Rkhunter found vulnerabilities.. .. Eek!

saBrEwolf · #1 11th November 2004, 09:54 PM

Hello all,
I've been trying to make my system more secure and have found some vulnerabilities with rkhunter.

- OpenSSL 0.9.7a [ Vulnerable ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Vulnerable ]

Security advisories
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]

I guess the simple question is; how do I make these applications less vulnerable?

Any help would be greatly appreciated

Jman · #2 12th November 2004, 07:52 AM

Update your system.

Code:

yum update openssh openssl

will only update those.

Edit /etc/ssh/sshd_config and change PermitRootLogin to no and remove the # in front.

saBrEwolf · #3 12th November 2004, 08:59 PM

The versions I had we're already the most up-to-date for FC2 but I did edit /etc/ssh/sshd_config. Ran rkhunter again 'tho strangely, rkhunter still thinks that OpenSSH is still vulnerable.

Jman · #4 12th November 2004, 10:07 PM

Maybe the log file it says it generated will give more details.

Do you login remotely with ssh? If not just leave that port closed in the firewall and you won't have to worry about it much.

saBrEwolf · #5 13th November 2004, 01:21 PM

I've never logged in remotely. I've setup iptables (using system-config-securitylevel) to not provide any services. Will that have blocked the port also? I haven't set any rules apart from the default set.

Jman · #6 14th November 2004, 07:35 PM

If you have not allowed ports to be open they should default to closed if the firewall is on.

saBrEwolf · #7 14th November 2004, 07:58 PM

Ok, thanks very much Jman

lauterm · #8 15th November 2004, 11:39 AM

saBrEwolf, automatic tools don't always recognize the way red hat backports security fixes. You may also want to do a 'service sshd stop' and then a 'chkconfig sshd off' as root to make sure ssh is off and won't restart when you reboot. This goes for any service you aren't using. 'netstat -tuapen | grep LISTEN' will show you services that are listening on ports. If you aren't using it, turn it off.

saBrEwolf · #9 15th November 2004, 07:37 PM

Ok lauterm, I've looked at netstat,

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
0 2360 1481/portmap

This appears good.. It did say that it failed to stop sshd, but I guess thats 'cuz it wasn't running as I looked through my running processes and there doesn't seem to be anything related to it

lauterm and Jman, you've been a great help, I appreciate it.

Thanks

Jman · #10 15th November 2004, 11:13 PM

No problem, glad to ensure you have a secure system.

lauterm · #11 16th November 2004, 09:55 PM

Glad to help. If you aren't using NFS, stop portmap too.

lukasbradley · #12 17th November 2004, 01:19 AM

Quote:

Originally Posted by Jman

Update your system.

Code:

yum update openssh openssl

will only update those.

When I attempt this, I receive:

Code:

[root@www bin]# yum update openssh openssl
Gathering header information file(s) from server(s)
Server: Fedora Core 2 - x86_64 - Base
Server: Fedora Core 2 - x86_64 - Released Updates
Finding updated packages
Downloading needed headers
openssh is installed and the latest version.
openssl is installed and the latest version.
No actions to take

But:

Code:

[root@www bin]# openssl version
OpenSSL 0.9.7a Feb 19 2003

Forgive my ignorance, but are the servers I'm checking not up-to-date?

I feel comfortable with downloading and compiling the openssl source myself. However, I'm extremely uncomfortable with all the dependencies I might be screwing up in that attempt.

Any help is appreciated.

Lukas

lauterm · #13 17th November 2004, 01:27 PM

Red Hat will generally backport security and bugfixes into the current version to keep from breaking applications midway through a release. It does tend to make it hard at times to tell if you are up to date.

http://download.fedora.redhat.com/pu...s/Fedora/RPMS/ lists all the RPMs in Fedora Core 2 as shipped.

http://download.fedora.redhat.com/pu...ates/2/x86_64/ lists all the updates that have been released.

From those two sources I find that the following are the most current Red Hat versions:

Code:

openssh-3.6.1p2-34
openssl-0.9.7a-35

To check if these are what you have installed do:

Code:

rpm -qa openssh
rpm -qa openssl

If these match you can be reasonably assured that you are up to date. If you don't trust Red Hat you can download the source and install yourself. Some skepticism is healthy. However, if it persists for a long time you should probably find another distribution that you can trust. Historically Red Hat has done a good job of keeping things up to date.