Koozali.org: home of the SME Server
Obsolete Releases => SME Server 5.x => Topic started by: tdekeizer on March 07, 2006, 01:43:26 AM
-
We have a client who has a version 5.5 SME server installed in server-only mode in their network. It has operated faultlessly for 4 years.
They have just been informed that the server is participating in DDoS attacks because the DNS server installed on it is "Open". The exact text is:
"The IP addresses listed below have been reported as being open DNS servers and used in an ongoing DDoS attack via DNS amplification."
I was wondering if this issue is easily solved without resorting to a complete upgrade to a version 6 or 7 server.
Kind Regards
Tony De Keizer
-
You will get an answer like...
I would strongly advise you update, as there may be security issues with whatever version of DNS is on 5.5; that's why it's no longer supported, because packages are fixed and updated.
Sorry, can't help you any more, but you'll probably find that's what everyone will suggest.
-
Can I just add to what byte said....
You also need to get that server off the internet, you are doing your client no favours leaving it connected.
As byte said upgrade is your only route, SME5 has not been supported for a long time.
Dave
-
Thanks Guys.
Thought this would be the response. Unit is not directly attached to Internet but on large network that was recently audited for these vulnerabilities. Will address asap.
Is it possible to do an in-place upgrade from 5.5 -> 6.5 or later versions? The unit is a pretty basic install plus Hylafax and some standard contribs.
-
No-one I know of has tried a 5.5 > 7.0preX upgrade, although some have done a 5.6 > 7.0preX upgrade...
Not tried, but what I would attempt is one of two ways...
Upgrade 5.5 > 6.0.1 > 7.0preX
or
Upgrade 5.5 > 5.6 > 7.0preX
I would personally go for the 5.5 > 5.6 only because I know of the differences between 5.5 and 5.6...
You could attempt a 5.5 > 7.0preX and open any issues on the Bug Tracker... (Not sure whether they will be able to help as you really are on an old release, 2001 IIRC?)
HTH
-
Unit is not directly attached to Internet but on large network that was recently audited for these vulnerabilities.
There's also the possibility that there has been a false diagnosis. Were you given details of what is supposedly happening?
-
Hi, i'm new here!
I saw this on NANOG explaining the attack and what to do
http://www.isotf.org/news/DNS-Amplification-Attacks.pdf
-
There's also the possibility that there has been a false diagnosis.
From reading the paper and looking at the bind (named) configuration in 5.5 it looks like the diagnosis is reasonable. The bind configuration in 5.5 does support promiscuous recursive lookups, which you have presumably exposed to the Internet by opening a UDP port 53 hole in your firewall (or worse still, you do not have a firewall). The quickest fix is to disable the named service, and add a custom template for /etc/resolv.conf to use another (properly secured) name server.
The best solution is to upgrade to a supported version.
5.5 has been unsupported and deprecated for a long time now. You have no excuses for still running it.
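The thread asks whether the "open DNS server" report could be a false diagnosis and then explains why it probably is not: the 5.5 BIND configuration answers recursive queries for anyone who can reach UDP/53. The script below is an added example (not code from this thread, from SME Server or from the linked paper) showing how such a check is done: it builds a DNS query with the RD bit set for a name the target is not authoritative for, sends it to the suspect server and inspects the reply. A reply with QR=1, RA=1, RCODE=0 and at least one answer record means the server recursed on behalf of an arbitrary client, i.e. it is an open resolver; a REFUSED reply or a cleared RA bit means it did not. It also reports the bytes-received over bytes-sent ratio, which is the amplification factor an attacker would get from that query. The target address, query name and the sample replies used for the offline demonstration are constructed for illustration.

```python
"""Open-resolver / DNS-amplification probe (added example, not from the thread)."""
import random
import socket
import struct
import sys


def build_query(qname, qtype=1, txid=None):
    """Build a minimal DNS query with RD=1.  qtype 1 = A, 255 = ANY."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0, OPCODE=0, RD=1: please recurse for me
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def parse_header(msg):
    """Return the header fields that decide the open-resolver verdict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # reply
        "rd": bool(flags & 0x0100),  # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,     # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, reply):
    """Return (is_open_resolver, reason, amplification_ratio)."""
    h = parse_header(reply)
    amp = len(reply) / len(query)
    if not h["qr"] or h["id"] != struct.unpack("!H", query[:2])[0]:
        return False, "not a reply to our query", amp
    if h["rcode"] == 5:
        return False, "REFUSED: recursion denied to this client", amp
    if not h["ra"]:
        return False, "RA clear: server does not offer recursion", amp
    if h["rcode"] == 0 and h["ancount"] > 0:
        return True, "recursion available and an answer was returned", amp
    return False, "rcode=%d ancount=%d" % (h["rcode"], h["ancount"]), amp


def probe(server_ip, qname="www.example.com.", qtype=1, timeout=3.0):
    """Send one recursive query to server_ip:53 and classify the reply."""
    q = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify(q, reply)


# --- constructed replies for running the check offline -------------------
def _reply_header(query, flags, ancount):
    return query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]


def sample_open_reply(query):
    """What an open resolver sends: QR=1 RD=1 RA=1 NOERROR, one A record."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return _reply_header(query, 0x8180, 1) + rr


def sample_refused_reply(query):
    """What a locked-down server sends to an outside client: REFUSED, RA clear."""
    return _reply_header(query, 0x8105, 0)


def sample_amplified_reply(query, n_records=4, txt_len=200):
    """Open-resolver reply to an ANY query carrying several large TXT records."""
    rr = b""
    for i in range(n_records):
        rdata = bytes([txt_len]) + bytes([65 + i]) * txt_len
        rr += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return _reply_header(query, 0x8180, n_records) + rr


if __name__ == "__main__":
    if len(sys.argv) > 1:          # python probe.py <server-ip>  (live check)
        print(probe(sys.argv[1]))
    else:                          # offline demonstration on constructed packets
        q = build_query("example.com.", 255)
        for name, rep in (("open", sample_open_reply(q)),
                          ("refused", sample_refused_reply(q)),
                          ("open+ANY", sample_amplified_reply(q))):
            is_open, why, amp = classify(q, rep)
            print("%-9s open=%-5s amp=%.1fx  %s" % (name, is_open, amp, why))
```

Run it against the address from the report (`python probe.py <server-ip>`) from a host outside the LAN; only an "open=True" verdict from an outside vantage point confirms the diagnosis, since a resolver that answers internal clients is exactly what the fix in the post above (disable named, point /etc/resolv.conf elsewhere) is meant to replace, not keep. The amplification figure is why the ANY/TXT case matters: a 29-byte spoofed query drawing a reply of several hundred bytes is the mechanism the report describes.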