners ]
Risk: 0
Port: 25
An SMTP server is running on this port. Here is its banner : 220 h1745250 ESMTP

ProFTPD Long Command Handling Security Vulnerability [ Web application abuses ]
Risk: Medium
Port: 21
Overview : The host is running ProFTPD Server, which is prone to cross-site request forgery vulnerability.
Vulnerability Insight : The flaw exists due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command.
Impact : This can be exploited to execute arbitrary FTP commands on another user's session privileges.
Impact Level : Application
Affected Software/OS : ProFTPD Project versions 1.2.x on Linux, ProFTPD Project versions 1.3.x on Linux
Fix : Fix is available in the SVN repository, http://www.proftpd.org/cvs.html
***** NOTE : Ignore this warning, if above mentioned fix is applied already. *****
References : http://secunia.com/advisories/31930/ http://bugs.proftpd.org/show_bug.cgi?id=3115
CVSS Score : CVSS Base Score : 5.5 (AV:N/AC:L/Au:SI/C:P/I:P/A:N) CVSS Temporal Score : 4.3
Risk factor : Medium
BID : 31289

Find Service [ Port scanners ]
Risk: 0
Port: 21
An FTP server is running on this port. Here is its banner : 220 ProFTPD 1.3.1 Server (ProFTPD) [85.214.131.156]

Identifies services like FTP, SMTP, NNTP... [ Service detection ]
Risk: None
Port: 465
A FTP server is running on this port

Apache Multiple Security Vulnerabilities [ Web Servers ]
Risk: Medium
Port: 80
Overview: Apache is prone to multiple vulnerabilities.
These issues may lead to information disclosure or other attacks. Apache versions prior to 2.2.15-dev are affected.
Solution: These issues have been addressed in Apache 2.2.15-dev. Apache 2.2.15 including fixes will become available in the future as well. Please see the references for more information.
References: http://www.securityfocus.com/bid/38494 http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/ https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 http://svn.apache.org/viewvc?view=revision
Risk factor : Medium
CVE : CVE-2010-0425, CVE-2010-0434, CVE-2010-0408
BID : 38494, 38491

Apache mod_proxy_ajp Information Disclosure Vulnerability [ Web application abuses ]
Risk: Medium
Port: 80
Overview: This host is running Apache Web Server and is prone to Information Disclosure Vulnerability.
Vulnerability Insight: This flaw is caused due to an error in mod_proxy_ajp when handling improperly malformed POST requests.
Impact: Successful exploitation will let the attacker craft a special HTTP POST request and gain sensitive information about the web server.
Impact level: Application
Affected Software/OS: Apache HTTP Version 2.2.11
Workaround: Update mod_proxy_ajp.c through SVN Repository (Revision 767089) http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff
Fix: No solution or patch is available as on 29th April, 2009. Information regarding this issue will be updated once the solution details are available. For further updates refer, http://httpd.apache.org/download.cgi
References: http://secunia.com/advisories/34827 http://xforce.iss.net/xforce/xfdb/50059 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938
CVSS Score: CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) CVSS Temporal Score : 4.0
Risk factor: Medium
CVE : CVE-2009-1191
BID : 34663

SSH Protocol Versions Supported [ Service detection ]
Risk: None
Port: 22
Overview: The remote SSH Server supports the following SSH Protocol Versions: 1.99 2.0
SSHv2 Fingerprint: 10:d2:2b:8b:00:4a:4c:19:72:4c:84:3c:44:4f:8b:68
Risk factor : None

Apache mod_proxy_http.c Denial Of Service Vulnerability [ Denial of Service ]
Risk: Medium
Port: 80
Overview: This host is running Apache HTTP Server and is prone to Denial of Service vulnerability.
Vulnerability Insight: The flaw is due to error in stream_reqbody_cl function in mod_proxy_http.c in the mod_proxy module. When a reverse proxy is configured, it does not properly handle an amount of streamed data that exceeds the Content-Length value via crafted requests.
Impact: Successful exploitation will allow remote attackers to cause Denial of Service to the legitimate user by CPU consumption.
Impact Level: Application
Affected Software/OS: Apache HTTP Server version prior to 2.3.3
Fix: Fixed in the SVN repository. http://svn.apache.org/viewvc?view=rev
References: http://secunia.com/advisories/35691 http://www.vupen.com/english/advisories/2009/1773 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=790587v=790587
CVSS Score: CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P) CVSS Temporal Score : 3.7
Risk factor : Medium
CVE : CVE-2009-1890
BID : 35565

Apache mod_proxy_ftp Module Denial Of Service Vulnerability (Linux) [ Denial of Service ]
Risk: Medium
Port: 80
Overview: The host is running Apache and is prone to Denial of Service vulnerability.
Vulnerability Insight: The flaw is caused due to an error in ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module while processing responses received from FTP servers. This can be exploited to trigger a NULL-pointer dereference and crash an Apache child process via a malformed EPSV response.
Impact: Successful exploitation could allow remote attackers to cause a Denial of Service in the context of the affected application.
Impact Level: Application
Affected Software/OS: Apache HTTP Server version 2.0.x to 2.0.63 and 2.2.x to 2.2.13 on Linux.
Fix: No solution or patch is available as on 14th September, 2009. Information regarding this issue will be updated once the solution details are available. For updates refer, http://www.apache.org/
References: http://intevydis.com/vd-list.shtml http://www.intevydis.com/blog/?p=59 http://secunia.com/advisories/36549 http://httpd.apache.org/docs/2.0/mod/mod_proxy_ftp.html
CVSS Score: CVSS Base Score : 5.4 (AV:N/AC:H/Au:NR/C:N/I:N/A:C) CVSS Temporal Score : 4.9
Risk factor: Medium
CVE : CVE-2009-3094
BID : 36260

TCP timestamps [ General ]
Risk: None
Synopsis : The remote service implements TCP timestamps.
Description : The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See also : http://www.ietf.org/rfc/rfc1323.txt
Risk factor : None

Directory Scanner [ Service detection ]
Risk: None
Port: 80
The following directories were discovered: /cgi-bin, /css, /error, /icons, /img
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Other references : OWASP:OWASP-CM-006

OpenSSH CBC Mode Information Disclosure Vulnerability [ General ]
Risk: Medium
Port: 22
Overview: The host is installed with OpenSSH and is prone to information disclosure vulnerability.
Vulnerability Insight: The flaw is caused due to the improper handling of errors within an SSH session encrypted with a block cipher algorithm in the Cipher-Block Chaining CBC mode.
Impact: Successful exploits will allow attackers to obtain four bytes of plaintext from an encrypted session.
Impact Level: Application
Affected Software/OS: Versions prior to OpenSSH 5.2 are vulnerable. Various versions of SSH Tectia are also affected.
Fix: Upgrade to higher version http://www.openssh.com/portable.html
References: http://www.securityfocus.com/bid/32319
Risk factor: Medium
BID : 32319

No 404 check [ Web Servers ]
Risk: None
Port: 8443
This web server is [mis]configured in that it does not return 404 Not Found error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead.
CGI scanning will be disabled for this host. To work around this issue, please contact the OpenVAS team.

Nikto (NASL wrapper) [ Web application abuses ]
Risk: None
Port: 8880
Here is the Nikto report:
- Nikto v2.1.0/2.1.0
+ Target IP: 85.214.131.156
+ Target Hostname: h1745250.stratoserver.net
+ Target Port: 8880
+ Start Time: 2010-04-02 5:47:05
+ Server: sw-cp-server/1.0.0
+ No CGI Directories found (use -C all to force check all possible dirs)
+ OSVDB-0: Uncommon header p3p found, with contents: CP="NON COR CURa ADMa OUR NOR UNI COM NAV STA"
+ OSVDB-0: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3093: /login.php3?reason=chpass2%20: This might be interesting... has been seen in web logs from an unknown scanner.
+ 3582 items checked: 3 item(s) reported on remote host
+ End Time: 2010-04-02 5:48:05 (45 seconds)
+ 1 host(s) tested

Apache mod_proxy_ftp Module Command Injection Vulnerability (Linux) [ General ]
Risk: High
Port: 80
Overview: The host is running Apache and is prone to Command Injection vulnerability.
Vulnerability Insight: The flaw is due to error in the mod_proxy_ftp module which can be exploited via vectors related to the embedding of these commands in the Authorization HTTP header.
Impact: Successful exploitation could allow remote attackers to bypass intended access restrictions in the context of the affected application, and can cause the arbitrary command injection.
Impact Level: Application
Affected Software/OS: Apache HTTP Server on Linux.
Fix: No solution or patch is available as on 15th September, 2009. Information regarding this issue will be updated once the solution details are available. For updates refer, http://www.apache.org/
References: http://intevydis.com/vd-list.shtml http://httpd.apache.org/docs/2.0/mod/mod_proxy_ftp.html
CVSS Score: CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P) CVSS Temporal Score : 6.7
Risk factor: High
CVE : CVE-2009-3095
BID : 36254

HTTP Server type and version [ General ]
Risk: None
Port: 80
The remote web server type is : Apache/2.2.10 (Linux/SUSE)
Solution : You can set the directive ServerTokens Prod to limit the information emanating from the server in its response headers.

SMTP Server Detection [ General ]
Risk: None
Port: 587
Remote SMTP server banner : 220 h1745250 ESMTP
This is probably: Qmail

HTTP Server type and version [ General ]
Risk: None
Port: 8443
The remote web server type is : sw-cp-server/1.0.0

SSH Server type and version [ General ]
Risk: None
Port: 22
Remote SSH version : SSH-2.0-OpenSSH_5.1
Remote SSH supported authentication : publickey,keyboard-interactive

ProFTPD mod_tls Module NULL Character CA SSL Certificate Validation Security Bypass Vulnerability [ FTP ]
Risk: Medium
Port: 21
Overview: ProFTPD is prone to a security-bypass vulnerability because the application fails to properly validate the domain name in a signed CA certificate, allowing attackers to substitute malicious SSL certificates for trusted ones.
Successful exploits allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
Versions prior to ProFTPD 1.3.2b and 1.3.3 to 1.3.3.rc1 are vulnerable.
Solution: Updates are available. Please see the references for details.
References: http://www.securityfocus.com/bid/36804 http://bugs.proftpd.org/show_bug.cgi?id=3275 http://www.proftpd.org
Risk factor : Medium
CVE : CVE-2009-3639
BID : 36804

Find Service [ Port scanners ]
Risk: 0
Port: 143
An IMAP server is running on this port

Find Service [ Port scanners ]
Risk: 0
Port: 110
A pop3 server is running on this port

Find Service [ Port scanners ]
Risk: 0
Port: 8443
A web server is running on this port

HTTP Server type and version [ General ]
Risk: None
Port: 8880
The remote web server type is : sw-cp-server/1.0.0

Get the IMAP Banner [ General ]
Risk: None
Port: 143
The remote imap server banner is : * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
Versions and types should be omitted where possible. Change the imap banner to something generic.

Find Service [ Port scanners ]
Risk: 0
Port: 8880
A web server is running on this port

Find Service [ Port scanners ]
Risk: 0
Port: 22
An ssh server is running on this port

ProFTPD Server SQL Injection Vulnerability [ FTP ]
Risk: High
Port: 21
Overview: This host is running ProFTPD Server and is prone to remote SQL Injection vulnerability.
Vulnerability Insight: This flaw occurs because the server performs improper input sanitising,
- when a %(percent) character is passed in the username, a single quote (') gets introduced during variable substitution by mod_sql and this eventually allows for an SQL injection during login.
- when NLS support is enabled, a flaw in variable substitution feature in mod_sql_mysql and mod_sql_postgres may allow an attacker to bypass SQL injection protection mechanisms via invalid, encoded multibyte characters.
Impact: Successful exploitation will allow remote attackers to execute arbitrary SQL commands, thus gaining access to random user accounts.
Affected Software/OS: ProFTPD Server version 1.3.1 through 1.3.2rc2
Fix: Upgrade to the latest version 1.3.2rc3, http://www.proftpd.org/
References: http://www.milw0rm.com/exploits/8037 http://www.securityfocus.com/archive/1/archive/1/500833/100/0/threaded http://www.securityfocus.com/archive/1/archive/1/500851/100/0/threaded
CVSS Score: CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P) CVSS Temporal Score : 5.3
Risk factor: High
CVE : CVE-2009-0542, CVE-2009-0543
BID : 33722

FTP Server Detection [ General ]
Risk: None
Port: 21
Remote FTP server banner : 220 ProFTPD 1.3.1 Server (ProFTPD) [85.214.131.156]

Find Service [ Port scanners ]
Risk: 0
Port: 80
A web server is running on this port
 
My opinion: wrong approach. You practise at home, on your own PC - in a VM if you like.

The first driving lesson doesn't take place alone on the motorway in a Formula 1 car either, does it?
 
Of course not, you're right, and it's certainly not the best approach either. But this way I can learn directly on the "live" object.
Of course I was just waiting for this answer, since that's how it goes here by default and it goes like that for almost every post, but I also know that many "experts" learned it this way too.
The server is shut down whenever I'm not working on it anyway...
 
Of course not, you're right, and it's certainly not the best approach either. But this way I can learn directly on the "live" object.
Where's the difference between a vServer on the Internet that does nothing and a vServer on the LAN that does nothing, apart from the one on the LAN being considerably safer? :)

And what exactly do you want to know anyway? The problems are addressed quite concretely in the output.
 
How I get rid of the High risk problems, for example...

Or how I identify the updates I need (ok, that's clear) and apply them... does all that go through YaST?
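A small triage helper, added here as an example and not part of the thread, that turns report lines like the ones pasted above into a list ordered by risk factor, with the CVE ids, affected software and fix line per port. The sample input is a constructed excerpt in the report's own line format, and the parse_findings/triage names are my own.

```python
import re

# Constructed excerpt in the same line format as the scan report pasted in
# the thread (field names and values copied from that report, ASCII hyphens).
SAMPLE_REPORT = """\
Port: 80
Overview: This host is running Apache HTTP Server and is prone to Denial of Service vulnerability.
Affected Software/OS: Apache HTTP Server version 2.2.11 and prior
Fix: Fixed in the SVN repository. http://svn.apache.org/viewvc?view=rev
CVSS Score: CVSS Base Score : 4.3 (AV:N/AC:M/Au:NR/C:N/I:N/A:P) CVSS Temporal Score : 3.2 Risk factor: Medium CVE : CVE-2009-1891 BID : 35623
Port: 80
Overview: The host is running Apache and is prone to Command Injection vulnerability.
Affected Software/OS: Apache HTTP Server on Linux.
Fix: No solution or patch is available as on 15th September, 2009.
CVSS Score: CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P) CVSS Temporal Score : 6.7 Risk factor: High CVE : CVE-2009-3095 BID : 36254
Port: 21
Overview: This host is running ProFTPD Server and is prone to remote SQL Injection vulnerability.
Affected Software/OS: ProFTPD Server version 1.3.1 through 1.3.2rc2
Fix: Upgrade to the latest version 1.3.2rc3, http://www.proftpd.org/
CVSS Score: CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P) CVSS Temporal Score : 5.3 Risk factor: High CVE : CVE-2009-0542, CVE-2009-0543 BID : 33722
Port: 22
Remote SSH version : SSH-2.0-OpenSSH_5.1 Remote SSH supported authentication : publickey,keyboard-interactive
"""

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "None": 3}
FIELDS = (("overview", "Overview:"), ("affected", "Affected Software/OS:"), ("fix", "Fix:"))

def parse_findings(text):
    """Split the report at every 'Port:' line and keep the fields needed for
    triage: port, risk factor, CVE ids, affected software and the fix line.
    Entries without a risk factor or CVE (pure service detection) are dropped."""
    findings, current = [], None
    for line in text.splitlines():
        if line.startswith("Port:"):
            current = {"port": int(line.split(":", 1)[1]), "risk": "None",
                       "cves": [], "overview": "", "affected": "", "fix": ""}
            findings.append(current)
            continue
        if current is None:
            continue
        for key, prefix in FIELDS:
            if line.startswith(prefix):
                current[key] = line[len(prefix):].strip()
        m = re.search(r"Risk factor\s*:\s*(\w+)", line)
        if m:
            current["risk"] = m.group(1)
        current["cves"] += re.findall(r"CVE-\d{4}-\d{4,}", line)
    return [f for f in findings if f["risk"] != "None" or f["cves"]]

def triage(text):
    """Findings ordered High -> Medium -> Low -> None, then by port number."""
    return sorted(parse_findings(text),
                  key=lambda f: (RISK_ORDER.get(f["risk"], 9), f["port"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        cves = ", ".join(f["cves"]) or "-"
        print(f"[{f['risk']:6}] port {f['port']:>4} {cves}: {f['affected']} -> {f['fix']}")
```

Feed it the full report text instead of SAMPLE_REPORT and the two High entries (ProFTPD on 21, mod_proxy_ftp on 80) come out first, each with the scanner's own fix line, which is the list to work through before anything rated Medium.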
 
I'm afraid, if I've researched correctly, you don't get any updates for that system any more...

-> Cancel the thing, learn at home - and if you seriously need a dedicated server (for a couple of homepages, webspace will do) and are able to administer it securely, rent a current one...

http://en.opensuse.org/SUSE_Linux_Lifetime
 
"a couple" is currently 26 sites, and I'm working on no. 27 at the moment.
and somehow I think the sites are getting rather slow.

and since server stuff interests me a lot right now, I'm happy to invest the time to devote myself to it all, and in the long run too.

Linux 2.6.18-028stab064.7 is the version I have... and I just saw that 2.6.34 exists, so it must work with the update, or am I seeing this wrong?
 
On the subject of "can you update or not" - have a look at the release policy of Suse / Novell.

Of course you can manually update an expired distribution yourself until the end of time - but I wouldn't do that on a production server....

Either way: the thing is currently outdated and there are no more updates via YaST.
 
true again... but why does Strato offer it then???

suggestions??? (other than cancelling the contract)
 
LTS meaning???

I can install it once with Plesk and once as LTS... only Ubuntu already has 9.10 LTS again now
 