Hi all,
I have run nessus against my virtual server.
btw:
- Hosting Server based on RedHat 7.1
- FreeVSD 1.4.9 (RPM installation)
- Skel: freevsd-skel-1_4_9-2rh62
- Tomcat 3.2.2 installed on port 8081
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 1
- Number of security warnings found : 10
- Number of security notes found : 11
TESTED HOSTS
vsone (Security holes found)
DETAILS
+ vsone :
. List of open ports :
o ftp (21/tcp) (Security warnings found)
o ssh (22/tcp) (Security notes found)
o telnet (23/tcp) (Security hole found)
o smtp (25/tcp) (Security warnings found)
o http (80/tcp) (Security notes found)
o pop3 (110/tcp) (Security notes found)
o https (443/tcp) (Security warnings found)
o iden-ralp (1725/tcp)
o iberiagames (1726/tcp)
o mysql (3306/tcp)
o unknown (8007/tcp)
o http-alt (8080/tcp) (Security warnings found)
o unknown (8081/tcp) (Security warnings found)
o unknown (8443/tcp) (Security warnings found)
o general/udp (Security notes found)
o general/tcp (Security notes found)
o general/icmp (Security warnings found)
. Warning found on port ftp (21/tcp)
The FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should
deactivate the anonymous account, since it can only cause troubles.
Under most Unix system, doing :
echo ftp >> /etc/ftpusers
will correct this.
Risk factor : Low
CVE : CAN-1999-0497
. Information found on port ftp (21/tcp)
Remote FTP server banner :
. Information found on port ssh (22/tcp)
Remote SSH version :
ssh-1.99-openssh_2.9p1
. Vulnerability found on port telnet (23/tcp) :
The Telnet server does not return an expected number of replies
when it receives a long sequence of 'Are You There' commands.
This probably means it overflows one of its internal buffers and
crashes. It is likely an attacker could abuse this bug to gain
control over the remote host's superuser.
For more information, see:
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz
Solution: Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor: High
. Warning found on port telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.
You should disable this service and use OpenSSH instead.
(www.openssh.com)
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
. Information found on port telnet (23/tcp)
Remote telnet banner :
Server vsone
login:
. Warning found on port smtp (25/tcp)
The remote SMTP server answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.
Your mailer should not allow remote users to
use any of these commands, because it gives
them too much informations.
Solution : if you are using sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
. Information found on port smtp (25/tcp)
Remote SMTP server banner :
vsone ESMTP Sendmail 8.9.3/8.9.3
Wed, 29 Aug 2001 03:53:11 -0400
214-This is Sendmail version 8.9.3
214-Topics:
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214- [EMAIL PROTECTED]
214-For local information send email to Postmaster at your site.
214 End of HELP info
. Information found on port http (80/tcp)
The remote web server type is :
Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.5
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
. Information found on port pop3 (110/tcp)
The remote POP server banner is :
+OK POP3 Welcome to vm-pop3d 1.1.4 <8806.999071871@vsone>
. Warning found on port https (443/tcp)
a web server is running on this port
. Information found on port https (443/tcp)
The remote web server type is :
Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.5
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
. Warning found on port http-alt (8080/tcp)
a web server is running on this port
. Warning found on port http-alt (8080/tcp)
The misconfigured proxy accepts requests coming from anywhere.
This allows attackers to gain some anonymity when browsing
some sensitive sites using your proxy, making the remote sites think
that the requests come from your network.
Solution: Reconfigure the remote proxy so that it only accepts
coming from inside your network.
Risk factor : Low/Medium
. Information found on port http-alt (8080/tcp)
The remote web server type is :
Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.5
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
. Warning found on port unknown (8081/tcp)
a web server is running on this port
. Warning found on port unknown (8081/tcp)
The 'snoop' tomcat's servlet is installed.
(/examples/jsp/snp/anything.snp)
This servlet gives too much information about
the remote host, such as the PATHs in use,
the host kernel version and so on...
This allows an attacker to gain more knowledge
about this host, and make more precise attacks
thanks to this.
Solution : delete this servlet
Risk factor : Low
CVE : CAN-2000-0760
. Warning found on port unknown (8443/tcp)
a web server is running on this port
. Information found on port unknown (8443/tcp)
The remote web server type is :
Apache/1.3.14 (Unix) (Red-Hat/Linux) PHP/4.0.5
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
. Information found on port general/udp
For your information, here is the traceroute to 1.2.3.4 :
1.2.3.4
1.2.3.5
. Information found on port general/tcp
QueSO has found out that the remote host OS is
* Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS
CVE : CAN-1999-0454
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
------------------------------------------------------
This file was generated by the Nessus Security Scanner
------------------------------------------------------
-----Original Message-----
From: Dave C. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 August 2001 10:33
To: [EMAIL PROTECTED]
Subject: Security of the provided skel
Hi,
Has anyone run a nessus (or other security probe) against a running
virtual server? If so, what are the results?
Dave
------------------------- The freeVSD Support List --------------------------
Subscribe: mailto:[EMAIL PROTECTED]?body=subscribe%20freevsd-support
Unsubscribe: mailto:[EMAIL PROTECTED]?body=unsubscribe%20freevsd-support
Archives: http://freevsd.org/support/mail-archives/freevsd-support
-----------------------------------------------------------------------------