Portaal Portaal Pingviini veeb foorumi pealeht
  Viki  |  IRC  |  Otsing  |  Küsimused ja vastused  |  Profiil  |  Privaatsõnumite vaatamiseks logi sisse  | Logi sisse või Registreeru
<empty>
Vaata järgmist teemat
Vaata eelmist teemat

Postita uus teemaVasta teemale
Autor Sõnum
-IFFI-
Vana Pingviin
Vana Pingviin


Vanus: 48
Liitunud: 25.06.2005
Postitused: 1411
Asukoht: Lappeenranta-Turku
Distributsioon: Linux MX
finland.gif
postituspostitatud: 31.03.2013, 10:59  postituse pealkiri:  Security report domain.com! Mida siit silmas pidada...  

Katsetan igasugu vidinaid test serveris. Paigaldasin järgnevalt aadressilt http://www.howtoforge.com/extending-perfect-server-debian-squeeze-ispconfig-3-p3 PUNKT 8 oleva lisa ning lasin käsukalt käima "tiger" käsu.
Tulem on all olemas. Mida ma peaksin siit arusaama, silmas pidama ja/või ettevõtma?

TIGER VÄLJUND
Kood:
Security scripts *** 3.2.3, 2008.09.10.09.30 ***
Sun Mar 31 10:51:46 CEST 2013
10:51> Beginning security report for domain.com (x86_64 Linux 3.2.13-grsec-xxxx-grs-ipv6-64).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass013w] Username `root' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `daemon' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `bin' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `sys' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `sync' is not using an acceptable password hash
         (x).
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync).
--WARN-- [pass013w] Username `games' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `man' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `lp' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `mail' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `news' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `uucp' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `proxy' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `www-data' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `backup' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `list' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `irc' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `gnats' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `nobody' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `libuuid' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `Debian-exim' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `statd' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `bind' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `sshd' is not using an acceptable password hash
         (x).
--WARN-- [pass015w] Login ID sshd does not have a valid shell
         (/usr/sbin/nologin).
--WARN-- [pass013w] Username `ntp' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `mysql' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `clamav' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `postfix' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `dkimproxy' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `fetchmail' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `amavis' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `dtc' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `tumgreyspf' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `domain' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `vmail' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `getmail' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `ispapps' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `ispconfig' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `web3' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `web4' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `proftpd' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `ftp' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `web6' is not using an acceptable password hash
         (x).
--WARN-- [pass013w] Username `ftpuser' is not using an acceptable password
         hash (x).
--WARN-- [pass013w] Username `munin' is not using an acceptable password hash
         (x).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc006w] Login ID mail's home directory (/var/mail) has group `4096'
         write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
         accessible.
--WARN-- [acc006w] Login ID libuuid's home directory (/var/lib/libuuid) has
         group `4096' write access.
--WARN-- [acc021w] Login ID libuuid appears to be a dormant account.
--WARN-- [acc006w] Login ID bind's home directory (/var/cache/bind) has group
         `4096' write access.
--WARN-- [acc021w] Login ID bind appears to be a dormant account.
--WARN-- [acc021w] Login ID sshd appears to be a dormant account.
--WARN-- [acc019w] Login ID vmail may be missing a shell initialization file
         /var/vmail/.shrc.
--WARN-- [acc019w] Login ID getmail may be missing a shell initialization file
         /etc/getmail/.shrc.
--WARN-- [acc019w] Login ID ispapps may be missing a shell initialization file
         /var/www/apps/.shrc.
--WARN-- [acc023w] Login ID ispconfig's parent directory (/usr/local) has
         non-administrative `staff' ownership.
--WARN-- [acc023w] Login ID ispconfig's parent directory (/usr/local/) has
         group `4096' write access.
--WARN-- [acc019w] Login ID ispconfig may be missing a shell initialization
         file /usr/local/ispconfig/.shrc.
--WARN-- [acc022w] Login ID ftpuser home directory (/bin/null) is not
         accessible.

