Home arrow Site Administration arrow Page 2 - Webserver Security (Part I)

The server offers services it was not intended to - Administration

This first article in a two-part series deals with tools to find security holes in webservers and workstations. Some of the topics covered are: port scanning, finding NFS security holes, and using lsof.

  1. Webserver Security (Part I)
  2. The server offers services it was not intended to
  3. Dumping a zone using nslookup
  4. Other Helpful Tools
  5. rpcinfo query to www.example.server
  6. Remote SNMP queries
By: Kristian Kohntopp
Rating: starstarstarstarstar / 2
April 19, 2000

print this article


Obviously many server operators have never had a look at their machines from the outside, for example with a port scanner. If they had, they would not be operating so many services on their machines which have no place on a production server or which need not be accessible from all IP addresses. One promiment example was featured on the Heise newsticker. This particular server, a german bookstore, was being operated completely without a firewall ("for performance reasons") and exported several filesystems via Sun Network Filesystem world writeable. Their Oracle database was connectable from everywhere, too. For increased convenience, passwords for Oracle connections were stored in scripts available from the exported network drives. Could this be your server? Have you looked recently?

Often this particular mistake is being combined with the use of insecure and snoopable protocols for maintenance access. For example, on webservers there are commonly POP3 accesses to gather orders and FTP accesses or even database access to upload new article data. These protocols may in some cases offer secure authentication (i.e. APOP) or even secure transmission (i.e. SSL versions of POP or FTP), but commonly the insecure versions of these protocols are used. Some protocols, such as the msql database server, offer almost no authentication at all.

It is good advice for webmasters to get network access outside of their company and run a full scale scan and attack against their own site to see what happens. Services that were available in the default configuration of a machine after install or which were needed during installation and initial deployment may not have been shut down properly. For example, some systems come with a webserver on a nonstandard port serving example scripts and manuals. These servers contain often erroneous CGI scripts or can become a security risk in other ways. There is no need to keep such servers around on a production machine accessible from the Internet - shut these services down. Another very common source used by attackers is SNMP (Simple Network Management Protocol), which will give a potential attacker extremely verbose and valuable information about your system and network layout. Because this is an UDP service, it does not show up on many of the simpler security scans.

Of course, not only web servers need protection. All other machines hosted outside the firewall much conform to the same security standards.{mospagebreak title=nmap-Scan against an example host} You can get nmap at http://www.insecure.org/nmap/
# nmap -sS -T Agressive -p 1-10000 www.example.server | grep open
Port    State       Protocol  Service
21      open        tcp       ftp
22      open        tcp       ssh
25      open        tcp       smtp
80      open        tcp       http
111     open        tcp       sunrpc
119     open        tcp       nntp
3306    open        tcp       mysql
4333    open        tcp       msql
www.example.server is being used as a WWW and FTP server. Additionally, it offers ssh, smtp, sunrpc, nntp, mysql and msql.

Of these, ssh is a protocol with strong encryption and authentication. It should be safe to use, if a current version of the server is being run.

http, ftp, smtp and nntp are the actual services provided by this server and need to be up and running. As long as FTP is being used only for anonymous services no passwords are being transmitted in clear. All other file transfers should be done using the scp utility and the ssh protocol.

The sunrpc, mysql and msql services need not be accessible from outside the firewall to all IP addresses. These ports should be blocked at a firewall or a packet filter instead.

For all services offered to the public you need to keep track of current versions and security information about these programs. Prepare to update quickly if security issues come up concerning any of these programs. For example, there have been problems with certain versions of ssh, where the server could be tricked into running nonencrypted connections under certain circumstances. Buffer overflows or other security relevant problems are known for several ftp servers, for old versions of sendmail and for some releases of INN.

There can be cases where your scan does find an open port, but you are unable to tell which program is operating on this port. Here a tool as lsof comes in handy. The command "lsof -P -n -i" can list all locally opened ports and the programs operating on these ports.
# lsof -P -n -i
xfstt       46 root    4u  IPv4     30       TCP *:7100 (LISTEN)
httpd      199 root   19u  IPv4     99       TCP (LISTEN)
smbd     11741 root    5u  IPv4  28694       UDP
smbd     11741 root    6u  IPv4  28689       TCP
With additional options you are able to search for specific protocols and ports:
# lsof -P -n -i tcp:139
smbd      276 root    5u  IPv4    175       TCP *:139 (LISTEN)
smbd    11741 root    6u  IPv4  28689       TCP

>>> More Site Administration Articles          >>> More By Kristian Kohntopp

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates


Dev Shed Tutorial Topics: