
Re: Vulnerabilities found by Nessus



On Tuesday 15 October 2002 14:59, Javier Fernández-Sanguino Peña wrote:
> On Tue, Oct 15, 2002 at 02:11:51PM +0200, Kjetil Kjernsmo wrote:
> > On Tuesday 15 October 2002 13:59, Javier Fernández-Sanguino Peña wrote:
> > >         Try to reproduce this behavior. You can launch the
> > > attacks manually using 'nasl name-of-the-script' 

OK, I needed libnasl-dev for that apparently. 

The plugin in question is apparently slmail_helo.nasl

Mmmm, doesn't seem to work...:
owl:/usr/lib/nessus/plugins# nasl slmail_helo.nasl
slmail_helo.nasl : Warning : evaluating unknown variable - description

...?

> Ok. If you trace the mail daemon with:
>
> $ strace -f -p process_id_mail

OK.

> $ perl -e 'print "EHLO"; print "a" x 500;' | nc localhost 25

root@pooh:~> perl -e 'print "EHLO"; print "a" x 500;' | nc localhost 25
220 pooh.kjernsmo.net ESMTP Exim 3.35 #1 Tue, 15 Oct 2002 15:34:24 +0200
421 pooh.kjernsmo.net: SMTP command timeout - closing connection

root@pooh:/var/run>  strace -f -p 4456
read(0, 0x80c7ff8, 8192)                = ? ERESTARTSYS (To be restarted)
--- SIGALRM (Alarm clock) ---
time(NULL)                              = 1034689164
open("/var/log/exim/mainlog", O_WRONLY|O_APPEND) = 2
fcntl64(2, F_GETFD)                     = 0
fcntl64(2, F_SETFD, FD_CLOEXEC)         = 0
fstat64(2, {st_mode=S_IFREG|0640, st_size=134036, ...}) = 0
write(2, "2002-10-15 15:39:24 SMTP command"..., 82) = 82
write(1, "421 pooh.kjernsmo.net: SMTP comm"..., 66) = 66
munmap(0x40014000, 4096)                = 0
_exit(1)                                = ?

It didn't tell me a lot, I guess... 


(launched from /var/run just because I was looking if there was a 
pid-file there)

> Regarding the other vulnerability, you should see if the system is
> running out of file descriptors. See if, during the attack, 'netstat
> -an' returns a huge number of open connections to port 25. All
> systems are vulnerable to file descriptor exhaustion unless you
> configure limits.

Sure.

> You might want to take a look at Bastille-linux (there is a Debian
> package for it) on how to configure some of this stuff automatically.

OK, I'll install it. 

> You should also read the "Debian Securing Manual" for more in-depth
> information.

Yeah, I've read it, and done much of it, but understanding it all is of 
course another matter. :-)

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
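
Added example, not part of the original message or of any project named in it: one way to do the 'netstat -an' check suggested above, counting connections to local port 25 by state and by remote host and comparing the sockets that still hold a descriptor against a limit. The sample output is constructed, and the function names and the fd_limit value are assumptions supplied for illustration.

```python
import collections

# Constructed sample of `netstat -an` output (not taken from the thread).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40114      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.5:51000       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.5:51001       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def smtp_connections(netstat_text, port=25):
    """Count TCP connections to the local port, by state and by remote host."""
    by_state = collections.Counter()
    by_peer = collections.Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have six columns: proto, recv-q, send-q, local, foreign, state.
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        # Skip other ports and the listening socket itself.
        if local.rsplit(":", 1)[-1] != str(port) or state == "LISTEN":
            continue
        by_state[state] += 1
        by_peer[foreign.rsplit(":", 1)[0]] += 1
    return by_state, by_peer


def fd_pressure(by_state, fd_limit, ratio=0.8):
    """True when sockets still holding a descriptor approach fd_limit.

    fd_limit is whatever descriptor limit you have configured (assumed input).
    """
    # TIME_WAIT sockets were already closed by the process, so they hold no fd.
    held = sum(n for state, n in by_state.items() if state != "TIME_WAIT")
    return held >= ratio * fd_limit


if __name__ == "__main__":
    states, peers = smtp_connections(SAMPLE)
    print(dict(states), peers.most_common(3), fd_pressure(states, 1024))
```

On a live system, feed it the text of 'netstat -an' captured while the scan runs; a single remote host dominating the per-peer count points at the scanner rather than normal mail traffic.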


