Webserver Security (Part I)
By: Kristian Kohntopp
    2000-04-19

    Table of Contents:
  • Webserver Security (Part I)
  • The server offers services it was not intended to
  • Dumping a zone using nslookup
  • Other Helpful Tools
  • rpcinfo query to www.example.server
  • Remote SNMP queries


    Webserver Security (Part I) - The server offers services it was not intended to
    (Page 2 of 6)

    Obviously, many server operators have never had a look at their machines from the outside, for example with a port scanner. If they had, they would not be operating so many services on their machines which have no place on a production server or which need not be accessible from all IP addresses. One prominent example was featured on the Heise newsticker. This particular server, belonging to a German bookstore, was being operated completely without a firewall ("for performance reasons") and exported several filesystems world-writeable via Sun's Network Filesystem (NFS). Its Oracle database was connectable from everywhere, too. For added convenience, passwords for Oracle connections were stored in scripts available from the exported network drives. Could this be your server? Have you looked recently?

    Often this particular mistake is combined with the use of insecure, snoopable protocols for maintenance access. For example, webservers commonly have POP3 access to gather orders, and FTP access or even direct database access to upload new article data. These protocols may in some cases offer secure authentication (e.g. APOP) or even secure transmission (e.g. SSL versions of POP or FTP), but commonly the insecure versions of these protocols are used. Some protocols, such as that of the msql database server, offer almost no authentication at all.

    It is good advice for webmasters to get network access outside of their company and run a full-scale scan and attack against their own site to see what happens. Services that were available in the default configuration of a machine after installation, or which were needed during installation and initial deployment, may not have been shut down properly. For example, some systems come with a webserver on a nonstandard port serving example scripts and manuals. These servers often contain erroneous CGI scripts or can become a security risk in other ways. There is no need to keep such servers around on a production machine accessible from the Internet: shut these services down. Another very common source of information used by attackers is SNMP (Simple Network Management Protocol), which will give a potential attacker extremely verbose and valuable information about your system and network layout. Because this is a UDP service, it does not show up on many of the simpler security scans.

    Of course, not only web servers need protection. All other machines hosted outside the firewall must conform to the same security standards.

    nmap Scan against an example host

    You can get nmap at http://www.insecure.org/nmap/
    # nmap -sS -T Aggressive -p 1-10000 www.example.server | grep open
    Port    State       Protocol  Service
    21      open        tcp       ftp
    22      open        tcp       ssh
    25      open        tcp       smtp
    80      open        tcp       http
    111     open        tcp       sunrpc
    119     open        tcp       nntp
    3306    open        tcp       mysql
    4333    open        tcp       msql
    www.example.server is being used as a WWW and FTP server. Additionally, it offers ssh, smtp, sunrpc, nntp, mysql and msql.

    Of these, ssh is a protocol with strong encryption and authentication. It should be safe to use, if a current version of the server is being run.

    http, ftp, smtp and nntp are the actual services provided by this server and need to be up and running. As long as FTP is used only for anonymous access, no passwords are transmitted in the clear. All other file transfers should be done using the scp utility and the ssh protocol.

    The sunrpc, mysql and msql services need not be accessible from outside the firewall to all IP addresses. These ports should be blocked at a firewall or a packet filter instead.

    For all services offered to the public you need to keep track of current versions and security information about these programs. Be prepared to update quickly if security issues come up concerning any of them. For example, there have been problems with certain versions of ssh where the server could be tricked into running unencrypted connections under certain circumstances. Buffer overflows or other security-relevant problems are known for several ftp servers, for old versions of sendmail and for some releases of INN.

    There can be cases where your scan finds an open port, but you are unable to tell which program is operating on that port. Here a tool such as lsof comes in handy. The command "lsof -P -n -i" lists all locally opened ports and the programs operating on them.
    # lsof -P -n -i
    COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
    xfstt       46 root    4u  IPv4     30       TCP *:7100 (LISTEN)
    httpd      199 root   19u  IPv4     99       TCP 192.168.1.12:80 (LISTEN)
    ...
    smbd     11741 root    5u  IPv4  28694       UDP 127.0.0.1:1180
    smbd     11741 root    6u  IPv4  28689       TCP 192.168.1.3:139->192.168.1.2:1044 (ESTABLISHED)
    With additional options you are able to search for specific protocols and ports:
    # lsof -P -n -i tcp:139
    COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
    smbd      276 root    5u  IPv4    175       TCP *:139 (LISTEN)
    smbd    11741 root    6u  IPv4  28689       TCP 192.168.1.3:139->192.168.1.2:1044 (ESTABLISHED)
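    The two checks above, the outside-in nmap scan and the local lsof listing, are most useful when combined: every port the scanner sees open should be attributable to a known process and should be on the list of services the host is meant to expose. The script below is an added example written for this article; it is not the author's code and not part of nmap or lsof. It reads the "grep open" lines of a scan and the output of "lsof -P -n -i", both embedded here as constructed samples in the formats shown above (the process names proftpd, sshd, sendmail, rpcbind, innd, mysqld and msql2d in the lsof sample are invented for the example), and reports which open ports are expected, which process owns each, and which should be blocked at the packet filter. It assumes a POSIX sh with awk; on a real host you would capture the two commands' output into the variables instead.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check an external
# nmap scan against an allowlist of intended public ports and attribute
# each open port to the local process that LISTENs on it (from lsof).

# Ports this host is supposed to expose to the Internet, as discussed in
# the article: ftp, ssh, smtp, http, nntp. Everything else found open from
# the outside should be blocked at the firewall or packet filter.
ALLOWED_PORTS="21 22 25 80 119"

# Constructed sample: the "| grep open" lines of the article's scan.
NMAP_OUTPUT='21      open        tcp       ftp
22      open        tcp       ssh
25      open        tcp       smtp
80      open        tcp       http
111     open        tcp       sunrpc
119     open        tcp       nntp
3306    open        tcp       mysql
4333    open        tcp       msql'

# Constructed sample of "lsof -P -n -i" on the same host (process names
# and PIDs are invented for this example). The SIZE column is empty, as
# in the article's output, so fields are addressed from the end of line.
LSOF_OUTPUT='COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
proftpd    120 root    0u  IPv4    300       TCP *:21 (LISTEN)
sshd       130 root    3u  IPv4    310       TCP *:22 (LISTEN)
sendmail   140 root    4u  IPv4    320       TCP *:25 (LISTEN)
httpd      199 root   19u  IPv4     99       TCP 192.168.1.12:80 (LISTEN)
rpcbind    101 root    6u  IPv4    111       TCP *:111 (LISTEN)
innd       150 news    5u  IPv4    330       TCP *:119 (LISTEN)
mysqld     210 mysql   3u  IPv4    340       TCP *:3306 (LISTEN)
msql2d     220 msql    3u  IPv4    350       TCP *:4333 (LISTEN)
httpd      199 root   20u  IPv4    400       TCP 192.168.1.12:80->10.0.0.5:1044 (ESTABLISHED)'

# Print "port proto service" for every port the external scan found open.
open_ports() {
    printf '%s\n' "$NMAP_OUTPUT" | awk '$2 == "open" { print $1, $3, $4 }'
}

# Print "COMMAND/PID" of the process listening on the given TCP port, or
# nothing if no local listener matches. Only (LISTEN) lines are considered;
# established connections are ignored. The NAME field (second to last) is
# "*:80" or "192.168.1.12:80", so the port is the text after the last ":".
listener_for() {
    printf '%s\n' "$LSOF_OUTPUT" | awk -v port="$1" '
        $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":")
            if (a[n] == port) { print $1 "/" $2; exit }
        }'
}

# Return 0 if the port is on the allowlist, 1 otherwise.
is_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print the space-separated list of open ports that are NOT on the
# allowlist, i.e. the ones to block at the packet filter.
unexpected_ports() {
    result=""
    for port in $(open_ports | awk '{ print $1 }'); do
        is_allowed "$port" || result="$result${result:+ }$port"
    done
    printf '%s\n' "$result"
}

# Human-readable audit: one line per open port with owner and verdict.
audit_report() {
    open_ports | while read -r port proto service; do
        owner=$(listener_for "$port")
        if is_allowed "$port"; then
            verdict="public service"
        else
            verdict="BLOCK at packet filter"
        fi
        printf '%-9s %-8s %-14s %s\n' "$port/$proto" "$service" \
            "${owner:-unknown}" "$verdict"
    done
}

audit_report
```

    A port that shows up open from the outside but has no matching LISTEN line in lsof is printed as "unknown", which is exactly the case the text describes and the first thing to investigate, since it means the scanned view and the local view of the host disagree.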

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 3 hosted by Hostway