Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test : 1
Number of security holes found                    : 0
Number of security warnings found                 : 8


Host List
Host(s)        Possible Issue
192.168.1.10   Security warning(s) found


Analysis of Host
Address of Host   Port/Service           Issue regarding Port
192.168.1.10      general/tcp            Security warning(s) found
192.168.1.10      ftp (21/tcp)           Security notes found
192.168.1.10      ssh (22/tcp)           Security warning(s) found
192.168.1.10      smtp (25/tcp)          Security notes found
192.168.1.10      time (37/tcp)          Security notes found
192.168.1.10      domain (53/tcp)        Security warning(s) found
192.168.1.10      http (80/tcp)          Security warning(s) found
192.168.1.10      sunrpc (111/tcp)       Security notes found
192.168.1.10      ident (113/tcp)        Security warning(s) found
192.168.1.10      submission (587/tcp)   Security notes found
192.168.1.10      sunrpc (111/udp)       Security notes found
192.168.1.10      general/icmp           Security warning(s) found
192.168.1.10      general/udp            Security notes found


Security Issues and Fixes: 192.168.1.10
Type Port Issue and Fix
Warning general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
Warning general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.

This may cause problems for some long-lived services (BGP, a VPN over
TCP, etc.).

Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp TCP inject NIDS evasion function is enabled. Some tests might
run slowly and you may get some false negative results.
Nessus ID : 10889
Informational general/tcp The remote host is running Linux Kernel 2.4
Nessus ID : 11936
Informational ftp (21/tcp) An unknown service is running on this port.
It is usually reserved for FTP.
Nessus ID : 10330
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe, so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'.
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'.

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.8.1p1

Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : 95:00:eb:a0:b0:54:3e:62:94:44:5e:ec:5b:44:ac:18
SSHv2 host key fingerprint : b2:4f:73:86:8a:62:20:9d:eb:67:50:80:a3:df:47:ac

Nessus ID : 10881
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 vmware-linu.local.net ESMTP Sendmail 8.12.11/8.12.11; Wed, 1 Sep 2004 15:39:50 -0400
Nessus ID : 10330
Informational smtp (25/tcp) Remote SMTP server banner :
220 vmware-linu.local.net ESMTP Sendmail 8.12.11/8.12.11; Wed, 1 Sep 2004 15:40:07 -0400

This is probably: Sendmail version 8.12.11

Nessus ID : 10263
Informational smtp (25/tcp) This server could be fingerprinted as being Sendmail 8.12.2-8.12.5
Nessus ID : 11421
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Warning domain (53/tcp)
The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then you can ignore this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows attackers to perform cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using BIND 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' command.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor : Serious
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
Informational domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational domain (53/tcp) BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.

BIND-based NAMED servers (or DNS servers) allow remote users
to query for version and type information. A query for the CHAOS
TXT record 'version.bind' will typically prompt the server to send
the information back to the querying source.

The remote bind version is : 9.2.3

Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.

Nessus ID : 10028
Warning http (80/tcp)
The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.

Solution : Disable this service, as you do not use it
Risk factor : Low
Nessus ID : 11422
Warning http (80/tcp)
Your web server supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting these methods are subject
to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users into giving up their
credentials.

Solution : Disable these methods.

If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603


See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium
Nessus ID : 11213
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) This web server was fingerprinted as Apache/1.3.27-31 (Unix)
which is consistent with the displayed banner: Apache/1.3.31 (Unix)
Nessus ID : 11919
Informational http (80/tcp) The remote web server type is :

Apache/1.3.31 (Unix)


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Informational http (80/tcp) An information leak occurs on Apache-based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting access to their home
directory and monitoring the response.

Solution:
1) Disable this feature by changing 'UserDir public_html' (or similar) to
'UserDir disabled'.

Or

2) Use a RedirectMatch rewrite rule under Apache -- this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1

Or

3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).

Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html


Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
Nessus ID : 10766
Informational sunrpc (111/tcp)
The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Warning ident (113/tcp)
The remote host is running an ident (also known as 'auth') daemon.

The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.

Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd.

Risk factor : Low
CVE : CAN-1999-0629
Nessus ID : 10021
Informational ident (113/tcp) An identd server is running on this port
Nessus ID : 10330
Informational submission (587/tcp) An SMTP server is running on this port
Here is its banner :
220 vmware-linu.local.net ESMTP Sendmail 8.12.11/8.12.11; Wed, 1 Sep 2004 15:39:50 -0400
Nessus ID : 10330
Informational submission (587/tcp) Remote SMTP server banner :
220 vmware-linu.local.net ESMTP Sendmail 8.12.11/8.12.11; Wed, 1 Sep 2004 15:40:09 -0400

This is probably: Sendmail version 8.12.11

Nessus ID : 10263
Informational submission (587/tcp) This server could be fingerprinted as being Sendmail 8.12.2-8.12.5
Nessus ID : 11421
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.

This may help an attacker to defeat your time-based authentication protocols.

Solution : Filter out incoming ICMP timestamp requests (type 13) and outgoing ICMP
timestamp replies (type 14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Informational general/udp For your information, here is the traceroute to 192.168.1.10 :
192.168.1.3
192.168.1.10

Nessus ID : 10287

This file was generated by Nessus, the open-source security scanner.