Security Risks

Jing

One of my friends did a security scan on my DA box, and he pointed out some "risks" that my box has. I am quite a newbie, still in the process of learning how to admin a box (and since I am not doing anything big with my box, don't shoot me), so I would like some advice here. I am not so sure where he got all of this, but they sound scary.

Apache
The remote host is using the Apache mod_frontpage module.
mod_frontpage older than 1.6.1 is vulnerable to a buffer
overflow which may allow an attacker to gain root access.
*** Since Nessus was not able to remotely determine the version
*** of mod_frontage you are running, you are advised to manually
*** check which version you are running as this might be a false
*** positive.
If you want the remote server to be remotely secure, we advise
you do not use this module at all.

Solution : Disable this module
Risk factor : High


PHP
The remote host is running a version of PHP 4.3 which is older or
equal to 4.3.2.
There is a flaw in this version which may allow a local attacker to
bypass the safe mode and gain unauthorized access to files on the
local system, thanks to a flaw in the function
php_safe_mode_include_dir().

Solution : Upgrade to PHP 4.3.3 when it is available
Risk factor : Medium


BIND
The remote BIND 9 server, according to its version number, is
vulnerable to a buffer overflow which may allow an attacker to gain
a shell on this host or to disable this server.

Solution : upgrade to bind 9.2.2 or downgrade to the 8.x series
See also : http://www.isc.org/products/BIND/bind9.html
http://cert.uni-stuttgart.de/archive/bugtraq/2003/03/msg00075.html
http://www.cert.org/advisories/CA-2002-19.html
Risk factor : High


SSH
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.
OpenSSH features a mecanism which can restrict the list of
hosts a given user can log from by specifying a pattern
in the user key file (ie: *.mynetwork.com would let a user
connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS
lookups.
If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mecanism.

Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk Factor : Low


SSL
The remote host is using a version of OpenSSL which is
older than 0.9.6j or 0.9.7b
This version is vulnerable to a timing based attack which may
allow an attacker to guess the content of fixed data blocks and
may eventually be able to guess the value of the private RSA key
of the server.
An attacker may use this implementation flaw to sniff the
data going to this host and decrypt some parts of it, as well
as impersonate your server and perform man in the middle attacks.
*** Nessus solely relied on the banner of the remote host
*** to issue this warning
See also : http://www.openssl.org/news/secadv_20030219.txt
http://lasecwww.epfl.ch/memo_ssl.shtml
http://eprint.iacr.org/2003/052/

Solution : Upgrade to version 0.9.6j (0.9.7b) or newer
Risk factor : Medium


These are basically some of the important ones. Any ideas how I should update them? Or does DA have a similar system to WHM where the system can download and patch itself? I just purchased my license yesterday, so I am not so clear about how things work yet. Sorry if I sound noob. :(
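
Several findings in the report above were issued from a banner or version number alone, and the report itself advises checking versions manually. The script below is an added example (not part of the original post, and not Nessus or DirectAdmin code) that compares versions read locally against the fixed releases the report names; the function names and the sample versions are constructed for illustration, and it assumes a sort(1) that supports -V.

```shell
#!/bin/sh
# Added example: compare locally observed versions with the fixed releases
# named in the scan report. Assumes sort(1) supports -V (GNU coreutils).

# ver_lt A B: succeed when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# status NAME INSTALLED: print "vulnerable", "ok" or "unknown" for one finding.
status() {
    case "$1" in
        mod_frontpage) fixed=1.6.1 ;;
        php)           fixed=4.3.3 ;;
        openssh)       fixed=3.6.2 ;;
        bind)
            # The finding covers BIND 9 only; the report's own solution
            # text treats the 8.x series as outside it.
            case "$2" in 9.*) fixed=9.2.2 ;; *) echo ok; return 0 ;; esac ;;
        openssl)
            # Two release branches, each with its own fixed version.
            case "$2" in
                0.9.6*) fixed=0.9.6j ;;
                *)      fixed=0.9.7b ;;
            esac ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_lt "$2" "$fixed"; then echo vulnerable; else echo ok; fi
}

# report: one line per "name=version" pair. On a real host the versions
# come from local commands such as `php -v`, `named -v`, `ssh -V` and
# `openssl version`, not from the network banner.
report() {
    for pair in "$@"; do
        name=${pair%%=*}; ver=${pair#*=}
        printf '%-14s %-10s %s\n' "$name" "$ver" "$(status "$name" "$ver")"
    done
}

# Constructed sample versions, not taken from the poster's server.
report mod_frontpage=1.6.1 php=4.3.2 bind=9.2.1 openssh=3.6.1p2 openssl=0.9.7a
```

Distribution packages often backport security fixes without changing the upstream version number, so a "vulnerable" line here is a prompt to read the package changelog rather than proof of exposure.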
 
For Apache & PHP, run the custom apache build system. See the forum post at http://www.directadmin.com/forum/showthread.php?s=&threadid=104 for more information.


Not sure about the BIND issue. As far as I know, DA uses a standard BIND install and you should be able to just update it normally, but you might want confirmation from someone from DA on this.


For SSH see the forum post at http://www.directadmin.com/forum/showthread.php?s=&threadid=166

For the SSL upgrade see the forum post at
http://www.directadmin.com/forum/showthread.php?s=&threadid=163

Have fun,
 
To upgrade BIND, I'm 99% sure you can upgrade using up2date or an rpm. You'll probably want to confirm this with John before attempting it though.
 
Code:
up2date -u bind

should work without any problems.

I'll add php-4.3.3 to the customapache build script when it comes out.

FYI.. it already uses apache 1.3.28 and mod_ssl-2.8.15.

John
 
I am trying to upgrade SSH with the guide in the link posted by Ryan (tq ryan and loopforever). I stopped at the ./configure step, as I noticed that it says I need to install something additional for sshd. Can anyone give me some advice on this?


OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
Linker flags:
Libraries: -lpam -ldl -lutil -lz -lnsl -lcrypto

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
 