From: David W. <dw...@ad...> - 2009-10-14 23:15:22
Dear OSSIM Developers,

When setting up a security apparatus it is considered good practice to reduce the vulnerability "cross-section" of the device. Many less skilled admins will take your disk and slap it on a machine, thinking that they have made their networks more secure (bear in mind that strictly following the install directions will result in a non-functional device (see my previous posts about this)). Most of them will not stop to consider that a security appliance could actually open their network up to attack. So as a distributor of a custom Debian disk, you have a special responsibility to the end user (or in this case "end admin") to provide a pre-hardened configuration. With this in mind, please see this list of listening ports:

  ossimids:~# netstat -anp | grep LISTEN | grep -v LISTENING
  tcp    0  0 0.0.0.0:40001     0.0.0.0:*  LISTEN  4228/ossim-server
  tcp    0  0 0.0.0.0:514       0.0.0.0:*  LISTEN  2883/rsyslogd
  tcp    0  0 127.0.0.1:40003   0.0.0.0:*  LISTEN  3707/python
  tcp    0  0 0.0.0.0:3306      0.0.0.0:*  LISTEN  3040/mysqld
  tcp    0  0 0.0.0.0:43        0.0.0.0:*  LISTEN  3206/inetd
  tcp    0  0 0.0.0.0:9390      0.0.0.0:*  LISTEN  3604/openvasd: wait
  tcp    0  0 0.0.0.0:4949      0.0.0.0:*  LISTEN  4075/munin-node
  tcp    0  0 0.0.0.0:22        0.0.0.0:*  LISTEN  2958/sshd
  tcp    0  0 127.0.0.1:25      0.0.0.0:*  LISTEN  3811/master
  tcp    0  0 0.0.0.0:2265      0.0.0.0:*  LISTEN  3615/osirisd
  tcp    0  0 0.0.0.0:2266      0.0.0.0:*  LISTEN  3618/osirismd
  tcp6   0  0 :::514            :::*       LISTEN  2883/rsyslogd
  tcp6   0  0 127.0.0.1:8005    :::*       LISTEN  3869/java
  tcp6   0  0 :::8009           :::*       LISTEN  3869/java
  tcp6   0  0 :::8080           :::*       LISTEN  3869/java
  tcp6   0  0 :::80             :::*       LISTEN  4012/apache2
  tcp6   0  0 :::22             :::*       LISTEN  2958/sshd
  tcp6   0  0 :::3000           :::*       LISTEN  4287/ntop

Virtually every one of these services has in the past been used to (a) take over the entire machine or (b) provide an attacker with whatever information is available via that service. The exceptions to the rule are the services that you wrote yourselves.
How much do you wish to gamble that no exploit will ever be found for your own software? Let's look at a few of these concerns:

1) ipv6 - Most older firewalls will not filter ipv6 (mine doesn't). There is no reason for this machine to listen for ipv6 packets, ever. If I had ipv6 on my network it should be detected by the install script. There is not now and will never be an ipv6 internet <http://cr.yp.to/djbdns/ipv6mess.html>.

2) Openvasd - this is a service that launches exploits against remote machines. It listens on a port because in theory one could use the openvas client to connect to it and see graphs and charts on your desktop machine. I wanted a web interface to look at vulnerabilities, not a gtk/qt client. It is a gaping security hole to permit remote programs to connect to my security device and attack remote machines.

3) Tomcat - there are more than 79 Tomcat vulnerabilities http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tomcat outstanding today. It took me about 5 seconds to find one that worked: http://MY_IP:8080/manager/html . This link is live, and using the default password listed on the web site permits you to run arbitrary tomcat webapps. This exploit is live and in the wild right now.

I'm talking to the coworkers and they are telling me I'm all wet about this, but I insist that the kind of people that will install OSSIM are not talented admins and will not check under the hood to make sure that everything is secure.

What services should be listening? 22 and 443. Nothing else. These measures do not guarantee a secure machine, but not having them guarantees a rooted machine.

Regards,
-Dave
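The check Dave is asking for, written out as an added example (this is editor-supplied code, not part of the original post or of the OSSIM project): a small POSIX shell audit that reads the `netstat -anp` listener table, tolerates loopback-only sockets, and flags every socket bound to a wildcard or external address whose port is not on an allowlist. The allowlist "22 443" is taken from the post's policy; the sample input is the post's own listener table, embedded here as constructed data; the column layout assumed is the one netstat printed above (proto, recv-q, send-q, local, foreign, state, pid/program). Non-loopback IPv6 sockets get an extra `+ipv6` tag because the post argues there should be none.

```shell
#!/bin/sh
# Added example: audit "netstat -anp" LISTEN output against an allowlist of
# ports that may be reachable from the network. Not from the original post
# or from OSSIM. Assumes the netstat column layout shown in the post and the
# post's policy that only 22 and 443 may be exposed.

ALLOWED_PORTS="22 443"   # assumption: the post's "22 and 443. Nothing else."

# Constructed input: the listener table from the post, one socket per line.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:40001 0.0.0.0:* LISTEN 4228/ossim-server
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 2883/rsyslogd
tcp 0 0 127.0.0.1:40003 0.0.0.0:* LISTEN 3707/python
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3040/mysqld
tcp 0 0 0.0.0.0:43 0.0.0.0:* LISTEN 3206/inetd
tcp 0 0 0.0.0.0:9390 0.0.0.0:* LISTEN 3604/openvasd: wait
tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN 4075/munin-node
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2958/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3811/master
tcp 0 0 0.0.0.0:2265 0.0.0.0:* LISTEN 3615/osirisd
tcp 0 0 0.0.0.0:2266 0.0.0.0:* LISTEN 3618/osirismd
tcp6 0 0 :::514 :::* LISTEN 2883/rsyslogd
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 3869/java
tcp6 0 0 :::8009 :::* LISTEN 3869/java
tcp6 0 0 :::8080 :::* LISTEN 3869/java
tcp6 0 0 :::80 :::* LISTEN 4012/apache2
tcp6 0 0 :::22 :::* LISTEN 2958/sshd
tcp6 0 0 :::3000 :::* LISTEN 4287/ntop
EOF
}

# Reads netstat lines on stdin and prints one
#   VERDICT PROTO PORT LOCAL_ADDRESS PROGRAM
# line per TCP listener. Loopback-only sockets are "loopback"; anything
# reachable from the network is "allowed" only if its port is on the list,
# otherwise "EXPOSED". Non-loopback IPv6 sockets are tagged "+ipv6".
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        laddr = $4
        k = split(laddr, p, ":")                  # port is the last ":" field
        port = p[k]                               # works for ":::514" too
        host = substr(laddr, 1, length(laddr) - length(port) - 1)
        prog = ($7 == "") ? "-" : $7
        if (host == "127.0.0.1" || host == "::1") verdict = "loopback"
        else if (port in ok)                       verdict = "allowed"
        else                                       verdict = "EXPOSED"
        if ($1 == "tcp6" && verdict != "loopback") verdict = verdict "+ipv6"
        printf "%s %s %s %s %s\n", verdict, $1, port, laddr, prog
    }'
}

# Number of listeners that violate the allowlist (stdin: netstat output).
exposed_count() {
    audit_listeners | awk '$1 ~ /^EXPOSED/ { c++ } END { print c + 0 }'
}

# Number of non-loopback IPv6 listeners (stdin: netstat output).
ipv6_count() {
    audit_listeners | awk '$1 ~ /ipv6$/ { c++ } END { print c + 0 }'
}

# Stand-alone run over the constructed sample. On a live host replace
# "sample_netstat" with "netstat -anp" (or "netstat -antp" to skip UNIX sockets).
sample_netstat | audit_listeners
echo "exposed listeners: $(sample_netstat | exposed_count)"
echo "ipv6 listeners:    $(sample_netstat | ipv6_count)"
```

Run against the post's table this reports 13 exposed listeners and 6 non-loopback IPv6 sockets; only the two sshd sockets pass, and the three loopback sockets (40003, 25, 8005) are left alone. Wiring `sample_netstat | exposed_count` into a post-install hook that refuses to finish while the count is non-zero is the cheapest way to get the "pre-hardened" default the post asks for.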