Koozali.org: home of the SME Server

Securing Down 6.0

Brenno
Securing Down 6.0
« Reply #15 on: April 25, 2004, 05:46:49 PM »
It's certainly comforting to hear administrators talk here of the security of this product.  Your confidence says a lot about this issue.

I've had no evidence of compromise on my 6.0b2 system at all. The only funny thing I've seen in my logs is the occasional port scan or failed FTP authentication.

Overall, I must emphasize that I am extremely satisfied with SME, and will continue to use it for as long as it continues to be the robust and simple-to-use product that it is.

Krisen

clarification re: security concerns
« Reply #16 on: April 26, 2004, 05:36:09 PM »
Jeff,

In my previous post I stated that my sme5.6 server was hacked. I don't know if it was an SSH exploit, but I was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches. I am quite willing to upgrade to 6.x after your email stating that 6.x has no known security issues. Does this mean that any future exploits, e.g. apache, ssh, kernel etc., will be given a priority fix?

I love my SME servers and the simplicity they provide; however, I've lost credibility after my last hack, and while I know that there isn't a 100% guarantee against a hack, I need to ensure that I have the ability to at least patch known exploits. And yes, I am willing to pay for an update feature.

Krisen


Quote from: "jcoleman"
There are always concerns about boxes being hacked.  That is life.  

However, there are NO security issues with 6.x to be fixed at the moment.

The SSH exploit is only on the older boxen, not on 6.x.    There have been NO reports of hack attempts where there was any information that could lead us to believe that an exploit was available under the current rev.

While Brian reported his box being hacked, remember that his hacked box was an older version with known exploits available.

BTW, if SME Server is dead, why are our usage stats on the website going up by an average of 300K hits per month?  We should get almost 3 million hits this month alone.

One of the issues that caused consternation in the community with the Mitel version was that they end-of-life'd their versions about every 6 months. That caused great problems in the field with upgrading boxes to remain current.

SME Server is committed to giving a longer term life cycle to the distro than Mitel did.  Additionally, there have been no security releases because they haven't been required.

If it ain't broke, don't fix it.

Cheers,

-jeff

Ed

Re: clarification re: security concerns
« Reply #17 on: April 27, 2004, 09:10:04 PM »
Quote from: "Krisen"

I don't know if it was an SSH exploit, but I was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches.


What do you mean that there are no patches for 5.6? I believe that the SSH exploit was patched in Update6.

I still have several boxes running 5.6 and so if this is not true, tell me quick!  :-)

SME is very secure, especially if you are careful about what addons / contribs you install.

Ed

Krisen

Re: clarification re: security concerns
« Reply #18 on: April 28, 2004, 01:34:38 PM »
According to Jeff's post, 5.6 has known unpatched vulnerabilities and only 6.x is proven to have no security issues. See Jeff's posting in this thread. I am considering upgrading to 6.x or switching to another distro that posts security fixes as exploits are discovered.

Quote from: "Ed"
Quote from: "Krisen"

I don't know if it was an SSH exploit, but I was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches.


What do you mean that there are no patches for 5.6? I believe that the SSH exploit was patched in Update6.

I still have several boxes running 5.6 and so if this is not true, tell me quick!  :-)

SME is very secure, especially if you are careful about what addons / contribs you install.

Ed

Krisen

Re: clarification re: security concerns
« Reply #19 on: April 28, 2004, 01:35:49 PM »
The SSH vulnerability was discovered in March, after Update6 was released for 5.x.

Quote from: "Krisen"
According to Jeff's post, 5.6 has known unpatched vulnerabilities and only 6.x is proven to have no security issues. See Jeff's posting in this thread. I am considering upgrading to 6.x or switching to another distro that posts security fixes as exploits are discovered.

Quote from: "Ed"
Quote from: "Krisen"

I don't know if it was an SSH exploit, but I was concerned to see that there were no patches for it. I was not aware that 5.6 was not supported with the latest security patches.


What do you mean that there are no patches for 5.6? I believe that the SSH exploit was patched in Update6.

I still have several boxes running 5.6 and so if this is not true, tell me quick!  :-)

SME is very secure, especially if you are careful about what addons / contribs you install.

Ed

Anonymous

Re: clarification re: security concerns
« Reply #20 on: April 28, 2004, 09:26:36 PM »
Quote from: "Krisen"
The SSH vulnerability was discovered in March, after Update6 was released for 5.x.


I don't see it mentioned anywhere in the OpenSSH security pages:

http://www.openssh.com/security.html

It says that OpenSSH 3.7.1 (which was included in Update6) is not affected by the reported problems.

Can anyone point to a specific advisory which says that OpenSSH 3.7.1 has security issues?

Thanks,
Ed

quattro

Still, lotsa old packages need to be updated
« Reply #21 on: April 30, 2004, 03:37:41 AM »
I have not really looked at the source code, but briefly looking at SME 6.0.1, which I just installed for testing purposes, php is *really* old, 4.1.2? I believe there was a heap-based buffer overflow in php prior to 4.2.x. Apache is 1.3.27 (build date was Sep 2002). All Apache versions up to 1.3.29 have a remote exploit issue. These alone could let crackers go right to your front door.

I hope my explanation above is all wrong; otherwise, all SME users are not secure at all with the current release. I just checked the update mirror, and the only thing I see there is initscripts? So there has been no update for the above packages at all?

dreamcat

Securing Down 6.0
« Reply #22 on: April 30, 2004, 09:28:49 PM »
I would suggest a primary firewall in front of the SME server. My opinion of stock SME server security is low. I would suggest reading "Securing & Optimizing Linux: The Ultimate Solution" from The Linux Documentation Project. It is a little dated but almost all of it still applies in full.

Also, looking at the major version numbers is not always accurate on SME. SME uses a lot of Red Hat RPMs. Red Hat does not change version numbers for several of the packages; instead they add a "-01", "-02", etc. suffix to the original version RPM. Many production distributions do this instead of upgrading to new versions. They patch the security hole in the existing version, which does not denote a change to the version number.



Securing & Optimizing Linux: The Ultimate Solution
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf
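The point dreamcat makes above, that a distribution can ship an old upstream version with the fix backported and only the release suffix changed, means a version-string comparison on its own cannot tell a patched package from an unpatched one. The script below is an added example, not code from the thread or from the SME Server project: it compares the upstream version against the fixed release and then looks in the package changelog for the advisory id, which is where a backport is normally recorded. The two package records are constructed to resemble `rpm -q` and `rpm -q --changelog` output and are not real SME or Red Hat data; the fixed version 1.3.29 and the id CAN-2003-0542 are the ones quattro cites later in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: why an upstream version number alone
# cannot tell you whether a distribution package carries a backported fix.
# The package records below are CONSTRUCTED to resemble `rpm -q <pkg>` and
# `rpm -q --changelog <pkg>` output; they are not real SME Server or Red Hat data.

# A package that is simply old: upstream 1.3.27, first release, no fix recorded.
PLAIN_NVR='apache-1.3.27-1'
PLAIN_CHANGELOG='* Tue Oct 01 2002 Example Packager <pkg@example.invalid> 1.3.27-1
- initial build of 1.3.27'

# Same upstream version, rebuilt with a backported fix recorded by its advisory id.
BACKPORT_NVR='apache-1.3.27-3'
BACKPORT_CHANGELOG='* Mon Nov 03 2003 Example Packager <pkg@example.invalid> 1.3.27-3
- backport fix for CAN-2003-0542 (mod_alias/mod_rewrite regex overflow)
* Tue Oct 01 2002 Example Packager <pkg@example.invalid> 1.3.27-2
- rebuild'

# upstream_version NAME-VERSION-RELEASE -> VERSION (assumes the name has no digits)
upstream_version() {
  printf '%s\n' "$1" | sed -e 's/-[^-]*$//' -e 's/^[^0-9]*-//'
}

# version_lt A B: exit 0 when dotted-numeric version A is older than B
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1
  }'
}

# changelog_mentions ID TEXT: exit 0 when the changelog records that advisory id
changelog_mentions() {
  printf '%s\n' "$2" | grep -q -i -e "$1"
}

# assess NVR CHANGELOG FIXED_UPSTREAM ID -> one word:
#   current   upstream version is already at or past the fixed release
#   backport  older upstream version, but the changelog records the fix
#   check     older upstream version and no record of the fix: follow up
assess() {
  v=$(upstream_version "$1")
  if ! version_lt "$v" "$3"; then
    echo current
  elif changelog_mentions "$4" "$2"; then
    echo backport
  else
    echo check
  fi
}

# Both packages look equally "old" by version string; only the changelog separates them.
printf '%s: %s\n' "$PLAIN_NVR"    "$(assess "$PLAIN_NVR"    "$PLAIN_CHANGELOG"    1.3.29 CAN-2003-0542)"
printf '%s: %s\n' "$BACKPORT_NVR" "$(assess "$BACKPORT_NVR" "$BACKPORT_CHANGELOG" 1.3.29 CAN-2003-0542)"
```

On a real box the two strings come from `rpm -q apache` and `rpm -q --changelog apache`. A "check" verdict is not proof of a hole, only that neither the version nor the changelog shows the fix, so the vendor's errata for that release is the next place to look.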

quattro

Securing Down 6.0
« Reply #23 on: May 02, 2004, 12:17:06 AM »
Quote from: "dreamcat"
I would suggest a primary firewall in front of the SME server. My opinion of stock SME server security is low. I would suggest reading "Securing & Optimizing Linux: The Ultimate Solution" from The Linux Documentation Project. It is a little dated but almost all of it still applies in full.

Also, looking at the major version numbers is not always accurate on SME. SME uses a lot of Red Hat RPMs. Red Hat does not change version numbers for several of the packages; instead they add a "-01", "-02", etc. suffix to the original version RPM. Many production distributions do this instead of upgrading to new versions. They patch the security hole in the existing version, which does not denote a change to the version number.



Securing & Optimizing Linux: The Ultimate Solution
http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-The-Ultimate-Solution-v2.0.pdf


Are you saying that after they patched an RPM package, the build date is still 2002? I'm no RPM expert, but that does not sound right.

BTW, even when you have a firewall, the damage is still great if you run vulnerable application/software.

I'm so glad that contribs.org is here, but if it continues to use old/vulnerable software, it really hurts the users. Don't get me wrong, I love SME's capabilities; I even wrote an article about it with our LUG members. But I'm very worried about the current status of the old/vulnerable packages being used in its latest ISO, and yet no updates. So that you know, I don't even use it right now, but I would like to see contribs stay alive and well known for a good GPL server suite.

jcoleman

Securing Down 6.0
« Reply #24 on: May 02, 2004, 12:57:16 AM »
Quote
I'm so glad that contribs.org is here, but if it continues to use old/vulnerable software, it really hurts the users.


Can you tell me which packages you believe to be vulnerable? And what base features of the SME Server do you believe are inoperable due to age or security problems?

-jeff

quattro

Securing Down 6.0
« Reply #25 on: May 03, 2004, 05:52:16 AM »
Quote from: "jcoleman"
Quote
I'm so glad that contribs.org is here, but if it continues to use old/vulnerable software, it really hurts the users.


Can you tell me which packages you believe to be vulnerable? And what base features of the SME Server do you believe are inoperable due to age or security problems?

-jeff


Jeff,

I believe the following are vulnerable:

1. Apache < 1.3.29 is vulnerable to multiple stack-based buffer overflows in mod_alias and mod_rewrite. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542
2. openssl see openssl.org
3. 6.0.1's kernel is vulnerable to do_brk bug. I tested on vmware and it rebooted the server as expected.
4. tcpdump
5. php: 6.0.1 still uses 4.1, which, IIRC, is vulnerable to cross-site scripting.

mbachmann

Securing Down 6.0
« Reply #26 on: May 04, 2004, 01:14:10 PM »
I ran Nessus against my SME 6.0.1-01 from the internal network. It says:

"You are running OpenSSH 3.7p1 or 3.7.1p1. These versions are vulnerable to a flaw in the way they handle PAM authentication and may allow an attacker to gain a shell on this host.

Note that Nessus did not detect whether PAM is enabled in the remote ssh or not, so this might be a false positive.

Solution: Upgrade to OpenSSH 3.7.1p2 or disable PAM support in sshd_config."

Then there are holes on port netbios-ssn (139/tcp), port ldap (389/tcp), https (443/tcp), squid-http (3128).

As all the previously mentioned services are configured to be available only to local networks, there should be no problems. I will run Nessus from outside later this week.
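Nessus says above that it could not tell whether PAM was actually enabled in the remote sshd, so the scan result may be a false positive. The effective setting has to be read from sshd_config, and a detail that trips people up is that sshd uses the first value it reads for a keyword, so a line appended at the end of the file does not override an earlier one. The script below is an added example, not code from the thread, Nessus or the SME Server project: it returns the effective value of a keyword under that first-value-wins rule, skipping comments and blank lines. The sample configuration is constructed and is not an SME file; if the keyword is absent the function prints nothing, and the compiled-in default (which this script does not know) applies.

```shell
#!/bin/sh
# Added example, not from the thread: report the effective value of an
# sshd_config keyword. sshd takes the FIRST value it reads for a keyword, so a
# later line does not override an earlier one; a plain grep can mislead.
# The configuration below is CONSTRUCTED and is not an SME Server file.

SAMPLE_SSHD_CONFIG='# sample sshd_config (constructed)
Port 22
Protocol 2
UsePAM yes
PermitRootLogin no
# someone later appended this, expecting it to win:
UsePAM no
'

# effective_value KEYWORD CONFIG_TEXT -> prints the first matching value.
# Keywords are matched case-insensitively; comment and blank lines are skipped.
# Only the whitespace-separated "Keyword value" form is handled here, not
# "Keyword=value", and no Match-block scoping is applied.
effective_value() {
  printf '%s\n' "$2" | awk -v key="$1" '
    BEGIN { key = tolower(key) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blanks
    tolower($1) == key { print $2; exit }  # first occurrence wins
  '
}

# pam_enabled CONFIG_TEXT: exit 0 when the first UsePAM line says yes.
# An absent keyword yields exit 1 here, but really means "compiled-in default",
# which this script cannot resolve; treat that case as "go and check".
pam_enabled() {
  [ "$(effective_value usepam "$1")" = yes ]
}

if pam_enabled "$SAMPLE_SSHD_CONFIG"; then
  echo "UsePAM is in effect: the later 'UsePAM no' line is ignored by sshd"
else
  echo "PAM disabled or keyword absent"
fi
```

On a real host the second argument would be the contents of /etc/ssh/sshd_config; the check is equally useful for confirming that an intended restriction such as PermitRootLogin actually takes effect rather than being shadowed by an earlier line.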