[AsteriskBrasil] Security, iptables, public IP on the server, server in the DMZ...

Eliel Oliveira slayer.r0x em gmail.com
Thu Oct 8 15:47:27 BRT 2009


you really need balls for that.
I only had a quick look at the report..
I'm not going to waste my time looking for holes and so on...
I've got better things to do.. I'm swamped here hasuHUHASUhAHS
but in any case, it's neither pleasant nor advisable to make a spaghetti of
services like that
the ideal is to separate the services...
one box just for the mail server
another one with http, and the DB can go there too
things like that..
otherwise a hole in one of them compromises the other
but that's already a matter of security (and feasibility) =D

do look into the possibility of using a firewall.
which would certainly have reduced the number of people using the various
tools you mentioned.
after all.. with a well-structured firewall, it looks at the header first, and if
that's already forbidden, it discards the packet without opening it.
and then there's the question of layers, and you see which ones need to be monitored.

Some proxies and firewalls that I keep running have inspection up to the
application layer, to verify that it isn't an improper service.
it eats more processing than normal, but gives greater security.. (although
nothing is 100% secure)

even so.. it's worth paying attention to this point.. and if that server also
runs asterisk.. it's even worse =p
because asterisk also needs processing, disk, among other things.
but I don't know much about asterisk hUASHuAHs
so I won't butt in..
I'm here to learn =D
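The firewall Eliel recommends above, as a worked example: a default-deny input policy for a host that really does run mail, IMAP/POP, FTP, DNS, SSH and IRC on one box, plus a check of the scan's open-port list against the allow-list. This is an added illustration, not code from the thread or from either poster; it is written for a POSIX shell with iptables, the allowed port list is an assumption built from the services the scan report found (the IMAP-over-SSL listener on 9993 included), and the open-port list fed to unexpected_ports is constructed from that report, not taken from a live scan.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny IPv4 input policy for a
# multi-service host. Ports are assumed from the services the scan report
# above found; adjust them to what the box is meant to serve.
# Without APPLY=1 the script only prints the iptables commands it would run.
set -e

if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"
else
    IPT="echo iptables"      # dry run: print instead of applying
fi

# Services this host intends to expose (assumed allow-list built from the report).
ALLOWED_TCP="21 22 25 53 143 995 6667 6668 6669 9993"
ALLOWED_UDP="53"

build_rules() {
    $IPT -F INPUT
    $IPT -P INPUT DROP                      # anything not allowed below is dropped
    $IPT -P FORWARD DROP                    # this box is not a router
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    for p in $ALLOWED_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        $IPT -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # Rate-limited ping so the host stays diagnosable without inviting floods.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log (throttled) what the policy drops, so a new listener shows up in your
    # own logs instead of in someone else's scan report. Portmapper (111) and
    # identd (113) from the report land here because they are not allow-listed.
    $IPT -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ipt-drop: "
}

# Compare an open-port list (e.g. from a scan) against the allow-list and print,
# space-separated, the TCP ports the policy would not accept.
unexpected_ports() {
    out=""
    for p in $1; do
        case " $ALLOWED_TCP " in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Constructed open-port list, copied from the scan report quoted in this thread.
SCANNED_TCP="21 22 25 53 111 113 143 995 6667 6668 6669 9993"

build_rules
echo "Open ports the policy would drop: $(unexpected_ports "$SCANNED_TCP")"
```

Run it as-is to review the rules; `APPLY=1 sh firewall.sh` applies them (do that from a console rather than over the SSH session you are about to filter, and persist the result with your distribution's iptables-save mechanism). The point of the dry run plus unexpected_ports is that the allow-list, not the set of daemons that happen to be listening, defines what the outside world can reach.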


On Thu, Oct 8, 2009 at 3:34 PM, Rodrigo Graeff <delphusbsd em gmail.com> wrote:

> Thanks for the report, Eliel.
>
> The spaghetti of services saves my skin, because they are services,
> versions and software that I trust, precisely so I can leave it without a firewall.
>
> This server is my own personal one and hosts, among everything else, my personal
> asterisk.
>
> The service on port 6669 is an Unreal IRCd, but it wants SSL connections; anyone
> who wants to come in and chat, I'm in the #asterisk channel
>
> You have to have balls to leave the IP exposed, huh? And as Itamar said,
> iptables is for sissies.
>
>
>
> On Thu, 2009-10-08 at 15:00 -0300, Eliel Oliveira wrote:
> > Report for 72.55.148.11
> >
> > Port 6669
> > Reported by NVT "Trojan horses" (1.3.6.1.4.1.25623.1.0.11157):
> >
> > An unknown service runs on this port.
> > It is sometimes opened by this/these Trojan horse(s):
> >  Host Control
> >  Vampire
> >
> > Unless you know for sure what is behind it, you'd better
> > check your system
> >
> > *** Anyway, don't panic, Nessus only found an open port. It may
> > *** have been dynamically allocated to some service (RPC...)
> >
> > Solution: if a trojan horse is running, run a good antivirus scanner
> > Risk factor : Low
> >
> > Port 111
> > The RPC portmapper is running on this port.
> >
> > An attacker may use it to enumerate your list
> > of RPC services. We recommend you filter traffic
> > going to this port.
> >
> > Risk factor : Low
> > CVE : CAN-1999-0632, CVE-1999-0189
> > BID : 205
> >
> > Port 22
> > Reported by NVT "SSH Server type and
> > version" (1.3.6.1.4.1.25623.1.0.10267):
> >
> > Remote SSH version : SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> >
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An ssh server is running on this port
> >
> > Port 25
> > smtpscan was not able to reliably identify this server. It might be:
> > Qmail 1.0.3
> > The fingerprint differs from these known signatures on 1 point(s)
> >
> > If you known precisely what it is, please send this fingerprint
> > to smtp-signatures em nessus.org :
> > :250:250:250:250:250:553:553:214:252:502:502:502:502:250:250
> >
> > ====================================================================
> > Reported by NVT "SMTP Server type and
> > version" (1.3.6.1.4.1.25623.1.0.10263):
> >
> > Remote SMTP server banner :
> > 220 mail.thewebsilo.com ESMTP SPF1
> >
> >
> >
> > This is probably: Qmail
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An SMTP server is running on this port
> > Here is its banner :
> > 220 mail.thewebsilo.com ESMTP SPF1
> >
> > ====================================================================
> > Reported by NVT "Identifies services like FTP, SMTP,
> > NNTP..." (1.3.6.1.4.1.25623.1.0.14773):
> >
> > A SMTP server is running on this port
> >
> > Port 995
> > A pop3 server is running on this port
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > A TLSv1 server answered on this port
> >
> > Port 6667
> > An unknown service runs on this port.
> > It is sometimes opened by this/these Trojan horse(s):
> >  Dark FTP
> >  EGO
> >  Maniac rootkit
> >  Moses
> >  ScheduleAgent
> >  SubSeven
> >  Subseven 2.1.4 DefCon 8
> >  The Thing (modified)
> >  Trinity
> >  WinSatan
> >
> > Here is the service banner:
> > :irc.thewebsilo.com NOTICE AUTH :*** Looking up your hostname...
> >
> >
> > Unless you know for sure what is behind it, you'd better
> > check your system
> >
> > *** Anyway, don't panic, Nessus only found an open port. It may
> > *** have been dynamically allocated to some service (RPC...)
> >
> > Solution: if a trojan horse is running, run a good antivirus scanner
> > Risk factor : Low
> >
> > ====================================================================
> > Reported by NVT "Unknown services
> > banners" (1.3.6.1.4.1.25623.1.0.11154):
> >
> > An unknown server is running on this port.
> >
> > Port 6668
> > An unknown server is running on this port.
> > If you know what it is, please send this banner to the Nessus team:
> > 0x00:  3A 69 72 63 2E 74 68 65 77 65 62 73 69 6C 6F 2E    :irc.thewebsilo.
> > 0x10:  63 6F 6D 20 4E 4F 54 49 43 45 20 41 55 54 48 20    com NOTICE AUTH
> > 0x20:  3A 2A 2A 2A 20 4C 6F 6F 6B 69 6E 67 20 75 70 20    :*** Looking up
> > 0x30:  79 6F 75 72 20 68 6F 73 74 6E 61 6D 65 2E 2E 2E    your hostname...
> > 0x40:  0D 0A                                              ..
> >
> > Port 9993
> > The remote imap server banner is :
> > * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL
> > ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
> > Inc.  See COPYING for distribution information.
> > Versions and types should be omitted where possible.
> > Change the imap banner to something generic.
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An IMAP server is running on this port through SSL
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > A TLSv1 server answered on this port
> >
> > Port 143
> > The remote imap server banner is :
> > * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL
> > ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
> > Inc.  See COPYING for distribution information.
> > Versions and types should be omitted where possible.
> > Change the imap banner to something generic.
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An IMAP server is running on this port
> >
> > Port 113
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An identd server is running on this port
> >
> >
> > General UDP
> > Reported by NVT "Traceroute" (1.3.6.1.4.1.25623.1.0.10287):
> >
> > For your information, here is the traceroute to 72.55.148.11 :
> > 192.168.1.128
> > 192.168.1.1
> > 201.21.160.1
> > 189.4.0.98
> > 201.64.76.1
> > 200.244.168.150
> > 200.230.251.70
> > 200.230.251.78
> > 4.71.230.5
> > 4.68.16.62
> > 4.69.134.113
> > 4.69.141.5
> > 4.59.176.10
> >
> > Port 21
> > Remote FTP server banner :
> > 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An FTP server is running on this port.
> > Here is its banner :
> > 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> >
> > ====================================================================
> > Reported by NVT "Identifies services like FTP, SMTP,
> > NNTP..." (1.3.6.1.4.1.25623.1.0.14773):
> >
> > A SMTP server is running on this port
> >
> > Port 53
> > Reported by NVT "DNS Server Detection" (1.3.6.1.4.1.25623.1.0.11002):
> >
> >
> > A DNS server is running on this port. If you do not use it, disable
> > it.
> >
> > Risk factor : Low
> >
> >
> >
> > WHAT A SPAGHETTI OF SERVICES
> >
> >
> > =p
> >
> > _______________________________________________
> > AsteriskBrasil.org discussion list
> > AsteriskBrasil em listas.asteriskbrasil.org
> > http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil
> --
>
> Rodrigo Graeff
> ICQ: 9636816
> http://www.delphus.org
>
>
>