Server Vulnerability Scan

keith smith klsmith2020 at yahoo.com
Fri Jan 8 09:56:00 MST 2010


Thank you Lisa and Matt!

Lots of info, thanks!

------------------------
Keith Smith


--- On Tue, 1/5/10, Matt Graham <danceswithcrows at usa.net> wrote:

> From: Matt Graham <danceswithcrows at usa.net>
> Subject: Re: Server Vulnerability Scan
> To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
> Date: Tuesday, January 5, 2010, 9:54 AM
> From: keith smith <klsmith2020 at yahoo.com>
> > Part of what I am tasked with is keeping the cart PCI complaint.
> 
> That's one of those typos that actually makes more sense than it
> would if speled correctly :-).
> 
> > We hired a company who scans our server and reports back to us.
> > They report :
> > We were able to determine which versions of the SSH protocol the
> > remote SSH daemon supports. This gives potential attackers
> > additional information about the system they are attacking.
> 
> sshd tells the client "I support protocol 2" or "I support protocol 1"
> or "I support both protocols".  It's not possible AFAICT to not do that
> and still be able to run ssh with a standard client.  The thing that'd
> probably work is to run knockd (or something that implements Single
> Packet Authentication, or something like that).  Have an iptables rule
> that REJECTs all traffic on the port you're running sshd on when SYN is
> set.  Then knockd or whatever inserts an iptables rule that ACCEPTs
> traffic with SYN set from the IP that submits a successful knock
> request (or valid SPA request) for ~30 seconds.
> 
> It is apparently possible to send so many packets so quickly that
> knockd can be overwhelmed for short knock sequences, so either make
> the sequence long or think about SPA.
> 
> Most PCI scanning companies do a minimum amount of effort.  I was
> annoyed when they said, "Version X.Y has a vulnerability in the IMAP
> functions."  I compiled that package and made it so all the IMAP
> functions were commented out.  Then I installed that on a test box,
> and had them scan that test box.  Yep, we still got dinged for a
> vulnerability in functions that were not even there.  It may help to
> think of PCI compliance as a bureaucratic problem, not a technical
> one, because that's how it seems to play out.
> 
> > I've looked in the sshd_config and find nothing that would alert me
> > to how I can turn off reporting its config or its existence.
> 
> I don't think you can do that and still have sshd work properly.
> But try an alternative approach, like the one above or the one that
> Lisa mentioned late yesterday.
> 
> -- 
> Matt G / Dances With Crows
> The Crow202 Blog:  http://crow202.org/wordpress/
> There is no Darkness in Eternity/But only Light too dim for us to see
> 
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
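The knock-gated sshd scheme Matt describes (standing REJECT of SYN to the sshd port, a per-source ACCEPT inserted for ~30 seconds after a correct knock sequence) is modelled below as an added example. It is not code from this thread and not knockd's own source; the port sequence, addresses, timeouts and traffic are constructed, and the rule strings are what such a daemon would hand to iptables. Replaying the sample traffic shows the three behaviours a practitioner should expect: a complete sequence opens the port only for the knocking source, a knock that arrives too late or out of order is discarded, and because the REJECT matches SYN only, a session opened inside the window keeps working after the window closes.

```python
"""Model of the knock-gated sshd scheme from the quoted reply.

Simplified, constructed model (this is not knockd's source):
  * only SYN packets count as knocks (knockd's "tcpflags = syn");
  * a source must hit SEQUENCE in order, each knock within SEQ_TIMEOUT
    seconds of the previous one, or its progress is discarded;
  * a completed sequence yields an iptables ACCEPT for that source on the
    sshd port, removed again after CMD_TIMEOUT seconds;
  * the standing rule REJECTs every other SYN to the sshd port, but says
    nothing about non-SYN packets, so a session opened inside the window
    keeps working after the window closes.
"""
from dataclasses import dataclass

SSH_PORT = 22
SEQUENCE = (7000, 8000, 9000)  # knock ports: constructed values, not a recommendation
SEQ_TIMEOUT = 5.0              # seconds allowed between successive knocks
CMD_TIMEOUT = 30.0             # seconds the ACCEPT rule stays in place (~30 s in the mail)


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds, monotonic
    src: str       # source IPv4 address
    dport: int     # destination port
    syn: bool = True


def accept_rule(src: str) -> str:
    """iptables command the daemon would run on a successful knock."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {SSH_PORT} --syn -j ACCEPT"


def delete_rule(src: str) -> str:
    """Matching command that removes the temporary rule when the window ends."""
    return f"iptables -D INPUT -s {src} -p tcp --dport {SSH_PORT} --syn -j ACCEPT"


class KnockGate:
    def __init__(self):
        self.progress = {}    # src -> (index of next expected port, ts of last good knock)
        self.open_until = {}  # src -> timestamp when its ACCEPT rule expires
        self.actions = []     # iptables commands emitted, in order

    def _expire(self, now: float) -> None:
        for src, until in list(self.open_until.items()):
            if now >= until:
                del self.open_until[src]
                self.actions.append(delete_rule(src))

    def observe_knock(self, pkt: Packet) -> None:
        """Advance, complete or reset the knock state for pkt.src."""
        self._expire(pkt.ts)
        if not pkt.syn or pkt.dport not in SEQUENCE:
            return  # only SYNs to the sequence ports are watched
        idx, last = self.progress.get(pkt.src, (0, pkt.ts))
        if idx and pkt.ts - last > SEQ_TIMEOUT:
            idx = 0  # too slow: start over from the first port
        if pkt.dport != SEQUENCE[idx]:
            self.progress.pop(pkt.src, None)  # wrong order: discard the attempt
            return
        idx += 1
        if idx < len(SEQUENCE):
            self.progress[pkt.src] = (idx, pkt.ts)
            return
        self.progress.pop(pkt.src, None)
        self.open_until[pkt.src] = pkt.ts + CMD_TIMEOUT
        self.actions.append(accept_rule(pkt.src))

    def ssh_packet_allowed(self, pkt: Packet) -> bool:
        """Verdict of 'REJECT SYN unless a fresh per-source ACCEPT exists'."""
        self._expire(pkt.ts)
        if not pkt.syn:
            return True  # established flows never hit the SYN-only REJECT
        return pkt.src in self.open_until


def simulate(packets):
    """Replay packets in time order; return (iptables actions, sshd verdicts)."""
    gate = KnockGate()
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.dport == SSH_PORT:
            verdicts.append((pkt.ts, pkt.src, gate.ssh_packet_allowed(pkt)))
        else:
            gate.observe_knock(pkt)
    return gate.actions, verdicts


# Constructed traffic: one source knocks correctly, another too slowly.
SAMPLE = [
    Packet(0.0, "203.0.113.5", 7000),
    Packet(1.2, "203.0.113.5", 8000),
    Packet(2.1, "203.0.113.5", 9000),        # sequence done: ACCEPT for 30 s
    Packet(3.0, "203.0.113.5", SSH_PORT),    # SYN inside the window: allowed
    Packet(0.5, "198.51.100.9", 7000),
    Packet(9.0, "198.51.100.9", 8000),       # 8.5 s after the first knock: reset
    Packet(9.5, "198.51.100.9", 9000),
    Packet(10.0, "198.51.100.9", SSH_PORT),  # no rule for this source: rejected
    Packet(40.0, "203.0.113.5", SSH_PORT),   # window expired: rule removed, rejected
    Packet(45.0, "203.0.113.5", SSH_PORT, syn=False),  # existing session carries on
]

if __name__ == "__main__":
    actions, verdicts = simulate(SAMPLE)
    print("\n".join(actions))
    for ts, src, ok in verdicts:
        print(f"t={ts:5.1f} {src:<14} sshd {'ACCEPT' if ok else 'REJECT'}")
```

The model also makes Matt's caveat concrete: the gate's only secret is the order of a few port numbers, so a short sequence gives a flood of SYNs a real chance of completing it by luck, which is why he suggests a longer sequence or SPA, where the opening packet carries an authenticated payload rather than just a port number.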


      

