Koozali.org: home of the SME Server

Securing Down 6.0

Brian L.

Securing Down 6.0
« on: April 11, 2004, 06:57:49 AM »
Everyone,

After recovering from being hacked on my 5.6 box, I am getting paranoid about security on my 6.0 box.

How do you guys (or what do you use to) disable services, close ports, secure the filesystem, and scan for vulnerabilities/open ports?

This could make a good addition to the wiki.

Brian

Boris
Securing Down 6.0
« Reply #1 on: April 12, 2004, 07:41:40 PM »
What services and applications are you going to be using?
...

Brian

Securing Down 6.0
« Reply #2 on: April 19, 2004, 02:58:46 AM »
Well, various ones, per the usual SME user.

IMAP
SSH
HTTP
HTTPS
Webmail
VPN
POP3

It would also be nice to turn off unnecessary services similar to the services contrib for 5.6. Does such a contrib exist for 6.0.1?

Brian

Hermie

Securing Down 6.0
« Reply #3 on: April 19, 2004, 06:21:47 AM »
You could use tools like Nessus to scan the external interface and rkhunter to look for root kits and exploits.

Did you find out how you got broken into? That would be my first stop.

Boris
Securing Down 6.0
« Reply #4 on: April 19, 2004, 07:30:57 AM »
Quote from: "Brian"
It would also be nice to turn off unnecessary services similar to the services contrib for 5.6. Does such a contrib exist for 6.0.1?

Yes it does.
e-smith-service-control-1.1.0-06.noarch.rpm works with SME 6.x
Get it here: http://www.ibiblio.org/pub/Linux/distributions/smeserver/contribs/dmay/mitel/contrib/e-smith-service-control/e-smith-service-control-1.1.0-06.noarch.rpm

Re: securing your box:
Will you have users accessing it via ssh and VPN? If you can avoid it, don't give shell accounts to users. Do a "background check" on the applications you are installing and exercise generally advisable security measures like good passwords, changed regularly, etc.
SME in the default installation is relatively secure. Every new change you make (create an account, install an application, open VPN, etc.) lowers this default security. Don't do it more than you have to in order to achieve the functionality you need.
...

Anonymous

Securing Down 6.0
« Reply #5 on: April 21, 2004, 01:13:43 PM »
Brian

POP3 & IMAP - NOT secure if external access enabled, local access only is OK

SSH - OK secure

HTTP - NOT secure if you use passwords and logins on ibays

HTTPS - OK secure

Webmail - use https ONLY for external

VPN - OK secure


Regs
Ray

Krisen

Is contribs.org taking security seriously?
« Reply #6 on: April 21, 2004, 05:34:06 PM »
For SSH doesn't it depend on whether you upgrade to the latest openssh rpms? There have been exploits announced in March. I have not seen any updates on the contribs.org site so I had to go to rpmfind.net. I have also recently been hacked (rooted last week running sme5.6). I'm not sure how the hacker got in, but am now paranoid about having the latest patches for all exploits for the basic SME services (apache, php, ssh, proftpd etc.).

It seems to me that security has taken a back burner in this new contribs.org release. Does anyone else feel this way?

Quote from: "Anonymous"
Brian

POP3 & IMAP - NOT secure if external access enabled, local access only is OK

SSH - OK secure

HTTP - NOT secure if you use passwords and logins on ibays

HTTPS - OK secure

Webmail - use https ONLY for external

VPN - OK secure


Regs
Ray

Boris
Re: Is contribs.org taking security seriously?
« Reply #7 on: April 21, 2004, 08:12:08 PM »
Quote from: "Krisen"
It seems to me that security has taken a back burner in this new contribs.org release. Does anyone else feel this way?

If you check the devinfo mailing list you will have the same feeling about the whole development.
Is it the beginning of the end?
...

Anonymous

Re: Is contribs.org taking security seriously?
« Reply #8 on: April 23, 2004, 11:27:03 PM »
Quote from: "Boris"
Quote from: "Krisen"
It seems to me that security has taken a back burner in this new contribs.org release. Does anyone else feel this way?

If you check the devinfo mailing list you will have the same feeling about the whole development.
Is it the beginning of the end?

Devinfo has been so quiet recently, I don't know what to think.

Brenno
Securing Down 6.0
« Reply #9 on: April 24, 2004, 06:29:43 PM »
Well, if this isn't a cause for concern, what is??!!

Now that I keep hearing about these boxes being hacked, I grow anxious. One of my primary reasons for choosing e-smith, other than the cost, ease of use and reliability, was its inherent security. If the latter is no more, we're in trouble.

How can we be reassured that the security of these distros is still a primary goal?  I'd hate this software to go the way of Microsoft and let security take a back seat.

jcoleman

Securing Down 6.0
« Reply #10 on: April 24, 2004, 09:47:34 PM »
There are always concerns about boxes being hacked.  That is life.  

However, there are NO security issues with 6.x to be fixed at the moment.

The SSH exploit is only on the older boxen, not on 6.x. There have been NO reports of hack attempts where there was any information that could lead us to believe that an exploit was available under the current rev.

While Brian reported his box being hacked, remember that his hacked box was an older version with known exploits available.

BTW, if SME Server is dead, why are our usage stats on the website going up by an average of 300K hits per month?  We should get almost 3 million hits this month alone.

One of the issues that caused consternation in the community with the Mitel version was that they end-of-life'd their versions about every 6 months. That caused great problems in the field with upgrading boxes to remain current.

SME Server is committed to giving a longer term life cycle to the distro than Mitel did.  Additionally, there have been no security releases because they haven't been required.

If it ain't broke, don't fix it.

Cheers,

-jeff

Anonymous

Securing Down 6.0
« Reply #11 on: April 25, 2004, 05:08:45 AM »
Thank-you

This was another pointless thread that should have slipped off the front page instead of getting bumped every so often - like I have just done.

To answer the original question - nothing, I do nothing to "lock it down". I am more than happy with the vanilla install. But because I chose to add Hylafax, Asterisk and Tapeware, and they diminish the security of the box, I run the server in server-only mode hidden behind a dedicated firewall.

Brenno - there is no proof that a stock standard recent machine has been hacked.

6.0.1 is the best yet and I am not just talking cosmetics. The add-on stuff - clamav, mailfront, spamassassin etc that the Dev guys (you know the really quiet ones) have been putting out integrates exceptionally well with a minimum of fuss.

If you're concerned about security - find the problem and fix it - roll the rpm and let us know. This is after all a community site. There is no reason to expect those that have built this great site, given their time and bandwidth for little in return, to do everything.

Regards Duncan

duncan

Securing Down 6.0
« Reply #12 on: April 25, 2004, 05:12:35 AM »
I never remember to log in.

stancol
Talk
« Reply #13 on: April 25, 2004, 08:24:13 AM »
There has been a lot of talk on the boards about boxes being hacked. So far I've seen no proof of it. Just somebody saying they were hacked without any proof is like trying to convict someone without any evidence. If we are going to convict 6.0 then we should be seeing some proof. Proof like "What contribs were you running?" and "What other types of software were you running on your HTTP server?" All the posts I've seen list people that had extra contribs and programs added to those boxes. Don't forget that human engineering is still one of the best ways to break in. If several people know the root password you're asking for trouble on any system.

So much goes into securing a box. Doesn't matter what kind of security you run if your machine is near an outside window where prying eyes can watch you.

If we were to take in all the evidence I've seen so far into a court room the judge would laugh us out of the building.

P.S. If you really do have some concerns with some evidence we shouldn't be discussing them in an open forum for all the world to see. In other words don't post your evidence for everyone to see.
What are the three dots for at the end of my signature file and why can't I get rid of them? These three dots right here >...

Anonymous

Securing Down 6.0
« Reply #14 on: April 25, 2004, 03:16:30 PM »
Agreed.

If you really have security concerns please post your issues to security@lists.contribs.org.

Enclose your suspicions, any evidence, logs, configs, etc.   So far, we have yet to find a real hack against 6.x.

-jeff

Brenno
Securing Down 6.0
« Reply #15 on: April 25, 2004, 05:46:49 PM »
It's certainly comforting to hear administrators talk here of the security of this product.  Your confidence says a lot about this issue.

I've had no evidence of compromise on my 6.0b2 system at all. The only funny thing I've seen in my logs is the occasional port scan or failed FTP authentication.

Overall, I must emphasize that I am extremely satisfied with SME, and will continue to use it for as long as it continues to be the robust and simple to use product that it is.

Krisen

clarification re: security concerns
« Reply #16 on: April 26, 2004, 05:36:09 PM »
Jeff,

In my previous post I stated that my sme5.6 server was hacked. I don't know if it was an SSH exploit but was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches. I am quite willing to upgrade to 6.x after your email stating that 6.x has no known security issues. Does this mean that any future exploits, e.g. apache, ssh, kernel etc., will be given a priority fix?

I love my SME servers and the simplicity they provide; however, I've lost credibility after my last hack and while I know that there isn't a 100% guarantee against a hack, I need to ensure that I have the ability to at least patch known exploits. And yes, I am willing to pay for an update feature.

Krisen


Quote from: "jcoleman"
There are always concerns about boxes being hacked.  That is life.  

However, there are NO security issues with 6.x to be fixed at the moment.

The SSH exploit is only on the older boxen, not on 6.x. There have been NO reports of hack attempts where there was any information that could lead us to believe that an exploit was available under the current rev.

While Brian reported his box being hacked, remember that his hacked box was an older version with known exploits available.

BTW, if SME Server is dead, why are our usage stats on the website going up by an average of 300K hits per month?  We should get almost 3 million hits this month alone.

One of the issues that caused consternation in the community with the Mitel version was that they end-of-life'd their versions about every 6 months. That caused great problems in the field with upgrading boxes to remain current.

SME Server is committed to giving a longer term life cycle to the distro than Mitel did.  Additionally, there have been no security releases because they haven't been required.

If it ain't broke, don't fix it.

Cheers,

-jeff

Ed

Re: clarification re: security concerns
« Reply #17 on: April 27, 2004, 09:10:04 PM »
Quote from: "Krisen"

I don't know if it was an SSH exploit but was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches.

What do you mean, that there are no patches for 5.6? I believe that the SSH exploit was patched in Update6.

I still have several boxes running 5.6, so if this is not true, tell me quick! :-)

SME is very secure, especially if you are careful about what add-ons / contribs you install.

Ed

Krisen

Re: clarification re: security concerns
« Reply #18 on: April 28, 2004, 01:34:38 PM »
According to Jeff's post, 5.6 has known unpatched vulnerabilities and only 6.x is proven to have no security issues. See Jeff's posting in this thread. I am considering upgrading to 6.x or switching to another distro that posts security fixes as exploits are discovered.

Quote from: "Ed"
Quote from: "Krisen"

I don't know if it was an SSH exploit but was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches.

What do you mean, that there are no patches for 5.6? I believe that the SSH exploit was patched in Update6.

I still have several boxes running 5.6, so if this is not true, tell me quick! :-)

SME is very secure, especially if you are careful about what add-ons / contribs you install.

Ed

Krisen

Re: clarification re: security concerns
« Reply #19 on: April 28, 2004, 01:35:49 PM »
The SSH vulnerability was discovered in March, after Update 6 was released for 5.x.

Quote from: "Krisen"
According to Jeff's post, 5.6 has known unpatched vulnerabilities and only 6.x is proven to have no security issues. See Jeff's posting in this thread. I am considering upgrading to 6.x or switching to another distro that posts security fixes as exploits are discovered.

Quote from: "Ed"
Quote from: "Krisen"

I don't know if it was an SSH exploit but was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches.

What do you mean, that there are no patches for 5.6? I believe that the SSH exploit was patched in Update6.

I still have several boxes running 5.6, so if this is not true, tell me quick! :-)

SME is very secure, especially if you are careful about what add-ons / contribs you install.

Ed

Anonymous

Re: clarification re: security concerns
« Reply #20 on: April 28, 2004, 09:26:36 PM »
Quote from: "Krisen"
The SSH vulnerability was discovered in March, after Update 6 was released for 5.x.


I don't see it mentioned anywhere in the OpenSSH security pages

http://www.openssh.com/security.html

It says that OpenSSH 3.7.1 (Which was included in the Update6) is not affected by the reported problems.

Can anyone point to a specific advisory which says that OpenSSH 3.7.1  has security issues?

Thanks,
Ed

quattro

Still, lotsa old packages need to be updated
« Reply #21 on: April 30, 2004, 03:37:41 AM »
I have not really looked at the source code, but briefly looking at SME 6.0.1, which I just installed for testing purposes, php is *really* old, 4.1.2? I believe there was a heap-based buffer overflow in php prior to 4.2.x. Apache is 1.3.27 (build date was Sep 2002). All Apache versions up to 1.3.29 have a remote exploit issue. These alone could let crackers go right to your front door.

I hope my explanation above is all wrong; otherwise, all SME users are not secure at all with the current release. I just checked the update mirror, and the only thing I see there is initscripts? So there has been no update for the above packages at all?

dreamcat

Securing Down 6.0
« Reply #22 on: April 30, 2004, 09:28:49 PM »
I would suggest a primary firewall in front of the SME server. My opinion of stock SME server security is low. I would suggest reading "Securing & Optimizing Linux: The Ultimate Solution" from The Linux Documentation Project. It is a little dated but almost all of it still applies in full.

Also, looking at the major version numbers is not always accurate on SME. SME uses a lot of Red Hat RPMs. Red Hat does not change version numbers for several of the packages; instead they add a "-01", "-02", etc. suffix to the original version RPM. Many production distributions do this instead of upgrading to new versions. They patch the security hole in the existing version, which does not show up as a change to the version number.

Securing & Optimizing Linux: The Ultimate Solution
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
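The point above, that a backported fix shows up in the release tag and the package changelog rather than in the upstream version, can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from SME Server: it ports rpm's version-comparison rules and scans a changelog for an advisory id; the changelog text and the package versions are constructed samples, not real vendor data.

```python
# Added example: judge whether an RPM-packaged service carries a fix without
# trusting the upstream version number alone. Sample data below is constructed.
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): split on non-alphanumerics, compare digit runs
    numerically and letter runs as strings, a digit run beats a letter run, and
    the string with segments left over is newer (tilde/caret rules omitted)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:  # drop leading zeros; then the longer number is the larger
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr: str):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, _, release = rest.partition("-")
    return epoch, version, release

def evr_cmp(a: str, b: str) -> int:
    """Compare two packages the way rpm does: epoch, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0

def assess(installed_evr: str, fixed_upstream: str, changelog: str, advisory: str) -> str:
    """'upstream-fix' if the installed version reaches the fixed upstream release,
    'backported-fix' if the package changelog cites the advisory id (the vendor
    practice described in the post above), otherwise 'unpatched'."""
    if rpmvercmp(split_evr(installed_evr)[1], fixed_upstream) >= 0:
        return "upstream-fix"
    if re.search(re.escape(advisory), changelog, re.IGNORECASE):
        return "backported-fix"
    return "unpatched"

# Constructed sample shaped like `rpm -q --changelog apache`; not real vendor text.
SAMPLE_CHANGELOG = """\
* Thu Nov 06 2003 Packager <packager@example.invalid> 1.3.27-4
- backport fix for mod_alias/mod_rewrite overflows (CAN-2003-0542)
* Fri Sep 27 2002 Packager <packager@example.invalid> 1.3.27-2
- initial build
"""

if __name__ == "__main__":
    print(assess("1.3.27-4", "1.3.29", SAMPLE_CHANGELOG, "CAN-2003-0542"))  # backported-fix
    print(assess("1.3.27-2", "1.3.29", "", "CAN-2003-0542"))                # unpatched
```

On a real host the changelog comes from `rpm -q --changelog <package>` and the installed EVR from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}' <package>`; an absent advisory id in the changelog is a reason to investigate, not proof of exposure.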

quattro

Securing Down 6.0
« Reply #23 on: May 02, 2004, 12:17:06 AM »
Quote from: "dreamcat"
I would suggest a primary firewall in front of the SME server. My opinion of stock SME server security is low. I would suggest reading "Securing & Optimizing Linux: The Ultimate Solution" from The Linux Documentation Project. It is a little dated but almost all of it still applies in full.

Also, looking at the major version numbers is not always accurate on SME. SME uses a lot of Red Hat RPMs. Red Hat does not change version numbers for several of the packages; instead they add a "-01", "-02", etc. suffix to the original version RPM. Many production distributions do this instead of upgrading to new versions. They patch the security hole in the existing version, which does not show up as a change to the version number.

Securing & Optimizing Linux: The Ultimate Solution
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf


Are you saying that after they patched an RPM package, the build date is still in 2002? I'm no rpm expert but that does not sound right.

BTW, even when you have a firewall, the damage is still great if you run vulnerable application/software.

I'm so glad that contribs.org's here, but if it continues to use old/vulnerable software, it really hurts the users. Don't get me wrong, I love SME's capabilities, I even wrote an article about it with our LUG members. But I'm very worried about the current status of the old/vulnerable packages being used in its latest ISO and yet no updates. So that you know, I don't even use it right now but I like to see contribs to be alive, well known for a good GPL server suite.

jcoleman

Securing Down 6.0
« Reply #24 on: May 02, 2004, 12:57:16 AM »
Quote
I'm so glad that contribs.org's here, but if it continues to use old/vulnerable software, it really hurts the users.


Can you tell me which packages you believe to be vulnerable?  And what base features of the SME Server do you believe are inoperable due to age or security problems?

-jeff

quattro

Securing Down 6.0
« Reply #25 on: May 03, 2004, 05:52:16 AM »
Quote from: "jcoleman"
Quote
I'm so glad that contribs.org's here, but if it continues to use old/vulnerable software, it really hurts the users.


Can you tell me which packages you believe to be vulnerable?  And what base features of the SME Server do you believe are inoperable due to age or security problems?

-jeff


Jeff,

I believe the following are vulnerable:

1. Apache < 1.3.29: vulnerable to multiple stack-based buffer overflows in mod_alias and mod_rewrite. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
2. openssl: see openssl.org
3. 6.0.1's kernel is vulnerable to the do_brk bug. I tested on vmware and it rebooted the server as expected.
4. tcpdump
5. php: 6.0.1 still uses 4.1, which IIRC is vulnerable to cross-site scripting.

mbachmann

Securing Down 6.0
« Reply #26 on: May 04, 2004, 01:14:10 PM »
I ran Nessus against my SME 6.0.1-01 from the internal network. It says:

"You are running OpenSSH 3.7p1 or 3.7.1p1. These versions are vulnerable to a flaw in the way they handle PAM authentication and may allow an attacker to gain a shell on this host.

Note that Nessus did not detect whether PAM is being enabled in the remote ssh or not, so this might be a false positive.

Solution: Upgrade to OpenSSH 3.7.1p2 or disable PAM support in sshd_config."

Then there are holes on port netbios-ssn (139/tcp), port ldap (389/tcp), https (443/tcp), squid-http (3128).

As all previously mentioned services are configured to be available only to local networks there should be no problems. I will run Nessus from outside later this week.
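The Nessus text itself says it could not tell whether PAM is enabled, so the finding has to be triaged against the host rather than taken at face value. The following Python is an added example, not from this thread or from Nessus: it reads the OpenSSH version out of the server banner and the effective UsePAM value out of sshd_config (the first occurrence of a keyword wins, as sshd parses it), then applies exactly the conditions the plugin states. The banner string and the config text are constructed samples.

```python
# Added example: triage the "OpenSSH 3.7p1 / 3.7.1p1 PAM" scanner finding
# against the host's own banner and sshd_config. Samples below are constructed.
import re

# Versions the scanner output names as affected, and the fix it names.
AFFECTED = {"3.7p1", "3.7.1p1"}
FIXED = "3.7.1p2"

def banner_version(banner: str):
    """'SSH-1.99-OpenSSH_3.7.1p1' -> '3.7.1p1'; None if not an OpenSSH banner."""
    m = re.match(r"SSH-\d+\.\d+-OpenSSH_(\S+)", banner.strip())
    return m.group(1) if m else None

def effective_option(sshd_config: str, keyword: str):
    """Return the value sshd would use for a keyword: keywords are
    case-insensitive, lines starting with '#' are comments, and the FIRST
    occurrence wins (later duplicates are ignored by sshd)."""
    for line in sshd_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None

def triage(banner: str, sshd_config: str) -> str:
    """'not-affected' (version outside the plugin's list), 'false-positive'
    (affected version but UsePAM no), 'true-positive' (UsePAM yes), or
    'verify-default' (UsePAM unset, so the compiled-in default decides and
    must be confirmed on the host)."""
    if banner_version(banner) not in AFFECTED:
        return "not-affected"
    use_pam = effective_option(sshd_config, "UsePAM")
    if use_pam == "no":
        return "false-positive"
    if use_pam == "yes":
        return "true-positive"
    return "verify-default"

# Constructed sample config: the first UsePAM line is the effective one.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
UsePAM yes
UsePAM no
PermitRootLogin no
"""

if __name__ == "__main__":
    print(triage("SSH-1.99-OpenSSH_3.7.1p1", SAMPLE_CONFIG))  # true-positive
```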