The Community Forums


how to secure a server correctly?

Discussion in 'General Discussion' started by olivier222333, Sep 4, 2004.

  1. olivier222333

    olivier222333 Well-Known Member
    PartnerNOC

    Joined:
    Jul 12, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Hello all,
    I have a server: RH 3EL 2.4.21-15.0.4.EL at servermatrix.com

    I just ran rkhunter-1.1.6

    and I saw 3 vulnerabilities. I think it is important to show this to all users....

    * Application version scan
    - Exim MTA 4.42 [ Unknown ]
    - GnuPG 1.2.1 [ Vulnerable ]
    - Apache [unknown] [ OK ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Vulnerable ]
    - PHP 4.3.8 [ OK ]
    - PHP 4.3.8 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]

    How do I update this software?

    Thanks
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Rkhunter is wrong about them. Try the search button before posting as this has been discussed before.
     
  3. olivier222333

    olivier222333 Well-Known Member
    PartnerNOC

    Joined:
    Jul 12, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Can you show me the thread, please?
     
  4. Misiek

    Misiek Well-Known Member

    Joined:
    Feb 23, 2004
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Is wrong about what?
    OpenSSL 0.9.7a [ Vulnerable ]
    - OpenSSH 3.6.1p2 [ Vulnerable ]

    On ServerMatrix these two things come with cPanel; both versions are vulnerable and should be changed:

    OpenSSL to version 0.9.7.d
    OpenSSH to version 3.9p1

    It's the first thing I ever do!!
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    They are not known to be vulnerable.

    So that I don't have to go search for you:

    RedHat Enterprise Edition (and previous versions) is kept stable by using known stable versions of applications. When a security fix comes out for an application, instead of upgrading the application to the latest version which will often introduce more bugs and be less stable, RedHat backports the security fix into the stable version that they maintain.

    Indeed, you should not blindly upgrade apps or libraries beyond that which comes with RHE since you could well break something else (especially with the likes of openssl) unless you have a burning need for some new feature of a newer release of the app.

    So, they're not known to be vulnerable and you should not upgrade them unless you want to do away with the likes of up2date and rpm. Since you're running cPanel, you should not want to do that.

    [edit]changed "not vulnerable" to "not known to be vulnerable"[/edit]
     
  6. Misiek

    Misiek Well-Known Member

    Joined:
    Feb 23, 2004
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    You are funny, so you are saying that having a kernel with grsec has the same safety as the Red Hat Enterprise kernel :D:D:D hehehe NICE :) - No comment

    Second thing, I think you should look into google.com, typing openssl 0.9.7a

    Or look at www.openssl.org, there is nice security info

    [edit] I will help you and paste the text here

    1. Null-pointer assignment during SSL handshake
    ===============================================

    Testing performed by the OpenSSL group using the Codenomicon TLS Test
    Tool uncovered a null-pointer assignment in the
    do_change_cipher_spec() function. A remote attacker could perform a
    carefully crafted SSL/TLS handshake against a server that used the
    OpenSSL library in such a way as to cause OpenSSL to crash. Depending
    on the application this could lead to a denial of service.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CAN-2004-0079 to this issue.

    All versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from
    0.9.7a to 0.9.7c inclusive are affected by this issue. Any
    application that makes use of OpenSSL's SSL/TLS library may be
    affected. Please contact your application vendor for details.
     
    #6 Misiek, Sep 4, 2004
    Last edited: Sep 4, 2004
  7. Angel78

    Angel78 Well-Known Member

    Joined:
    May 9, 2002
    Messages:
    413
    Likes Received:
    1
    Trophy Points:
    16
    RHE backports all bug fixes, so no, those "vulnerable" entries are not "vulnerable" if you are running an updated RHE system.
     
  8. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    That would have been wiser. ;)
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Misiek,

    3 things:

    1. You are wrong about openssl and you should stop spreading FUD when you don't understand what you are talking about

    2. I didn't mention anything about securing your kernel

    3. Unless you know what you are doing (and it seems evident that you do not since you don't understand about RH back-porting) then you should most certainly not be messing around changing beyond the supplied RHE versions, including the kernel
     
  10. Misiek

    Misiek Well-Known Member

    Joined:
    Feb 23, 2004
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Ok, you know what you know, I know what I know, and let it stay this way.
     
  11. olivier222333

    olivier222333 Well-Known Member
    PartnerNOC

    Joined:
    Jul 12, 2004
    Messages:
    55
    Likes Received:
    0
    Trophy Points:
    6
    Misiek, please tell me how to upgrade my openssh and openssl?
     
  12. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Olivier, there is no need.

    Misiek is wrong, there is no need and you are more likely to break something.

    Misiek,

    Stop talking crap, since you clearly do not understand how RH develops their software. Here's the proof:

    From the RHS site:
    https://www.redhat.com/security/
    And for OpenSSL:
    http://rhn.redhat.com/errata/RHSA-2004-120.html

    That's the vulnerability he is saying isn't fixed and there's the proof that it is. If you're unsure, you can view all of the RHE errata here:
    https://rhn.redhat.com/errata/rhel3es-errata.html
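    The disagreement in this thread comes down to how a scanner decides "vulnerable": rkhunter compares the upstream version string, while Red Hat ships the fix under the same version number, so the correct check is whether the distro package records the fix. Below is an added example, not code from the thread, from rkhunter or from Red Hat: a version-only verdict next to a changelog-based verdict, run over a constructed sample of `rpm -q --changelog openssl` output that cites the CAN-2004-0079 id quoted above (the changelog text, maintainer name and release numbers are made up; the real check is the RHSA errata or the changelog on the machine itself).

```python
"""Why a version-only scan flags backported packages, and how a changelog
check avoids the false positive. Added example; not from rkhunter or Red Hat."""
import re

# Constructed sample of `rpm -q --changelog openssl` on an RHEL 3 box.
# The CVE id is the one quoted in the thread; everything else is made up.
SAMPLE_CHANGELOG = """\
* Wed Mar 17 2004 Example Maintainer <maint@example.invalid> 0.9.7a-33.12
- fix CAN-2004-0079 (null-pointer dereference in do_change_cipher_spec)

* Mon Feb 02 2004 Example Maintainer <maint@example.invalid> 0.9.7a-33.11
- rebuild
"""


def parse_version(v):
    """Split '0.9.7a' or '3.6.1p2' into comparable parts: digits compare as
    ints, letters as strings; the tag keeps ints and strings from colliding."""
    parts = re.findall(r"\d+|[a-z]+", v.lower())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def version_only_verdict(installed, first_fixed_upstream):
    """What a scanner that only compares upstream version strings concludes."""
    if parse_version(installed) < parse_version(first_fixed_upstream):
        return "Vulnerable"
    return "OK"


def changelog_mentions(changelog, cve_id):
    """True if the distro package's changelog records a fix for this id."""
    return re.search(r"\b" + re.escape(cve_id) + r"\b", changelog) is not None


def verdict(installed, first_fixed_upstream, cve_id, changelog):
    """Prefer the package's own fix record over the upstream version number;
    fall back to the version comparison only when the changelog is silent."""
    if changelog_mentions(changelog, cve_id):
        return "OK (fix backported)"
    return version_only_verdict(installed, first_fixed_upstream)


if __name__ == "__main__":
    # rkhunter's view: 0.9.7a < 0.9.7d, so "Vulnerable".
    print(version_only_verdict("0.9.7a", "0.9.7d"))
    # Changelog-aware view of the same package: the fix is present.
    print(verdict("0.9.7a", "0.9.7d", "CAN-2004-0079", SAMPLE_CHANGELOG))
```

    A changelog grep is a heuristic; an id can be missing from the text even when the fix is present, so the errata page for the package remains the authoritative answer.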
     
  13. Misiek

    Misiek Well-Known Member

    Joined:
    Feb 23, 2004
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    That doesn't prove anything, so you are saying that running openssh 3.6.1 on RHE is as safe as running openssh 3.9.1 :D:D Don't be funny, you cannot backport a running service like openssl; please learn to read exactly what is said on the openssl site :) Hmmm, and the last funny thing: I'm talking crap, so how did an always-updated machine of a very good hosting company on RHE get hacked through ssl, even though they always had the latest update packages??

    Interesting, isn't it??
     
  14. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    No, because you are flat out wrong :rolleyes: and spreading FUD.
     
  15. Misiek

    Misiek Well-Known Member

    Joined:
    Feb 23, 2004
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Ok, you're right, I'm wrong, let's leave it this way.
    EOT
     
  16. jester.ro

    jester.ro Well-Known Member
    PartnerNOC

    Joined:
    Feb 6, 2004
    Messages:
    304
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Bucharest, Romania
    cPanel Access Level:
    DataCenter Provider
    Misiek, please stop spreading wrong info here. Some users may take your posts seriously and actually break their machines.

    You are right, software 1.3 is less secure than software 1.4. But this applies to software installed from sources, directly from the software's provider.

    This isn't the redhat/fedora way.

    But I suppose you use kernel 2.4.27 on fedora, not 2.4.22-1.2199.nptl or whatever version is latest on fedora1.
     
  17. sawbuck

    sawbuck Well-Known Member

    Joined:
    Jan 18, 2004
    Messages:
    1,367
    Likes Received:
    5
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Sounds like a good idea.
     