Newb: Result of nessus scan

Discussion in 'Installation/Configuration' started by Slowhand, Jun 4, 2009.

  1. Slowhand

    Slowhand New Member

    Hi,

    Don't know if this is of any interest to anyone but I just completed the 'Perfect server, Ubuntu 8.04 LTS' instructions on a virgin box and then did a Nessus scan on the setup. These are the flags. Perhaps they will help with an updated version of the instructions...?:

    Code:
    [B]ProFTPD Command Truncation Cross-Site Request Forgery[/B]
    
    Synopsis :
    
    The remote FTP server is prone to a cross-site request forgery attack.
    
    Description :
    
    The remote host is using ProFTPD, a free FTP server for Unix and
    Linux.
    
    The version of ProFTPD running on the remote host splits an overly
    long FTP command into a series of shorter ones and executes each in
    turn. If an attacker can trick a ProFTPD administrator into accessing
    a specially-formatted HTML link, he may be able to cause arbitrary FTP
    commands to be executed in the context of the affected application
    with the administrator's privileges.
    
    See also :
    
    http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0524.html
    http://bugs.proftpd.org/show_bug.cgi?id=3115
    
    Solution :
    
    Apply the patch included in the bug report or upgrade to the latest
    version in CVS.
    
    Risk factor :
    
    Medium / CVSS Base Score : 6.8
    (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
    CVE : CVE-2008-4242
    BID : 31289
    Other references : OSVDB:48411
    
    [B]DNS Server Cache Snooping Information Disclosure[/B]
    
    Synopsis :
    
    The remote DNS server is vulnerable to cache snooping attacks.
    
    Description :
    
    The remote DNS server responds to queries for third-party domains
    which do not have the recursion bit set.
    
    This may allow a remote attacker to determine which domains have
    recently been resolved via this name server, and therefore which hosts
    have been recently visited.
    
    For instance, if an attacker was interested in whether your company
    utilizes the online services of a particular financial institution,
    they would be able to use this attack to build a statistical model
    regarding company usage of that financial institution. Of course, the
    attack can also be used to find B2B partners, web-surfing patterns,
    external mail servers, and more...
    
    See also :
    
    For a much more detailed discussion of the potential risks of allowing
    DNS cache information to be queried anonymously, please see:
    
    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    
    [B]SSL Version 2 (v2) Protocol Detection[/B]
    
    Synopsis :
    
    The remote service encrypts traffic using a protocol with known
    weaknesses.
    
    Description :
    
    The remote service accepts connections encrypted using SSL 2.0, which
    reportedly suffers from several cryptographic flaws and has been
    deprecated for several years. An attacker may be able to exploit
    these issues to conduct man-in-the-middle attacks or decrypt
    communications between the affected service and clients.
    
    See also :
    
    http://www.schneier.com/paper-ssl.pdf
    
    Solution :
    
    Consult the application's documentation to disable SSL 2.0 and use SSL
    3.0 or TLS 1.0 instead.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    
    Nessus ID : 20007
    
    
    [B]SSL Weak Cipher Suites Supported[/B]
    Synopsis :
    
    The remote service supports the use of weak SSL ciphers.
    
    Description :
    
    The remote host supports the use of SSL ciphers that offer either weak
    encryption or no encryption at all.
    
    See also :
    
    http://www.openssl.org/docs/apps/ciphers.html
    
    Solution :
    
    Reconfigure the affected application if possible to avoid use of weak
    ciphers.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    
    Plugin output :
    
    Here is the list of weak SSL ciphers supported by the remote server :
    
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    (List of ciphers here)
    
    [B]SSL Version 2 (v2) Protocol Detection[/B]
    
    Synopsis :
    
    The remote service encrypts traffic using a protocol with known
    weaknesses.
    
    Description :
    
    The remote service accepts connections encrypted using SSL 2.0, which
    reportedly suffers from several cryptographic flaws and has been
    deprecated for several years. An attacker may be able to exploit
    these issues to conduct man-in-the-middle attacks or decrypt
    communications between the affected service and clients.
    