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root001w] Remote root login allowed in /etc/ssh/sshd_config

# Performing check of PATH components...
# Only checking user 'root'
--WARN-- [path002w] /usr/bin/bsd-write in root's PATH from default is not
         owned by root (owned by tty).
--WARN-- [path002w] /usr/bin/chage in root's PATH from default is not owned by
         root (owned by shadow).
--WARN-- [path002w] /usr/bin/crontab in root's PATH from default is not owned
         by root (owned by Debian-exim).
--WARN-- [path002w] /usr/bin/dotlockfile in root's PATH from default is not
         owned by root (owned by mail).
--WARN-- [path002w] /usr/bin/expiry in root's PATH from default is not owned
         by root (owned by shadow).
--WARN-- [path002w] /usr/bin/locate in root's PATH from default is not owned
         by root (owned by mlocate).
--WARN-- [path002w] /usr/bin/mlocate in root's PATH from default is not owned
         by root (owned by mlocate).
--WARN-- [path002w] /usr/bin/mlock in root's PATH from default is not owned by
         root (owned by mail).
--WARN-- [path002w] /usr/bin/screen in root's PATH from default is not owned
         by root (owned by utmp).
--WARN-- [path002w] /usr/bin/ssh-agent in root's PATH from default is not
         owned by root (owned by ssh).
--WARN-- [path002w] /usr/bin/wall in root's PATH from default is not owned by
         root (owned by tty).
--WARN-- [path002w] /usr/bin/write in root's PATH from default is not owned by
         root (owned by tty).
--WARN-- [path002w] /usr/sbin/postdrop in root's PATH from default is not
         owned by root (owned by postdrop).
--WARN-- [path002w] /usr/sbin/postqueue in root's PATH from default is not
         owned by root (owned by postdrop).

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- CRON file `' is owned by Debian-exim.
--WARN-- Found cron file for unknown user .
--WARN-- CRON file `' is owned by Debian-exim.
--WARN-- Found cron file for unknown user .
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'inetd'...
--ERROR-- [init006e] `/usr/lib/tiger/systems/default/inetd' does not exist (file definition INETDFILE).

# Performing check of services with tcp wrappers...
--ERROR-- [init006e] `/usr/lib/tiger/systems/default/inetd' does not exist (file definition INETDFILE).

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service pop-2 is also assigned to service
         pop2.
--WARN-- [inet003w] The port for service x400-snd is also assigned to service
         acr-nema.

# Performing NFS exports check...

# Performing check of system file permissions...
--ERROR-- [init004e] `/usr/lib/tiger/systems/default/gen_mounts' is not executable (command GET_MOUNTS).

# Checking for known intrusion signs...
--ERROR-- [init004e] `/usr/lib/tiger/systems/default/gen_mounts' is not executable (command GET_MOUNTS).

# Performing check for rookits...

# Performing system specific checks...

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/block resides in a device directory.
--WARN-- [dev003w] The directory /dev/bsg resides in a device directory.
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
--WARN-- [dev003w] The directory /dev/cpu resides in a device directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/wtmp permission should be 644
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 600
--FAIL-- [logf005f] Log file /var/run/utmp permission should be 644
--FAIL-- [logf005f] Log file /var/log/messages permission should be 640

# Checking for correct umask settings...
--FAIL-- [misc022f] The umask setting in /etc/profile is insecure

# Checking listening processes
--WARN-- [lin003w] The process `amavisd-n' is listening on socket TCP (0t0 on
         TCP interface) is run by amavis.
--WARN-- [lin003w] The process `apache2' is listening on socket TCP (0t0 on
         TCP interface) is run by root.
--WARN-- [lin003w] The process `apache2' is listening on socket TCP (0t0 on
         TCP interface) is run by www-data.
--WARN-- [lin003w] The process `couriertc' is listening on socket TCP (0t0 on
         TCP interface) is run by root.
--WARN-- [lin003w] The process `dkimproxy' is listening on socket TCP (0t0 on
         TCP interface) is run by dkimproxy.
--WARN-- [lin003w] The process `lwresd' is listening on socket UDP (0t0 on UDP
         interface) is run by root.
--WARN-- [lin003w] The process `master' is listening on socket TCP (0t0 on TCP
         interface) is run by root.
--WARN-- [lin003w] The process `miniserv.' is listening on socket TCP (0t0 on
         TCP interface) is run by root.
--WARN-- [lin003w] The process `miniserv.' is listening on socket UDP (0t0 on
         UDP interface) is run by root.
--WARN-- [lin003w] The process `munin-nod' is listening on socket TCP (0t0 on
         TCP interface) is run by root.
--WARN-- [lin003w] The process `mysqld' is listening on socket TCP (0t0 on TCP
         interface) is run by mysql.
--WARN-- [lin003w] The process `named' is listening on socket TCP (0t0 on TCP
         interface) is run by bind.
--WARN-- [lin003w] The process `named' is listening on socket UDP (0t0 on UDP
         interface) is run by bind.
--WARN-- [lin003w] The process `ntpd' is listening on socket UDP (0t0 on UDP
         interface) is run by ntp.
--WARN-- [lin003w] The process `pure-ftpd' is listening on socket TCP (0t0 on
         TCP interface) is run by root.
--WARN-- [lin003w] The process `sshd' is listening on socket TCP (0t0 on TCP
         interface) is run by root.

