I've 'hacked' our ASL 6.3 installation to disable SSLv2 etc.
Disclaimer: As always, any changes via the shell may void your Astaro support!
If you make a mistake, it could kill webmin (and any portals, if v6 has any), so make sure you back up the files to be changed first!
reference:
http://adamyoung.net/Disable-SSLv2-System-Wide
Note you need the first Apache line, even if you put in the second. I put both in.
Hack:
0. Make sure you have a current Astaro backup!
1. back up /etc/httpd.conf-default
2. add 2 lines and a comment to /etc/httpd.conf-default (near the top):
# Basic stuff
# 2008-07-14 - PCI compliance - (http://adamyoung.net/Disable-SSLv2-System-Wide)
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
3. make the same change to /etc/httpd.conf
(I couldn't figure out how to force the default to get copied)
4. restart webmin:
/etc/init.d/httpd restart
5. make sure webmin is working in your browser
6. test that SSLv2 is disabled. You can do this on Astaro (IF you allow webmin connections from ANY or from localhost), or from another box with openssl installed:
openssl s_client -ssl2 -connect fw.example.net:443
The result should be an error, e.g.
CONNECTED(00000003)
32124:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
If anything goes wrong, undo the changes and restart httpd again.
I've done this on 6.311, and it worked fine for me. We'll be having another TrustKeeper scan tonight; I'll try to report on the results.
I haven't tried this on v7, but note that:
a. Astaro is now looking into this issue for v7 (CaseID 00071816), and some of these 'vulnerabilities' may not exist in v7 anyways. They did say however that people making this a 'feature request' would push it through faster.
b. v7 has the webmin, end user portal, ..., so there may be more than 1 httpd.conf; I'm not sure.
Barry
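
Added example, not part of the original post: a small offline check that both config files from steps 2 and 3 really carry an active (uncommented) SSLProtocol line that leaves SSLv2 off, useful before restarting httpd or after an upgrade rewrites one of the files. The function names are hypothetical, the sample files are constructed, and the script assumes a single global config context in which the last SSLProtocol directive wins.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# sslv2_status FILE: exit 0 if the last SSLProtocol directive leaves SSLv2 off,
# 1 if it leaves SSLv2 on, 2 if the file has no active SSLProtocol directive.
# Assumption: one global config context, where the last directive wins.
sslv2_status() {
    awk '
        BEGIN { seen = 0; v2 = 0 }
        /^[ \t]*#/ { next }                        # skip commented-out lines
        tolower($1) == "sslprotocol" {
            seen = 1; v2 = 0                       # each directive starts empty
            for (i = 2; i <= NF; i++) {
                tok = tolower($i); act = ""
                if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
                hit = (tok == "all" || tok == "sslv2")
                if (act == "-")      { if (hit) v2 = 0 }
                else if (act == "+") { if (hit) v2 = 1 }
                else                 { v2 = hit }  # bare token replaces the set
            }
        }
        END { if (!seen) exit 2; exit (v2 ? 1 : 0) }
    ' "$1"
}

# audit_httpd_confs FILE...: exit 0 only if every file disables SSLv2.
audit_httpd_confs() {
    rc=0
    for f in "$@"; do
        if sslv2_status "$f"; then echo "OK    $f"
        else echo "FAIL  $f (SSLv2 enabled or SSLProtocol missing)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for the two configs named in the post.
demo=$(mktemp -d)
printf '# Basic stuff\nSSLProtocol ALL -SSLv2\nSSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL\n' > "$demo/httpd.conf-default"
printf '# Basic stuff\n#SSLProtocol ALL -SSLv2\n' > "$demo/httpd.conf"
audit_httpd_confs "$demo/httpd.conf-default" "$demo/httpd.conf" || echo "configs are not both hardened"
rm -rf "$demo"
```

On a real box, call audit_httpd_confs with /etc/httpd.conf-default and /etc/httpd.conf; the openssl s_client test in step 6 is still the check that the running server honours the setting.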