Server Vulnerability Scan

GK gm5729 at gmail.com
Fri Jan 8 14:53:42 MST 2010


> --- On Tue, 1/5/10, Matt Graham <danceswithcrows at usa.net> wrote:
> 
> > From: Matt Graham <danceswithcrows at usa.net>
> > Subject: Re: Server Vulnerability Scan
> > To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
> > Date: Tuesday, January 5, 2010, 9:54 AM
> > From: keith smith <klsmith2020 at yahoo.com>
> > > Part of what I am tasked with is keeping the cart PCI complaint.
> > 
> > That's one of those typos that actually makes more sense than it
> > would if speled correctly :-).
> > 
> > > We hired a company who scans our server and reports back to us.
> > > They report :
> > > We were able to determine which versions of the SSH protocol the
> > > remote SSH daemon supports. This gives potential attackers
> > > additional information about the system they are attacking.
> > 
> > sshd tells the client "I support protocol 2" or "I support protocol 1"
> > or "I support both protocols". It's not possible AFAICT to not do that
> > and still be able to run ssh with a standard client. The thing that'd
> > probably work is to run knockd (or something that implements Single
> > Packet Authentication, or something like that). Have an iptables rule
> > that REJECTs all traffic on the port you're running sshd on when SYN is
> > set. Then knockd or whatever inserts an iptables rule that ACCEPTs
> > traffic with SYN set from the IP that submits a successful knock
> > request (or valid SPA request) for ~30 seconds.
> > 
> > It is apparently possible to send so many packets so quickly that
> > knockd can be overwhelmed for short knock sequences, so either make
> > the sequence long or think about SPA.
> > 
> > Most PCI scanning companies do a minimum amount of effort. I was
> > annoyed when they said, "Version X.Y has a vulnerability in the IMAP
> > functions." I compiled that package and made it so all the IMAP
> > functions were commented out. Then I installed that on a test box, and
> > had them scan that test box. Yep, we still got dinged for a
> > vulnerability in functions that were not even there. It may help to
> > think of PCI compliance as a bureaucratic problem, not a technical
> > one, because that's how it seems to play out.
> > 
> > > I've looked in the sshd_config and find nothing that would alert me
> > > to how I can turn off reporting its config or its existence.
> > 
> > I don't think you can do that and still have sshd work properly. But
> > try an alternative approach, like the one above or the one that Lisa
> > mentioned late yesterday.
> > 
> > -- 
> > Matt G / Dances With Crows
> > The Crow202 Blog: http://crow202.org/wordpress/





-- 
SYN and ACK attacks can not only be handled with iptables, but also with
/etc/sysctl.conf. The latter is at kernel level. I am guessing that the
knockd application is one that closes the port until you manipulate a
different port. I personally don't REJECT packets. Most of the time I
DROP them or MoBlock will ACCEPT/MARK them. Dropping the packets gives
the illusion that the server is not even there.

VampirePenguin
-- 
-- 
If there is a question to the validity of this email please phone for validation. Proudly presented by Mutt, GNUPG, Vi/m and GNU/Linux via CopyLeft. GNU/Linux is about Freedom to compute as you want and need to, and share your work unencumbered and have others do the same with you. Key :  0xD53A8E1
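The knockd-plus-iptables arrangement Matt describes (baseline REJECT of SYNs to the sshd port, a per-source ACCEPT for about 30 seconds after a correct knock) and the REJECT-versus-DROP choice raised in the reply, modelled as an added example. This is not knockd's code and not from anyone in the thread; it is a small Python model of the state knockd keeps, plus the iptables command strings it would run. The port numbers, the knock sequence, the timeouts and the KNOCK chain name are assumptions, and the tracker's fields stand in for knockd.conf's sequence, seq_timeout and cmd_timeout settings.

```python
"""Model of the knockd + iptables scheme from the thread (added example,
not knockd's own code).

Baseline: SYNs to the sshd port are REJECTed (or DROPped).  When a source
completes the knock sequence with no more than seq_timeout seconds between
knocks, an ACCEPT rule for that source is inserted for a limited window and
removed when the window expires.  Ports, timeouts and the KNOCK chain name
are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SSH_PORT = 22                        # assumption: sshd listens on 22
KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumption: three-port knock, in order
SEQ_TIMEOUT = 5.0                    # max seconds between consecutive knocks
OPEN_FOR = 30.0                      # the ~30 s window mentioned in the thread


def baseline_rules(port: int = SSH_PORT, action: str = "REJECT") -> List[str]:
    """Rules that close the port by default.  Only SYNs are matched, so an
    ssh session that is already established keeps working after its window
    closes.  REJECT answers the client; DROP makes the port look empty."""
    return [
        "iptables -N KNOCK",
        f"iptables -A INPUT -p tcp --dport {port} --syn -j KNOCK",
        f"iptables -A INPUT -p tcp --dport {port} --syn -j {action}",
    ]


def open_rule(src: str, port: int = SSH_PORT) -> str:
    """Command knockd would run on a successful knock (start_command role)."""
    return f"iptables -I KNOCK -s {src} -p tcp --dport {port} --syn -j ACCEPT"


def close_rule(src: str, port: int = SSH_PORT) -> str:
    """Command run when the window ends (stop_command role)."""
    return f"iptables -D KNOCK -s {src} -p tcp --dport {port} --syn -j ACCEPT"


@dataclass
class KnockTracker:
    """Per-source knock progress plus the set of currently open sources."""
    sequence: Tuple[int, ...] = KNOCK_SEQUENCE
    seq_timeout: float = SEQ_TIMEOUT
    open_for: float = OPEN_FOR
    port: int = SSH_PORT
    # src -> (index of the next expected knock, time of the last knock)
    _progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    # src -> time at which its ACCEPT rule must be removed
    _open_until: Dict[str, float] = field(default_factory=dict)

    def observe_syn(self, src: str, dport: int, now: float) -> List[str]:
        """Feed one inbound SYN (source address, destination port, time).
        Returns the iptables commands to run now, usually none; windows that
        have expired are closed on the way."""
        cmds = self.expire(now)
        idx, last = self._progress.get(src, (0, now))
        if now - last > self.seq_timeout:
            idx = 0                      # partial sequence went stale
        if dport == self.sequence[idx]:
            idx += 1                     # next knock, in order
        elif dport == self.sequence[0]:
            idx = 1                      # wrong port, but it restarts the sequence
        else:
            idx = 0                      # any other port resets progress
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            if src not in self._open_until:
                cmds.append(open_rule(src, self.port))
            self._open_until[src] = now + self.open_for   # a fresh knock extends
        elif idx == 0:
            # Keep no state for unrelated or flood traffic; note that a short
            # sequence is still exposed to being hit by a fast port sweep,
            # which is the reason the thread suggests a long sequence or SPA.
            self._progress.pop(src, None)
        else:
            self._progress[src] = (idx, now)
        return cmds

    def expire(self, now: float) -> List[str]:
        """Remove ACCEPT rules whose window has elapsed."""
        cmds: List[str] = []
        for src, until in list(self._open_until.items()):
            if now >= until:
                del self._open_until[src]
                cmds.append(close_rule(src, self.port))
        return cmds

    def is_open(self, src: str, now: float) -> bool:
        """True while `src` may open new connections to the sshd port."""
        return self._open_until.get(src, 0.0) > now
```

A real deployment would run the returned commands through subprocess as root and feed `observe_syn` from a packet capture or the firewall log; the model here only decides what to run. Choosing `action="DROP"` in `baseline_rules` gives the silent behaviour described in the reply above; REJECT gives a scanner a definite answer but spares legitimate clients a connect timeout.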