# Checking sshd_config configuration files...
--WARN-- [ssh004w] The PasswordAuthentication directive in
         /etc/ssh/sshd_config is set to the unapproved defult value: yes.

# Checking printer configuration files...
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition infile).

# Performing common access checks for root...
--FAIL-- [netw018f] Administrative user gnats allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user libuuid allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user Debian-exim allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user statd allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user bind allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user sshd allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user ntp allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user mysql allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user clamav allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user postfix allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user dkimproxy allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user fetchmail allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user amavis allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user dtc allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user tumgreyspf allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user proftpd allowed access in
         /etc/ftpusers
--FAIL-- [netw018f] Administrative user ftp allowed access in /etc/ftpusers
--FAIL-- [netw018f] Administrative user munin allowed access in /etc/ftpusers

# Checking ntpd configuration...
--ERROR-- [init001e] Don't have required command NETSTAT.
--ERROR-- [init004e] `/usr/lib/tiger/systems/default/getdisks' is not executable (command GETDISKS).

# Performing check of embedded pathnames...
--WARN-- [embed002w] Path `/usr/lib/apache2/suexec' is not owned by root
         (owned by www-data).
         Embedded references in: /usr/sbin/apache2->/default(PATH)
10:52> Security report completed for domain.com.


obundra
Vana Pingviin
Vana Pingviin


Vanus: 49
Liitunud: 04.08.2005
Postitused: 1213
Asukoht: 127.0.0.1
Distributsioon: RHEL, Solaris, Debian, Gentoo
estonia.gif
postituspostitatud: 31.03.2013, 12:43  postituse pealkiri:  (teema puudub)  

Lase käima tiger -e, siis jagab iga asja kohta selgitusi.Ma pole küll tigeri hingeeluga lähemalt tuttav, aga esmapilgul paistab, et kõike raporteeritut ei saa kohe "parandama" tormata.Näiteks see paroolide kohta käiv hoiatus tuleb sellest, et kui kasutusel on shadow paroolid, siis tiger ei saa sellest aru.Lisaks paistab bugisid olema üksjagu http://bugs.debian.org/cgi-bin/pkgreport.cgi?package=tiger

_________________
IT teenused

-IFFI-
Vana Pingviin
Vana Pingviin


Vanus: 48
Liitunud: 25.06.2005
Postitused: 1411
Asukoht: Lappeenranta-Turku
Distributsioon: Linux MX
finland.gif
postituspostitatud: 31.03.2013, 12:56  postituse pealkiri:  (teema puudub)  

Ühesõnaga tegemist on "prahiga" ja see jutt mida ta tututab seal väljundis ei oma miskit kritilist reageerimise vajadust Very Happy


obundra
Vana Pingviin
Vana Pingviin


Vanus: 49
Liitunud: 04.08.2005
Postitused: 1213
Asukoht: 127.0.0.1
Distributsioon: RHEL, Solaris, Debian, Gentoo
estonia.gif
postituspostitatud: 31.03.2013, 13:00  postituse pealkiri:  (teema puudub)  

Ma päris nii ei ütleks, aga väljundit peaks ikka mõttega lugema.

_________________
IT teenused

Näita (aja järgi):      
Postita uus teemaVasta teemale


Vaata järgmist teemat
Vaata eelmist teemat
Powered by phpBB2 Plus based on phpBB © 2001/7 phpBB Group