    See also :
    
    http://www.schneier.com/paper-ssl.pdf
    
    Solution :
    
    Consult the application's documentation to disable SSL 2.0 and use SSL
    3.0 or TLS 1.0 instead.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    
    [B]SSL Weak Cipher Suites Supported[/B]
    Synopsis :
    
    The remote service supports the use of weak SSL ciphers.
    
    Description :
    
    The remote host supports the use of SSL ciphers that offer either weak
    encryption or no encryption at all.
    
    See also :
    
    http://www.openssl.org/docs/apps/ciphers.html
    
    Solution :
    
    Reconfigure the affected application if possible to avoid use of weak
    ciphers.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    
    Plugin output :
    
    Here is the list of weak SSL ciphers supported by the remote server :
    
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    (List of ciphers here)
    
    [B]http TRACE XSS attack[/B]
    Synopsis :
    
    Debugging functions are enabled on the remote web server.
    
    Description :
    
    The remote webserver supports the TRACE and/or TRACK methods. TRACE
    and TRACK are HTTP methods which are used to debug web server
    connections.
    
    In addition, it has been shown that servers supporting the TRACE
    method are subject to cross-site scripting attacks, dubbed XST for
    "Cross-Site Tracing", when used in conjunction with various weaknesses
    in browsers. An attacker may use this flaw to trick your legitimate
    web users to give him their credentials.
    
    See also :
    
    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
    http://www.apacheweek.com/issues/03-01-24
    http://www.kb.cert.org/vuls/id/867593
    
    Solution :
    
    Disable these methods.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Solution :
    
    Add the following lines for each virtual host in your configuration file :
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    
    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
    support disabling the TRACE method natively via the 'TraceEnable'
    directive.
    
    Plugin output :
    
    Nessus sent the following TRACE request :
    
    ------------------------------ snip ------------------------------
    TRACE /Nessus353213367.html HTTP/1.1
    Connection: Close
    Host: 192.168.0.55
    Pragma: no-cache
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    
    ------------------------------ snip ------------------------------
    
    and received the following response from the remote server :
    
    ------------------------------ snip ------------------------------
    HTTP/1.1 200 OK
    Date: Wed, 03 Jun 2009 14:07:30 GMT
    Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: message/http
    
    
    TRACE /Nessus353213367.html HTTP/1.1
    Connection: Close
    Host: 192.168.0.55
    Pragma: no-cache
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    
    ------------------------------ snip ------------------------------
    
    
    [B]http TRACE XSS attack[/B]
    Synopsis :
    
    Debugging functions are enabled on the remote web server.
    
    Description :
    
    The remote webserver supports the TRACE and/or TRACK methods. TRACE
    and TRACK are HTTP methods which are used to debug web server
    connections.
    
    In addition, it has been shown that servers supporting the TRACE
    method are subject to cross-site scripting attacks, dubbed XST for
    "Cross-Site Tracing", when used in conjunction with various weaknesses
    in browsers. An attacker may use this flaw to trick your legitimate
    web users to give him their credentials.
    
    See also :
    
    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
    http://www.apacheweek.com/issues/03-01-24
    http://www.kb.cert.org/vuls/id/867593
    
    Solution :
    
    Disable these methods.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Solution :
    
    Add the following lines for each virtual host in your configuration file :
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    
    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
    support disabling the TRACE method natively via the 'TraceEnable'
    directive.
    
    Plugin output :
    
    Nessus sent the following TRACE request :
    
    ------------------------------ snip ------------------------------
    TRACE /Nessus1657334004.html HTTP/1.1
    Connection: Close
    Host: 192.168.0.55
    Pragma: no-cache
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    
    ------------------------------ snip ------------------------------
    
    and received the following response from the remote server :
    
    ------------------------------ snip ------------------------------
    HTTP/1.1 200 OK
    Date: Wed, 03 Jun 2009 14:07:30 GMT
    Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: message/http
    
    
    TRACE /Nessus1657334004.html HTTP/1.1
    Connection: Close
    Host: 192.168.0.55
    Pragma: no-cache
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    
    ------------------------------ snip ------------------------------
    
    [B]http TRACE XSS attack[/B]
    Synopsis :
    
    Debugging functions are enabled on the remote web server.
    
    Description :
    
    The remote webserver supports the TRACE and/or TRACK methods. TRACE
    and TRACK are HTTP methods which are used to debug web server
    connections.
    
