4th June 2009, 10:55
Member
Join Date: Sep 2007
Posts: 96
Thanks: 6
Thanked 0 Times in 0 Posts
Newb: Result of nessus scan
Hi,
Don't know if this is of any interest to anyone but I just completed the 'Perfect server, Ubuntu 8.04 LTS' instructions on a virgin box and then did a Nessus scan on the setup. These are the flags. Perhaps they will help with an updated version of the instructions...?:
Code:
ProFTPD Command Truncation Cross-Site Request Forgery
Synopsis :
The remote FTP server is prone to a cross-site request forgery attack.
Description :
The remote host is using ProFTPD, a free FTP server for Unix and
Linux.
The version of ProFTPD running on the remote host splits an overly
long FTP command into a series of shorter ones and executes each in
turn. If an attacker can trick a ProFTPD administrator into accessing
a specially-formatted HTML link, he may be able to cause arbitrary FTP
commands to be executed in the context of the affected application
with the administrator's privileges.
See also :
http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0524.html
http://bugs.proftpd.org/show_bug.cgi?id=3115
Solution :
Apply the patch included in the bug report or upgrade to the latest
version in CVS.
Risk factor :
Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE : CVE-2008-4242
BID : 31289
Other references : OSVDB:48411
DNS Server Cache Snooping Information Disclosure
Synopsis :
The remote DNS server is vulnerable to cache snooping attacks.
Description :
The remote DNS server responds to queries for third-party domains
which do not have the recursion bit set.
This may allow a remote attacker to determine which domains have
recently been resolved via this name server, and therefore which hosts
have been recently visited.
For instance, if an attacker was interested in whether your company
utilizes the online services of a particular financial institution,
they would be able to use this attack to build a statistical model
regarding company usage of that financial institution. Of course, the
attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...
See also :
For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
SSL Version 2 (v2) Protocol Detection
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Description :
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Nessus ID : 20007
SSL Weak Cipher Suites Supported
Synopsis :
The remote service supports the use of weak SSL ciphers.
Description :
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution :
Reconfigure the affected application if possible to avoid use of weak
ciphers.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
(List of ciphers here)
SSL Version 2 (v2) Protocol Detection
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Description :
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
SSL Weak Cipher Suites Supported
Synopsis :
The remote service supports the use of weak SSL ciphers.
Description :
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Solution :
Reconfigure the affected application if possible to avoid use of weak
ciphers.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output :
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
(List of ciphers here)
http TRACE XSS attack
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus353213367.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus353213367.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
http TRACE XSS attack
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1657334004.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus1657334004.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
http TRACE XSS attack
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus741855205.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus741855205.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
Perhaps someone can comment on a method to do such things as:
Code:
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
So it applies to all sites created by Ispc?
Slowhand
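The report above is Nessus's plain-text export, and the same plugin fires once per port, which is why SSL v2 and TRACE each appear more than once. As an added example that is not part of the original post (and not code from Nessus or ISPConfig), this Python script parses that text layout into findings, pulls out the risk rating, CVSS base score and CVE ids, and collapses the repeats so the list can be worked top-down. The embedded report is a constructed, abridged copy of the findings in the post; the field names (`hits`, `cvss`, `cves`) are this example's own.

```python
"""Parse Nessus plain-text findings like the ones pasted above and triage them.

Added example, not code from the thread, Nessus or ISPConfig. The layout it
expects: a title line directly followed by "Synopsis :", then sections headed
"Description :", "See also :", "Solution :", "Risk factor :", "Plugin output :".
"""
import re
from collections import OrderedDict

SECTIONS = ("Synopsis", "Description", "See also", "Solution", "Risk factor", "Plugin output")
CVSS_RE = re.compile(r"CVSS Base Score\s*:\s*([0-9.]+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed, abridged copy of the findings in the post (SSL v2 deliberately
# listed twice, as Nessus does when the same plugin fires on two ports).
SAMPLE_REPORT = """\
ProFTPD Command Truncation Cross-Site Request Forgery
Synopsis :
The remote FTP server is prone to a cross-site request forgery attack.
Solution :
Apply the patch included in the bug report or upgrade to the latest
version in CVS.
Risk factor :
Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE : CVE-2008-4242
BID : 31289
DNS Server Cache Snooping Information Disclosure
Synopsis :
The remote DNS server is vulnerable to cache snooping attacks.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
SSL Version 2 (v2) Protocol Detection
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Nessus ID : 20007
SSL Version 2 (v2) Protocol Detection
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
http TRACE XSS attack
Synopsis :
Debugging functions are enabled on the remote web server.
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
"""


def parse_findings(report: str) -> list:
    """Split the report into findings and pull out risk, CVSS and CVE ids."""
    lines = report.splitlines()
    findings, current, section = [], None, None
    for i, line in enumerate(lines):
        # A finding's title is the line immediately before "Synopsis :".
        if i + 1 < len(lines) and lines[i + 1].strip() == "Synopsis :":
            current = {"title": line.strip(), "sections": {}}
            findings.append(current)
            section = None
            continue
        if current is None:
            continue
        header = line.strip()
        if header.endswith(" :") and header[:-2] in SECTIONS:
            section = header[:-2]
            current["sections"].setdefault(section, [])  # "Solution :" may repeat
            continue
        if section is not None:
            current["sections"][section].append(line.rstrip())
    for f in findings:
        risk = "\n".join(f["sections"].get("Risk factor", []))
        f["risk"] = risk.split("/", 1)[0].strip()          # e.g. "Medium"
        m = CVSS_RE.search(risk)
        f["cvss"] = float(m.group(1)) if m else 0.0
        f["cves"] = sorted(set(CVE_RE.findall(risk)))
        f["solution"] = " ".join(s.strip() for s in f["sections"].get("Solution", []))
    return findings


def triage(findings: list) -> list:
    """Collapse repeats of the same finding and order by CVSS, highest first;
    `hits` counts how many times (ports) each one appeared."""
    unique = OrderedDict()
    for f in findings:
        key = (f["title"], tuple(f["cves"]))
        if key not in unique:
            unique[key] = {**f, "hits": 0}
        unique[key]["hits"] += 1
    return sorted(unique.values(), key=lambda f: (-f["cvss"], f["title"]))


if __name__ == "__main__":
    for f in triage(parse_findings(SAMPLE_REPORT)):
        cves = ",".join(f["cves"]) or "-"
        print(f"{f['cvss']:>4}  {f['risk']:<7} x{f['hits']}  {f['title']}  [{cves}]")
```

Run it on a full export by reading the file into `parse_findings`; the de-duplicated list puts the ProFTPD CSRF (6.8) ahead of the four 5.0 findings, and the `hits` column shows which of them were reported on several ports.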
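On the question of applying the TRACE fix to every site: the scan's Server header shows Apache/2.2.8, and the finding itself notes that Apache 2.2 supports the `TraceEnable` directive. Putting `TraceEnable off` in the server-wide configuration (on Ubuntu, /etc/apache2/apache2.conf) covers every virtual host, including ones ISPConfig generates later, so no per-vhost rewrite rules are needed. The check below is an added example, not code from the thread, Nessus, Apache or ISPConfig: it sends the same minimal TRACE request Nessus sends, with the Host header set to each site name, and reports whether the server still echoes it (2xx) or refuses it (Apache answers 405 once TraceEnable is off). The two local handlers are constructed stand-ins for an echoing and a hardened server so the script runs offline; www.example.com is a placeholder site name.

```python
"""Verify, per virtual host, whether an HTTP server still answers TRACE.

Added example for the thread's question; not code from Nessus, Apache or
ISPConfig. It speaks raw HTTP so the answer reflects the server, not a
client library's behaviour.
"""
import http.server
import socket
import threading


def parse_status_line(status_line: bytes) -> int:
    """Turn b"HTTP/1.1 200 OK\\r\\n" into 200."""
    parts = status_line.decode("iso-8859-1").split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def trace_status(host: str, port: int, vhost: str, timeout: float = 5.0) -> int:
    """Send a minimal TRACE for `vhost` (selected via the Host header) and
    return the status code. Looping over every site name checks that a
    server-wide `TraceEnable off` really covers all of them."""
    request = (
        "TRACE /trace-check HTTP/1.1\r\n"
        f"Host: {vhost}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        line = b""
        while not line.endswith(b"\r\n"):  # read only the status line
            chunk = sock.recv(1)
            if not chunk:
                raise ConnectionError("server closed before sending a status line")
            line += chunk
    return parse_status_line(line)


def trace_enabled(host: str, port: int, vhost: str) -> bool:
    """2xx means the server echoed the request back (the finding in the scan);
    Apache with TraceEnable off answers 405 Method Not Allowed."""
    return 200 <= trace_status(host, port, vhost) < 300


# --- constructed stand-ins so the check can be exercised offline ------------

class EchoTraceHandler(http.server.BaseHTTPRequestHandler):
    """Behaves like the unhardened server in the scan: echoes TRACE with 200."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n").encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedTraceHandler(EchoTraceHandler):
    """Behaves like Apache after `TraceEnable off`: refuses with 405."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def check_local_demo() -> dict:
    """Run the check against both stand-ins on loopback ports chosen by the OS.
    Returns {"echo": True, "hardened": False}."""
    results = {}
    for name, handler in (("echo", EchoTraceHandler), ("hardened", HardenedTraceHandler)):
        server = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            # www.example.com is a placeholder for a site name ISPConfig created
            results[name] = trace_enabled("127.0.0.1", server.server_port, "www.example.com")
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for site, enabled in check_local_demo().items():
        print(f"{site}: TRACE {'still enabled' if enabled else 'disabled'}")
```

Against a real box, call `trace_enabled(server_ip, 80, name)` once per site name after restarting Apache; if any site still returns True, a vhost-level `TraceEnable on` or a site config that never included the server-wide file is overriding the global setting.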

4th June 2009, 14:35
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,888
Thanks: 693
Thanked 4,188 Times in 3,205 Posts
This cannot be an ispconfig 3 server, as proftpd is not even supported by ispconfig 3.

4th June 2009, 14:53
Member
Join Date: Sep 2007
Posts: 96
Thanks: 6
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by till
This cannot be an ispconfig 3 server, as proftpd is not even supported by ispconfig 3.
Till,
I *am* a total newb so anything is possible but I *definitely* have
"Powered by ISPConfig 3.0.1.3" at the bottom of my login page.
What's going on?
Slowhand
4th June 2009, 14:55
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,888
Thanks: 693
Thanked 4,188 Times in 3,205 Posts
Then you installed a wrong FTP server, or it's a bug in nessus that it mixes up pure-ftpd with proftpd. Please make sure that you installed your server exactly as described in the ispconfig 3 installation instructions.

4th June 2009, 14:55
Senior Member
Join Date: Jul 2007
Location: Koblenz, Germany
Posts: 290
Thanks: 12
Thanked 100 Times in 58 Posts
Quote:
Originally Posted by Slowhand
Till,
I *am* a total newb so anything is possible but I *definitely* have
"Powered by ISPConfig 3.0.1.3" at the bottom of my login page.
What's going on?
Slowhand
I think you should have followed a different tutorial (made for ISPC3)

4th June 2009, 15:03
Member
Join Date: Sep 2007
Posts: 96
Thanks: 6
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by Croydon
I think you should have followed a different tutorial (made for ISPC3) 
Croydon,
This is possible... :-)
I followed
http://www.howtoforge.com/perfect-server-ubuntu8.04-lts
and then
http://www.ispconfig.org/docs/INSTALL_UBUNTU_8.04.txt
The instructions are a bit confusing as they overlap a bit though. Newbs like me don't notice immediately :-)
Edit: You're right. That tutorial installs proftpd. Although it says it then is suitable for ISPconfig below, it must mean ISPc V2...?
How do I correct this properly?
S
Last edited by Slowhand; 4th June 2009 at 15:08.

4th June 2009, 15:07
Senior Member
Join Date: Jul 2007
Location: Koblenz, Germany
Posts: 290
Thanks: 12
Thanked 100 Times in 58 Posts
You should have used the 2nd only, I think. The first is not for ISPC.

4th June 2009, 15:14
Member
Join Date: Sep 2007
Posts: 96
Thanks: 6
Thanked 0 Times in 0 Posts
Quote:
Originally Posted by Croydon
You should have used the 2nd only, I think. The first is not for ISPC.
Croydon,
Just below it says
"In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box)."
It must mean ISPc V2...?
S

4th June 2009, 15:16
Member
Join Date: Sep 2007
Posts: 96
Thanks: 6
Thanked 0 Times in 0 Posts
Guys,
This makes me wonder how much else is wrong with my install...?
Only the ftp server or much more?
Can it be corrected or should I tear the server down again and start over?
S

4th June 2009, 15:16
Senior Member
Join Date: Jul 2007
Location: Koblenz, Germany
Posts: 290
Thanks: 12
Thanked 100 Times in 58 Posts
Quote:
Originally Posted by Slowhand
Croydon,
Just below it says
"In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box)."
It must mean ISPc V2...?
S
Yes, I think it is V2. V2 uses proftpd, V3 uses pure-ftp.
If it is not too much work, just reset the server and use a fresh install to set up ISPC3.