Security Analysis Report

Scan Date: January 14, 2002
Hosts Scanned: samplesystem.whoi.edu (128.128.64.250)
Requested By: J. Random User
Analysis By: Karl A. Krueger

** CONTENTS OF THIS REPORT **

Host Information -- basic facts about your computer.
Health Evaluation -- an overview of your computer's security.
Red Hat Network -- how to use Red Hat's automatic upgrade service.
Vulnerabilities -- critical security holes found, and how to fix them.
Precautions -- other recommendations to improve your system's security.
Upgrading Your System -- how to upgrade to the latest Red Hat release.
CIS Contact Information -- whom to contact for additional help.

** HOST INFORMATION **

Architecture: i386 (Intel PC)
Operating System: Red Hat Linux 6.1

Major network services:
  * FTP server -- ProFTPd 1.2.0pre9
  * Secure Shell (SSH) server -- SSH 1.2.27
  * Telnet server
  * Finger server
  * Web (HTTP) server -- Apache 1.3.x
  * Remote Procedure Call (RPC) services:
      + rpc.statd
      + rpc.mountd
      + rpc.nfsd
  * X Window System (X11)

** HEALTH EVALUATION **

This system is at significant risk of being compromised. It harbors two major security holes through which other WHOInet hosts have already been compromised: one in the FTP daemon and one in the SSH daemon. In addition, it is running an older version of Red Hat Linux which is no longer supported by the vendor.

** RED HAT NETWORK **

If you have ever purchased a boxed version of Red Hat Linux, you are eligible to use the Red Hat Network facility to automatically download and install upgrades. This makes it much easier to keep your system up to date and secure. You can do this with your current Red Hat release, or after upgrading to Red Hat 7.2 (see below).

To register for the Red Hat Network, you will need the serial number that came in your Red Hat Linux boxed set. With this number in hand, run the command "rhn_register" to begin the registration process.
Once you are registered, you can use the command "up2date" (as root) to keep your system's software up to date.

** VULNERABILITIES **

ProFTPd 1.2.x Vulnerability:

This system is running the ProFTPd FTP server, version 1.2.0pre9. All versions of ProFTPd prior to 1.2.0rc3 contain a security hole that allows an attacker to gain superuser (root) access. You can close this hole by running the following commands (as root):

    wget http://mirror.example.net/rh6.2/i386/proftpd-1.2.4-1.i386.rpm
    /etc/rc.d/init.d/proftpd stop
    rpm --upgrade proftpd-1.2.4-1.i386.rpm
    /etc/rc.d/init.d/proftpd start

This will download and install a new version of ProFTPd without altering your FTP server configuration.

Secure Shell (SSH) Vulnerability:

This system is running an SSH.COM version of the Secure Shell server (sshd), version 1.2.27. All versions of this SSH daemon prior to 1.2.32 contain a security hole that allows an attacker to gain superuser (root) access. This is a very important hole to close, as six WHOInet systems running Red Hat 6.x have already been compromised through it.

This hole will be fixed if you upgrade to Red Hat 7.2. You can also fix it by running the following commands (as root):

    wget ftp://ftp.cis.fed.gov/pub/ssh/rpms/ssh-3.1.0-8.i386.rpm
    /etc/rc.d/init.d/ssh stop
    rpm --upgrade ssh-3.1.0-8.i386.rpm
    /etc/rc.d/init.d/ssh start

This will download and install a new version of the SSH.COM Secure Shell server.

** PRECAUTIONS **

Telnet:

This system is running a Telnet server (telnetd). Telnet is a remote-login service that is unencrypted, meaning that anyone who can monitor network traffic to or from this system can obtain the usernames and passwords of any account accessed via Telnet. CIS recommends that Telnet be phased out in favor of Secure Shell (SSH), which prevents this sort of attack. Your system already has an SSH daemon running.
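The two version thresholds in the Vulnerabilities section above (ProFTPd fixed at 1.2.0rc3, SSH.COM sshd fixed at 1.2.32) can be checked mechanically against the greeting banners the services send. The script below is an added example written for this page, not part of the CIS report or of either vendor's tooling. The banner formats it parses and the version-ordering rules it applies (digits compare numerically, words lexically, and a trailing pre/rc tag sorts before the bare version) are assumptions; the banners at the bottom are constructed, not scan output.

```shell
#!/bin/sh
# Added example, not part of the CIS report: decide whether a service
# banner reports a version below the minimum fixed version cited in the
# report (ProFTPd 1.2.0rc3, SSH.COM sshd 1.2.32). Banner formats and
# ordering rules are assumptions, not taken from the report.

# split_ver VERSION: print the version as space-separated segments,
# splitting on punctuation and on digit/letter boundaries,
# e.g. 1.2.0pre9 -> "1 2 0 pre 9"
split_ver() {
    printf '%s\n' "$1" | sed \
        -e 's/[^0-9A-Za-z]\{1,\}/ /g' \
        -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
        -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
        -e 's/^ *//' -e 's/ *$//'
}

# is_num STRING: true if STRING is non-empty and all digits
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ver_lt A B: true (exit 0) if version A sorts strictly before B.
# Assumed rules: numeric segments compare numerically, alphabetic ones
# lexically, a number outranks a word in the same position, and a
# trailing word (pre, rc) marks a pre-release that sorts before the bare
# version, so 1.2.0rc3 < 1.2.0 while 1.2 < 1.2.4.
ver_lt() {
    a=$(split_ver "$1")
    b=$(split_ver "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; a=${a#"$x"}; a=${a# }
        y=${b%% *}; b=${b#"$y"}; b=${b# }
        if [ -z "$x" ]; then
            is_num "$y" && return 0      # B has an extra numeric part: B newer
            return 1                     # B carries a pre-release tag: A newer
        fi
        if [ -z "$y" ]; then
            is_num "$x" && return 1
            return 0
        fi
        if is_num "$x" && is_num "$y"; then
            [ "$x" -lt "$y" ] && return 0
            [ "$x" -gt "$y" ] && return 1
        elif is_num "$x"; then
            return 1                     # number beats word: A newer
        elif is_num "$y"; then
            return 0
        else
            expr "$x" \< "$y" >/dev/null && return 0
            expr "$x" \> "$y" >/dev/null && return 1
        fi
    done
    return 1                             # versions are equal
}

# banner_version SERVICE BANNER: print the version found in a greeting,
# or nothing if the banner is not in the assumed format. Only versions
# that start with a digit are accepted, so an OpenSSH banner
# (SSH-1.99-OpenSSH_2.9p2) is deliberately left unrecognised: the
# 1.2.32 threshold applies to the SSH.COM daemon only.
banner_version() {
    case "$1" in
        proftpd) printf '%s\n' "$2" | sed -n 's/^220[- ].*ProFTPD \([0-9][0-9A-Za-z.]*\).*/\1/p' ;;
        ssh)     printf '%s\n' "$2" | sed -n 's/^SSH-[0-9.]*-\([0-9][0-9A-Za-z.]*\).*/\1/p' ;;
    esac
}

# check_service SERVICE BANNER FIXED: print a verdict; exit 0 when the
# banner is at or above FIXED, 1 when it is older, 2 when unparseable
check_service() {
    v=$(banner_version "$1" "$2")
    if [ -z "$v" ]; then
        echo "$1: version not recognised in banner: $2"
        return 2
    fi
    if ver_lt "$v" "$3"; then
        echo "$1 $v: VULNERABLE (fixed in $3)"
        return 1
    fi
    echo "$1 $v: OK (>= $3)"
}

# Constructed banners: the two services reported on this host, and a
# patched host for contrast. Not real scan output.
check_service proftpd '220 ProFTPD 1.2.0pre9 Server (ProFTPD Default Installation) [samplesystem]' 1.2.0rc3 || :
check_service ssh     'SSH-1.5-1.2.27' 1.2.32 || :
check_service proftpd '220 ProFTPD 1.2.4 Server (ProFTPD) [patched]' 1.2.0rc3 || :
check_service ssh     'SSH-1.99-3.1.0' 1.2.32 || :
```

Run it as-is to see the verdicts for the constructed banners; to check a live host, feed check_service the first line a connection to port 21 or 22 returns (for example from nc). Keep in mind that a banner is only a claim: a vendor package with a backported fix can report an old version number while no longer being exploitable, so the installed package version (rpm -q) is the more reliable check on a host you can log in to.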
Provided that you no longer need the Telnet daemon, you can disable it by running the following commands (as root):

    /etc/rc.d/init.d/telnet stop
    rpm --erase telnet-server

This will *not* remove your ability to use the "telnet" command to connect to remote systems. It will only remove other hosts' ability to access this one via Telnet.

Finger:

Finger is a service that provides information about the user accounts on your system. This is not often useful information for ordinary users, and may help an attacker by giving away information such as usernames. Since it serves little purpose on a modern system, we recommend that it be turned off. This can be done by commenting out the line beginning with "finger" in /etc/inetd.conf. To comment it out, edit the file (as root) and insert a # (hash mark) character at the beginning of the line, then save the file. Restart inetd by running:

    /etc/rc.d/init.d/inet restart

Anonymous FTP:

It appears that your FTP server allows anonymous access. This is not a security hole in and of itself, but it is easy for an anonymous FTP system to be misconfigured and allow unauthorized upload. CIS operates a central, secure anonymous FTP server at ftp.whoi.edu. Accounts are available at no charge, although disk space is not unlimited. Please contact the CIS Helpdesk if you are interested in this service.

Access Restriction:

CIS recommends that access to network services be restricted to allow access only from those hosts which need it. For instance, if you need FTP service only to allow another WHOI host to download files from your system, you should configure your FTP daemon to allow access only from that host. The way to do this varies extensively from service to service. If this is something you are interested in, please contact CIS.

** UPGRADING YOUR SYSTEM **

This system is currently running Red Hat Linux release 6.1. CIS advises that all Red Hat 6.x systems be upgraded to the latest release, 7.2.
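The Finger instructions above edit /etc/inetd.conf by hand. The script below, an added example that is not part of the CIS report, performs the same edit mechanically and then lists what inetd would still serve. On Red Hat 6.x, telnetd is normally launched by inetd in the same way as fingerd, so the one function also covers the Telnet section; the inetd.conf it works on is a constructed sample, not the scanned host's file. It comments out only lines whose first field is exactly the named service and leaves already-commented lines alone, so running it twice changes nothing.

```shell
#!/bin/sh
# Added example, not part of the CIS report: comment out services in an
# inetd.conf the way the Finger section describes, then list what is
# still enabled. The sample file below is constructed, not the scanned
# host's real configuration.

# disable_inetd_service NAME: read inetd.conf on stdin and write it to
# stdout with every active line whose service field is NAME commented
# out. Comment lines, blank lines and other services pass through
# unchanged, so the operation is idempotent.
disable_inetd_service() {
    awk -v svc="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }     # keep comments and blank lines
        $1 == svc                { print "#" $0; next } # comment out the named service
        { print }
    '
}

# enabled_inetd_services: read inetd.conf on stdin and print the service
# name of every line that is still active
enabled_inetd_services() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }'
}

# Constructed sample in the Red Hat 6.x inetd.conf layout (services are
# wrapped by tcpd); rsh is already disabled to show it is left alone.
SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample, not from the scanned host)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# harden_sample: print the sample with finger and telnet disabled, which
# is what the report recommends for this host
harden_sample() {
    printf '%s\n' "$SAMPLE_INETD_CONF" \
        | disable_inetd_service finger \
        | disable_inetd_service telnet
}

# Show the edited file, then the services inetd would still start.
# On a real host you would write the output over /etc/inetd.conf (after
# backing it up) and run /etc/rc.d/init.d/inet restart.
harden_sample
echo '--- still enabled after the edit:'
harden_sample | enabled_inetd_services
```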
The earlier versions shipped with a large number of security problems which have been closed in the latest release. (This is especially important with systems older than Red Hat 6.2, since Red Hat is no longer releasing security patches for those systems.) The upgrade also adds a number of useful security features, such as a host-based firewall and an improved Internet superserver (xinetd).

CD-ROMs of Red Hat 7.2 are available through the CIS Helpdesk. To upgrade, boot from the first CD-ROM. After the first few screens (which will ask about your language preference, mouse settings, and so forth) you will be asked whether you wish to do a new installation or an upgrade. Select "Upgrade". The installer will analyze the packages you have installed, then install new versions of them.

During the upgrade you will be asked whether to migrate your filesystems to the new Extended-3 (ext3) format. This is recommended, as ext3 provides improved reliability and speeds filesystem checks (fsck). You will also be asked whether to use the new GRUB bootloader. This is also recommended.

Please note that nonstandard drivers, such as NVIDIA graphics drivers, may be removed in such an upgrade. You should have the installers for these on hand prior to beginning the process.

** CIS CONTACT INFORMATION **

If you would like a CIS staff member to perform the upgrades listed above, or other system administration work on this computer, please contact:

Jonathan Murray
Telephone: x2877

or

Karl A. Krueger
Telephone: x2769