You really do need balls.<br>I only took a glance at the report..<br>I'm not going to waste my time looking at holes, among other things...<br>I've got better things to do.. I'm swamped with stuff here hasuHUHASUhAHS<br>but in any case, it's not pleasant/advisable to make a spaghetti of services like that<br>
the ideal is to separate the services... <br>1 box just for the mail server<br>another with http, and the DB can go there too<br>things like that..<br>otherwise a hole in one messes up the other<br>but that's already a matter for security (and feasibility) =D<br>
<br>do look into the possibility of using a firewall.<br>which would certainly have reduced the number of people using the various tools you mentioned there.<br>after all.. with a well-structured firewall, it looks at the header first, and if that's already forbidden, it discards the packet without opening it.<br>
and then there are the questions of layers, and you see which ones need to be monitored.<br><br>Some proxies and firewalls that I keep running have inspection all the way up to the application layer, to check that it isn't an improper service.<br>
it eats more processing than usual, but gives greater security.. (although nothing is 100% secure)<br><br>even so.. it's good to pay attention to this point.. and if that server also runs asterisk.. it's even worse =p<br>
because asterisk also needs processing, disk, among other things.<br>but I don't know much about asterisk hUASHuAHs<br>so I won't weigh in..<br>I'm here to learn =D<br><br><br><div class="gmail_quote">On Thu, Oct 8, 2009 at 3:34 PM, Rodrigo Graeff <span dir="ltr"><<a href="mailto:delphusbsd@gmail.com">delphusbsd@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Thanks for the report, Eliel.<br>
<br>
The spaghetti of services saves my skin, because these are the services,<br>
versions and software that I trust, precisely so I can leave it without a firewall.<br>
<br>
This server is my own personal one and hosts, on top of everything else, my personal asterisk.<br>
<br>
The service on port 6669 is an Unreal IRCd, but it wants SSL connections; anyone<br>
who wants to come in and chat, I'm on the #asterisk channel<br>
<br>
You need balls to leave the IP out there, huh? And as itamar said,<br>
iptables is for wimps.<br>
<div><div></div><div class="h5"><br>
<br>
<br>
On Thu, 2009-10-08 at 15:00 -0300, Eliel Oliveira wrote:<br>
> Report for 72.55.148.11<br>
><br>
> Port 6669<br>
> Reported by NVT "Trojan horses" (1.3.6.1.4.1.25623.1.0.11157):<br>
><br>
> An unknown service runs on this port.<br>
> It is sometimes opened by this/these Trojan horse(s):<br>
> Host Control<br>
> Vampire<br>
><br>
> Unless you know for sure what is behind it, you'd better<br>
> check your system<br>
><br>
> *** Anyway, don't panic, Nessus only found an open port. It may<br>
> *** have been dynamically allocated to some service (RPC...)<br>
><br>
> Solution: if a trojan horse is running, run a good antivirus scanner<br>
> Risk factor : Low<br>
><br>
> Port 111<br>
> The RPC portmapper is running on this port.<br>
><br>
> An attacker may use it to enumerate your list<br>
> of RPC services. We recommend you filter traffic<br>
> going to this port.<br>
><br>
> Risk factor : Low<br>
> CVE : CAN-1999-0632, CVE-1999-0189<br>
> BID : 205<br>
><br>
> Port 22<br>
> Reported by NVT "SSH Server type and<br>
> version" (1.3.6.1.4.1.25623.1.0.10267):<br>
><br>
> Remote SSH version : SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110<br>
><br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> An ssh server is running on this port<br>
><br>
> Port 25<br>
> smtpscan was not able to reliably identify this server. It might be:<br>
> Qmail 1.0.3<br>
> The fingerprint differs from these known signatures on 1 point(s)<br>
><br>
> If you known precisely what it is, please send this fingerprint<br>
> to <a href="mailto:smtp-signatures@nessus.org">smtp-signatures@nessus.org</a> :<br>
> :250:250:250:250:250:553:553:214:252:502:502:502:502:250:250<br>
><br>
> ====================================================================<br>
> Reported by NVT "SMTP Server type and<br>
> version" (1.3.6.1.4.1.25623.1.0.10263):<br>
><br>
> Remote SMTP server banner :<br>
> 220 <a href="http://mail.thewebsilo.com" target="_blank">mail.thewebsilo.com</a> ESMTP SPF1<br>
><br>
><br>
><br>
> This is probably: Qmail<br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> An SMTP server is running on this port<br>
> Here is its banner :<br>
> 220 <a href="http://mail.thewebsilo.com" target="_blank">mail.thewebsilo.com</a> ESMTP SPF1<br>
><br>
> ====================================================================<br>
> Reported by NVT "Identifies services like FTP, SMTP,<br>
> NNTP..." (1.3.6.1.4.1.25623.1.0.14773):<br>
><br>
> A SMTP server is running on this port<br>
><br>
> Port 995<br>
> A pop3 server is running on this port<br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> A TLSv1 server answered on this port<br>
><br>
> Port 6667<br>
> An unknown service runs on this port.<br>
> It is sometimes opened by this/these Trojan horse(s):<br>
> Dark FTP<br>
> EGO<br>
> Maniac rootkit<br>
> Moses<br>
> ScheduleAgent<br>
> SubSeven<br>
> Subseven 2.1.4 DefCon 8<br>
> The Thing (modified)<br>
> Trinity<br>
> WinSatan<br>
><br>
> Here is the service banner:<br>
> :<a href="http://irc.thewebsilo.com" target="_blank">irc.thewebsilo.com</a> NOTICE AUTH :*** Looking up your hostname...<br>
><br>
><br>
> Unless you know for sure what is behind it, you'd better<br>
> check your system<br>
><br>
> *** Anyway, don't panic, Nessus only found an open port. It may<br>
> *** have been dynamically allocated to some service (RPC...)<br>
><br>
> Solution: if a trojan horse is running, run a good antivirus scanner<br>
> Risk factor : Low<br>
><br>
> ====================================================================<br>
> Reported by NVT "Unknown services<br>
> banners" (1.3.6.1.4.1.25623.1.0.11154):<br>
><br>
> An unknown server is running on this port.<br>
><br>
> Port 6668<br>
> An unknown server is running on this port.<br>
> If you know what it is, please send this banner to the Nessus team:<br>
> 0x00: 3A 69 72 63 2E 74 68 65 77 65 62 73 69 6C 6F 2E    :irc.thewebsilo.<br>
> 0x10: 63 6F 6D 20 4E 4F 54 49 43 45 20 41 55 54 48 20    com NOTICE AUTH<br>
> 0x20: 3A 2A 2A 2A 20 4C 6F 6F 6B 69 6E 67 20 75 70 20    :*** Looking up<br>
> 0x30: 79 6F 75 72 20 68 6F 73 74 6E 61 6D 65 2E 2E 2E    your hostname...<br>
> 0x40: 0D 0A                                               ..<br>
><br>
> Port 9993<br>
> The remote imap server banner is :<br>
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE<br>
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL<br>
> ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,<br>
> Inc. See COPYING for distribution information.<br>
> Versions and types should be omitted where possible.<br>
> Change the imap banner to something generic.<br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> An IMAP server is running on this port through SSL<br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> A TLSv1 server answered on this port<br>
><br>
> Port 143<br>
> The remote imap server banner is :<br>
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE<br>
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL<br>
> ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,<br>
> Inc. See COPYING for distribution information.<br>
> Versions and types should be omitted where possible.<br>
> Change the imap banner to something generic.<br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> An IMAP server is running on this port<br>
><br>
> Port 113<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> An identd server is running on this port<br>
><br>
><br>
> General UDP<br>
> Reported by NVT "Traceroute" (1.3.6.1.4.1.25623.1.0.10287):<br>
><br>
> For your information, here is the traceroute to 72.55.148.11 :<br>
><br>
> Port 21<br>
> Remote FTP server banner :<br>
> 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------<br>
><br>
> ====================================================================<br>
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):<br>
><br>
> An FTP server is running on this port.<br>
> Here is its banner :<br>
> 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------<br>
><br>
> ====================================================================<br>
> Reported by NVT "Identifies services like FTP, SMTP,<br>
> NNTP..." (1.3.6.1.4.1.25623.1.0.14773):<br>
><br>
> A SMTP server is running on this port<br>
><br>
> Port 53<br>
> Reported by NVT "DNS Server Detection" (1.3.6.1.4.1.25623.1.0.11002):<br>
><br>
><br>
> A DNS server is running on this port. If you do not use it, disable<br>
> it.<br>
><br>
> Risk factor : Low<br>
><br>
><br>
><br>
> WHAT A SPAGHETTI OF SERVICES<br>
><br>
><br>
> =p<br>
><br>
</div></div><div><div></div><div class="h5">> _______________________________________________<br>
> <a href="http://www.voipmania.com.br" target="_blank">http://www.voipmania.com.br</a><br>
> Gigaset A580IP wireless IP phone for 6 x R$59,90.<br>
> Limited-time promotion!<br>
> Visit now <a href="http://promo.voipmania.com.br" target="_blank">http://promo.voipmania.com.br</a><br>
><br>
> _______________________________________________<br>
> AsteriskBrasil.org discussion list<br>
> <a href="mailto:AsteriskBrasil@listas.asteriskbrasil.org">AsteriskBrasil@listas.asteriskbrasil.org</a><br>
> <a href="http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil" target="_blank">http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil</a><br>
--<br>
<br>
Rodrigo Graeff<br>
ICQ: 9636816<br>
<a href="http://www.delphus.org" target="_blank">http://www.delphus.org</a><br>
<br>
<br>
</div></div></blockquote></div><br>
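The report above boils down to one question per port: is the admin sure what is behind it? As an added example, not code from the thread or from any of its authors, the parser below reads a report in that same layout (Portuguese "Porta N" headers, English NVT blocks) and lists the ports the admin never declared; the report excerpt and the allowlist are constructed.<br>

```python
import re

# Constructed excerpt laid out like the scan report quoted in the thread
# (Portuguese "Porta N" headers, English NVT blocks); not the full report.
SAMPLE_REPORT = """\
Porta 6669
Reported by NVT "Trojan horses" (1.3.6.1.4.1.25623.1.0.11157):
An unknown service runs on this port.
Risk factor : Low
Porta 111
The RPC portmapper is running on this port.
Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
Porta 22
Reported by NVT "SSH Server type and version" (1.3.6.1.4.1.25623.1.0.10267):
Remote SSH version : SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
"""

PORT_RE = re.compile(r"^porta\s+(\d+)$", re.IGNORECASE)
NVT_RE = re.compile(r'Reported by NVT "([^"]+)"\s*\(([\d.]+)\)')
RISK_RE = re.compile(r"^Risk factor\s*:\s*(\w+)")
CVE_RE = re.compile(r"^CVE\s*:\s*(.+)$")

def parse_report(text):
    """Group findings under each 'Porta N' header -> {port: {...}}."""
    findings, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            cur = findings.setdefault(int(m.group(1)),
                                      {"nvts": [], "risk": None, "cves": []})
        elif cur is None:
            continue  # text before the first port header
        elif m := NVT_RE.search(line):
            cur["nvts"].append((m.group(1), m.group(2)))
        elif m := RISK_RE.match(line):
            cur["risk"] = m.group(1)
        elif m := CVE_RE.match(line):
            cur["cves"] += [c.strip() for c in m.group(1).split(",")]
    return findings

def unexpected_ports(findings, allowlist):
    """Ports the scan saw that the admin never declared; each one needs a look."""
    return sorted(p for p in findings if p not in allowlist)

if __name__ == "__main__":
    # Assumed allowlist of intended services (the thread names only some of them).
    allow = {22: "ssh", 25: "smtp", 6669: "unrealircd (ssl)"}
    print("unexpected:", unexpected_ports(parse_report(SAMPLE_REPORT), allow))  # [111]
```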