Hi, don't know if this is of any interest to anyone but I just completed the 'Perfect server, Ubuntu 8.04 LTS' instructions on a virgin box and then did a Nessus scan on the setup. These are the flags. Perhaps they will help with an updated version of the instructions...?

Code:
[B]ProFTPD Command Truncation Cross-Site Request Forgery[/B]
Synopsis : The remote FTP server is prone to a cross-site request forgery attack.
Description : The remote host is using ProFTPD, a free FTP server for Unix and Linux. The version of ProFTPD running on the remote host splits an overly long FTP command into a series of shorter ones and executes each in turn. If an attacker can trick a ProFTPD administrator into accessing a specially-formatted HTML link, he may be able to cause arbitrary FTP commands to be executed in the context of the affected application with the administrator's privileges.
See also :
http://archives.neohapsis.com/archives/fulldisclosure/2008-09/0524.html
http://bugs.proftpd.org/show_bug.cgi?id=3115
Solution : Apply the patch included in the bug report or upgrade to the latest version in CVS.
Risk factor : Medium / CVSS Base Score : 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE : CVE-2008-4242
BID : 31289
Other references : OSVDB:48411

[B]DNS Server Cache Snooping Information Disclosure[/B]
Synopsis : The remote DNS server is vulnerable to cache snooping attacks.
Description : The remote DNS server responds to queries for third-party domains which do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
See also : For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, please see:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

[B]SSL Version 2 (v2) Protocol Detection[/B]
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also : http://www.schneier.com/paper-ssl.pdf
Solution : Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Nessus ID : 20007

[B]SSL Weak Cipher Suites Supported[/B]
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
(List of ciphers here)

[B]SSL Version 2 (v2) Protocol Detection[/B]
Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also : http://www.schneier.com/paper-ssl.pdf
Solution : Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

[B]SSL Weak Cipher Suites Supported[/B]
Synopsis : The remote service supports the use of weak SSL ciphers.
Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also : http://www.openssl.org/docs/apps/ciphers.html
Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
(List of ciphers here)

[B]http TRACE XSS attack[/B]
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.
Plugin output : Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus353213367.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus353213367.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

[B]http TRACE XSS attack[/B]
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.
Plugin output : Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1657334004.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1657334004.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

[B]http TRACE XSS attack[/B]
Synopsis : Debugging functions are enabled on the remote web server.
Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. In addition, it has been shown that servers supporting the TRACE method are subject to cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/867593
Solution : Disable these methods.
Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.
Plugin output : Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus741855205.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2009 14:07:31 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ruby/1.2.6 Ruby/1.8.6(2007-09-24) mod_ssl/2.2.8 OpenSSL/0.9.8g
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus741855205.html HTTP/1.1
Connection: Close
Host: 192.168.0.55
Pragma: no-cache
User-Agent: Mozilla/4.75 [en] (X11, U; Nessus)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

Perhaps someone can comment on a method to do such things as:

Code:
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

so it applies to all sites created by Ispc?

Slowhand
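Three of the Nessus findings above (TRACE/TRACK enabled, SSLv2 accepted, weak cipher suites) are all Apache settings, and the question of applying the fix to every ISPConfig-generated site comes down to where the directive lives: `TraceEnable off` placed in the server-level configuration (for example `/etc/apache2/apache2.conf` or a file under `/etc/apache2/conf.d/` on Ubuntu) applies to every virtual host unless a vhost overrides it, whereas the `RewriteCond`/`RewriteRule` pair from the Nessus report only takes effect inside each vhost where it is written (mod_rewrite rules are not inherited by default). The following audit script is an added example, not code from the thread, Nessus, or ISPConfig; it reads Apache 2.2-style configuration text (the three sample configs are constructed) and reports the same three conditions Nessus flagged, so you can check a config file before rescanning. It recognises either `TraceEnable off` or the report's own rewrite block as a fix for TRACE, and treats a missing `SSLCipherSuite` as a finding because the mod_ssl compiled-in default on 2.2 permits LOW and EXP grade ciphers.

```python
import re

# Constructed sample configs (not from the thread). The first mirrors a default
# Ubuntu 8.04 Apache 2.2 install: TRACE left on, SSLProtocol all, no cipher list.
SAMPLE_WEAK = """
# global server config (constructed sample)
ServerName example.invalid
<IfModule mod_ssl.c>
    SSLProtocol all
</IfModule>
"""

SAMPLE_HARDENED = """
TraceEnable off
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!MD5
</IfModule>
"""

# The per-vhost workaround quoted in the Nessus report (no mod_ssl here).
SAMPLE_REWRITE = """
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
"""

# OpenSSL cipher-list keywords that select weak, export-grade or unauthenticated suites.
WEAK_CIPHER_TOKENS = {"LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
                      "NULL", "eNULL", "aNULL", "ADH", "DES", "RC2"}


def _directives(text):
    """Yield (name, value) for each directive line; comments and <Section> lines are skipped.
    Directive names are lower-cased because Apache treats them case-insensitively."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def sslv2_enabled(ssl_protocol_value):
    """Evaluate an SSLProtocol operand list: on Apache 2.2 'all' means SSLv2+SSLv3+TLSv1,
    a leading '-' removes a protocol and a bare name or '+name' adds one."""
    enabled = set()
    for tok in ssl_protocol_value.split():
        name = tok.lstrip("+-").lower()
        names = {"sslv2", "sslv3", "tlsv1"} if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return "sslv2" in enabled


def weak_ciphers_allowed(cipher_suite_value):
    """True if the SSLCipherSuite string positively selects a weak keyword, or uses
    ALL/DEFAULT without excluding LOW and EXP (a simplification of OpenSSL's full rules)."""
    tokens = cipher_suite_value.split(":")
    positives = {t.lstrip("+") for t in tokens if not t.startswith(("!", "-"))}
    excluded = {t[1:] for t in tokens if t.startswith(("!", "-"))}
    if positives & (WEAK_CIPHER_TOKENS - excluded):
        return True
    if positives & {"ALL", "DEFAULT"} and not {"LOW", "EXP"} <= excluded:
        return True
    return False


def audit_apache_config(text):
    """Return a list of finding strings for the three Apache issues Nessus reported."""
    values = {}
    for name, value in _directives(text):
        values.setdefault(name, []).append(value)
    findings = []

    # TRACE/TRACK: fixed either natively (TraceEnable off) or by the rewrite block.
    trace_off = any(v.strip().lower() == "off" for v in values.get("traceenable", []))
    rewrite_cond = any(re.match(r"%\{REQUEST_METHOD\}\s+\^\(TRACE\|TRACK\)", v)
                       for v in values.get("rewritecond", []))
    rewrite_deny = any(re.match(r"\.\*\s+-\s+\[F\]", v)
                       for v in values.get("rewriterule", []))
    if not (trace_off or (rewrite_cond and rewrite_deny)):
        findings.append("TRACE/TRACK enabled (Apache default): add 'TraceEnable off' "
                        "at server level so every vhost inherits it")

    # SSL checks only matter when mod_ssl is configured at all.
    if any(name.startswith("ssl") for name in values):
        for v in values.get("sslprotocol", ["all"]):  # Apache 2.2 default is 'all'
            if sslv2_enabled(v):
                findings.append("SSLv2 enabled by 'SSLProtocol %s': use 'SSLProtocol all -SSLv2'" % v)
        if "sslciphersuite" not in values:
            findings.append("SSLCipherSuite not set: mod_ssl's 2.2 default permits LOW/EXP ciphers")
        else:
            for v in values["sslciphersuite"]:
                if weak_ciphers_allowed(v):
                    findings.append("weak ciphers selected by 'SSLCipherSuite %s'" % v)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED), ("rewrite", SAMPLE_REWRITE)):
        print(label, audit_apache_config(cfg) or "no findings")
```

To run it against a real server, read the concatenated configuration (for example the output of `cat /etc/apache2/apache2.conf /etc/apache2/conf.d/* /etc/apache2/sites-enabled/*`) into `audit_apache_config`; the ProFTPD and DNS cache-snooping findings are outside this script's scope since they are fixed in ProFTPD (or, for ISPConfig 3, by using pure-ftpd instead) and in the name server's recursion policy respectively.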
Till, I *am* a total newb so anything is possible but I *definitely* have "Powered by ISPConfig 3.0.1.3" at the bottom of my login page. What's going on? Slowhand
Then you installed a wrong FTP server, or it's a bug in Nessus that it mixes up pure-ftpd with proftpd. Please make sure that you installed your server exactly as described in the ISPConfig 3 installation instructions.
Croydon, This is possible... I followed http://www.howtoforge.com/perfect-server-ubuntu8.04-lts and then http://www.ispconfig.org/docs/INSTALL_UBUNTU_8.04.txt The instructions are a bit confusing as they overlap a bit though. Newbs like me don't notice immediately. Edit: You're right. That tutorial installs proftpd. Although it says below that it is then suitable for ISPConfig, it must mean ISPc V2...? How do I correct this properly? S
Croydon, Just below it says "In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box)." It must mean ISPc V2...? S
Guys, This makes me wonder how much else is wrong with my install...? Only the ftp server or much more? Can it be corrected or should I tear the server down again and start over? S
Yes, I think it is V2. V2 uses proftpd, V3 uses pure-ftp. If it is not too much work, just reset the server and use a fresh install to set up ISPC3.
Croydon, You're going to wish we'd never 'met' ;-) Can't thank you enough for your help. However, what does 'reset the server' mean? Reformat the whole setup, disks etc? I did that once already... S
That is up to you. If you think there could be a lot of things messed up -> make a clean new server install. If you think you can clean the mess up by yourself -> ....