HowtoForge Forums > ISPConfig 3 > Installation/Configuration

  #1  
4th June 2009, 10:55
Slowhand (Member)
Newb: Result of nessus scan

Hi,

Don't know if this is of any interest to anyone but I just completed the 'Perfect server, Ubuntu 8.04 LTS' instructions on a virgin box and then did a Nessus scan on the setup. These are the flags. Perhaps they will help with an updated version of the instructions...?:

Code:
ProFTPD Command Truncation Cross-Site Request Forgery

Synopsis :

The remote FTP server is prone to a cross-site request forgery attack.

Description :

The remote host is using ProFTPD, a free FTP server for Unix and
Linux.

The version of ProFTPD running on the remote host splits an overly
long FTP command into a series of shorter ones and executes each in
turn. If an attacker can trick a ProFTPD administrator into accessing
a specially-formatted HTML link, he may be able to cause arbitrary FTP
commands to be executed in the context of the affected application
with the administrator's privileges.

See also :

http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0524.html
http://bugs.proftpd.org/show_bug.cgi?id=3115

Solution :

Apply the patch included in the bug report or upgrade to the latest
version in CVS.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE : CVE-2008-4242
BID : 31289
Other references : OSVDB:48411

DNS Server Cache Snooping Information Disclosure

Synopsis :

The remote DNS server is vulnerable to cache snooping attacks.

Description :

The remote DNS server responds to queries for third-party domains
which do not have the recursion bit set.

This may allow a remote attacker to determine which domains have
recently been resolved via this name server, and therefore which hosts
have been recently visited.

For instance, if an attacker was interested in whether your company
utilizes the online services of a particular financial institution,
they would be able to use this attack to build a statistical model
regarding company usage of that financial institution. Of course, the
attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

See also :

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:

http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

SSL Version 2 (v2) Protocol Detection

Synopsis :

The remote service encrypts traffic using a protocol with known
weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.

See also :

http://www.schneier.com/paper-ssl.pdf

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Nessus ID : 20007


SSL Weak Cipher Suites Supported
Synopsis :

The remote service supports the use of weak SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Solution :

Reconfigure the affected application if possible to avoid use of weak
ciphers.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
(List of ciphers here)

SSL Version 2 (v2) Protocol Detection

Synopsis :

The remote service encrypts traffic using a protocol with known
weaknesses.

Description :

The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.

See also :

http://www.schneier.com/paper-ssl.pdf

Solution :

Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

SSL Weak Cipher Suites Supported
Synopsis :

The remote service supports the use of weak SSL ciphers.

Description :

The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Solution :

Reconfigure the affected application if possible to avoid use of weak
ciphers.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv2
(List of ciphers here)

http TRACE XSS attack
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Plugin output :

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus353213367.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus353213367.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------


http TRACE XSS attack
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Plugin output :

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1657334004.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus1657334004.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

http TRACE XSS attack
Synopsis :

Debugging functions are enabled on the remote web server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.

In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.

See also :

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593

Solution :

Disable these methods.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :

Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Plugin output :

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus741855205.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus741855205.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
Perhaps someone can comment on a method to do such things as:
Code:
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
So it applies to all sites created by Ispc?

Slowhand
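An added check (editor's example, not code from the thread or from Nessus) for the TRACE finding above: `trace_enabled()` classifies a captured reply the way the plugin does, using a sample constructed from the response in the scan output, and `probe_trace()` sends a single TRACE to a host you administer (hypothetical host/port arguments) so the fix can be confirmed after a restart. For the poster's question, note that `TraceEnable` is a core Apache directive accepted in the main server config, so `TraceEnable off` set there is inherited by every virtual host, including the ones ISPConfig writes.

```python
import http.client

# Constructed from the reply captured in the Nessus output above (Server header shortened).
NESSUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.8 (Ubuntu) mod_ssl/2.2.8 OpenSSL/0.9.8g\r\n"
    "Connection: close\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE /Nessus353213367.html HTTP/1.1\r\n"
    "Host: 192.168.0.55\r\n"
)

# Constructed: what Apache answers once 'TraceEnable off' is in effect.
HARDENED_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><body>Method Not Allowed</body></html>\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw):
    """True when the server reflected the request: 2xx plus Content-Type message/http
    or an echoed request line. 403 ([F] rule), 405 (TraceEnable off), 501 mean rejected."""
    status, headers, body = parse_response(raw)
    if status // 100 != 2:
        return False
    ctype = headers.get("content-type", "")
    return ctype.startswith("message/http") or body.startswith("TRACE ")

def probe_trace(host, port=80, timeout=5.0):
    """Send one TRACE to a server you administer and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("TRACE", "/", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    raw = ("HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
           + "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
           + "\r\n" + body)
    conn.close()
    return trace_enabled(raw)
```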
  #2  
4th June 2009, 14:35
till (Super Moderator)

This cannot be an ISPConfig 3 server, as ProFTPD is not even supported by ISPConfig 3.
--
Till Brehm
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
4th June 2009, 14:53
Slowhand (Member)

Quote:
Originally Posted by till
This can not be a ispconfig 3 server as proftpd is not even supported by ispconfig 3.
Till,

I *am* a total newb so anything is possible but I *definitely* have
"Powered by ISPConfig 3.0.1.3" at the bottom of my login page.

What's going on?

Slowhand
  #4  
4th June 2009, 14:55
till (Super Moderator)

Then you installed the wrong FTP server, or it's a bug in Nessus that it mixes up pure-ftpd with ProFTPD. Please make sure that you installed your server exactly as described in the ISPConfig 3 installation instructions.
  #5  
4th June 2009, 14:55
Croydon (ISPConfig Developer)

Quote:
Originally Posted by Slowhand
Till,

I *am* a total newb so anything is possible but I *definitely* have
"Powered by ISPConfig 3.0.1.3" at the bottom of my login page.

What's going on?

Slowhand
I think you should have followed a different tutorial (made for ISPC3).
  #6  
4th June 2009, 15:03
Slowhand (Member)

Quote:
Originally Posted by Croydon
I think you should have followed a different tutorial (made for ISPC3)
Croydon,

This is possible... :-)

I followed
http://www.howtoforge.com/perfect-server-ubuntu8.04-lts

and then

http://www.ispconfig.org/docs/INSTALL_UBUNTU_8.04.txt

The instructions are a bit confusing as they overlap a bit though. Newbs like me don't notice immediately :-)

Edit: You're right. That tutorial installs proftpd. Although it says it then is suitable for ISPconfig below, it must mean ISPc V2...?

How do I correct this properly?

S

Last edited by Slowhand; 4th June 2009 at 15:08.
  #7  
4th June 2009, 15:07
Croydon (ISPConfig Developer)

You should have used the 2nd only, I think. The first is not for ISPC.
  #8  
4th June 2009, 15:14
Slowhand (Member)

Quote:
Originally Posted by Croydon
You should have used the 2nd only i think. The first is not for ISPC
Croydon,

Just below it says
"In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box)."

It must mean ISPc V2...?

S
  #9  
4th June 2009, 15:16
Slowhand (Member)

Guys,

This makes me wonder how much else is wrong with my install...?

Only the ftp server or much more?

Can it be corrected or should I tear the server down again and start over?

S
  #10  
4th June 2009, 15:16
Croydon (ISPConfig Developer)

Quote:
Originally Posted by Slowhand
Croydon,

Just below it says
"In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box)."

It must mean ISPc V2...?

S
Yes, I think it is V2. V2 uses proftpd, V3 uses pure-ftp.

If it is not too much work, just reset the server and use a fresh install to set up ISPC3.