Webserver Security (Part I) - The server offers services it was not intended to (Page 2 of 6)
Obviously many server operators have never had a look at their machines from the outside, for example with a port scanner. If they had, they would not be operating so many services on their machines which have no place on a production server or which need not be accessible from all IP addresses. One prominent example was featured on the Heise newsticker. This particular server, a German bookstore, was being operated completely without a firewall ("for performance reasons") and exported several filesystems via Sun's Network File System (NFS) world-writable. Their Oracle database was connectable from everywhere, too. For increased convenience, passwords for Oracle connections were stored in scripts available from the exported network drives. Could this be your server? Have you looked recently?
Often this particular mistake is combined with the use of insecure, snoopable protocols for maintenance access. For example, webservers commonly have POP3 access to collect orders, and FTP or even direct database access to upload new article data. These protocols may in some cases offer secure authentication (e.g. APOP) or even secure transmission (e.g. the SSL versions of POP or FTP), but commonly the insecure versions of these protocols are used. Some protocols, such as the mSQL database server, offer almost no authentication at all.
It is good advice for webmasters to get network access outside of their company and run a full-scale scan and attack against their own site to see what happens. Services that were available in the default configuration of a machine after install, or which were needed during installation and initial deployment, may not have been shut down properly. For example, some systems come with a webserver on a nonstandard port serving example scripts and manuals. These servers often contain buggy CGI scripts or can become a security risk in other ways. There is no need to keep such servers around on a production machine accessible from the Internet - shut these services down. Another very common source of information for attackers is SNMP (Simple Network Management Protocol), which will give a potential attacker extremely verbose and valuable information about your system and network layout. Because this is a UDP service, it does not show up on many of the simpler security scans.
Of course, not only web servers need protection. All other machines hosted outside the firewall must conform to the same security standards.

nmap scan against an example host

You can get nmap at http://www.insecure.org/nmap/

# nmap -sS -T Aggressive -p 1-10000 www.example.server | grep open
Port State Protocol Service
21 open tcp ftp
22 open tcp ssh
25 open tcp smtp
80 open tcp http
111 open tcp sunrpc
119 open tcp nntp
3306 open tcp mysql
4333 open tcp msql
www.example.server is being used as a WWW and FTP server. Additionally, it offers ssh, smtp, sunrpc, nntp, mysql and msql.

Of these, ssh is a protocol with strong encryption and authentication. It should be safe to use, provided a current version of the server is being run.

http, ftp, smtp and nntp are the actual services provided by this server and need to be up and running. As long as FTP is used only for anonymous services, no passwords are transmitted in the clear. All other file transfers should be done using the scp utility and the ssh protocol.

The sunrpc, mysql and msql services need not be accessible to all IP addresses from outside the firewall. These ports should be blocked at a firewall or a packet filter instead.
For all services offered to the public you need to keep track of current versions and security information about these programs. Be prepared to update quickly if security issues come up concerning any of these programs. For example, there have been problems with certain versions of ssh, where the server could be tricked into running unencrypted connections under certain circumstances. Buffer overflows or other security-relevant problems are known for several ftp servers, for old versions of sendmail and for some releases of INN.

There can be cases where your scan does find an open port, but you are unable to tell which program is operating on this port. Here a tool such as lsof comes in handy. The command "lsof -P -n -i" lists all locally opened ports and the programs operating on these ports.
# lsof -P -n -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
xfstt 46 root 4u IPv4 30 TCP *:7100 (LISTEN)
httpd 199 root 19u IPv4 99 TCP 192.168.1.12:80 (LISTEN)
...
smbd 11741 root 5u IPv4 28694 UDP 127.0.0.1:1180
smbd 11741 root 6u IPv4 28689 TCP 192.168.1.3:139->192.168.1.2:1044 (ESTABLISHED)

With additional options you are able to search for specific protocols and ports:

# lsof -P -n -i tcp:139
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
smbd 276 root 5u IPv4 175 TCP *:139 (LISTEN)
smbd 11741 root 6u IPv4 28689 TCP 192.168.1.3:139->192.168.1.2:1044 (ESTABLISHED)
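The following shell script is an added example, not part of the original article: it automates the review described above by comparing the open ports an nmap scan reports with the list of services the host is meant to offer, and then names the process behind each unexpected port from "lsof -P -n -i" output. The scan listing, the lsof listing, the port allowlist and the process names are all constructed for this example.

```shell
# Added example, not from the original article: review the open ports an nmap scan
# reports against the services this host is meant to offer, then use `lsof -P -n -i`
# output to name the process behind each unexpected port. All data is constructed.
SCAN_OUTPUT='21 open tcp ftp
22 open tcp ssh
80 open tcp http
111 open tcp sunrpc
3306 open tcp mysql'
LSOF_OUTPUT='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 101 root 4u IPv4 52 TCP *:111 (LISTEN)
httpd 199 root 19u IPv4 99 TCP 192.168.1.12:80 (LISTEN)
mysqld 412 mysql 3u IPv4 613 TCP *:3306 (LISTEN)
mysqld 412 mysql 7u IPv4 702 TCP 192.168.1.12:3306->10.0.0.5:2231 (ESTABLISHED)'
# Ports that are supposed to be reachable from the Internet (assumption for this host).
INTENDED_PORTS="21 22 80"

# unexpected_ports SCAN ALLOWED: print "port proto" for each open port in SCAN
# whose number is not in the space-separated ALLOWED list.
unexpected_ports() {
    allowed=" $2 "
    printf '%s\n' "$1" | while read -r port state proto service; do
        [ "$state" = "open" ] || continue
        case "$allowed" in
            *" $port "*) ;;                            # intended service, nothing to report
            *) printf '%s %s\n' "$port" "$proto" ;;
        esac
    done
}

# listener_on_port LSOF PORT PROTO: print "COMMAND PID" for every process holding a
# listening socket on PORT/PROTO (tcp or udp), parsed from `lsof -P -n -i` output.
listener_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="$(printf '%s' "$3" | tr a-z A-Z)" '
        NR == 1 { next }                                   # column header
        {
            for (i = 1; i <= NF && $i != proto; i++) ;     # locate the NODE column (TCP/UDP)
            if (i > NF) next
            name = $(i + 1); sub(/->.*/, "", name)         # local address, remote side dropped
            n = split(name, part, ":")                     # port is the last ":"-separated field
            if (part[n] == port && (proto == "UDP" || $(i + 2) == "(LISTEN)")) print $1, $2
        }'
}

# review_host: every unexpected port together with the process that owns it.
review_host() {
    unexpected_ports "$SCAN_OUTPUT" "$INTENDED_PORTS" | while read -r port proto; do
        printf '%s/%s: %s\n' "$port" "$proto" "$(listener_on_port "$LSOF_OUTPUT" "$port" "$proto")"
    done
}
review_host
```

On a real host, replace the two constructed listings with the output of "nmap ... | grep open" run from outside and of "lsof -P -n -i" run on the machine itself.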