On 14-Jun-01 ryanm3@eircom.net wrote:
> I am running the following services on my SuSE 6.4 box:
Do you use the latest kernel? If your current kernel is <= 2.2.14 you should update.
> Port  Service   version                       comments
> 21    in.ftpd   6.4/OpenBSD/Linux-ftpd-0.16   2 users allowed access, strong passwords enforced
I would replace this with proftpd (www.proftpd.org), which is more flexible and more secure than the standard in.ftpd. Proftpd can be run standalone as a daemon listening on port 21 or, as usual, via inetd.
> 25    sendmail  8.9.3
AFAIK this version of sendmail seems to be secure. However, sendmail is a complex piece of software and may contain a couple of 'sleeping bugs' which could pose a threat to your host. To overcome this possible danger you may want to use an SMTP proxy which accepts mail on port 25 and hands it over to your MTA. Thus, if the (low privileged) SMTP proxy breaks or gets cracked, your system cannot be 'owned' with elevated privileges (it could with sendmail, as it normally runs as root). You can find a good SMTP proxy and other such tools in the TIS firewall toolkit (tis fwtk) from www.tis.com/research/software/ .
> 53    named     BIND 8.2.3-REL
No problems with this one. Make sure you choose a non-privileged user to run bind as, in a chroot jail. See www.linux.org/docs/ldp/howto/Chroot-BIND-HOWTO.html for how this can be done.
> 80    httpd     Apache 1.3.12 PHP/3.0.15, mod_perl/1.21
No problems with this Apache version. If you run MySQL, too, make sure you use the latest version.
> 110   rinetd    0.61                          POP3 requests redirected to another machine
No known problems (to me). I use ipmasqadm for port redirection which IMHO should perform a little better than rinetd.
> 443   https     Apache 1.3.12
No known problems. Make sure your private key files and certificates are properly secured...
> According to an nmap port scan, all other ports up to port 1024 are in state filtered. Anything from port 1024 up is closed.
> My question is whether this box is vulnerable in its current state and if so, what should I be doing to secure it?
If possible, avoid protocols with clear text passwords (ftp, pop3, etc.). If not possible, replace these protocols with ones using encryption or tunnel requests to unsafe services via ssh/ssl. Many tightly secured systems have been cracked in the past due to a combination of sniffers running in the networking neighborhood and heavy use of clear text protocols. You may want to take a look at ssh/openssh to find out whether file transfers from/to your host can be accomplished with sftp (secure ftp) or scp (secure file copy). If so, use it and forget about ftp.
> Tnx, MR
Good luck,
---
Boris Lorenz
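An added example, not code from either poster: a small Python audit that applies two of the checks from this reply to a constructed copy of the service table, namely the kernel threshold (parsed as numbers, so that a release like 2.2.9 is not mistaken for newer than 2.2.14 the way plain string comparison would) and the clear-text password protocols (ftp, pop3) with the encrypted replacement the reply suggests. The port-to-protocol mapping and the suggestion strings are my assumptions drawn from the reply.

```python
import re
# Threshold given in the reply: kernels at or below 2.2.14 should be updated.
MIN_KERNEL = "2.2.14"

# Clear-text password protocols named in the reply, keyed by well-known port
# (rinetd on 110 still carries POP3), with the encrypted replacement suggested.
CLEARTEXT_AUTH = {
    21: ("ftp", "sftp or scp over ssh"),
    110: ("pop3", "pop3 tunnelled through ssh"),
}

def kernel_tuple(release):
    """Parse a `uname -r` string such as '2.2.14-SMP' into (major, minor, patch).
    Comparing the raw strings is a classic mistake: '2.2.9' > '2.2.14' as text."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unparseable kernel release: %r" % release)
    return tuple(int(x) for x in m.groups())

def kernel_needs_update(release, minimum=MIN_KERNEL):
    """True when the running kernel is at or below the threshold version."""
    return kernel_tuple(release) <= kernel_tuple(minimum)

def parse_services(text):
    """Parse 'port service version/comments' lines like the table in the question."""
    rows = []
    for line in text.strip().splitlines():
        port, service, detail = (line.split(None, 2) + [""])[:3]
        rows.append({"port": int(port), "service": service, "detail": detail})
    return rows

def cleartext_findings(rows):
    """Return (port, protocol, suggestion) for each service taking passwords in the clear."""
    out = []
    for row in rows:
        if row["port"] in CLEARTEXT_AUTH:
            proto, fix = CLEARTEXT_AUTH[row["port"]]
            out.append((row["port"], proto, fix))
    return out

# Constructed sample input, copied from the services listed in the question.
SAMPLE_SERVICES = """\
21 in.ftpd 6.4/OpenBSD/Linux-ftpd-0.16 2 users allowed access, strong passwords enforced
25 sendmail 8.9.3
53 named BIND 8.2.3-REL
80 httpd Apache 1.3.12 PHP/3.0.15, mod_perl/1.21
110 rinetd 0.61 POP3 requests redirected to another machine
443 https Apache 1.3.12
"""
```

Feed `platform.release()` to `kernel_needs_update` to check the running host, and the output of your own service inventory to `parse_services`.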