    In addition, it has been shown that servers supporting the TRACE
    method are subject to cross-site scripting attacks, dubbed XST for
    "Cross-Site Tracing", when used in conjunction with various weaknesses
    in browsers. An attacker may use this flaw to trick your legitimate
    web users to give him their credentials.
    
    See also :
    
    http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
    http://www.apacheweek.com/issues/03-01-24
    http://www.kb.cert.org/vuls/id/867593
    
    Solution :
    
    Disable these methods.
    
    Risk factor :
    
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Solution :
    
    Add the following lines for each virtual host in your configuration file :
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    
    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
    support disabling the TRACE method natively via the 'TraceEnable'
    directive.
    
    Plugin output :
    
    Nessus sent the following TRACE request :
    
    ------------------------------ snip ------------------------------
    TRACE /Nessus741855205.html HTTP/1.1
    Connection: Close
    Host: 192.168.0.55
    Pragma: no-cache
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    
    ------------------------------ snip ------------------------------
    
    and received the following response from the remote server :
    
    ------------------------------ snip ------------------------------
    HTTP/1.1 200 OK
    Date: Wed, 03 Jun 2009 14:07:31 GMT
    Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: message/http
    
    
    TRACE /Nessus741855205.html HTTP/1.1
    Connection: Close
    Host: 192.168.0.55
    Pragma: no-cache
    User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Accept-Language: en
    Accept-Charset: iso-8859-1,*,utf-8
    
    ------------------------------ snip ------------------------------
    
    Perhaps someone can comment on a method to do such things as:
    Code:
    Add the following lines for each virtual host in your configuration file :
    
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    So it applies to all sites created by Ispc?

    Slowhand
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    This can not be a ispconfig 3 server as proftpd is not even supported by ispconfig 3.
     
  3. Slowhand

    Slowhand New Member

    Till,

    I *am* a total newb so anything is possible but I *definitely* have
    "Powered by ISPConfig 3.0.1.3" at the bottom of my login page.

    What's going on?

    Slowhand
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Then you installed a wrong FTP server or its a bug in nessus that it mixes up pure-ftpd with proftpd. Please make sure that you installed your server exactly as described in the ispconfig 3 installation instructions.
     
  5. Croydon

    Croydon Member Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I think you should have followed a different tutorial (made for ISPC3) ;)
     
  6. Slowhand

    Slowhand New Member

    Croydon,

    This is possible... :)

    I followed
    http://www.howtoforge.com/perfect-server-ubuntu8.04-lts

    and then

    http://www.ispconfig.org/docs/INSTALL_UBUNTU_8.04.txt

    The instructions are a bit confusing as they overlap a bit though. Newbs like me don't notice immediately :)

    Edit: You're right. That tutorial installs proftpd. Although it says it then is suitable for ISPconfig below, it must mean ISPc V2...?

    How do I correct this properly?

    S
     
    Last edited: Jun 4, 2009
  7. Croydon

    Croydon Member Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    You should have used the 2nd only i think. The first is not for ISPC ;)
     
  8. Slowhand

    Slowhand New Member

    Croydon,

    Just below it says
    "In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box)."

    It must mean ISPc V2...?

    S
     
  9. Slowhand

    Slowhand New Member

    Guys,

    This makes me wonder how much else is wrong with my install...?

    Only the ftp server or much more?

    Can it be corrected or should I tear the server down again and start over?

    S
     
  10. Croydon

    Croydon Member Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Yes, I think it is V2. V2 uses proftpd, V3 uses pure-ftp.

    If it is not too much work, just reset the server and use a fresh install to set up ISPC3.
     
  11. Slowhand

    Slowhand New Member

    Croydon,

    You're going to wish we'd never 'met' ;-) Can't thank you enough for your help.

    However, what does 'reset the server' mean? Reformat the whole setup, disks etc?

    I did that once already...:)

    S
     
  12. Croydon

    Croydon Member Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    That is up to you. If you think there could be lot of things messed up -> make a clean new server install.
    If you think you can clean the mess up by yourself -> ....
     
  13. Slowhand

    Slowhand New Member


    Croydon,

    No worries. I'll start over and give you guys a rest.

    For a while...! ;-)

    S
     

Share This Page