Server Vulnerability Scan
Matt Graham
danceswithcrows at usa.net
Tue Jan 5 09:54:38 MST 2010
From: keith smith <klsmith2020 at yahoo.com>
> Part of what I am tasked with is keeping the cart PCI complaint.
That's one of those typos that actually makes more sense than it
would if speled correctly :-).
> We hired a company who scans our server and reports back to us.
> They report :
> We were able to determine which versions of the SSH protocol the
> remote SSH daemon supports. This gives potential attackers
> additional information about the system they are attacking.
sshd tells the client "I support protocol
2" or "I support protocol 1" or "I support both protocols". It's
not possible AFAICT to not do that and still be able to run ssh
with a standard client. The thing that'd probably work is to run
knockd (or something that implements Single Packet Authentication,
or something like that). Have an iptables rule that REJECTs all
traffic on the port you're running sshd on when SYN is set. Then
knockd or whatever inserts an iptables rule that ACCEPTs traffic
with SYN set from the IP that submits a successful knock request
(or valid SPA request) for ~30 seconds.
It is apparently possible to send so many packets so quickly that
knockd can be overwhelmed for short knock sequences, so either
make the sequence long or think about SPA.
Most PCI scanning companies do a minimum amount of effort. I was
annoyed when they said, "Version X.Y has a vulnerability in the
IMAP functions." I compiled that package and made it so all the
IMAP functions were commented out. Then I installed that on a
test box, and had them scan that test box. Yep, we still got
dinged for a vulnerability in functions that were not even there.
It may help to think of PCI compliance as a bureaucratic problem,
not a technical one, because that's how it seems to play out.
> I've looked in the sshd_config and find nothing that would alert
> me to how I can turn off reporting its config or its existence.
I don't think you can do that and still have sshd work properly.
But try an alternative approach, like the one above or the one
that Lisa mentioned late yesterday.
--
Matt G / Dances With Crows
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
More information about the PLUG-discuss
mailing list