
AppNote: Open Enterprise Server (OES) services security

Novell Cool Solutions: AppNote
By Thomas Erickson


Posted: 17 Jun 2005
 

Thomas Erickson, CISSP
Master CNE, CDE, CLE, LPIC–1, MCSE, and CCNA
tsepop at yahoo.com

Table of Contents

Abstract
Introduction
Assessment tool
OES Linux Services and suggested action
OES NetWare Services and suggested action
Conclusion
Annotated Bibliography
Appendix A OES Linux Default Assessment
Appendix B OES NetWare Default assessment
Appendix C Post Hardening Comparison of OES NetWare and OES Linux
Appendix D Nessus Assessment -- Post hardening of OES Linux
Appendix E Nessus Assessment -- Post hardening of OES NetWare




Abstract

This document will help you recognize and disable services running by default on OES NetWare and OES Linux. I believe you will be particularly interested in the Nessus Assessment reports in the appendices. This document also describes each open service/port and gives recommendations for that service/port.

Introduction

This paper and its appendices document and analyze the security of the ports/services listening in the default configuration of OES Linux and OES NetWare (NetWare 6.5 SP3). The focus is on disabling services you do not need or are not currently using.

There are many other configuration best practices for securing each service; apply them to the services your organization actually needs, and disable the rest.

General security best practices:

  1. Disable services you are not using or do not need. Keep a service disabled unless or until it is needed, then enable it only temporarily.
  2. Least privilege – "no more privileges than necessary to be able to fulfill its functions (Harris, p. 209)."
  3. A baseline configuration that is audited (verified) via routine checkups.
  4. Defense-in-depth, security in layers – Layer 1, Layer 2, Layer 3: multiple countermeasures and controls to mitigate risk. One application of this principle is both filtering the ports at the firewall and disabling the services behind them.
  5. Education! From the common worker to the IT professional (with different awareness training for each, of course).
  6. Continuous vigilance (processes, methods and routines). Do NOT rely on technology alone; it is ONLY one piece/layer of security.
  7. Availability, Integrity, and Confidentiality (CIA).
    1. Availability – Is the service available? Denial of Service (DoS, DDoS). Capacity, reliability, timeliness?
    2. Integrity – errors and omissions: is the data accurate? Reliability of the system, unauthorized modification, and mistakes.
    3. Confidentiality – secrecy / protection against unauthorized disclosure (Harris p. 54).
  8. "Security is always a balance between risk and function (Maslowski-Yerges)."

Resources that focus more on securing a service (instead of disabling it):

As a general rule you will want to secure the OES NetWare console at all costs (physically and remotely). The ICSA Compliance Kit can be found at: http://support.novell.com/servlet/filefinder?name=*icsa*.exe
Please be advised that this significantly limits the troubleshooting ability of NetWare and that you must use the ICSA server.exe that matches your current support pack.

Assessment tool

"Nessus is the world's most popular open-source vulnerability scanner used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

The "Nessus" Project was started by Renaud Deraison in 1998 to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. Nessus is currently rated among the top products of its type throughout the security industry and is endorsed by professional information security organizations such as the SANS Institute. It is estimated that the Nessus scanner is used by 75,000 organizations world-wide."

There are many network scanners and assessment tools. Two of the most popular, both from the open source community, are NMAP and NESSUS. I would classify NESSUS as being in the top 5 network security tools; it is the most used/popular (http://www.insecure.org/tools.html). If you are new to network security and tools, you should spend time reviewing and evaluating these powerful network security tools.

I chose NESSUS as my security assessment tool because of its power and flexibility. NESSUS assesses TCP/UDP, OSes, and applications.

Because it runs on Linux and many organizations use it to assess both system-wide and specific vulnerabilities, plug-in development is fast. When a new vulnerability is published, it can typically be scripted into a NESSUS plug-in quickly (there are about 6000 scripted vulnerability checks, AKA plug-ins; see Appendix E for the list of plug-ins I used to assess OES in this document).

Please note that NESSUS has a destructive mode (Denial of Service checks and attack checks), so be sure you use it only on your own equipment and/or get written approval before pointing it at network devices. Only use the attack/destructive mode on pre-production devices.

I booted up an old SUSE 8.2 box collecting dust and updated Nessus on it for this project:

nessusd -v
nessusd (Nessus) 2.2.4 for Linux
(C)1998 - 2004 Renaud Deraison <deraison@nessus.org>

OES Linux Services and suggested action

cat /etc/SUSE-release
SUSE Linux Enterprise Server 9 (i586)
VERSION = 9

cat /etc/novell-release
Novell Open Enterprise Server Linux (i586)
VERSION = 9

/etc/init.d/ndsd status
Tree Name: OES-LINUX-VM-TREE
Server Name: .CN=oes-linux-vm.O=novell.T=OES-LINUX-VM-TREE.
Binary Version: 10551.95
Root Most Entry Depth: 0
Product Version: eDirectory for Linux v8.7.3.5 [DS]

Port(s): 8028, 8030
Nessus rating: High
Summary of Service: iMonitor/dhost – enables administrators to view and troubleshoot the health of eDirectory, including DSTrace. https://hostname:8030/

Details of Service: iMonitor is a wonderful web-based tool to analyze NDS/eDirectory/DS. You can compare schema, run health reports, and drill down into details of DS and objects that other tools do not give you. iMonitor is the preferred tool for checking the health of DS on NetWare, Linux and other platforms. Having a web interface is convenient because it is the same no matter which OS DS is running on.

"Novell® iMonitor provides cross-platform monitoring and diagnostic capability to all servers in your eDirectory™ tree. This utility lets you monitor your servers from any location on your network where a Web browser is available.
iMonitor lets you look at the eDirectory environment in depth on a partition, replica, or server basis. You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking.
iMonitor provides a Web-based alternative or replacement for many of Novell's traditional server-based eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair. Because of this, iMonitor's features are primarily server focused, meaning that they focus on the health of individual eDirectory agents (running instances of the directory service) rather than the entire eDirectory tree."
(http://www.novell.com/documentation/edir87/index.html?page=/documentation/edir87/edir87/data/agwkqvb.html).

Action Suggested: Disable on Internet facing machines until/unless you need to use this service. Also filter the ports from external networks.

To disable this service:
Follow document http://support.novell.com/cgi-bin/search/searchtid.cgi?/10089098.htm.

Following the above TID failed to stop 8030 from listening. Novell has duplicated this and a defect/RFE has been created. Until the issue is resolved you may need to rename /usr/lib/nds-modules/libhttpstk.so to stop 8028 and 8030 from listening.

Nessus reports:
CAN-2003-0543: "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values." (nessus.org)
CAN-2003-0544: "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used." (nessus.org)
CAN-2003-0545: "Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding." (nessus.org)

Why should I disable this port? Although this specific vulnerability has been fixed via a patch from Novell, as a general rule disable services unless/until you need them (or uninstall the service).

"Novell has reported a vulnerability in the eDirectory server. DHost contains a buffer overflow vulnerability that could potentially be exploited by an attacker. This could result in code execution, and privilege escalation. This vulnerability could potentially be a remote issue, though this is unconfirmed."
(http://www.securityfocus.com/bid/6900/discuss)

Details on iMonitor:
"1 (Default) Before iMonitor processes URLs, require successful authentication as some eDirectory identity. In this case, the eDirectory rights of that identity are applied to any request and are, therefore, restricted by those rights. The same DoS vulnerability as level 0 exists, except the attack must be launched by someone who has actually authenticated to the server. Until a successful authentication occurs, the response to any iMonitor URL request is a login dialog box, so iMonitor should be impervious to attacks by unauthenticated users when it is configured in this state.

2 Before iMonitor processes URLs, require successful authentication as an eDirectory identity that has supervisor equivalency on the server that iMonitor is authenticating to. The same DoS vulnerability as level 1 exists, except the attack must now be launched by someone who has actually authenticated as a supervisor of the server. Until a successful authentication occurs, the response to any iMonitor URL request is a login dialog box, so iMonitor should be impervious to attacks by unauthenticated users and non-supervisor authenticated users when it is configured in this state." http://www.novell.com/documentation/edir873/pdfdoc/edir873/edir873.pdf (page 184)

Port(s): 80, 631, 443
Nessus rating: High
Summary of Service: apache2 – core web server that other services depend on, for example iPrint (631) and iFolder.

Details of Service: Apache is the framework/foundation that many services rely on.

Apache is, of course, a web server (the most popular one; open source and very secure when properly configured).

iPrint is an Apache 'include', which means iPrint rides on top of Apache. With iPrint you can find and install your printer from a building map or a list on a website. This allows users who move or travel to self-service their own printer without logging a help desk call. Also, one can securely print over the Internet with iPrint, eliminating the need to fax or ship many print-outs.

iFolder also relies on Apache. iFolder securely synchronizes local files on multiple workstations to a server via http/https. The traffic is encrypted as well as the files stored on the file system of the server.

"Novell iFolder® lets your files follow you, everywhere. iFolder allows you to access, organize, and manage your files from anywhere, anytime. iFolder also provides worry-free security, ensuring that all your files are always safe, secure and up to date. Now your files can be as mobile as you are - at work, home or on the go."
(http://www.novell.com/products/ifolder/).
Also, iManager depends on Apache.
"Novell iManager is a state-of-the-art Web-based administration console that provides customized access to network administration utilities and content from any location in the world, whether inside or outside the firewall."
(http://www.novell.com/products/consoles/imanager/)

Action Suggested: This depends on your environment. Not all servers need to run iMonitor, iPrint, or iManager. Consider running these services on only a few servers, and follow the documentation on hardening these services on those servers.

To disable this service:
/etc/init.d/apache2 stop
chkconfig apache2 off

Nessus Reports:
CAN-2004-0786: "The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool." (nessus.org)
CAN-2004-0747: "Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables." (nessus.org)
CAN-2004-0751: "The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault)." (nessus.org)
CAN-2004-0748: "mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop." (nessus.org)
CAN-2004-0809: "The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access." (nessus.org)

Port(s): 389 and 636
Summary of Service: LDAP (Lightweight Directory Access Protocol), nldap.nlm
Action Suggested: Disable this service if it is not needed. By default, Novell's LDAP does NOT allow clear-text LDAP (389); the administrator must explicitly allow clear text (which is NOT recommended).

Details of Service: LDAP is a wonderful service for cross-application authentication. Many applications can authenticate via LDAP, including firewalls, proxies, and web servers/clients. LDAP is also a wonderful tool for administrators doing bulk directory operations: adding, modifying and deleting users, objects and even schema. All major directory service providers use LDAP (Novell, Microsoft, and Sun). LDAP can be used to batch updates between many different systems, such as mainframes and DS (from many vendors). For real-time, event-driven integration look at Identity Manager (IDM 2), which has over 60 default connectors to many systems (CRM, email, Oracle, etc.)
http://www.novell.com/products/nsureidentitymanager/.

If this service is not used on a day-to-day basis, you should disable it until/unless you need it.

To disable this service:
modify /usr/lib/nds-modules/ndsmodules.conf and remark out the nldap entry, then restart ndsd:
/etc/init.d/ndsd restart
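The edit to ndsmodules.conf can be scripted rather than done by hand, which makes it repeatable and reversible. The script below is an added example; it is not Novell's tooling and not part of this AppNote. It keeps a .bak copy, prefixes `#` to every uncommented line whose first word is the module name, leaves lines that are already commented alone, and reports how many active entries remain so you can verify the change before restarting ndsd. The layout of the embedded sample file (one module name per line in the first column, with anything after it preserved) is an assumption made for the demonstration; check it against the real file before use.

```shell
#!/bin/sh
# Added example (not from the AppNote): comment out an eDirectory module entry
# in ndsmodules.conf in a repeatable, reversible way.

# Number of active (uncommented) entries for module $2 in file $1.
active_entries() {
    awk -v m="$2" '$1 == m { n++ } END { print n + 0 }' "$1"
}

# Comment out every active entry for module $2 in file $1. Keeps a .bak copy,
# is idempotent (already-commented lines are untouched) and preserves all other
# lines. The file is rewritten in place so ownership and permissions survive.
disable_nds_module() {
    file=$1; module=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    tmp=$(mktemp)
    awk -v m="$module" '$1 == m { print "#" $0; next } { print }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$module: $(active_entries "$file" "$module") active entries remain in $file"
}

# Constructed sample (layout assumed, not a copy of a real ndsmodules.conf):
# the module name is the first column, anything after it is preserved as-is.
write_sample_conf() {
    SAMPLE_CONF=$(mktemp)
    cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample; real files may carry more columns after the name
nldap    auto
#nldap   auto
httpstk  auto
EOF
}

# Demo on the sample; real use (as root):
#   disable_nds_module /usr/lib/nds-modules/ndsmodules.conf nldap
#   /etc/init.d/ndsd restart
write_sample_conf
disable_nds_module "$SAMPLE_CONF" nldap   # first run comments the active line
disable_nds_module "$SAMPLE_CONF" nldap   # second run changes nothing
cat "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.bak"
```

After running it against the real file, restart ndsd as the AppNote describes and confirm with netstat that 389 and 636 are no longer listening.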

Port(s): 9005, 9009, 8180
Summary of Service: novell-tomcat4 which is required for iManager (web based administration tool for managing Novell services, and objects).
iManager can be accessed by https://hostname/nps/servlet/webacc

/var/opt/novell/tomcat4/conf/server.xml

Details of Service:
"...Tomcat 4 Servlet/JSP container. Tomcat 4 implements the Servlet 2.3 and JavaServer Pages 1.2 specifications from Java Software, and includes many additional features that make it a useful platform for developing and deploying web applications and web services."
(http://jakarta.apache.org/tomcat/tomcat-4.1-doc/)

Action Suggested: This depends on your environment. If this is an Internet-facing box, consider disabling it until you need to use it; then ssh into the box and enable it by typing /etc/init.d/novell-tomcat4 start

To disable this service:
/etc/init.d/novell-tomcat4 stop
chkconfig novell-tomcat4 off

Methods: netstat -na > tcbefore.txt before and after stopping the tomcat service, confirming with:
grep -r "9005" /var/opt/novell/tomcat4/conf/
grep -r "9009" /var/opt/novell/tomcat4/conf/
grep -r "8180" /var/opt/novell/tomcat4/conf/
which lists the XML files that contain these three ports (9005, 9009, and 8180).
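The before/after comparison used in the Methods above can be scripted so that you see exactly which ports stopped listening and nothing else. The script below is an added example, not part of the AppNote: it extracts listening sockets from two saved netstat -na captures and prints the ones present only in the "before" capture. The two captures embedded in it are constructed sample data in the Linux net-tools format shown elsewhere in this document; on a real server you would redirect netstat -na to a file before and after the stop and pass those two files in.

```shell
#!/bin/sh
# Added example (not from the AppNote): compare listening sockets before and
# after stopping a service, using saved "netstat -na" captures.
LC_ALL=C; export LC_ALL   # byte-order sorting so sort and comm agree

# Print "proto port" for every listening socket in netstat -na output on stdin.
# TCP sockets count only in state LISTEN; a bound UDP socket is always listening.
# Works for IPv4 and IPv6 local addresses (the port is the last ':'-separated field).
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print "tcp", a[n] }
        $1 ~ /^udp/                    { n = split($4, a, ":"); print "udp", a[n] }
    ' | sort -u
}

# Ports listening in the "before" capture ($1) but not in the "after" capture ($2).
ports_closed() {
    before=$(mktemp); after=$(mktemp)
    listening_ports < "$1" > "$before"
    listening_ports < "$2" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample captures (not real output from an OES server) mirroring the
# tomcat case: 9005, 9009 and 8180 stop listening; 22, 524 and udp 427 remain.
write_samples() {
    SAMPLE_BEFORE=$(mktemp); SAMPLE_AFTER=$(mktemp)
    cat > "$SAMPLE_BEFORE" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:524             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9005            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9009            0.0.0.0:*               LISTEN
tcp        0      0 :::8180                 :::*                    LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:427             0.0.0.0:*
EOF
    cat > "$SAMPLE_AFTER" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:524             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:427             0.0.0.0:*
EOF
}

# Demo on the constructed captures. Real use:
#   netstat -na > before.txt; /etc/init.d/novell-tomcat4 stop; netstat -na > after.txt
#   ports_closed before.txt after.txt
write_samples
echo "Ports that stopped listening:"
ports_closed "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

Established connections are ignored on purpose: only the sockets a remote host could connect to matter for this audit. Run ports_closed with the files swapped to list anything that started listening unexpectedly after a change.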

Port(s): 8008, 8009
Summary of Service: novell-httpstkd Novell Remote Manager (NRM) AKA portal. Primarily used for server health and statistics and troubleshooting.

Details of Service:

"Novell® Remote Manager for Linux is a browser-based utility that you can use to manage one or more Linux servers from a remote location.

You can use Novell Remote Manager to monitor your server's health, change the configuration of your server, or perform diagnostic and debugging tasks.

The advantages of using Novell Remote Manager for server management are that:

  • It does not require a special client.
  • It provides a graphical interface that makes interpreting diagnostic information much more comprehensive and easier to manage.
  • It provides added functionality that is not available in the other management utilities.
(http://www.novell.com/documentation/oes/index.html?page=/documentation/oes/remotemgr_lx/data/front.html#bktitle)

Action Suggested: This depends on your environment. Consider enabling this service when you need it.

To disable this service:
/etc/init.d/novell-httpstkd stop
chkconfig novell-httpstkd off

Nessus Reports:
See appendix A under ports 8008 and 8009.

Port(s): 631
Nessus rating: High
Summary of Service: novell-idsd (Novell iPrint DriverStore) and novell-ipsmd (Novell iPrint Manager)

Details of Service:
"iPrint is a printing solution that enables you to send documents to printers located throughout the Net. Using Internet technologies–including the industry-standard Internet Printing Protocol (IPP)–iPrint provides you with global access to printers, customizable views of any print environment, flexible print deployment configurations, and secure printing. iPrint is based on Novell Distributed Print Services™ (NDPS®), a time-tested print solution known for its manageability, scalability, reliability, and ease of use.

Features
The iPrint component of Novell Open Enterprise Server includes several new features:

  • iPrint client for Linux
  • iPrint client for Macintosh
  • Printer Profiles (pre-set printer driver defaults)*
  • NDPS-to-iPrint client migration tools
  • Queue-based printing-to-iPrint migration tool
  • Custom banner pages
  • Auditing
  • Command-line management**
  • Printer consolidation tool
  • Support for Port 9100
  • Hosting of iPrint services on a Linux server
  • *Available only on the Novell NetWare kernel of Open Enterprise Server
  • **Available only on SUSE Linux kernel of Open Enterprise Server"
http://www.novell.com/products/netware/printing/index.html

Action Suggested: Disable if you do not need this service.

To disable this service:
/etc/init.d/novell-idsd stop
chkconfig novell-idsd off
/etc/init.d/novell-ipsmd stop
chkconfig novell-ipsmd off

Nessus Reports:

Port(s): varies
Summary of Service: novell-smdrd -- Novell Storage Management Data Requester daemon, AKA the backup/restore framework.
Details of Service: SMDR is part of SMS.
"NetWare® Storage Management Services™ (SMS) is a collection of software programs that provides backup, restore, and data migration services. SMS allows you to backup targets such as the file system, Novell® eDirectory™, and the GroupWise® on NetWare, to a removable tape media for off-site storage. SMS is cluster-enabled and supports failover or failback of cluster-enabled resources. The backup engines use this infrastructure to provide a complete backup solution."
(http://www.novell.com/documentation/nw65/index.html?page=/documentation/nw65/smsadmin/data/hut0i3h5.html).

Action Suggested: Disable if you do not need this service.

Methods: netstat -na > nssmdr.txt before and after stopping the daemon, repeated several times. The high ports (above 1024) change each time.

Port(s): 7966, 9225, 9203, 9181, 9159, 9112, 9071, 9049, 9027, 9005, and 8391
Summary of Service: novell-xregd - This is an xtier daemon. xtier is AKA Middle Tier, which translates http to NCP for netstorage, and ZENworks.

"The Middle Tier server communicates with the NetWare or Linux servers in the network and provides secure authentication using eDirectory and the users' usernames and passwords. NetStorage also provides secure access to files that users have located on Novell iFolder servers."
(http://www.novell.com/documentation/oes/pdfdoc/netstor_lx/netstor_lx.pdf)

Action Suggested: Disable if you do not need this service.
Methods: netstat -na before and after stopping novell-xregd

To disable this service:
/etc/init.d/novell-xregd stop
chkconfig novell-xregd off

Port(s): 8047, 8060, 8063, 8066, 8069, 8072 , 8089 , 8092 , 8095 , and 8098
Summary of Service: novell-xsrvd, another piece of xtier
Action Suggested: Disable if you do not need this service.
Methods: netstat -na before and after stopping novell-xsrvd

To disable this service:
/etc/init.d/novell-xsrvd stop
chkconfig novell-xsrvd off

Port(s): 137,138, 139, and 445
Summary of Service: smb (Server Message Block), AKA Samba or Microsoft file sharing

"Samba is an Open Source/Free Software suite that has, since 1992, provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the GNU General Public License."
(http://us4.samba.org/samba/)

"What is Samba?

As the front page at samba.org says, 'Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients.' Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.

Samba-3 by Example explains further, saying:

'Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.'"
(http://us4.samba.org/samba/what_is_samba.html)

Action Suggested: Disable if you do not need this service.
Methods: netstat -na before and after stopping daemon

To disable this service:
/etc/init.d/smb stop
/etc/init.d/smbfs stop
chkconfig smb off
chkconfig smbfs off
rcnmb stop (stops 137 and 138)
rcsmb stop (stops 139 and 445)

:/etc/rc.d # grep -r 'rcnmb' /etc/rc.d
/etc/rc.d/nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc3.d/K15nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc3.d/S07nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc5.d/K15nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc5.d/S07nmb:# /usr/sbin/rcnmb
lsof -i tcp:631

Port(s): 111
Summary of Service: sunrpc (the portmapper), used by NFS

Details of Service:

"NFS: The abbreviation for Network File System, NFS is a protocol suite developed and licensed by Sun Microsystems that allows different makes of computers running different operating systems to share files and disk storage."
(http://www.webmage.com/support/glossary.asp)

Action Suggested: Disable if you do not need this service.

Methods: lsof -i tcp:111
If you need this service running, consider increasing the security per this document: http://www.puschitz.com/SecuringLinux.shtml

To disable this service:
/etc/init.d/portmap stop
chkconfig portmap off

Port(s): 524
Summary of Service: NDS AKA eDirectory, Directory Services
This is the core Novell service for authenticating NCP clients and directory access.

Action Suggested: Leave this service running as it is critical for Novell directory services (it is DS!).

To disable this service:
/etc/init.d/ndsd stop
chkconfig ndsd off

Port(s): tcp 427 udp 427
Summary of Service: SLP (service location protocol)

Action Suggested: Leave this service running as it is critical for Novell name resolution.

To disable this service:
/etc/init.d/slpd stop
chkconfig slpd off

Port(s): 22
Summary of Service: SSH (secure shell), the secure replacement for remote telnet

Action Suggested: Leave this service running if you want/need to remote shell into your Linux box.

To disable this service:
/etc/init.d/sshd stop
chkconfig sshd off

Port(s): 505
Summary of Service: RCD (Red Carpet daemon). This is used to update systems/patches and to install packages and keep them up to date.

Details of Service:
"What's Red Carpet?
Red Carpet is the leading software management solution for Linux. The intuitive Red Carpet channel organization and automatic dependency and conflict resolution make it easy to install, update and manage software on Linux workstations and servers. New Red Carpet Services support allows users to manage software from Ximian/Novell, leading Linux distribution providers and a variety of open-source projects. Red Carpet makes it easy to update and manage Linux desktops with improved package inventory, update history, and remote operation. Red Carpet now offers a choice of client interfaces: the redesigned graphical interface, and the "rug" command line interface, which provides simple, powerful commands and easy scriptability."
(http://www.spikesource.com/docs/cs_1.4-linux/doc/redcarpet/redcarpet_release_notes.html)
Action Suggested: Disable if you do not need this service.

To disable this service:
/etc/init.d/rcd stop
chkconfig rcd off

Methods:
netstat -na | grep 505
lsof -i tcp:505

Port(s): 5801, 5901, 6001, 6002
Summary of Service: VNC (Virtual Network Computing). A remote control utility that displays the server's desktop remotely.
Action Suggested: Disable this service unless or until you need to use it (only enable it temporarily).

To disable this service:
Start YaST: Start | System | YaST | Network Services | Remote Administration, then choose 'Do not allow remote administration'.

Methods:
netstat -na | grep 5801
lsof -i tcp:5801

lsof -i tcp:6001

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
Xvnc 27731 nobody 0u IPv6 88773 TCP *:6001 (LISTEN)
Xvnc 27731 nobody 1u IPv4 88774 TCP *:6001 (LISTEN)

Port(s): 5989
Summary of Service: wbem (Web Based Enterprise Management)
To read more about this service see:
http://www.novell.com/coolsolutions/feature/14625.html

Details of Service:
"DMTF, developer of the Common Information Model (CIM), is the technology industry organization leading the development, adoption and interoperability of management standards and initiatives for enterprise and Internet environments. CIM is the breakthrough standard for the exchange of management information in a platform-independent and technology-neutral way, streamlining integration and reducing costs by enabling end-to-end multi-vendor interoperability in management systems.

Key technology vendors and affiliated standards groups that implement CIM deliver a more integrated, cost-effective and less crisis-driven approach to management."
(http://www.dmtf.org/newsroom/presskit/DMTF_backgrounder.pdf)
"About the DMTF
With more than 3,000 active participants, the Distributed Management Task Force, Inc. (DMTF) is the industry organization leading the development of management standards and integration technology for enterprise and Internet environments. DMTF standards provide common management infrastructure components for instrumentation, control and communication in a platform-independent and technology neutral way. DMTF technologies include information models (CIM), communication/control protocols (WBEM), and core management services/utilities."
(http://www.dmtf.org/about)

Action Suggested: Disable this service if you don't need it.

To disable this service:
/etc/init.d/owcimomd stop
chkconfig owcimomd off

Methods:
oes-linux-vm:~ # lsof -i tcp:5989

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
owcimomd 2611 root 21u IPv4 4454 TCP *:wbem-https (LISTEN)

oes-linux-vm:~ # netstat -na | grep 5989
tcp       0       0 0.0.0.0:5989       0.0.0.0:*       LISTEN

Port(s): udp 177
Summary of Service: xdm ("xdm is a graphical login screen")
Details of Service: XDM (X Display Manager)
"X display manager. A front-end utility present on many Unix/Linux desktops that functions as a "login" window. "xdm" presents a prompt for both usernames and passwords."
(http://www.scd.ucar.edu/docs/ssh/guide/node32.html)

Action Suggested: Disable this service if you don't need it.

To disable this service:
/etc/init.d/xdm stop
chkconfig xdm off

Methods:
lsof -i udp:177

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
kdm 4238 root 4u IPv4 7603 UDP *:xdmcp
chkconfig | grep dm
xdm                   on

Port(s): 123
Summary of Service: NTP (Network Time Protocol). This is a critical service for eDirectory, which must maintain correct time. Time must be in sync!
Action Suggested: Leave the service running, but block this port at the firewall inbound.

To disable this service:
/etc/init.d/xntpd stop
chkconfig xntpd off
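Principle 3 in the introduction calls for a baseline that is audited by routine checkups. The script below is an added example, not part of the AppNote: it records the on/off state this section suggests for each OES Linux service as a baseline and compares it with the "name on|off" listing that chkconfig prints on SUSE (the format shown under xdm above), flagging every service whose runlevel state drifted. The baseline assumes a server whose only job is hosting eDirectory, so ndsd, slpd, xntpd and sshd stay on and every optional listener is expected off; adjust the list per server role. The chkconfig listing embedded in the script is constructed sample data, not a capture from a real server.

```shell
#!/bin/sh
# Added example (not from the AppNote): audit chkconfig states against a baseline.
# Baseline assumed here: an OES Linux server that only hosts eDirectory, so the
# services this section calls critical stay on and every optional listener is off.
# Edit this list to match the role of each server.
BASELINE='
ndsd on
slpd on
xntpd on
sshd on
apache2 off
novell-tomcat4 off
novell-httpstkd off
novell-idsd off
novell-ipsmd off
novell-xregd off
novell-xsrvd off
smb off
smbfs off
portmap off
rcd off
owcimomd off
xdm off
'

# Compare the baseline with a saved "chkconfig" listing ($1, "name on|off" per line).
# Prints one line per deviation and nothing when the server matches the baseline.
# A baseline service absent from the listing is reported as "missing" so that an
# uninstalled (or renamed) service is never silently treated as compliant.
audit_runlevels() {
    printf '%s\n' "$BASELINE" | while read -r svc want; do
        [ -n "$svc" ] || continue
        have=$(awk -v s="$svc" '$1 == s { print $2 }' "$1")
        [ -n "$have" ] || have=missing
        [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$svc" "$want" "$have"
    done
}

# Constructed sample listing (not a real capture): apache2, novell-tomcat4 and xdm
# are still enabled and owcimomd is not listed at all; a routine check flags all four.
write_sample_listing() {
    SAMPLE_CHKCONFIG=$(mktemp)
    cat > "$SAMPLE_CHKCONFIG" <<'EOF'
apache2               on
ndsd                  on
novell-httpstkd       off
novell-idsd           off
novell-ipsmd          off
novell-tomcat4        on
novell-xregd          off
novell-xsrvd          off
portmap               off
rcd                   off
slpd                  on
smb                   off
smbfs                 off
sshd                  on
xdm                   on
xntpd                 on
EOF
}

# Demo on the sample. Real use: chkconfig > current.txt; audit_runlevels current.txt
write_sample_listing
audit_runlevels "$SAMPLE_CHKCONFIG"
rm -f "$SAMPLE_CHKCONFIG"
```

Running this from cron and mailing any non-empty output gives the routine checkup the introduction asks for; pair it with a listening-port comparison, since chkconfig only shows what will start at boot, not what is listening right now.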

OES NetWare Services and suggested action

NW65-FS1:version
Novell Open Enterprise Server, NetWare 6.5
Support Pack Revision 03
(C) Copyright 1983-2005 Novell Inc. All Rights Reserved. Patent Pending.
Server Version 5.70.03 January 20, 2005
Novell eDirectory Version 8.7.3.5 SMP
NDS Version 10551.78 January 22, 2005
Server License: Novell NetWare 6 Server 650 SN:
User Licenses: Audited

Port(s): 21
Summary of Service: nwftpd.nlm AKA File Transfer Protocol (FTP).
Action Suggested: Disable this service if possible; at least disable anonymous access via /etc\ftpserv.cfg:
#To Allow or Deny Access to Anonymous Users. Default value is NO
ANONYMOUS_ACCESS=NO

To disable this service:
unload nwftpd
Modify sys:\system\autoexec.ncf and remark out the line that starts FTP, either
#Added By FTP Server
#ftpstart.ncf
or nwftpd.nlm

Port(s): 80 and 443
Nessus rating: High
Summary of Service: http via Apache. Apache is needed for iManager, and iFolder.
Action Suggested: Disable this service if you do not need it.

To disable this service:
ap2webdn.ncf
Modify the sys:\system\autoexec.ncf and remark out the following lines:
#AP2WEBUP
#Apache2 is now the admin server
#ADMSRVUP

Methods:
NW65-FS1:m apache2

APACHE2.NLM
  Loaded from [SYS:\APACHE2\]
  (Address Space = OS)
  Apache Web Server 2.0.52
  Version 2.00.52 November 3, 2004
  Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved.
APACHE2.NLM
  Loaded from [SYS:\APACHE2\]
  (Address Space = ADMINSRV)
  Apache Web Server 2.0.52
  Version 2.00.52 November 3, 2004
  Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved.
NW65-FS1:

Port(s): 81
Summary of Service: Novell Remote Manager (NRM) AKA portal. Primarily used for server health, statistics and troubleshooting. Sometimes NetMail may listen on port 81 instead of NRM.
Details of Service:

"Novell® Remote Manager for NetWare® (portal.nlm) is a browser-based utility that you can use to manage one or more NetWare servers from a remote location. Novell Remote Manager provides all the functionality of Monitor, along with some functionality of other utilities available at the server console; however, Novell Remote Manager makes this functionality available from a Web browser. You can use Novell Remote Manager to monitor your server's health, change the configuration of your server, or perform diagnostic and debugging tasks.
The advantages of using Novell Remote Manager rather than Monitor or RConsolej for server management are:
  • It accesses information much more quickly than other remote management tools.
  • It is installed by default on all NetWare servers and requires no special configuration for most operations.
  • It does not require a special client.
  • It provides a graphical interface that makes interpreting diagnostic information much more comprehensible and easier to manage.
  • It provides added functionality that is not available in the other management utilities."
(http://www.novell.com/documentation/nw65/remotemgr/data/a7m35he.html)

Action Suggested: Disable if this service is not needed.

To disable this service:
unload portal (and supporting modules, for example nfsstop.ncf)
unload httpstk (and supporting modules), or remark out httpstk.nlm and portal in sys:\system\autoexec.ncf and reboot.

Methods:
Browse to https://hostname:81; while NRM is loaded it redirects to https://hostname:8009.

Port(s): 111 (tcp/udp), 731 (tcp), 846 (tcp), 847 (tcp), 2049 (tcp/udp), 32778 (tcp/udp), and 32779 (tcp/udp)
Summary of Service: NFS via Native File Access Pack (NFAP). Allows native NFS clients (Linux and UNIX) to mount a Novell volume natively as an NFS mount point.
Details of this Service:
"NFS (Network File System) can be called a true distributed file system, and came from "the network is the computer" people at Sun. Technically a client/server application, NFS allows remote clients to "mount" a local file system at designated mount points. To the remote client, the mounted file system looks exactly like a subdirectory branch structure of the local file system. Sun released the specifications for NFS to allow other vendors to get involved, but they remain in control."
(http://www.novell.com/info/collateral/docs/4621202.01/4621202.html)

Action Suggested: Disable this service if it is not needed.

To disable this service:
nfsstop.ncf
Modify sys:\system\autoexec.ncf and remark out the nfsstart.ncf line.

Methods:
telnet hostname port against each of the ports above, once with nfsstart.ncf loaded and again after nfsstop.ncf; afterwards every TCP connection should be refused.
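The telnet check above applies to every "To disable this service" step in this section, so it is worth scripting. The following is an added example written for this editing pass, not code from the original AppNote or from Novell: it parses a port list written the way this document writes them, probes the TCP entries, and reports any that are still open after the service has been stopped. The host name nw65-fs1.example.com, the one-second timeout and the loopback self-test are assumptions; UDP entries are skipped because a plain connect() cannot confirm a UDP listener.

```python
"""Port-baseline check for an OES NetWare host (added example, not from the AppNote)."""
import re
import socket
import threading

# Constructed input: the NFS/NFAP port list exactly as the AppNote writes it.
NFS_PORTS_AS_WRITTEN = ("111 (TCP/UDP), 731 (TCP), 846 (TCP), 847 (TCP), "
                        "2049 (TCP), 32779 (udp), 32778(udp), 2049 (udp), "
                        "32779(tcp), and 32778(tcp)")

# "port (PROTO)" or "port (PROTO/PROTO)", with or without a space before "("
_ENTRY = re.compile(r"(\d{1,5})\s*\(([A-Za-z/]+)\)")


def parse_port_list(text):
    """Normalise the list into sorted (port, proto) tuples, merging
    duplicates such as '2049 (TCP)' and '2049 (udp)'."""
    found = set()
    for port, protos in _ENTRY.findall(text):
        for proto in protos.lower().split("/"):
            if proto in ("tcp", "udp"):
                found.add((int(port), proto))
    return sorted(found)


def probe_tcp(host, port, timeout=1.0):
    """'open' if a TCP handshake completes, 'closed' if the host answers
    with a reset (connection refused), 'filtered' if nothing answers or
    the host cannot be resolved."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # timeout, unreachable, DNS failure
            return "filtered"


def check_ports(host, ports, expect_closed=True, timeout=1.0):
    """Probe every TCP entry and return the ones whose state contradicts
    the expectation.  After nfsstop.ncf you want this list to be empty;
    with expect_closed=False it instead lists ports that should be up
    but are not (a baseline check after a reboot).  UDP entries are
    skipped: connect() cannot confirm a UDP listener."""
    violations = []
    for port, proto in ports:
        if proto != "tcp":
            continue
        state = probe_tcp(host, port, timeout)
        if expect_closed and state == "open":
            violations.append((port, state))
        elif not expect_closed and state != "open":
            violations.append((port, state))
    return violations


def demo_with_local_listener():
    """Self-contained demonstration of the probe: open a listener on an
    ephemeral loopback port, confirm it shows as open, close it and
    confirm it then shows as closed.  Returns (before, after)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    # accept in the background so the probe's connect() completes cleanly
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    before = probe_tcp("127.0.0.1", port)
    t.join(2)
    srv.close()
    after = probe_tcp("127.0.0.1", port)
    return before, after


if __name__ == "__main__":
    ports = parse_port_list(NFS_PORTS_AS_WRITTEN)
    print("ports to check:", ports)
    print("loopback self-test (open, closed):", demo_with_local_listener())
    # The host name is an assumption; point it at the server just hardened.
    print("still open after nfsstop.ncf:",
          check_ports("nw65-fs1.example.com", ports))
```

Run it once before the nfsstop.ncf step with expect_closed=False to prove the probe actually sees the listeners (a "filtered" result on every port usually means a firewall in the path, not a hardened server), then again afterwards with the default expect_closed=True; the same port-list parser can be fed the port lines of any other entry in this section.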

Port(s): 137 (udp, NetBIOS name service) and 139 (tcp, NetBIOS session)
Summary of Service: CIFS, AKA Microsoft (SMB) shares. This allows native Microsoft clients to map a drive to a Novell server.
Details of Service:
"CIFS comes from Microsoft's mediocre MS-NET networking technology using SMB (Server Message Block) from back in the DOS days. SMB technology still powers Windows 95/98 peer-to-peer networking, and the security level, poor early on, deserves a failing mark today.

Trying to update SMB to something more open and reliable, Microsoft sent CIFS to the standards committees. The good news about CIFS over SMB comes from the protocol support: TCP/IP rather than NetBIOS. If nothing else, be thankful that Microsoft finally purged NetBIOS from (most of) their systems, eliminating the need to try and manage a weak, local, insecure communication pseudo-protocol.

When you notice a Linux server includes a SAMBA server, that's an open-systems solution to emulate a Windows server. Handy, but insecure. Novell File Access Protocols for CIFS goes far beyond the standard SAMBA emulation server software."
(http://www.novell.com/info/collateral/docs/4621202.01/4621202.html)

Action Suggested: Disable this service if it is not needed.

To disable this service:
cifsstop.ncf
Modify sys:\system\autoexec.ncf and remark out the CIFSSTRT.NCF line.

Port(s): 389 and 636
Summary of Service: LDAP (Lightweight Directory Access Protocol), nldap.nlm. 389 is plain LDAP, 636 is LDAP over SSL/TLS.
Details of Service:

"LDAP (Lightweight Directory Access Protocol): a popular protocol for providing directory services. Despite the name, LDAP isn't very "light weight": LDAP has been adopted by several companies including Netscape Communications and has become a de facto standard for directory services. Other LDAP-compatible offerings include Novell's Novell Directory Services (NDS) and Microsoft Corporation's Active Directory."
(http://mixonline.com/mag/audio_pedant_big_box_4/)
Action Suggested: Disable this service if it is not needed.
By default, the eDirectory LDAP server still listens on 389, but it does NOT accept clear-text simple binds (a password sent over an unencrypted connection); the administrator must explicitly allow clear-text passwords on the LDAP Server object, which is NOT recommended. Anonymous binds are allowed by default (see the LDAP finding in Appendix A).

To disable this service:
unload nldap.nlm
Modify sys:\system\autoexec.ncf and remark out the LOAD NLDAP.NLM line:
#LOAD NLDAP.NLM

Port(s): 427
Summary of Service: SLP (service location protocol)
Details of Service:
"The Service Location Protocol (SLP) is an Internet standard protocol (RFC 2165) that enables client applications to dynamically discover services in TCP/IP networks. Novell® provides implementations of SLP for NetWare®, Windows* 95, Windows 98, Windows NT*, and Windows 2000."
(http://www.novell.com/documentation/ndsedir86/taoenu/data/a2iiimc.html)
Action Suggested: This is a critical service for Novell name resolution, for both servers and clients, so leave it running. Restrict port 427 at the perimeter instead; SLP only needs to be reachable from your own clients and servers.

To disable this service:
Unload slptcp.nlm (Do NOT do this if you want people to be able to find your server and log in!)

Port(s): 548
Summary of Service: AFP (Apple protocol via NFAP). This allows native Macintosh workstations to map a drive to a Novell server and its volumes.
Details of Service:
"Apple Filing Protocol's roots remain in the early AppleTalk days of peer-to-peer, everyone shares everyone's hard disk days. Not secure, not fast. With NFAP for AFP, you gain security through NDS eDirectory, and you gain at least 30 percent faster file service (thanks to TCP/IP) through NetWare emulating an AppleShare server than earlier AFP/NetWare software. Two good reasons to once again use NetWare as your central AppleShare server."
(http://www.novell.com/info/collateral/docs/4621202.01/4621202.html#access)

Action Suggested: Disable this service if it is not needed.

To disable this service:
afpstop.ncf
Modify sys:\system\autoexec.ncf and remark out the AFPSTRT.NCF line:
#AFPSTRT.NCF

Port(s): 631
Nessus rating: High
Summary of Service: IPP (Internet Printing Protocol) -- iPrint
Details of Service:

"iPrint is a printing solution that enables you to send documents to printers located throughout the Net. Using Internet technologies–including the industry–standard Internet Printing Protocol (IPP)–iPrint provides you with global access to printers, customizable views of any print environment, flexible print deployment configurations, and secure printing. iPrint is based on Novell Distributed Print Services™(NDPS®), a time-tested print solution known for its manageability, scalability, reliability, and ease of use.

Features
The iPrint component of Novell Open Enterprise Server includes several new features:
  • iPrint client for Linux
  • iPrint client for Macintosh
  • Printer Profiles (pre-set printer driver defaults)*
  • NDPS-to-iPrint client migration tools
  • Queue-based printing-to-iPrint migration tool
  • Custom banner pages
  • Auditing
  • Command-line management**
  • Printer consolidation tool
  • Support for Port 9100
  • Hosting of iPrint services on a Linux server
  • *Available only on the Novell NetWare kernel of Open Enterprise Server
  • **Available only on SUSE Linux kernel of Open Enterprise Server"
(http://www.novell.com/products/netware/printing/index.html)

Action Suggested: Disable this service if it is not needed.

To disable this service:
Modify sys:\apache2\conf\httpd.conf and remark out the iPrint include:
##### Begin Novell iPrint configuration #####
#include iprint/ipp.conf
##### End Novell iPrint configuration #####
After modifying the conf file, type AP2WEBDN.NCF at the console to stop Apache, then AP2WEBUP.NCF to restart it with the new configuration.

Port(s): 873
Summary of Service: rsync, an "open source utility that provides fast incremental file transfer" (http://samba.anu.edu.au/rsync). The author of this document has also written an article on configuring rsync on NetWare; for more details on rsync please see:
http://www.novell.com/coolsolutions/appnote/654.html

Action Suggested: Disable this service if it is not needed.

To disable this service:
unload rsyncnrm.nlm
unload rsync.nlm
unload rsyncst.nlm

Modify sys:\system\autoexec.ncf and remark out the rsync lines:
SEARCH ADD SYS:\RSYNC
#LOAD RSYNCNRM

Port(s): 1234 (tcp), 1234 (udp)
Summary of Service: QuickFinder (Novell's server-side search engine).
For more details see: http://www.novell.com/products/openenterpriseserver/quickfinder.html

Action Suggested: Disable this service if it is not needed.

To disable this service:
Modify sys:\system\autoexec.ncf, remark out the following line and reboot:
#LOAD EMBOX.NLM
embox.nlm loads QuickFinder automatically, so remarking out embox also stops QuickFinder. Note that eMBox (the eDirectory Management Toolbox) hosts other tools as well, so check what else you lose before doing this.

Port(s): 2034 and 2036
Nessus rating: High
Summary of Service: rconag6.nlm (remote console over IP). This service lets you remote control the NetWare console with RConsoleJ. The three numbers on the LOAD line are the TCP port (2034), the SPX port (16800) and the secure TCP port (2036).
sys:\system\autoexec.ncf has the following by default:
#RCONAG6.NLM is required by RConsoleJ
#LOAD RCONAG6 <Your Password Here> 2034 16800 2036

Do NOT put your password here in clear text; anyone who can read sys:\system\autoexec.ncf would then have the console password. Do this instead:
  1. At the console type LOAD RCONAG6 ENCRYPT, press Enter and follow the prompts to enter your desired RConsoleJ password. This creates sys:\system\ldrconag.ncf, which contains a line like:
LOAD RCONAG6 -E 28D5D5BF85614FD1F368D4E171FA110B 2034 16800 2036
  2. Call ldrconag.ncf from autoexec.ncf in place of the LOAD RCONAG6 line.

This is a hash value of the password; I would not trust this completely.

Action Suggested: Disable this service if it is not needed.

To disable this service:
unload rconag6.nlm (if you are connected to the server via RConsoleJ, you will lose your session when you unload this)

Modify sys:\system\autoexec.ncf and remark out:

#ldrconag.ncf

#LOAD RCONAG6 mypassword 2034 16800 2036

Port(s): 2200 and 2211
Nessus rating: High (2200)
Summary of Service: Web site, welcome site, and administration server (the Apache instance in the ADMINSRV address space).
Details of Service:
"NetWare® Web Manager is a browser-based management tool used to configure and manage the NetWare Enterprise Web server. But it also serves as a front door to other NetWare browser-based management tools, such as NetWare Remote Manager. It can be likened to a Web site's home page with links to other resources and tools.

HINT: Web Manager and many other Web-based management tools used for managing NetWare 6 rely on the industry leading Apache Web server. Therefore, when viewing Web Manager access or error log files, or when shutting down or restarting Web Manager, you are actually affecting the Apache Server, not the NetWare Enterprise Web Server.

Using a workstation and Web browser, you can access Web Manager either locally (from within your WAN or LAN), or from remote locations where you have Internet access. Web Manager lets you
  • Manage the Enterprise Web Server
  • Monitor Web server activity
  • Set up and manage user authentication and access to information on your server using Novell® eDirectory™ or local database modes
  • Access other browser-based management tools such as NetWare Remote Manager or NetWare Web Search Server (see Table 1, NetWare 6 Web-based Management Tools)."

(http://www.novell.com/documentation/nw6p/adminenu/data/ac1kab2.html)

Action Suggested: Chances are you will need this service; if not, disable it.

To disable this service:
Modify the configuration file sys:\adminsrv\conf\adminserv.conf and remark out the virtual host settings for port 2200.

Port(s): 3306
Summary of Service: mysql (Open source SQL engine).
Details of Service:
"MySQL is an open-source relational database management system that allows you to use Java*, C, Perl, and PHP APIs to access persistent data.

The MySQL database server is the world's most popular open source database. Its architecture makes it extremely fast and easy to customize. Extensive reuse of code within the software and a minimalistic approach to producing functionally-rich features has resulted in a database management system unmatched in speed, compactness, stability, and ease of deployment. The unique separation of the core server from the storage engine makes it possible to run with strict transaction control or with ultra-fast transactionless disk access, whichever is most appropriate for the situation."
(http://forge.novell.com/modules/xfmod/project/?mysql)

Action Suggested: Disable this service if it is not needed.

To disable this service:
unload mysql.nlm
Modify sys:\system\autoexec.ncf and remark out the mysqld_safe line:
# -- Added by MYSQL Install --
SEARCH ADD SYS:\mysql\bin
#mysqld_safe --autoclose
# -- End of MYSQL Install --

Port(s): 3351
Summary of Service: Btrieve (Pervasive Software database used by core NetWare).
Details of Service:
"bspxcom.nlm 7.90.000 (Build 230)
  • Handles incoming requests to btrieve.nlm from a remote source via SPX™.
  • If unloaded, remote communication to btrieve.nlm will not be possible.
  • Btrieve* monitor utility is dependent on bspxcom.nlm.
  • Loaded by default only if IPX™ is a loaded protocol.
btcpcom.nlm 7.90.000 (Build 230)
  • Handles incoming requests to btrieve.nlm from a remote source via TCP/IP.
  • If unloaded, remote communication to btrieve.nlm will not be possible.
  • Btrieve monitor utility is dependent on bspxcom.nlm.
Loaded by default only if TCP/IP is a loaded protocol."
(http://www.novell.com/documentation/nw65/nlm_list/data/ai0oeh9.html)

Action Suggested: This is such a core service that it may not be possible to disable it. If so, restrict access to port 3351 with filtcfg.nlm (the native NetWare packet filter) or with perimeter firewall rules.

Port(s): 6901
Summary of Service: jstcp.nlm -- Jetstream TCP Transport Layer.

Action Suggested: unknown. iChain is an appliance-type security device built on the NetWare kernel. Until you know what uses this listener, filter port 6901 at the perimeter.

Port(s): 8008 and 8009
Summary of Service: Novell Remote Manager (NRM), also known as portal. Primarily used for server health, statistics and troubleshooting.
Action Suggested: This depends on your environment. Chances are you will want to use this service; consider loading it only when you need it.

To disable this service:
unload portal.nlm (and its dependent processes)
unload httpstk.nlm
Modify sys:\system\autoexec.ncf and remark out:
#load httpstk.nlm /SSL /keyfile:"SSL CertificateIP"
#LOAD PORTAL.NLM

Port(s): 9009 (TCP), 9010 (TCP), and 691 (UDP)
Summary of Service: Tomcat (servlet container used alongside the Apache web server). Tomcat is required for iManager, the web-based tool for administering Novell services and eDirectory objects.
Action Suggested: Disable this service until you need it.
Details of Service:
"Tomcat enables the NetWare Enterprise Web Server to execute Java servlets. A servlet can be thought of as a server-side applet without a user interface. Tomcat provides Web application developers with additional functionality. For example, a servlet could be written and deployed to process data obtained from a client via an HTML form and the server-side data processing could manipulate the data and store results in a database. Servlets provide an alternative to CGI." (http://www.novell.com/documentation/nw6p/index.html?page=/documentation/nw6p/adminenu/data/a3fd4py.html)
Tomcat is a servlet container, which is a runtime shell that manages and invokes servlets when they are requested by a Web browser or by another servlet. Servlets are programs that run on a Web server and automatically generate Web pages as a result of user input. Two or more servlets working together to provide a common set of functions is referred to as a Web application.

Web servers, such the Apache Web server, also included with Open Enterprise Server (OES) NetWare®, depend on a servlet container like Tomcat to process JavaServer Pages (JSPs) and servlets.

Tomcat provides many business benefits to your existing network that can ultimately increase productivity, improve communication between departments and employees. When used in conjunction with the Apache Web server, Tomcat can host powerful Web applications.

Here are some of the key uses and benefits of using Tomcat on NetWare:
  • Offers a highly flexible, robust JSP servlet container that is tightly integrated with NetWare.
  • Provides a simple entry point for organizations planning to prototype and deploy Java* based utilities and solutions on a NetWare server.
  • Works with major development tools available through commercial vendors and open source communities.
  • Tomcat can be deployed with Novell® Cluster Services™ (included with NetWare) to provide high availability, load balancing, and fault tolerance for important business processes running in the Tomcat JSP servlet container."
(http://www.novell.com/documentation/oes/index.html?page=/documentation/oes/web_tomcat/ Chttp://developer.novell.com/repositordata/ahdyran.html)

To disable this service:
tcadmdn.ncf (9009)
tc4stop.ncf (9010, 691)

Modify sys:\system\autoexec.ncf and remark out:
#tcadmup.ncf
#sys:/tomcat/4/bin/tomcat4.ncf

Port(s): 161
Nessus rating: High (with default public string)
Summary of Service: SNMP (Simple Network Management Protocol), jokingly expanded as "Security Not My Problem". SNMP reports OS- and application-level events (traps) to a management station (ZENworks for Servers among others).

Action Suggested: Disable this service if possible. If not, change the monitor, control and trap community strings from the default (public) to values that are not in a dictionary, and rotate them regularly (every 60 days or as your security policy requires). SNMP v1 and v2c send the community string in clear text on the wire, so also filter UDP 161 so that only your management station can reach it. To change the strings, modify sys:\etc\netinfo.cfg or, preferably, do it through inetcfg.nlm:

LOAD SNMP MonitorCommunity=nowatchme ControlCommunity=nohackme TrapCommunity=noalertme

To disable this service:
This may be a project in and of itself. Remark the LOAD SNMP line out of netinfo.cfg. If you edit netinfo.cfg by hand, remember to delete netinfo.chk (the checksum INETCFG keeps of the file); editing the file this way is not supported by Novell.
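Checking community strings by eye is error-prone, so here is an added example (not code from the AppNote or from Novell) that audits a LOAD SNMP line as INETCFG writes it to netinfo.cfg or as you would type it at the console. The word list is a constructed stand-in for a real dictionary file, the 8-character minimum is an assumption, and a role that is missing from the line is assumed to fall back to public, the default the Nessus rating above refers to.

```python
"""Audit NetWare SNMP community strings (added example, not from the AppNote)."""
import re

ROLES = ("MonitorCommunity", "ControlCommunity", "TrapCommunity")
# Assumption: a role left off the LOAD SNMP line falls back to this value,
# the read community that the Nessus "default public string" rating refers to.
FALLBACK = "public"
# Well-known defaults a scanner tries first (CAN-1999-0517 is exactly this).
KNOWN_DEFAULTS = {"public", "private", "secret", "monitor", "manager", "control"}
# Constructed stand-in for a real dictionary file.
WORDLIST = {"password", "netware", "novell", "server", "admin", "snmp", "community"}
MIN_LENGTH = 8  # assumption; use your own policy's value

_OPTION = re.compile(r"(\w+Community)\s*=\s*(\S+)", re.IGNORECASE)


def parse_load_snmp(line):
    """Return {role: value} for a 'LOAD SNMP ...' line."""
    if not line.strip().lower().startswith("load snmp"):
        raise ValueError("not a LOAD SNMP line: %r" % line)
    values = {role: FALLBACK for role in ROLES}
    for key, value in _OPTION.findall(line):
        for role in ROLES:
            if key.lower() == role.lower():
                values[role] = value.strip('"')
    return values


def audit_community(role, value, others):
    """List the weaknesses of one community string; [] means none found."""
    problems = []
    lowered = value.lower()
    if lowered in KNOWN_DEFAULTS:
        problems.append("%s: well-known default '%s'" % (role, value))
    if len(value) < MIN_LENGTH:
        problems.append("%s: shorter than %d characters" % (role, MIN_LENGTH))
    if lowered in WORDLIST:
        problems.append("%s: dictionary word" % role)
    if value in others:
        problems.append("%s: reused for another community" % role)
    return problems


def audit_load_snmp(line):
    """Audit a whole LOAD SNMP line; an empty list means no finding."""
    values = parse_load_snmp(line)
    findings = []
    for role, value in values.items():
        others = [v for r, v in values.items() if r != role]
        findings.extend(audit_community(role, value, others))
    return findings


if __name__ == "__main__":
    # Constructed sample lines: the AppNote's recommended line and two weak ones.
    for sample in (
        "LOAD SNMP MonitorCommunity=nowatchme ControlCommunity=nohackme TrapCommunity=noalertme",
        "LOAD SNMP",
        "LOAD SNMP ControlCommunity=private TrapCommunity=netware",
    ):
        findings = audit_load_snmp(sample)
        print(sample)
        print("  " + ("\n  ".join(findings) if findings else "no findings"))
```

The reuse check matters because the control community grants write access: if it equals the monitor community, anyone who can read the server can also change it. Swap WORDLIST for a real dictionary and feed the function the LOAD SNMP line from each server's netinfo.cfg as part of the routine baseline audit.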

Port(s): 123
Summary of Service: NTP (Network Time Protocol), which provides time services to eDirectory/NDS.

Action Suggested: This is a critical service; eDirectory depends on synchronized time for its timestamps. Leave it running and use your perimeter firewall rules to restrict who can reach UDP 123.

Port(s): 902, 903, 904
Nessus rating: High (903)
Summary of Service: unknown
Action Suggested:
Methods: When I went back to figure out what these services were, they were not listening.

"ideafarm-chatt 902/tcp ideafarm-chatt
ideafarm-chatt 902/udp ideafarm-chatt
ideafarm-catch 903/tcp ideafarm-catch
ideafarm-catch 903/udp ideafarm-catch
904-910 Unassigned." (http://www.iana.org/assignments/port-numbers)

Conclusion:

From this document you have learned about the many ports and services listening by default on OES Linux and OES NetWare (both running Novell services). This is a classic case of ease of use versus security. My recommendation is to research diligently whether or not you need each service; if you do not need it, disable or uninstall it. If you must keep a service running to provide functionality to your users or customers, then research how to increase its security through configuration, firewall rules (inbound and outbound), IDS (host and network), patches, baselines, best practices, and continual vigilance. The introduction of this document pointed you to many good references for securing services that must be kept running.

This document showed step by step how to disable potentially unneeded default services on OES NetWare and OES Linux.

Annotated Bibliography

Anderson, A. (2003). Introduction to Nessus. Retrieved April 28, 2005, from http://www.securityfocus.com/infocus/1741
Mr. Anderson wrote three introductory articles on installing, configuring and using Nessus.
"Nessus is a great tool designed to automate the testing and discovery of known security problems. Typically someone, a hacker group, a security company, or a researcher discovers a specific way to violate the security of a software product. The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. Nessus is designed to help identify and solve these known problems, before a hacker takes advantage of them."

Apache.org (n.d.). apache.org. Retrieved May 16, 2005.
This web site is the Apache project's home. It defines and explains what Apache is, including Tomcat.

Deraison, R. (2004). Nessus Open Source Vulnerability Scanner Project. Retrieved April 21, 2005, from Nessus.org
Renaud Deraison is the main author of Nessus, the open source tool for assessing known vulnerabilities. Nessus is able to assess the OS, applications and networking protocols.

Harris, S. (2003). CISSP Certification All-in-One Exam Guide, Second Edition.
I plan to quote and/or paraphrase security principles from this book. I read and re-read this book when I studied to challenge the CISSP exam. Now, after passing the exam, I find myself going back to it as a reference book. This book covers the 10 domains of the common body of knowledge (CBK) well. The 10 domains are: Security Management Practices; Access Control; Security Models and Architecture; Physical Security; Telecommunications and Networking Security; Cryptography; Business Continuity Planning; Law, Investigation, and Ethics; Application and System Development; and Operations Security.

Reschke, J. (2004). Apache.org defect/bug report referenced in a Nessus scan report. Retrieved April 28, 2005, from http://issues.apache.org/bugzilla/show_bug.cgi?id=31183
This bug report details the denial of service attack that OES Linux in its default configuration is susceptible to. Nessus report: "Solution : Upgrade to Apache 2.0.51 Risk factor : High".

Nessus.org (n.d.). CAN report on OpenSSL 0.9.6 and 0.9.7 vulnerability (NetWare and SLES). Retrieved April 28, 2005, from http://cgi.nessus.org/cve.php3?cve=CAN-2003-0543
Similar to a bug report, but with a brief description of the vulnerability. "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values."

Nessus.org (n.d.). CAN report on remote RPC buffer overflow vulnerability (NetWare). Retrieved April 29, 2005, from http://cgi.nessus.org/cve.php3?cve=CVE-2001-0779
"Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username."

Nessus.org (n.d.). CAN report CAN-2004-1147 in phpMyAdmin 2.6.0-pl2 vulnerability (NetWare). Retrieved April 29, 2005, from http://cgi.nessus.org/cve.php3?cve=CAN-2004-1147
"phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters."

Nessus.org (n.d.). CAN report CAN-1999-0509 perl, sh, cgi vulnerability (NetWare). Retrieved April 29, 2005, from http://cgi.nessus.org/cve.php3?cve=CAN-1999-0509
"Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands."

Nessus.org (n.d.). CAN report CAN-1999-0517 SNMP default read community (public) (NetWare). Retrieved April 29, 2005, from http://cgi.nessus.org/cve.php3?cve=CAN-1999-0517
"An SNMP community name is the default (e.g. public), null, or missing."

Novell Inc. (n.d.). Novell Online Documentation. Retrieved May 16, 2005, from novell.com
Novell.com is referenced for details of services. Typically the 'Summary of Service' is in my own words; for the 'Details of Service' I quote novell.com.

Maslowski-Yerges (2004). Novell AppNote: Securing a Novell Nterprise Linux Services Server: Step-by-Step (SUSE 8, NNLS 1.0). Retrieved April 29, 2005, from http://www.novell.com/coolsolutions/appnote/1651.html
This is a lengthy (52 pages) step-by-step process/checklist for increasing the security of SLES with Novell services on it (pre-OES Linux). NovaCoast is a respected services organization. The author of that AppNote has many SANS.ORG certifications. I plan to reference this appnote in my paper.

Samba.org (n.d.). Samba project documentation and collaboration website. Retrieved May 16, 2005.
Samba.org is a wonderful resource to explain the details of Samba.

Appendix A OES Linux Default Assessment

Network Vulnerability Assessment Report 24.04.2005
Sorted by host names

Session name: OES Linux
Start Time: 24.04.2005 08:28:04
Finish Time: 24.04.2005 11:06:38
Elapsed: 0 day(s) 02:38:33

Total records generated: 108
high severity: 4
medium severity: 25
informational: 79

10.10.10.15
Service (port) -- Severity: Description
ssh (22/tcp) -- Info: Port is open
http (80/tcp) -- Info: Port is open
sunrpc (111/tcp) -- Info: Port is open
netbios-ssn (139/tcp) -- Info: Port is open
ldap (389/tcp) -- Info: Port is open
svrloc (427/tcp) -- Info: Port is open
https (443/tcp) -- Info: Port is open
microsoft-ds (445/tcp) -- Info: Port is open
mailbox-lm (505/tcp) -- Info: Port is open
ncp (524/tcp) -- Info: Port is open
ipp (631/tcp) -- Info: Port is open
ldaps (636/tcp) -- Info: Port is open
unknown (5801/tcp) -- Info: Port is open
unknown (5901/tcp) -- Info: Port is open
wbem-https (5989/tcp) -- Info: Port is open
x11 (6001/tcp) -- Info: Port is open
x11 (6002/tcp) -- Info: Port is open
http-alt (8008/tcp) -- Info: Port is open
unknown (8009/tcp) -- Info: Port is open
unknown (8028/tcp) -- Info: Port is open
unknown (8030/tcp) -- Info: Port is open
unknown (8180/tcp) -- Info: Port is open
unknown (9009/tcp) -- Info: Port is open
xdmcp (177/udp) -- Info: Port is open
ntp (123/udp) -- Info: Port is open
sunrpc (111/udp) -- Info: Port is open
netbios-ns (137/udp) -- Info: Port is open
unknown (8030/tcp) -- High: The remote host seems to be running a version of OpenSSL which is older than 0.9.6k or 0.9.7c.

There is a heap corruption bug in this version which might be exploited by an attacker to gain a shell on this host.

Solution : If you are running OpenSSL, Upgrade to version 0.9.6k or 0.9.7c or newer
Risk factor : High
CVE : CAN-2003-0543, CAN-2003-0544, CAN-2003-0545 BID : 8732
Other references : IAVA:2003-A-0015, RHSA:RHSA-2003:291-01, SUSE:SUSE-SA:2003:043
ipp (631/tcp) -- High: The remote host is running a version of Apache2 which is older than 2.0.51.

It is reported that versions prior 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process.

In addition to this, versions prior 2.0.51 are prone to a remote buffer overflow when parsing an URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.

See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
Solution : Upgrade to Apache 2.0.51
Risk factor : High
CVE : CAN-2004-0786, CAN-2004-0747, CAN-2004-0748, CAN-2004-0751, CAN-2004-0809
BID : 11185, 11187
https (443/tcp) -- High: The remote host is running a version of Apache2 which is older than 2.0.51.

It is reported that versions prior 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process.

In addition to this, versions prior 2.0.51 are prone to a remote buffer overflow when parsing an URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.

See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
Solution : Upgrade to Apache 2.0.51
Risk factor : High
CVE : CAN-2004-0786, CAN-2004-0747, CAN-2004-0751, CAN-2004-0748, CAN-2004-0809
BID : 11185, 11187
http (80/tcp) -- High: The remote host is running a version of Apache2 which is older than 2.0.51.

It is reported that versions prior 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process.

In addition to this, versions prior 2.0.51 are prone to a remote buffer overflow when parsing an URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.

See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
Solution : Upgrade to Apache 2.0.51
Risk factor : High
CVE : CAN-2004-0786, CAN-2004-0747, CAN-2004-0751, CAN-2004-0748, CAN-2004-0809
BID : 11185, 11187
ipp (631/tcp) -- Medium: The remote host appears to be running a version of Apache 2.x which is older than 2.0.50.

There is denial of service in apache httpd 2.0.x by sending a specially crafted HTTP request. It is possible to consume arbitrary amount of memory. On 64 bit systems with more than 4GB virtual memory this may lead to heap based buffer overflow. See also http://www.guninski.com/httpd1.html

There is also a denial of service vulnerability in mod_ssl's ssl_io_filter_cleanup function. By sending a request to vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.

Solution : Upgrade to Apache/2.0.50 or newer
Risk factor : Medium
CVE : CAN-2004-0493
BID : 10619, 12877
Other references : OSVDB:7269
http (80/tcp) -- Medium: The remote host appears to be running a version of Apache 2.x which is older than 2.0.50.

There is denial of service in apache httpd 2.0.x by sending a specially crafted HTTP request. It is possible to consume arbitrary amount of memory. On 64 bit systems with more than 4GB virtual memory this may lead to heap based buffer overflow. See also http://www.guninski.com/httpd1.html

There is also a denial of service vulnerability in mod_ssl's ssl_io_filter_cleanup function. By sending a request to vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.

Solution : Upgrade to Apache/2.0.50 or newer
Risk factor : Medium
CVE : CAN-2004-0493
BID : 10619, 12877
Other references : OSVDB:7269
ldap (389/tcp) -- Medium: The server's directory base is set to NULL. This allows information to be enumerated without any prior knowledge of the directory structure.

The following information was pulled from the server via a LDAP request:

Solution: Disable or restrict anonymous binds in LDAP if not required
See also: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10077872.htm
Risk Factor: Medium
https (443/tcp) -- Medium: Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See:
http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium
BID : 9506, 9561, 11604
ssh (22/tcp) -- Medium: The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically safe so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
mailbox-lm (505/tcp) -- Medium: The SSL certificate of the remote service expired 030724183953Z!
ipp (631/tcp) -- Medium: ht://Dig's configuration file is located at:

CVE : CAN-2000-1191
ipp (631/tcp) -- Medium: Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:

<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See:
http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium
BID : 9506, 9561, 11604
http
(80/tcp)
Medium ht://Dig's configuration file is located at:

CVE : CAN-2000-1191
https
(443/tcp)
Medium ht://Dig's configuration file is located at:

CVE : CAN-2000-1191
https
(443/tcp)
Medium The remote host appears to be running a version of Apache 2.x which is older than 2.0.50.

There is a denial of service in Apache httpd 2.0.x: by sending a specially crafted HTTP request it is possible to consume an arbitrary amount of memory. On 64-bit systems with more than 4GB of virtual memory this may lead to a heap-based buffer overflow. See also http://www.guninski.com/httpd1.html

There is also a denial of service vulnerability in mod_ssl's ssl_io_filter_cleanup function. By sending a request to vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.

Solution : Upgrade to Apache/2.0.50 or newer
Risk factor : Medium
CVE : CAN-2004-0493
BID : 10619, 12877
Other references : OSVDB:7269
microsoft-ds
(445/tcp)
Medium Here is the browse list of the remote host :

NOVL_CPU2X ( os: 0.0 )
OES-LINUX-VM-W ( os: 0.0 )

This is potentially dangerous, as it may help an attacker by giving him extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low
unknown
(8028/tcp)
Medium The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).

The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.

Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Sample url : http://10.10.10.15:8028/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp

Risk factor : Medium

Solutions:


CVE : CVE-2002-1060
BID : 5305, 7344, 7353, 8037, 9245
unknown
(8030/tcp)
Medium The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Sample url : http://10.10.10.15:8030/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp

Risk factor : Medium

Solutions:


CVE : CVE-2002-1060
BID : 5305, 7344, 7353, 8037, 9245
unknown
(8009/tcp)
Medium The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Sample url : http://10.10.10.15:8009/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp

Risk factor : Medium

Solutions:


CVE : CVE-2002-1060
BID : 5305, 7344, 7353, 8037, 9245
xdmcp
(177/udp)
Medium The remote host is running XDMCP. This protocol is used to provide X display connections for X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted.

An attacker may use this flaw to capture all the keystrokes of the users using this host through their X terminal, including passwords.

Also XDMCP is an additional login mechanism that you may not have been aware was enabled, or may not be monitoring failed logins on.

Solution : Disable XDMCP
Risk factor : Medium
unknown
(8030/tcp)
Medium The remote host is running Serendipity, a weblog written in PHP.

The remote version of this software is vulnerable to cross-site scripting attack due to a lack of sanity checks on searchTerm parameter in the compat.php script.

With a specially crafted URL, an attacker can cause arbitrary script execution in the victim's browser, resulting in a loss of integrity.

Solution : Upgrade to Serendipity 0.7.1 or newer
Risk factor : Medium
BID : 11790
Other references : OSVDB:12177
http
(80/tcp)
Medium Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See
http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593

Risk factor : Medium
BID : 9506, 9561, 11604
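The TRACE/TRACK findings above (ports 80, 443 and 631 are all the same Apache/2.0.49 build) are easy to verify by hand. The following check is an added example, not part of the Nessus output or of Novell's documentation: it sends a TRACE request carrying a marker header and decides from the raw response whether the server reflected it. The two sample responses are constructed for offline use, not captured from the scanned host; the mod_rewrite rule in the finding answers 403, and the Sun ONE rule answers 501. The TraceEnable directive, which is the cleaner fix, only arrived in Apache 1.3.34 and 2.0.55, so on this 2.0.49 build the rewrite rule is the available option. Note also that the separate "older than 2.0.50" finding is a banner-version match; SUSE backports fixes into the 2.0.49 package, so confirm it against `rpm -q --changelog apache2` rather than trusting the version string alone.

```python
"""Added check for the TRACE/TRACK (XST) finding: send a TRACE with a marker
header and decide, from the raw response, whether the server echoes it back."""
import socket


def build_trace_request(host: str, path: str = "/", method: str = "TRACE") -> bytes:
    # The marker header is arbitrary; a TRACE-enabled server reflects the whole
    # request (Content-Type: message/http), so the marker reappears in the body.
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "X-Xst-Probe: canary\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_trace_response(raw: bytes) -> dict:
    """Return status code, whether the marker was echoed, and the verdict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1", "replace").split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    echoed = b"X-Xst-Probe: canary" in body
    reflected_type = headers.get("content-type", "").startswith("message/http")
    # 2xx plus a reflected request means TRACE works. mod_rewrite's [F] gives 403,
    # TraceEnable off gives 405, the Sun ONE obj.conf rule gives 501.
    return {"status": status, "echoed": echoed,
            "enabled": 200 <= status < 300 and (echoed or reflected_type)}


def probe(host: str, port: int = 80, method: str = "TRACE", timeout: float = 5.0) -> dict:
    """Live check against a host you are authorised to scan."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, method=method))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed responses for offline use (not captured from the scanned host).
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.49 (Linux/SUSE)\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: 10.10.10.15\r\n"
    b"X-Xst-Probe: canary\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SAMPLE_TRACE_BLOCKED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>\r\n"
)

if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_TRACE_ENABLED), ("blocked", SAMPLE_TRACE_BLOCKED)):
        print(label, classify_trace_response(sample))
```

Run probe("10.10.10.15", 631) and probe("10.10.10.15", 443) after applying the rewrite rule to every virtual host, including the iPrint one on 631; a rule placed only in the default host leaves the others reflecting.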
general/icmp
Medium The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
netbios-ns
(137/udp)
Medium The following 5 NetBIOS names have been gathered :
OES-LINUX-VM-W = This is the computer name registered for workstation services by a WINS client.
OES-LINUX-VM-W = This is the current logged in user registered for this workstation.
OES-LINUX-VM-W = Computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)

This SMB server seems to be a SAMBA server (this is not a security risk, this is for your information). This can be told because this server claims to have a null MAC address.

If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
ldap
(389/tcp)
Medium Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'

Solution: Disable NULL BASE queries on your LDAP server

Risk factor : Medium
ldap
(389/tcp)
Medium Improperly configured LDAP servers will allow any user to connect to the server and query for information.

Solution: Disable NULL BIND on your LDAP server

In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow that allows a user to conduct a denial of service or execute commands in all versions prior to Exchange server SP2. Coupled with a NULL BIND, an anonymous user can mount a remote attack against your server.

Note: no test was done to see what version of Exchange server is running, nor attempt to verify the service pack.

Solution: see http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx
Risk factor: Medium
CVE : CVE-1999-0385
BID : 503
ncp
(524/tcp)
Medium Server Name: OES-LINUX-VM
NDS Tree Name: OES-LINUX-VM-TREE
NDS Users: ADMIN, EGUIDEPUBLICUSER_19226
http-alt
(8008/tcp)
Medium The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Sample url : http://10.10.10.15:8008/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp

Risk factor : Medium

Solutions:
CVE : CVE-2002-1060
BID : 5305, 7344, 7353, 8037, 9245
unknown
(8028/tcp)
Medium The remote host is running Serendipity, a weblog written in PHP.

The remote version of this software is vulnerable to cross-site scripting attack due to a lack of sanity checks on searchTerm parameter in the compat.php script.

With a specially crafted URL, an attacker can cause arbitrary script execution in the victim's browser, resulting in a loss of integrity.

Solution : Upgrade to Serendipity 0.7.1 or newer
Risk factor : Medium
BID : 11790
Other references : OSVDB:12177
ssh
(22/tcp)
Info Remote SSH version : SSH-1.99-OpenSSH_3.8p1

Remote SSH supported authentication : publickey,keyboard-interactive
microsoft-ds
(445/tcp)
Info A CIFS server is running on this port
unknown
(8180/tcp)
Info A web server is running on this port
unknown
(8028/tcp)
Info A web server is running on this port
wbem-https
(5989/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Validity
Not Before: Apr 24 05:45:03 2005 GMT
Not After : Apr 24 05:45:03 2006 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:af:69:5e:a0:0b:2a:81:38:94:af:14:6d:85:94:
d5:ae:62:b5:ae:88:fd:b1:63:d5:28:9c:c1:d4:7d:
ac:b0:05:d2:85:f8:47:90:9d:e0:21:fa:a3:80:2e:
ba:f9:6b:f7:a9:14:01:e6:3a:27:9d:15:61:e6:24:
4d:06:22:3f:99:98:5e:7f:24:0e:ff:4e:22:31:c2:
3f:15:14:01:b9:0b:1d:f9:1d:73:58:85:1e:4d:d5:
00:77:2d:80:78:c5:05:f0:20:1a:02:28:13:74:dd:
e3:00:ea:99:69:45:cd:cc:65:15:1b:9f:3b:b7:27:
60:a1:de:24:a2:aa:91:de:99
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
69:2c:64:cd:d1:7a:db:3e:9b:4b:f3:bf:4b:e4:af:09:ae:c1:
d7:c1:14:7b:e6:88:6f:96:9a:23:d6:1c:86:aa:cf:52:3c:3d:
fb:af:44:66:25:fc:7e:94:12:47:5b:a0:57:da:f0:9d:2e:29:
42:39:bd:79:d1:66:ac:d4:73:69:27:0b:89:85:9e:cd:2b:05:
5f:d8:b1:d3:85:38:15:b3:65:77:28:f1:74:36:12:52:38:b0:
d7:93:24:cd:c1:bd:89:3e:eb:44:6e:f1:9a:48:b5:bd:49:a1:
28:4a:3e:a0:73:a9:d1:18:3f:46:f7:1a:86:e7:48:25:07:c2:
33:4e
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
unknown
(8030/tcp)
Info A web server is running on this port through SSL
unknown
(8030/tcp)
Info A SSLv2 server answered on this port
unknown
(8009/tcp)
Info A web server is running on this port through SSL
mailbox-lm
(505/tcp)
Info Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Validity
Not Before: Jul 24 18:39:53 2002 GMT
Not After : Jul 24 18:39:53 2003 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b7:46:f6:1f:76:8a:b2:ec:18:6c:1f:6f:a6:fb:
8a:36:84:df:19:7e:e4:c0:ae:74:83:7a:23:6e:77:
86:17:c8:e1:a1:8c:f0:de:fa:82:3c:eb:07:df:fa:
e9:e8:7e:c0:e5:66:7f:f2:c3:c7:38:8d:65:26:93:
aa:47:0f:6d:75:69:8f:b8:f5:e0:00:f9:f3:4f:da:
c9:27:80:29:51:95:5a:00:40:76:6c:11:6c:74:0c:
8f:9f:87:f3:41:3c:59:03:f7:b1:8a:a1:19:0b:b7:
e0:49:2b:96:d1:1d:27:27:3a:92:cc:c6:7e:66:27:
dd:d6:fa:67:8f:f1:7f:0f:b9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1F:68:3C:69:DB:98:C6:F3:0A:D0:A7:2B:E6:B9:50:0F:53:C4:70:39
X509v3 Authority Key Identifier:
keyid:1F:68:3C:69:DB:98:C6:F3:0A:D0:A7:2B:E6:B9:50:0F:53:C4:70:39
DirName:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
serial:00

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
0c:3d:58:10:d4:61:c4:b1:33:3e:ed:a8:bc:63:1e:2b:90:00:
11:24:84:aa:32:f6:82:1f:5c:05:62:01:89:a4:38:19:b0:07:
2c:b5:e2:ab:70:75:45:07:9f:2e:2c:20:63:39:34:03:a6:59:
f3:8d:67:91:1f:93:db:8d:d2:9b:74:ba:ae:0b:59:c2:a6:61:
57:36:3b:c9:b4:8d:25:e2:b4:aa:a8:58:df:1d:ec:c3:4d:3e:
32:09:97:6f:44:aa:24:ff:81:19:2e:69:ca:14:69:f4:ef:02:
63:2b:31:5d:dd:43:df:18:d1:64:cb:96:5c:bf:ef:8c:f1:82:
31:f3
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
https
(443/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, CN=YaST Default CA (oes-linux-vm)/emailAddress=postmaster@thomaserickson.com
Validity
Not Before: Apr 24 06:04:04 2005 GMT
Not After : Apr 24 06:04:04 2006 GMT
Subject: C=US, CN=oes-linux-vm.thomaserickson.com/emailAddress=postmaster@thomaserickson.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a2:9b:0c:5d:0b:e5:5c:24:cc:46:a1:75:4f:06:
de:47:f3:57:dc:f9:09:39:ed:cb:52:10:2e:f1:c7:
4f:17:08:fc:e2:26:f4:4e:78:92:4c:e9:0d:a6:b7:
56:53:3b:9c:42:f8:ed:3b:50:aa:03:49:e5:7d:89:
91:8e:8d:5b:05:ce:7e:02:fa:7b:5d:4f:00:5f:b8:
95:6f:b0:a8:32:78:89:dd:a7:a0:dd:f4:e3:28:bd:
ca:aa:44:85:eb:ff:b7:35:82:db:70:bb:23:e6:70:
f7:35:db:98:33:fa:7a:a6:46:16:c5:31:6e:96:d1:
6b:60:32:05:e2:81:dd:41:9e:74:25:6a:a5:87:0b:
3c:79:bf:45:19:7d:d3:30:21:61:53:bd:a6:8e:e5:
c2:95:1d:4e:02:c1:c9:13:78:79:54:39:61:d5:31:
dc:c8:89:73:72:e2:ea:33:c0:1b:86:b9:3e:6f:59:
b2:ee:00:bd:f2:c0:51:99:dd:b4:3d:c9:ff:fe:64:
72:a0:aa:f2:ad:e8:6c:fd:7b:ac:6b:63:7e:46:2e:
fa:06:28:2e:3c:fd:5f:ec:e4:3d:cd:02:6c:66:ad:
1c:22:a0:44:cf:9c:7c:5f:d1:b9:4e:22:8f:9a:23:
1f:ec:5a:c7:98:ae:b2:fe:ed:7a:f9:c3:3d:5f:3d:
e5:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
YaST Generated Server Certificate
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Key Encipherment
X509v3 Subject Key Identifier:
2C:5F:86:3D:71:8C:2F:17:65:C8:6E:AC:CE:95:14:F6:C8:A1:0B:B4
X509v3 Authority Key Identifier:
keyid:F6:08:67:4B:D4:74:16:DE:F4:91:7E:F8:27:2A:7D:20:1A:EB:AD:26
DirName:/C=US/CN=YaST Default CA (oes-linux-vm)/emailAddress=postmaster@thomaserickson.com
serial:00

X509v3 Subject Alternative Name:
email:postmaster@thomaserickson.com
X509v3 Issuer Alternative Name:
email:postmaster@thomaserickson.com
Signature Algorithm: sha1WithRSAEncryption
a6:91:69:f3:bb:23:4f:dd:c7:a5:eb:b6:6d:89:91:62:0c:8d:
eb:1d:7b:a9:7b:6b:84:62:08:e1:9f:91:8f:c7:c6:13:7d:cf:
0d:52:e1:92:a7:1a:22:35:0f:0d:76:55:e2:bb:c4:09:c8:19:
05:f3:8d:53:d8:12:ce:28:09:7c:67:77:80:51:19:f1:f6:c2:
1e:60:6f:f0:98:c6:40:77:29:52:2b:0e:4b:e0:aa:01:a8:28:
22:92:d6:1f:57:d1:f9:15:12:91:52:b1:f1:0c:63:ef:1f:e8:
45:d4:6f:90:5b:ee:ba:0a:4d:d3:ee:56:cf:50:37:a4:d0:9a:
16:94:52:a7:4d:f5:96:71:f6:d8:03:52:7a:6b:77:e4:13:01:
2a:ee:f5:2c:06:29:42:2f:67:5e:10:bf:04:6a:84:67:74:c5:
82:87:e3:2b:ef:af:75:3c:07:15:b3:d4:2d:c3:c0:a8:a5:6d:
73:5d:45:d9:67:2a:09:3a:6c:e7:07:a7:8a:7e:5f:2e:5c:f4:
30:79:ff:ba:c7:cc:1c:a0:52:1c:5e:1f:21:4c:93:50:d9:c8:
94:51:99:8f:ca:3b:45:b2:2f:df:ed:20:12:2e:9e:5b:c2:21:
65:76:f6:18:d6:fa:11:49:ce:68:c7:78:a3:38:5d:30:e0:e7:
6d:3d:d9:11
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
ldaps
(636/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:14:e1:6e:79:e7:a8:0c:4f:5a:15:fb:0e:75:24:80:da:a0:e3:b6:39:7e:cb:03:61:3b:a4:d5:8b:02:02:01:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=OES-LINUX-VM-TREE
Validity
Not Before: Apr 22 06:06:19 2005 GMT
Not After : Apr 24 06:06:19 2007 GMT
Subject: CN=oes-linux-vm.thomaserickson.com, O=OES-LINUX-VM-TREE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bc:ca:65:cf:30:8e:76:66:c0:ee:c4:ab:bf:a6:
f0:20:03:bb:6d:01:82:b6:2e:21:00:55:7f:9b:66:
53:66:30:8a:99:0d:41:21:80:81:e9:d9:7f:92:35:
93:70:a7:83:8f:08:eb:0b:d0:68:bc:d9:67:8f:1e:
e3:61:e8:6d:fb:5d:19:03:aa:82:e5:5e:61:cf:55:
54:0b:07:91:92:71:6d:f2:49:59:0e:fb:48:e6:5b:
74:d6:a6:c5:33:2d:63:03:b3:77:e4:91:19:b8:46:
fa:0a:c2:1c:bd:9f:af:e7:3e:75:18:18:05:b4:8c:
c7:4b:83:43:3d:5a:1b:9d:05:d0:80:90:24:50:ee:
25:e0:6e:1d:cf:8c:fc:ac:0b:54:90:d5:72:e3:4b:
a0:d5:2b:48:44:b3:a7:4f:8d:a1:38:ae:0d:e3:97:
39:92:9a:49:c0:38:5c:9b:b4:86:29:df:59:0c:73:
eb:8b:77:5a:dc:81:0a:8a:f0:89:b5:87:e3:f6:1d:
b5:68:56:5a:2a:7c:9c:a7:53:b2:e6:e0:d6:f0:82:
e2:19:29:bc:df:de:31:87:d4:5c:4b:85:12:a8:a8:
78:06:27:3a:e9:9c:4c:99:53:a9:b2:ca:2c:ed:e0:
1e:ac:15:31:12:43:0b:1b:c3:c2:04:4d:9f:fa:c3:
6f:09
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D0:AD:65:81:3E:E7:2C:88:9E:D1:32:73:DF:63:B9:08:F7:6A:B9:3F
X509v3 Authority Key Identifier:
keyid:31:1D:CD:47:BD:D0:8C:5A:CC:05:3E:A8:E9:AF:9E:99:29:E4:99:1B

X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
(Novell Security Attribute(tm) extension; binary value not reproduced here. The attribute format is described at http://developer.novell.com/repository/attributes/certattrs_v10.htm)
Signature Algorithm: sha1WithRSAEncryption
ae:b2:bc:ff:c2:e4:37:16:82:47:3e:b0:58:5c:d9:f0:5a:8e:
51:ea:2f:82:f9:95:13:90:57:03:97:63:ec:85:da:6b:0d:6a:
e0:7f:75:ca:db:7c:c7:c3:b5:eb:35:50:d1:db:0e:1d:b0:89:
ab:d4:6b:94:70:74:14:18:ff:18:23:a5:bd:f6:48:12:78:68:
67:7e:71:e2:08:86:21:30:4f:0d:73:cd:4b:83:74:fe:d9:5d:
f2:58:d4:88:4c:4b:09:68:bf:08:1e:2e:80:a7:cc:a7:de:2a:
41:b2:bd:dc:d8:8a:41:c3:b5:99:a7:44:14:43:1e:99:db:48:
ef:c9:47:60:e4:a5:a7:2f:79:79:b1:5a:13:e8:fa:d0:b2:4a:
02:a0:74:eb:b2:d2:22:e4:9b:2e:1b:86:a4:a5:72:7d:a4:e5:
23:3c:7a:3c:48:b1:6c:c1:46:a6:f5:ea:60:e9:dc:fc:66:40:
19:37:26:06:78:74:ba:8a:31:3f:38:6c:61:51:d5:47:9f:01:
67:e8:d6:56:0b:36:37:cb:01:1f:b1:b5:6f:90:d4:da:23:85:
8f:bb:c8:c6:b2:a4:1b:59:d2:7b:47:c8:23:69:a5:60:9c:6e:
c5:e1:c0:01:38:f3:c6:ec:c5:e2:4e:5c:18:4d:6f:1f:b8:33:
4b:7c:47:81
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
unknown
(8009/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Organization, OU=Organizational Unit, CN=10.10.10.15
Validity
Not Before: Apr 24 05:56:39 2005 GMT
Not After : Apr 24 05:56:39 2009 GMT
Subject: C=AU, ST=Some-State, O=Organization, OU=Organizational Unit, CN=10.10.10.15
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ac:30:58:1b:0e:0c:1f:7b:a6:82:d9:40:28:66:
fb:60:d8:e6:15:1b:68:e2:fc:19:c7:a8:e7:02:b8:
cf:ce:88:22:d5:e3:99:1e:c7:92:e5:ef:d0:56:65:
8f:4c:5a:d2:00:fb:03:41:04:3c:78:e6:13:90:48:
c5:8c:5c:92:8a:78:a8:06:2c:31:e5:9f:49:82:0c:
b4:cd:ce:6e:0f:1b:ea:fa:4d:22:a1:d0:cf:cf:e5:
f9:11:91:0e:92:67:52:3a:97:84:78:ca:10:45:1d:
54:16:25:44:19:4a:d1:4f:62:3e:42:c1:d7:c4:15:
fc:1a:cd:3f:93:58:3e:34:f7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
D7:D1:08:93:10:9E:33:D2:CA:A5:A3:71:80:0F:00:E5:9B:ED:AC:2D
X509v3 Authority Key Identifier:
keyid:D7:D1:08:93:10:9E:33:D2:CA:A5:A3:71:80:0F:00:E5:9B:ED:AC:2D
DirName:/C=AU/ST=Some-State/O=Organization/OU=Organizational Unit/CN=10.10.10.15
serial:00

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
02:cd:7e:b9:13:05:22:4c:c1:87:f4:33:55:b3:52:c8:20:db:
11:34:19:43:c2:c3:a4:80:cd:e5:ca:29:e9:ba:75:52:03:74:
fd:d1:19:4f:55:c7:1b:45:29:33:95:06:fc:65:72:22:05:35:
94:7d:29:ca:32:a9:f6:91:68:56:7f:d6:5a:ec:9b:d7:dd:8c:
f7:d0:94:e8:47:31:e2:85:80:4f:6d:3d:3d:9f:6f:4a:b9:8d:
32:6c:42:40:a6:80:40:37:c0:2c:d9:88:69:26:7f:fd:74:c0:
23:05:b0:08:54:39:11:2d:b5:9a:5f:d7:b4:43:96:ef:43:68:
44:ff
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
microsoft-ds
(445/tcp)
Info - NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'

CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
unknown
(8030/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:14:e1:6e:79:e7:a8:0c:4f:5a:15:fb:0e:75:24:80:da:a0:e3:b6:39:7e:cb:03:61:3b:a4:d5:8b:02:02:01:0f
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=OES-LINUX-VM-TREE
Validity
Not Before: Apr 22 06:06:33 2005 GMT
Not After : Apr 24 06:06:33 2007 GMT
Subject: CN=10.10.10.15, O=OES-LINUX-VM-TREE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a1:38:c7:ed:9a:ae:de:9b:4b:5b:f6:c5:71:a5:
40:d2:60:01:6a:8f:aa:2f:c2:81:46:c7:31:5e:74:
e7:b9:49:16:83:9e:c5:44:40:aa:e3:f0:d9:be:47:
7e:f3:a5:45:63:02:b9:14:db:1e:b4:43:96:d2:e4:
dd:9f:44:48:bb:58:69:a5:04:13:65:52:2b:b8:28:
00:8b:18:fb:2a:f1:13:2e:45:51:03:27:f3:8d:80:
fa:3d:f0:5c:84:ad:9e:f8:67:ff:cc:cc:39:d3:1c:
61:35:f4:b9:21:3a:27:cc:44:bc:aa:90:1e:66:ea:
16:df:64:35:2c:e2:4f:e9:d4:97:c8:9d:39:9e:24:
21:ba:7d:97:27:eb:8d:92:9c:ce:5f:15:03:59:87:
a8:52:ae:44:49:3d:00:17:73:f1:94:68:83:8b:04:
f4:cb:b3:b5:48:bb:ee:d1:88:fd:11:1e:c9:e4:9f:
20:86:20:1b:67:77:81:17:a1:f7:6a:b1:48:5f:86:
83:4d:38:62:13:cd:28:73:f7:f7:3f:3b:9b:0b:03:
16:91:e6:84:f0:1a:02:e9:23:97:31:13:12:3b:92:
88:c0:7a:00:76:c8:ea:fb:1c:9c:46:70:7b:22:fd:
60:72:3d:19:31:22:49:6d:d9:46:6e:e5:19:2c:77:
e6:8b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DB:7A:6B:AC:D0:E9:0F:F8:36:F1:2C:6E:CF:CD:E6:9C:42:81:72:40
X509v3 Authority Key Identifier:
keyid:31:1D:CD:47:BD:D0:8C:5A:CC:05:3E:A8:E9:AF:9E:99:29:E4:99:1B

X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
(Novell Security Attribute(tm) extension; binary value not reproduced here. The attribute format is described at http://developer.novell.com/repository/attributes/certattrs_v10.htm)
Signature Algorithm: sha1WithRSAEncryption
85:26:26:12:c6:e1:80:70:f8:5a:34:ac:46:26:f5:83:52:d7:
2a:66:53:3e:9a:12:23:b2:a7:e2:cd:18:f5:6d:79:5b:48:f2:
92:0a:48:7f:66:2f:99:61:f5:f5:78:aa:ed:36:c3:4e:f2:3e:
73:b1:41:36:77:0d:27:9d:0a:6d:0b:14:f6:f3:b3:66:af:29:
68:96:bf:b5:c4:0d:93:43:b7:cc:70:8a:de:4b:87:15:60:57:
b9:b9:00:ca:6a:33:ab:2e:79:88:31:80:ea:89:9b:ea:32:6e:
da:0e:58:c5:58:7b:0d:9b:82:d5:96:e6:de:0a:a1:da:9d:e7:
3f:90:6f:be:1b:ef:c5:7a:2c:d3:df:b4:ff:11:97:f2:5e:f7:
8a:0d:1f:85:10:7c:41:d2:6d:0e:92:9d:42:83:f3:45:66:a6:
3f:48:17:35:bb:6d:19:59:69:c3:8a:2a:a4:f7:88:b3:f0:b4:
28:a0:2a:81:2a:5f:a5:ea:ae:44:e5:31:24:57:e3:10:f1:18:
4b:22:e1:2c:bd:30:ec:6c:67:a2:68:00:86:6b:dd:ac:59:ca:
f3:2a:5f:c6:23:af:f9:3e:a4:02:ee:6d:d5:6a:51:db:72:62:
ed:9c:83:c5:b7:c4:2d:7f:cc:30:0d:29:84:c4:9e:9a:bb:59:
55:da:f0:a1
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
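Every SSL listener in this report (443, 505, 636, 5989, 8009, 8030) answers SSLv2 and, where it does, offers the same seven ciphers including the two 40-bit export ones. The probe below is an added example, not part of the Nessus output or of Novell's documentation: it builds an SSLv2 CLIENT-HELLO by hand, reads the SERVER-HELLO and lists the cipher kinds the server is willing to use, which is exactly the list the scanner printed. The cipher-kind codes are from the SSL 2.0 specification (the RC4-64-MD5 code is OpenSSL's addition); the SERVER-HELLO used for the offline run is constructed, with a placeholder in place of the certificate. For the Apache listeners the fix is SSLProtocol all -SSLv2 together with an SSLCipherSuite that excludes !EXPORT and !LOW; ports 636, 8009 and 8030 are served by eDirectory and its DHost HTTP stack rather than Apache, so those have to be corrected in the eDirectory LDAP server and DHost configuration, and this probe is how to confirm the change took.

```python
"""Added check for the 'SSLv2 server answered' / export-cipher findings: a hand-built
SSLv2 CLIENT-HELLO and a SERVER-HELLO parser that lists the ciphers a server offers."""
import os
import socket
import struct

# SSLv2 CIPHER-KIND codes and the OpenSSL names Nessus prints for them.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "RC4-MD5",
    b"\x02\x00\x80": "EXP-RC4-MD5",
    b"\x03\x00\x80": "RC2-CBC-MD5",
    b"\x04\x00\x80": "EXP-RC2-CBC-MD5",
    b"\x05\x00\x80": "IDEA-CBC-MD5",
    b"\x06\x00\x40": "DES-CBC-MD5",
    b"\x07\x00\xc0": "DES-CBC3-MD5",
    b"\x08\x00\x80": "RC4-64-MD5",      # OpenSSL addition, not in the SSL 2.0 spec
}


def ssl2_record(body: bytes) -> bytes:
    # Two-byte record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = None) -> bytes:
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)          # offer every kind; the server answers with its set
    body = (b"\x01"                          # MSG-CLIENT-HELLO
            + b"\x00\x02"                    # CLIENT-VERSION 2
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec, session-id, challenge lengths
            + specs + challenge)
    return ssl2_record(body)


def parse_server_hello(record: bytes) -> dict:
    if len(record) < 2:
        raise ValueError("no SSLv2 reply; the server may not speak SSLv2")
    b0, b1 = record[0], record[1]
    if b0 & 0x80:
        length, start = ((b0 & 0x7f) << 8) | b1, 2
    else:                                    # three-byte header carries a padding length
        length, start = ((b0 & 0x3f) << 8) | b1, 3
    body = record[start:start + length]
    if not body or body[0] != 0x04:
        raise ValueError("not an SSLv2 SERVER-HELLO; the server may not speak SSLv2")
    # MSG-SERVER-HELLO, SESSION-ID-HIT, CERTIFICATE-TYPE, version, then three lengths
    version, cert_len, spec_len, conn_len = struct.unpack(">HHHH", body[3:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    names = [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs), 3)]
    return {"version": version, "certificate_der": cert, "ciphers": names,
            "export_ciphers": [n for n in names if n.startswith("EXP-")]}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check against a host you are authorised to scan."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        data = sock.recv(8192)
        if data and data[0] & 0x80:          # read the rest of a two-byte-header record
            need = 2 + (((data[0] & 0x7f) << 8) | data[1])
            while len(data) < need:
                chunk = sock.recv(8192)
                if not chunk:
                    break
                data += chunk
    return parse_server_hello(data)


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO offering the seven ciphers the scan listed (offline sample)."""
    fake_cert = b"\x30\x03\x02\x01\x00"      # placeholder DER, not a real certificate
    specs = b"".join(k for k, v in SSL2_CIPHERS.items() if v != "IDEA-CBC-MD5")
    conn_id = b"\x00" * 16
    body = (b"\x04" + b"\x00" + b"\x01"      # SERVER-HELLO, no session hit, X.509 certificate
            + struct.pack(">HHHH", 2, len(fake_cert), len(specs), len(conn_id))
            + fake_cert + specs + conn_id)
    return ssl2_record(body)
```

After disabling SSLv2 the server answers the CLIENT-HELLO with a TLS alert or closes the connection, so probe() raises ValueError; that is the pass condition. A server that still answers but whose export_ciphers list is empty has fixed the cipher suite but not the protocol.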
microsoft-ds
(445/tcp)
Info The remote native lan manager is : Samba 3.0.9-2.6-SUSE
The remote Operating System is : Unix
The remote SMB Domain Name is : WORKGROUP
unknown
(8009/tcp)
Info A SSLv2 server answered on this port
general/tcp
Info The remote host is running Linux Kernel 2.6.5-7.147-default (i386)
general/tcp
Info The remote host is running one of these operating systems :
Linux Kernel 2.6
Linux Kernel 2.4
ipp
(631/tcp)
Info The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/gif/ (C=S O [A] C=N O [D] C=M O [A] C=D O [A] )
/nps/servlet/webacc (taskId [fw.Startup] )
. (C=S O [A] C=N O [D] C=M O [A] C=D O [A] )

Directory index found at /
Directory index found at /gif/
ssh
(22/tcp)
Info The remote host seems to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login.

An attacker may use this flaw to set up a brute force attack against the remote host.

Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH

Risk factor : Low
CVE : CAN-2003-0190
BID : 7342, 7467, 7482, 11781
http-alt
(8008/tcp)
Info A web server is running on this port
unknown
(5801/tcp)
Info This web server is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead.

Unfortunately, we were unable to find a way to recognize this page, so some CGI-related checks have been disabled.

To work around this issue, please contact the Nessus team.
wbem-https
(5989/tcp)
Info The remote web server type is :

openwbem/3.1.0 (CIMOM)
mailbox-lm
(505/tcp)
Info The remote web server type is :

Red Carpet Daemon/2.4.5
https
(443/tcp)
Info The remote web server type is :

Apache/2.0.49 (Linux/SUSE)

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
http
(80/tcp)
Info The remote web server type is :

Apache/2.0.49 (Linux/SUSE)

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
ipp
(631/tcp)
Info The remote web server type is :

Apache/2.0.49 (Linux/SUSE)

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
unknown
(8030/tcp)
Info The remote web server type is :

DHost/9.0 HttpStk/1.0
unknown
(8028/tcp)
Info The remote web server type is :

DHost/9.0 HttpStk/1.0
unknown
(8180/tcp)
Info The remote web server type is :

Apache-Coyote/1.1

and the 'ServerTokens' directive is ProductOnly
Apache does not permit hiding the server type.
ldaps
(636/tcp)
Info A SSLv2 server answered on this port
ipp
(631/tcp)
Info A web server is running on this port
sunrpc
(111/udp)
Info RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
sunrpc
(111/tcp)
Info RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
ssh
(22/tcp)
Info The remote SSH daemon supports the following versions of the SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0

SSHv1 host key fingerprint : 8e:0c:5e:3f:51:81:33:bd:6c:e9:13:4a:e2:00:9d:ff
SSHv2 host key fingerprint : 74:89:cb:61:2d:c6:eb:1c:e3:99:5f:5d:0b:85:a0:35
unknown
(5801/tcp)
Info A web server is running on this port
http
(80/tcp)
Info A web server is running on this port
https
(443/tcp)
Info A web server is running on this port through SSL
https
(443/tcp)
Info An SSLv2 server answered on this port
mailbox-lm
(505/tcp)
Info A web server is running on this port through SSL
mailbox-lm
(505/tcp)
Info A TLSv1 server answered on this port
wbem-https
(5989/tcp)
Info A web server is running on this port through SSL
wbem-https
(5989/tcp)
Info An SSLv2 server answered on this port
ssh
(22/tcp)
Info An ssh server is running on this port
sunrpc
(111/tcp)
Info The RPC portmapper is running on this port.

An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189 BID : 205
ntp
(123/udp)
Info It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables - these include OS descriptor, and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.2.0a@1.1213-r Wed Jan 26 17:44:09 UTC 2005 (1)',

processor='i686', system='Linux/2.6.5-7.147-default', leap=0,

stratum=11, precision=-19, rootdelay=0.000, rootdispersion=45.006,

peer=32660, refid=127.127.1.0, reftime=0xc6164ab6.218eda22, poll=10,

clock=0xc6164bf4.87401c4f, state=4, offset=0.000, frequency=0.000,

error=0.002, jitter=0.000, stability=0.000


Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low
netbios-ssn
(139/tcp)
Info An SMB server is running on this port
ldap
(389/tcp)
Info An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 30 24 02 01 0$..
unknown
(5901/tcp)
Info An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 52 46 42 20 30 30 33 2e 31 33 30 0a RFB 003.130.
x11
(6002/tcp)
Info This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin
http-alt
(8008/tcp)
Info This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin
unknown
(8009/tcp)
Info This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin

Appendix B OES NetWare Default Assessment

Network Vulnerability Assessment Report 23.04.2005
Sorted by host names

Session name: NW65SP3_AKA_OES
Start Time: 23.04.2005 21:50:35
Finish Time: 23.04.2005 23:32:50
Elapsed: 0 day(s) 01:42:14

Total records generated: 140
high severity: 8
medium severity: 23
informational: 109

10.10.10.6
Service Severity Description
ftp
(21/tcp)
Info Port is open
http
(80/tcp)
Info Port is open
hosts2-ns
(81/tcp)
Info Port is open
sunrpc
(111/tcp)
Info Port is open
netbios-ssn
(139/tcp)
Info Port is open
ldap
(389/tcp)
Info Port is open
svrloc
(427/tcp)
Info Port is open
https
(443/tcp)
Info Port is open
ncp
(524/tcp)
Info Port is open
afpovertcp
(548/tcp)
Info Port is open
ipp
(631/tcp)
Info Port is open
ldaps
(636/tcp)
Info Port is open
netviewdm3
(731/tcp)
Info Port is open
unknown
(846/tcp)
Info Port is open
dhcp-failover2
(847/tcp)
Info Port is open
rsync
(873/tcp)
Info Port is open
search-agent
(1234/tcp)
Info Port is open
scoremgr
(2034/tcp)
Info Port is open
unknown
(2036/tcp)
Info Port is open
nfs
(2049/tcp)
Info Port is open
ici
(2200/tcp)
Info Port is open
unknown
(2211/tcp)
Info Port is open
mysql
(3306/tcp)
Info Port is open
btrieve
(3351/tcp)
Info Port is open
unknown
(6901/tcp)
Info Port is open
http-alt
(8008/tcp)
Info Port is open
unknown
(8009/tcp)
Info Port is open
unknown
(9009/tcp)
Info Port is open
unknown
(9010/tcp)
Info Port is open
netbios-ns
(137/udp)
Info Port is open
snmp
(161/udp)
Info Port is open
unknown
(32779/udp)
Info Port is open
unknown
(32778/udp)
Info Port is open
nfs
(2049/udp)
Info Port is open
search-agent
(1234/udp)
Info Port is open
ntp
(123/udp)
Info Port is open
unknown
(961/udp)
Info Port is open
ideafarm-chatt
(902/udp)
Info Port is open
sunrpc
(111/udp)
Info Port is open
unknown
(32779/tcp)
Info Port is open
unknown
(32778/tcp)
High Port is open
ideafarm-catch
(903/udp)
Info Port is open
unknown
(904/udp)
Info Port is open
unknown
(2036/tcp)
High The remote host seems to be using a version of OpenSSL which is older than 0.9.6e or 0.9.7-beta3

This version is vulnerable to a buffer overflow which, may allow an attacker to obtain a shell on this host.

*** Note that since safe checks are enabled, this check
*** might be fooled by non-openssl implementations and
*** produce a false positive.
*** In doubt, re-execute the scan without the safe checks

Solution : Upgrade to version 0.9.6e (0.9.7beta3) or newer
Risk factor : High
CVE : CAN-2002-0656, CAN-2002-0655, CAN-2002-0657, CAN-2002-0659, CVE-2001-1141
BID : 3004, 4316, 5363
Other references : IAVA:2002-A-0009, SUSE:SUSE-SA:2002:033
ideafarm-catch
(903/udp)
High The remote RPC service 100009 (yppasswdd) may be vulnerable to a buffer overflow which would allow any user to obtain a root shell on this host.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

Solution : disable this service if you don't use it, or contact Sun for a patch.
Risk factor : High
CVE : CVE-2001-0779
BID : 2763
ici
(2200/tcp)
High The remote host is running phpMyAdmin, an open-source software written in PHP to handle the administration of MySQL over the Web.

The remote version of this software is vulnerable to one (or both) of the following flaws :

- An attacker may be able to exploit this software to execute arbitrary commands on the remote host on a server which does not run PHP in safe mode.

- An attacker may be able to read arbitrary files on the remote host through the argument 'sql_localfile' of the file 'read_dump.php'.

Solution : Upgrade to version 2.6.1-rc1 or newer
Risk factor : High
CVE : CAN-2004-1147, CAN-2004-1148
BID : 11886
ici
(2200/tcp)
High The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody).

Solution : remove it from /cgi-bin

Risk factor : High
CVE : CAN-1999-0509
ipp
(631/tcp)
High The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody).

Solution : remove it from /cgi-bin

Risk factor : High
CVE : CAN-1999-0509
http
(80/tcp)
High The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody).

Solution : remove it from /cgi-bin

Risk factor : High
CVE : CAN-1999-0509
https
(443/tcp)
High The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody).

Solution : remove it from /cgi-bin

Risk factor : High
CVE : CAN-1999-0509
snmp
(161/udp)
High SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
http-alt
(8008/tcp)
Medium This web server leaks a private IP address through its HTTP headers : /10.10.10.6

This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.
There is a known issue with IIS 4.0 doing this in its default configuration.
See http://support.microsoft.com/kb/q218180/

See the Bugtraq reference for a full discussion.

Risk factor : Low
CVE : CAN-2000-0649
BID : 1499
snmp
(161/udp)
High SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
hosts2-ns
(81/tcp)
Medium This web server leaks a private IP address through its HTTP headers : /10.10.10.6

This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.
There is a known issue with IIS 4.0 doing this in its default configuration.
See http://support.microsoft.com/kb/q218180/

See the Bugtraq reference for a full discussion.

Risk factor : Low
CVE : CAN-2000-0649
BID : 1499
ici
(2200/tcp)
Medium The remote host is running phpMyAdmin, an open-source software written in PHP to handle the administration of MySQL over the Web.

This version is vulnerable to cross-site scripting attacks through the read_dump.php script.

With a specially crafted URL, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Solution : Upgrade to version 2.6.0-pl3 or newer
Risk factor : Medium
BID : 11707
general/tcp
Medium The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host.

An attacker may use this feature to determine traffic patterns within your network. A few examples (not at all exhaustive) are:

1. A remote attacker can determine if the remote host sent a packet in reply to another request. Specifically, an attacker can use your server as an unwilling participant in a blind portscan of another network.

2. A remote attacker can roughly determine server requests at certain times of the day. For instance, if the server is sending much more traffic after business hours, the server may be a reverse proxy or other remote access device. An attacker can use this information to concentrate his/her efforts on the more critical machines.

3. A remote attacker can roughly estimate the number of requests that a web server processes over a period of time.

Solution : Contact your vendor for a patch
Risk factor : Low
nfs
(2049/udp)
Medium The nfsd RPC service is running. In the past, this service has had bugs which allow an intruder to execute arbitrary commands on your system. In addition, FreeBSD 4.6.1 RELEASE-p7 and earlier, NetBSD 1.5.3 and earlier have a bug wherein sending a zero length packet to the RPC service will cause the operating system to hang.

Solution : Make sure that you have the latest version of nfsd

Risk factor : High
CVE : CVE-1999-0832, CVE-2002-0830
BID : 782
ici
(2200/tcp)
Medium Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
BID : 9506, 9561, 11604
ipp
(631/tcp)
Medium Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
BID : 9506, 9561, 11604
http
(80/tcp)
Medium Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
BID : 9506, 9561, 11604
unknown
(904/udp)
Medium The remote host is a NIS server. NIS is used to share password files among the hosts of a given network, which must not be intercepted by an attacker.

Usually, the first step of an attack is to determine whether the target is a NIS server, which makes the host a more valuable target.

Since we could determine that the remote host is a NIS server, an attacker can determine it too, which is not a good thing.

Solution : filter incoming TCP and UDP traffic to prevent them from connecting to the portmapper and to the NIS server.
Risk factor : Low
CVE : CAN-1999-0620
https
(443/tcp)
Medium Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container.

Solution: Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.

These files should be removed as they may help an attacker to guess the exact version of Apache Tomcat which is running on this host and may provide other useful information.

The following default files were found :
/tomcat-docs/index.html

Risk factor : Low
http
(80/tcp)
Medium Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container.

Solution: Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.

These files should be removed as they may help an attacker to guess the exact version of Apache Tomcat which is running on this host and may provide other useful information.

The following default files were found :
/tomcat-docs/index.html
Risk factor : Low
ipp
(631/tcp)
Medium Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container.

Solution: Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.

These files should be removed as they may help an attacker to guess the exact version of Apache Tomcat which is running on this host and may provide other useful information.

The following default files were found :
/tomcat-docs/index.html
Risk factor : Low
unknown
(32778/udp)
Medium The statd RPC service is running. This service has a long history of security holes, so you should really know what you are doing if you decide to let it run.

*** No security hole regarding this program has been tested, so
*** this might be a false positive.

Solution : We suggest that you disable this service.
Risk factor : High
CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
BID : 127, 450, 6831, 11785
netbios-ns
(137/udp)
Medium The following 3 NetBIOS names have been gathered :
NW65-FS1-W = This is the computer name registered for workstation services by a WINS client.
NW65-FS1-W = Computer name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:0c:29:d7:6c:c6

If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
https
(443/tcp)
Medium Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
BID : 9506, 9561, 11604
unknown
(2211/tcp)
Medium Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Solution: Disable these methods.

If you are using Apache, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>

If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1

See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-50603-1
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
BID : 9506, 9561, 11604
snmp
(161/udp)
Medium It was possible to obtain the list of network interfaces of the remote host via SNMP :

. AMD PCNTNW

An attacker may use this information to gain more knowledge about the target host.
Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port
Risk factor : Low
ldap
(389/tcp)
Medium Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'.

Solution: Disable NULL BASE queries on your LDAP server

Risk factor : Medium
unknown
(32779/udp)
Medium The nlockmgr RPC service is running.

If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered.

Risk factor : Low
CVE : CVE-2000-0508
BID : 1372
ldap
(389/tcp)
Medium The server's directory base is set to NULL. This allows information to be enumerated without any prior knowledge of the directory structure.

The following information was pulled from the server via an LDAP request:
LDAP Server - NW65-FS1,o=novell0
M0
extensionInfo1
DE#2.16.840.1.113719.1.142.100.1#2.16.840.1.113719.1.142.100.2#lburp
DE#2.16.840.1.113719.1.142.100.4#2.16.840.1.113719.1.142.100.5#lburp
DE#2.16.840.1.113719.1.142.100.6#2.16.840.1.113719.1.142.100.7#lburp
CE#2.16.840.1.113719.1.27.100.1#2.16.840.1.113719.1.27.100.2#ldapxs
CE#2.16.840.1.113719.1.27.100.3#2.16.840.1.113719.1.27.100.4#ldapxs
CE#2.16.840.1.113719.1.27.100.5#2.16.840.1.113719.1.27.100.6#ldapxs
CE#2.16.840.1.113719.1.27.100.7#2.16.840.1.113719.1.27.100.8#ldapxs
EE#2.16.840.1.113719.1.27.100.11#2.16.840.1.113719.1.27.100.12#ldapxs
EE#2.16.840.1.113719.1.27.100.13#2.16.840.1.113719.1.27.100.14#ldapxs
EE#2.16.840.1.113719.1.27.100.15#2.16.840.1.113719.1.27.100.16#ldapxs
EE#2.16.840.1.113719.1.27.100.17#2.16.840.1.113719.1.27.100.18#ldapxs
EE#2.16.840.1.113719.1.27.100.19#2.16.840.1.113719.1.27.100.20#ldapxs
EE#2.16.840.1.113719.1.27.100.21#2.16.840.1.113719.1.27.100.22#ldapxs
EE#2.16.840.1.113719.1.27.100.23#2.16.840.1.113719.1.27.100.24#ldapxs
EE#2.16.840.1.113719.1.27.100.25#2.16.840.1.113719.1.27.100.26#ldapxs
EE#2.16.840.1.113719.1.27.100.27#2.16.840.1.113719.1.27.100.28#ldapxs
EE#2.16.840.1.113719.1.27.100.29#2.16.840.1.113719.1.27.100.30#ldapxs
EE#2.16.840.1.113719.1.27.100.31#2.16.840.1.113719.1.27.100.32#ldapxs
EE#2.16.840.1.113719.1.27.100.33#2.16.840.1.113719.1.27.100.34#ldapxs
EE#2.16.840.1.113719.1.27.100.35#2.16.840.1.113719.1.27.100.36#ldapxs
EE#2.16.840.1.113719.1.27.100.37#2.16.840.1.113719.1.27.100.38#ldapxs
EE#2.16.840.1.113719.1.27.100.39#2.16.840.1.113719.1.27.100.40#ldapxs
EE#2.16.840.1.113719.1.27.100.41#2.16.840.1.113719.1.27.100.42#ldapxs
OE#2.16.840.1.113719.1.39.42.100.1#2.16.840.1.113719.1.39.42.100.2
#nmasldap.nlm
OE#2.16.840.1.113719.1.39.42.100.3#2.16.840.1.113719.1.39.42.100.4
#nmasldap.nlm
OE#2.16.840.1.113719.1.39.42.100.5#2.16.840.1.113719.1.39.42.100.6
#nmasldap.nlm
OE#2.16.840.1.113719.1.39.42.100.7#2.16.840.1.113719.1.39.42.100.8
#nmasldap.nlm
PE#2.16.840.1.113719.1.39.42.100.9#2.16.840.1.113719.1.39.42.100.10
#nmasldap.nlm
QE#2.16.840.1.113719.1.39.42.100.11#2.16.840.1.113719.1.39.42.100.12
#nmasldap.nlm
QE#2.16.840.1.113719.1.39.42.100.13#2.16.840.1.113719.1.39.42.100.14
#nmasldap.nlm
QE#2.16.840.1.113719.1.39.42.100.15#2.16.840.1.113
Novell NetWare 5.70.03[DS]

Solution: Disable or restrict anonymous binds in LDAP if not required

See also: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10077872.htm
Risk Factor: Medium
ncp
(524/tcp)
Medium Server Name: NW65-FS1
NDS Tree Name: NW65_TREE
NDS Users: ADMIN, EGUIDEPUBLICUSER1795, LDAPUSER, MINIME, NFAUUSER, USER1, USER2, USER3, USER321
ldap
(389/tcp)
Medium Improperly configured LDAP servers will allow any user to connect to the server and query for information.

Solution: Disable NULL BIND on your LDAP server

In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow that allows a user to conduct a denial of service or execute commands in all versions prior to Exchange server SP2. Coupled with a NULL BIND, an anonymous user can mount a remote attack against your server.

Note: no test was done to see what version of Exchange server is running, nor attempt to verify the service pack.

Solution: see http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx
Risk factor: Medium
CVE : CVE-1999-0385
BID : 503
unknown
(8009/tcp)
Medium This web server leaks a private IP address through its HTTP headers : /10.10.10.6

This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.
See http://support.microsoft.com/kb/q218180/

See the Bugtraq reference for a full discussion.

Risk factor : Low
CVE : CAN-2000-0649
BID : 1499
general/udp
Info For your information, here is the traceroute to 10.10.10.6 :
10.10.10.82
10.10.10.6
hosts2-ns
(81/tcp)
Info A web server is running on this port
sunrpc
(111/tcp)
Info The RPC portmapper is running on this port.

An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
https
(443/tcp)
Info An SSLv3 server answered on this port
https
(443/tcp)
Info A web server is running on this port through SSL
ici
(2200/tcp)
Info An SSLv3 server answered on this port
snmp
(161/udp)
Info Using SNMP, we could determine that the remote operating system is :
Novell NetWare 5.70.03 January 20, 2005

unknown
(32779/udp)
Info RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 2 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port
rsync
(873/tcp)
Info An unknown service is running on this port.
It is usually reserved for Rsyncd
unknown
(32778/udp)
Info RPC program #100024 version 1 'status' is running on this port
ici
(2200/tcp)
Info A web server is running on this port through SSL
ideafarm-chatt
(902/udp)
Info The ypbind RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered.

Risk factor : Low
CVE : CVE-1999-0312
BID : 52
nfs
(2049/udp)
Info RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
ntp
(123/udp)
Info An NTP (Network Time Protocol) server is listening on this port.

Risk factor : Low
unknown
(8009/tcp)
Info An SSLv3 server answered on this port
http-alt
(8008/tcp)
Info A web server is running on this port
search-agent
(1234/udp)
Info RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port
ftp
(21/tcp)
Info Remote FTP server banner :
220 Service Ready for new User
netbios-ssn
(139/tcp)
Info An SMB server is running on this port
ftp
(21/tcp)
Info Remote FTP server banner :
220 Service Ready for new User
unknown
(2036/tcp)
Info An SSLv2 server answered on this port
ftp
(21/tcp)
Info An FTP server is running on this port.
Here is its banner :
220 Service Ready for new User
netbios-ssn
(139/tcp)
Info - NULL sessions are enabled on the remote host

CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
netbios-ssn
(139/tcp)
Info The remote native lan manager is : NetWare 6.5
The remote Operating System is : NetWare 6.5
The remote SMB Domain Name is : WORKGROUP
netbios-ssn
(139/tcp)
Info The remote registry can be accessed remotely using the login / password combination used for the SMB tests.
general/tcp
Info The remote host is running Novell NetWare 5.7
netbios-ssn
(139/tcp)
Info The domain SID can be obtained remotely. Its value is :

0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
netbios-ssn
(139/tcp)
Info The host Security Identifier (SID) can be obtained remotely. Its value is :

0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
ici
(2200/tcp)
Info The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/welcome/LoginPage (UserContext [cn=admin,o=novell] Password [] ProviderPort [636] strUseSSL [] InitialContext [o=novell] LoginImage [LoginImage] Login [Login] )
unknown
(961/udp)
Info RPC program #100004 version 1 'ypserv' (ypprog) is running on this port
ici
(2200/tcp)
Info Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:05:62:e5:5d:4c:8f:96:89:37:a6:11:7c:1a:b3:b9:0a:6c:6e:14:43:a2:a8:92:12:95:b1:ae:c9:02:01:12

Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity
Not Before: Aug 5 02:50:35 2004 GMT
Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c3:e4:cc:35:17:a8:3d:4b:93:59:9d:c4:ed:b2:
56:76:71:e7:ed:3a:e4:1f:90:8c:74:37:d6:68:d0:
0c:15:b7:c2:03:0a:7a:a2:21:0b:fa:6a:ee:94:44:
fe:a8:7c:7c:44:0d:1c:5f:a4:93:4a:4a:70:fb:64:
65:da:45:d5:49:50:11:79:77:c0:7b:9b:c4:c4:42:
a3:8e:f1:07:56:db:ac:bf:e9:48:b1:6d:4e:87:bd:
93:1f:51:85:52:b5:fd:35:97:ff:7a:bf:7d:5f:ee:
3f:f9:5a:ae:64:5e:d2:86:59:d4:46:ed:94:45:7f:
27:ba:a2:5f:51:bc:20:df:45:bb:fa:cc:4d:9b:7a:
c9:fb:34:f1:79:c2:ac:65:aa:15:23:fa:bc:2c:5d:
36:a9:0a:a3:f8:f7:50:1b:57:50:40:a0:f9:3a:d8:
75:4f:e1:e6:2e:82:71:ff:29:cc:e4:5a:d1:ff:aa:
2c:59:22:42:dc:6f:8b:52:aa:29:74:2f:bf:80:c2:
46:cb:00:bb:62:20:d6:0a:42:3a:91:a6:60:4d:0e:
c0:30:9f:63:15:e4:2d:c4:38:5a:4b:e2:9b:d1:bf:
bd:95:14:bc:f5:c4:22:49:a3:b5:b1:11:63:81:53:
12:e3:b4:35:96:4f:ec:8e:0b:36:5f:ba:32:1f:14:
19:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
11:8A:C0:3E:00:48:52:76:F1:6B:DC:75:2A:80:32:0C:96:26:B1:1F
X509v3 Authority Key Identifier:
keyid:95:2D:72:53:4C:78:AA:10:53:9A:81:2A:89:EB:CC:71:30:1C:05:FE

X509v3 Subject Alternative Name:
DirName:/CN=NW65-FS1/O=novell
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security
Attribute(tm).Chttp://developer.novell.com/repository/attributes
/certattrs_v10.htm0..H.....0.0......F0.0......
..i.....0.0......F0.0......
..i.............X...........
........................0.0......................H0.0......................H.X...........
.@..............@.......0.0....................b.]0.0....................b.].N0L...........
........................0.0.................0.0.................
Signature Algorithm: sha1WithRSAEncryption
82:06:1a:da:0a:be:aa:5b:67:a4:89:dc:cf:f3:73:13:62:b4:
e6:7c:95:46:2b:b7:6e:e9:b1:fa:4c:58:5c:43:d0:5a:a8:3b:
09:99:c3:43:21:d8:34:1e:00:e4:b2:73:8b:98:7d:b9:5b:69:
93:5f:1d:cc:8f:be:2c:90:8b:d7:53:03:27:25:43:dc:70:f8:
06:c9:ca:75:39:c3:91:b3:19:7d:78:9e:2e:e8:a1:d9:88:56:
17:a0:1a:6a:5e:31:15:ec:40:4c:51:7d:d0:27:cf:0a:f3:43:
15:b5:ef:28:04:33:c4:7e:b6:02:cc:d9:a0:c1:03:4b:57:72:
e3:ad:85:8e:05:ab:22:0e:45:7e:49:57:ca:07:99:bb:cf:de:
30:35:f6:ef:3f:81:f5:b0:e5:d7:8a:64:83:94:1c:76:e0:75:
8e:a6:19:57:cd:0b:b4:f4:01:ed:b4:3d:e8:36:9b:00:f3:51:
c9:91:1c:61:25:2c:0e:c6:74:1b:de:8e:18:11:fe:16:ba:cd:
3c:0e:7e:28:16:64:c4:aa:70:1d:44:b1:d7:6d:25:ad:a1:f4:
54:58:66:00:36:fc:41:08:00:bb:5e:e4:65:0f:5e:64:a6:37:
b7:85:56:53:4d:84:9c:58:11:9f:1b:6a:ee:91:a9:de:44:31:
41:f6:72:97
This SSLv3 server does not accept SSLv2 connections.
This SSLv3 server does not accept TLSv1 connections.
unknown
(2036/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:05:62:e5:5d:4c:8f:96:89:37:a6:11:7c:1a:b3:b9:0a:6c:6e:14:43:a2:a8:92:12:95:b1:ae:c9:02:01:12

Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity
Not Before: Aug 5 02:50:35 2004 GMT
Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c3:e4:cc:35:17:a8:3d:4b:93:59:9d:c4:ed:b2:
56:76:71:e7:ed:3a:e4:1f:90:8c:74:37:d6:68:d0:
0c:15:b7:c2:03:0a:7a:a2:21:0b:fa:6a:ee:94:44:
fe:a8:7c:7c:44:0d:1c:5f:a4:93:4a:4a:70:fb:64:
65:da:45:d5:49:50:11:79:77:c0:7b:9b:c4:c4:42:
a3:8e:f1:07:56:db:ac:bf:e9:48:b1:6d:4e:87:bd:
93:1f:51:85:52:b5:fd:35:97:ff:7a:bf:7d:5f:ee:
3f:f9:5a:ae:64:5e:d2:86:59:d4:46:ed:94:45:7f:
27:ba:a2:5f:51:bc:20:df:45:bb:fa:cc:4d:9b:7a:
c9:fb:34:f1:79:c2:ac:65:aa:15:23:fa:bc:2c:5d:
36:a9:0a:a3:f8:f7:50:1b:57:50:40:a0:f9:3a:d8:
75:4f:e1:e6:2e:82:71:ff:29:cc:e4:5a:d1:ff:aa:
2c:59:22:42:dc:6f:8b:52:aa:29:74:2f:bf:80:c2:
46:cb:00:bb:62:20:d6:0a:42:3a:91:a6:60:4d:0e:
c0:30:9f:63:15:e4:2d:c4:38:5a:4b:e2:9b:d1:bf:
bd:95:14:bc:f5:c4:22:49:a3:b5:b1:11:63:81:53:
12:e3:b4:35:96:4f:ec:8e:0b:36:5f:ba:32:1f:14:
19:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
11:8A:C0:3E:00:48:52:76:F1:6B:DC:75:2A:80:32:0C:96:26:B1:1F
X509v3 Authority Key Identifier:
keyid:95:2D:72:53:4C:78:AA:10:53:9A:81:2A:89:EB:CC:71:30:1C:05:FE

X509v3 Subject Alternative Name:
DirName:/CN=NW65-FS1/O=novell
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security
Attribute(tm).Chttp://developer.novell.com/repository/attributes/
certattrs_v10.htm0..H.....0.0.
.....F0.0......
..i.....0.0......F0.0......
..i.............X...........
........................0.0......................H0.0......................H.X...........
.@..............@.......0.0....................b.]0.0....................b.].N0L...........
........................0.0.................0.0.................
Signature Algorithm: sha1WithRSAEncryption
82:06:1a:da:0a:be:aa:5b:67:a4:89:dc:cf:f3:73:13:62:b4:
e6:7c:95:46:2b:b7:6e:e9:b1:fa:4c:58:5c:43:d0:5a:a8:3b:
09:99:c3:43:21:d8:34:1e:00:e4:b2:73:8b:98:7d:b9:5b:69:
93:5f:1d:cc:8f:be:2c:90:8b:d7:53:03:27:25:43:dc:70:f8:
06:c9:ca:75:39:c3:91:b3:19:7d:78:9e:2e:e8:a1:d9:88:56:
17:a0:1a:6a:5e:31:15:ec:40:4c:51:7d:d0:27:cf:0a:f3:43:
15:b5:ef:28:04:33:c4:7e:b6:02:cc:d9:a0:c1:03:4b:57:72:
e3:ad:85:8e:05:ab:22:0e:45:7e:49:57:ca:07:99:bb:cf:de:
30:35:f6:ef:3f:81:f5:b0:e5:d7:8a:64:83:94:1c:76:e0:75:
8e:a6:19:57:cd:0b:b4:f4:01:ed:b4:3d:e8:36:9b:00:f3:51:
c9:91:1c:61:25:2c:0e:c6:74:1b:de:8e:18:11:fe:16:ba:cd:
3c:0e:7e:28:16:64:c4:aa:70:1d:44:b1:d7:6d:25:ad:a1:f4:
54:58:66:00:36:fc:41:08:00:bb:5e:e4:65:0f:5e:64:a6:37:
b7:85:56:53:4d:84:9c:58:11:9f:1b:6a:ee:91:a9:de:44:31:
41:f6:72:97
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
ldaps
(636/tcp)
Info Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:05:62:e5:5d:4c:8f:96:89:37:a6:11:7c:1a:b3:b9:0a:6c:6e:14:43:a2:a8:92:12:95:b1:ae:c9:02:01:12

Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity
Not Before: Aug 5 02:50:35 2004 GMT
Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c3:e4:cc:35:17:a8:3d:4b:93:59:9d:c4:ed:b2:
56:76:71:e7:ed:3a:e4:1f:90:8c:74:37:d6:68:d0:
0c:15:b7:c2:03:0a:7a:a2:21:0b:fa:6a:ee:94:44:
fe:a8:7c:7c:44:0d:1c:5f:a4:93:4a:4a:70:fb:64:
65:da:45:d5:49:50:11:79:77:c0:7b:9b:c4:c4:42:
a3:8e:f1:07:56:db:ac:bf:e9:48:b1:6d:4e:87:bd:
93:1f:51:85:52:b5:fd:35:97:ff:7a:bf:7d:5f:ee:
3f:f9:5a:ae:64:5e:d2:86:59:d4:46:ed:94:45:7f:
27:ba:a2:5f:51:bc:20:df:45:bb:fa:cc:4d:9b:7a:
c9:fb:34:f1:79:c2:ac:65:aa:15:23:fa:bc:2c:5d:
36:a9:0a:a3:f8:f7:50:1b:57:50:40:a0:f9:3a:d8:
75:4f:e1:e6:2e:82:71:ff:29:cc:e4:5a:d1:ff:aa:
2c:59:22:42:dc:6f:8b:52:aa:29:74:2f:bf:80:c2:
46:cb:00:bb:62:20:d6:0a:42:3a:91:a6:60:4d:0e:
c0:30:9f:63:15:e4:2d:c4:38:5a:4b:e2:9b:d1:bf:
bd:95:14:bc:f5:c4:22:49:a3:b5:b1:11:63:81:53:
12:e3:b4:35:96:4f:ec:8e:0b:36:5f:ba:32:1f:14:
19:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
11:8A:C0:3E:00:48:52:76:F1:6B:DC:75:2A:80:32:0C:96:26:B1:1F
X509v3 Authority Key Identifier:
keyid:95:2D:72:53:4C:78:AA:10:53:9A:81:2A:89:EB:CC:71:30:1C:05:FE

X509v3 Subject Alternative Name:
DirName:/CN=NW65-FS1/O=novell
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security
Attribute(tm).Chttp://developer.novell.com/repository/attributes/
certattrs_v10.htm0..H.....0.0.
.....F0.0......
..i.....0.0......F0.0......
..i.............X...........
........................0.0......................H0.0......................H.X...........
.@..............@.......0.0....................b.]0.0....................b.].N0L...........
........................0.0.................0.0.................
Signature Algorithm: sha1WithRSAEncryption
82:06:1a:da:0a:be:aa:5b:67:a4:89:dc:cf:f3:73:13:62:b4:
e6:7c:95:46:2b:b7:6e:e9:b1:fa:4c:58:5c:43:d0:5a:a8:3b:
09:99:c3:43:21:d8:34:1e:00:e4:b2:73:8b:98:7d:b9:5b:69:
93:5f:1d:cc:8f:be:2c:90:8b:d7:53:03:27:25:43:dc:70:f8:
06:c9:ca:75:39:c3:91:b3:19:7d:78:9e:2e:e8:a1:d9:88:56:
17:a0:1a:6a:5e:31:15:ec:40:4c:51:7d:d0:27:cf:0a:f3:43:
15:b5:ef:28:04:33:c4:7e:b6:02:cc:d9:a0:c1:03:4b:57:72:
e3:ad:85:8e:05:ab:22:0e:45:7e:49:57:ca:07:99:bb:cf:de:
30:35:f6:ef:3f:81:f5:b0:e5:d7:8a:64:83:94:1c:76:e0:75:
8e:a6:19:57:cd:0b:b4:f4:01:ed:b4:3d:e8:36:9b:00:f3:51:
c9:91:1c:61:25:2c:0e:c6:74:1b:de:8e:18:11:fe:16:ba:cd:
3c:0e:7e:28:16:64:c4:aa:70:1d:44:b1:d7:6d:25:ad:a1:f4:
54:58:66:00:36:fc:41:08:00:bb:5e:e4:65:0f:5e:64:a6:37:
b7:85:56:53:4d:84:9c:58:11:9f:1b:6a:ee:91:a9:de:44:31:
41:f6:72:97
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by an export-grade or badly configured client software. They only offer a limited protection against a brute force attack.

Solution: disable those ciphers and upgrade your client software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
https
(443/tcp)
Info Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:05:62:e5:5d:4c:8f:96:89:37:a6:11:7c:1a:b3:b9:0a:6c:6e:14:43:a2:a8:92:12:95:b1:ae:c9:02:01:12
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity
Not Before: Aug 5 02:50:35 2004 GMT
Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c3:e4:cc:35:17:a8:3d:4b:93:59:9d:c4:ed:b2:
56:76:71:e7:ed:3a:e4:1f:90:8c:74:37:d6:68:d0:
0c:15:b7:c2:03:0a:7a:a2:21:0b:fa:6a:ee:94:44:
fe:a8:7c:7c:44:0d:1c:5f:a4:93:4a:4a:70:fb:64:
65:da:45:d5:49:50:11:79:77:c0:7b:9b:c4:c4:42:
a3:8e:f1:07:56:db:ac:bf:e9:48:b1:6d:4e:87:bd:
93:1f:51:85:52:b5:fd:35:97:ff:7a:bf:7d:5f:ee:
3f:f9:5a:ae:64:5e:d2:86:59:d4:46:ed:94:45:7f:
27:ba:a2:5f:51:bc:20:df:45:bb:fa:cc:4d:9b:7a:
c9:fb:34:f1:79:c2:ac:65:aa:15:23:fa:bc:2c:5d:
36:a9:0a:a3:f8:f7:50:1b:57:50:40:a0:f9:3a:d8:
75:4f:e1:e6:2e:82:71:ff:29:cc:e4:5a:d1:ff:aa:
2c:59:22:42:dc:6f:8b:52:aa:29:74:2f:bf:80:c2:
46:cb:00:bb:62:20:d6:0a:42:3a:91:a6:60:4d:0e:
c0:30:9f:63:15:e4:2d:c4:38:5a:4b:e2:9b:d1:bf:
bd:95:14:bc:f5:c4:22:49:a3:b5:b1:11:63:81:53:
12:e3:b4:35:96:4f:ec:8e:0b:36:5f:ba:32:1f:14:
19:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
11:8A:C0:3E:00:48:52:76:F1:6B:DC:75:2A:80:32:0C:96:26:B1:1F
X509v3 Authority Key Identifier:
keyid:95:2D:72:53:4C:78:AA:10:53:9A:81:2A:89:EB:CC:71:30:1C:05:FE

X509v3 Subject Alternative Name:
DirName:/CN=NW65-FS1/O=novell
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security
Attribute(tm).Chttp://developer.novell.com/repository/attributes/
certattrs_v10.htm0..H.....0.0..
....F0.0......
..i.....0.0......F0.0......
..i.............X...........
........................0.0......................H0.0......................H.X...........
.@..............@.......0.0....................b.]0.0....................b.].N0L...........
........................0.0.................0.0.................
Signature Algorithm: sha1WithRSAEncryption
82:06:1a:da:0a:be:aa:5b:67:a4:89:dc:cf:f3:73:13:62:b4:
e6:7c:95:46:2b:b7:6e:e9:b1:fa:4c:58:5c:43:d0:5a:a8:3b:
09:99:c3:43:21:d8:34:1e:00:e4:b2:73:8b:98:7d:b9:5b:69:
93:5f:1d:cc:8f:be:2c:90:8b:d7:53:03:27:25:43:dc:70:f8:
06:c9:ca:75:39:c3:91:b3:19:7d:78:9e:2e:e8:a1:d9:88:56:
17:a0:1a:6a:5e:31:15:ec:40:4c:51:7d:d0:27:cf:0a:f3:43:
15:b5:ef:28:04:33:c4:7e:b6:02:cc:d9:a0:c1:03:4b:57:72:
e3:ad:85:8e:05:ab:22:0e:45:7e:49:57:ca:07:99:bb:cf:de:
30:35:f6:ef:3f:81:f5:b0:e5:d7:8a:64:83:94:1c:76:e0:75:
8e:a6:19:57:cd:0b:b4:f4:01:ed:b4:3d:e8:36:9b:00:f3:51:
c9:91:1c:61:25:2c:0e:c6:74:1b:de:8e:18:11:fe:16:ba:cd:
3c:0e:7e:28:16:64:c4:aa:70:1d:44:b1:d7:6d:25:ad:a1:f4:
54:58:66:00:36:fc:41:08:00:bb:5e:e4:65:0f:5e:64:a6:37:
b7:85:56:53:4d:84:9c:58:11:9f:1b:6a:ee:91:a9:de:44:31:
41:f6:72:97
This SSLv3 server does not accept SSLv2 connections.
This SSLv3 server does not accept TLSv1 connections.
unknown
(8009/tcp)
Info Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
02:1c:05:62:e5:5d:4c:8f:96:89:37:a6:11:7c:1a:b3:b9:0a:6c:6e:14:43:a2:a8:92:12:95:b1:ae:c9:02:01:0e

Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity
Not Before: Aug 5 02:50:35 2004 GMT
Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=10.10.10.6, O=.NW65_TREE.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a3:3e:21:a1:5e:af:c5:fd:66:67:49:97:bb:7c:
14:10:d7:b6:8a:c7:26:9f:b9:9e:0b:0b:69:5e:3b:
32:02:e2:e9:06:bc:93:ba:67:c5:f6:d0:1d:35:5a:
12:da:62:15:7f:1b:da:8e:22:8c:04:08:33:6f:96:
7c:e0:6c:6c:e0:c4:16:61:5d:cd:7f:68:11:96:40:
d2:a9:6b:be:53:39:e3:39:cf:b9:d7:4c:16:a8:52:
52:cc:b1:89:1c:0c:68:2d:4d:e8:6b:08:b8:27:99:
ed:28:33:77:fd:c7:24:a3:9d:e9:ba:31:05:a6:29:
e1:05:6d:0f:61:00:ba:c1:57:dc:9c:fa:29:1f:70:
62:f2:37:b5:55:f6:fb:6e:8a:8a:d6:a2:48:5b:37:
d8:85:df:a4:14:d7:2f:e8:5b:da:9f:f7:bc:39:4a:
f1:ab:c3:92:f7:56:39:0b:e7:90:e3:e2:19:0c:78:
6f:51:17:40:9c:02:92:f1:13:23:5e:c4:1d:de:38:
c7:1b:17:2f:03:7d:ab:45:9f:df:e5:e5:4a:49:3a:
39:51:a8:ef:cc:29:9c:9c:3c:fd:db:a8:65:e7:79:
2a:1c:1a:9a:d7:ab:0e:23:77:23:76:05:c3:3c:be:
25:25:32:db:89:d2:a0:ce:59:e3:ed:4e:cd:b8:ed:
aa:9f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
13:D9:BA:5A:FA:DA:52:17:2E:86:11:E4:F9:77:AB:D5:DC:A0:65:4D
X509v3 Authority Key Identifier:
keyid:95:2D:72:53:4C:78:AA:10:53:9A:81:2A:89:EB:CC:71:30:1C:05:FE

X509v3 Subject Alternative Name:
DirName:/CN=NW65-FS1/O=novell
X509v3 Key Usage:
Digital Signature, Key Encipherment
2.16.840.1.113719.1.9.4.1:
0............Novell Security
Attribute(tm).Chttp://developer.novell.com/repository/attributes/
certattrs_v10.htm0..H.....0.0..
....F0.0......
..i.....0.0......F0.0......
..i.............X...........
........................0.0......................H0.0......................H.X...........
.@..............@.......0.0....................b.]0.0....................b.].N0L...........
........................0.0.................0.0.................
Signature Algorithm: sha1WithRSAEncryption
84:cd:87:51:c8:92:f8:ba:39:ee:a0:72:5c:53:86:ed:bb:cc:
d9:8a:95:93:d2:de:36:67:94:91:1a:10:c9:08:eb:ef:89:7b:
af:d7:ee:fa:df:b5:ac:d2:d9:c5:d1:f6:0b:8b:cd:db:d1:ba:
f7:26:ef:36:0e:24:3b:b2:33:6c:eb:1d:78:c2:0a:27:93:41:
c3:94:14:76:ef:57:c5:67:e9:7b:2d:57:5a:62:8d:57:1a:eb:
ef:02:98:ce:ad:75:fd:7f:57:91:92:ca:30:72:6b:4b:e2:0f:
d9:0e:29:31:f3:d1:93:23:eb:b4:7b:5c:ed:01:63:48:a3:c1:
16:83:60:86:08:6b:66:ca:18:c6:fc:0d:e1:6a:e9:55:a0:e0:
03:ba:9e:d7:ae:a3:89:68:63:cd:db:9b:34:98:d7:24:fa:35:
48:09:b1:19:76:e3:73:67:a4:63:b3:2a:65:9f:fb:11:f3:88:
ef:68:01:f1:15:f7:a3:f5:d2:54:db:ad:4b:8c:24:44:9b:6d:
ce:64:db:c6:b6:2c:cf:9b:f6:64:97:95:db:a0:b9:06:e3:98:
8f:1e:0e:33:f2:41:14:00:4f:b2:b0:5d:60:2e:35:1a:8e:48:
e9:9d:32:ee:ee:53:5c:f0:21:19:75:ee:80:e5:38:f7:11:aa:
77:dc:f5:d9
This SSLv3 server does not accept SSLv2 connections.
This SSLv3 server does not accept TLSv1 connections.
ici
(2200/tcp)
Info The remote web server type is :

Apache/2.0.52 (NETWARE) mod_jk/1.2.6a PHP/5.0.3

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
ipp
(631/tcp)
Info The remote web server type is :

Apache/2.0.52 (NETWARE) mod_jk/1.2.6a

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
http
(80/tcp)
Info The remote web server type is :

Apache/2.0.52 (NETWARE) mod_jk/1.2.6a

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
unknown
(2211/tcp)
Info The remote web server type is :

Apache/2.0.52 (NETWARE) mod_jk/1.2.6a PHP/5.0.3

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
hosts2-ns
(81/tcp)
Info The remote web server type is :

NetWare HTTP Stack
https
(443/tcp)
Info The remote web server type is :

Apache/2.0.52 (NETWARE) mod_jk/1.2.6a

Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
http-alt
(8008/tcp)
Info The remote web server type is :

NetWare HTTP Stack
unknown
(8009/tcp)
Info The remote web server type is :

NetWare HTTP Stack
unknown
(904/udp)
Info RPC program #100004 version 2 'ypserv' (ypprog) is running on this port
ideafarm-catch
(903/udp)
Info RPC program #100009 version 1 'yppasswdd' (yppasswd) is running on this port
ipp
(631/tcp)
Info A web server is running on this port
ici
(2200/tcp)
Info phpMyAdmin 2.6.0-pl2 was detected on the remote host under the path /phpMyAdmin.

phpMyAdmin is a web based MySQL administration tool written in PHP. See http://www.phpmyadmin.net/home_page/index.php for more information.
ideafarm-chatt
(902/udp)
Info RPC program #100007 version 2 'ypbind' is running on this port
ldaps
(636/tcp)
Info A SSLv2 server answered on this port
sunrpc
(111/udp)
Info RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
http
(80/tcp)
Info A web server is running on this port
unknown
(32779/tcp)
Info RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 2 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port
ideafarm-catch
(903/udp)
Info The yppasswd RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered.

Risk factor : Low
afpovertcp
(548/udp)
Info This host is running an AppleShare File Services over IP.
Machine type: Novell NetWare 5.70.03
Server name: NW65-FS1
UAMs: Randnum Exchange/2-Way Randnum exchange
AFP Versions: AFPVersion 1.1/AFPVersion 2.0/AFPVersion 2.1/AFP2.2/AFPX03/AFP3.1
unknown
(32778/tcp)
Info RPC program #100024 version 1 'status' is running on this port
nfs
(2049/tcp)
Info RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
search-agent
(1234/tcp)
Info RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port
dhcp-failover2
(847/tcp)
Info RPC program #100004 version 2 'ypserv' (ypprog) is running on this port
unknown
(846/tcp)
Info RPC program #100009 version 1 'yppasswdd' (yppasswd) is running on this port
netviewdm3
(731/tcp)
Info RPC program #100004 version 1 'ypserv' (ypprog) is running on this port
sunrpc
(111/tcp)
Info RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
unknown
(2211/tcp)
Info A web server is running on this port
nfs
(2049/tcp)
Info You are running a superfluous NFS daemon.
You should consider removing it.

CVE : CAN-1999-0554, CAN-1999-0548
unknown
(8009/tcp)
Info A web server is running on this port through SSL
mysql
(3306/tcp)
Info An unknown service is running on this port.
It is usually reserved for MySQL
ldap
(389/tcp)
Info An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 30 24 02 01 0$..

Appendix C Post Hardening Comparison of OES NetWare and OES Linux

Summary of scanned hosts
Host Holes Warnings Open ports State
10.10.10.15 (Linux) 0 2 4 Finished
10.10.10.6 (NW) 0 2 4 Finished

Appendix D Nessus Assessment -- Post hardening of OES Linux

10.10.10.15 (OES Linux)
Service Severity Description
ntp (123/udp) Info Port is open
svrloc
(427/tcp)
Info Port is open
ncp
(524/tcp)
Info Port is open
ssh
(22/tcp)
Info Port is open
general
/tcp
Medium The remote host does not discard TCP SYN packets which have the FIN flag set.

Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
ssh
22/tcp
Medium The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically safe so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
ntp
(123/udp)
Info It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables - these include OS descriptor, and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.2.0a@1.1213-r Wed Jan 26 17:44:09 UTC 2005 (1)',
processor='i686', system='Linux/2.6.5-7.147-default', leap=0,
stratum=11, precision=-19, rootdelay=0.000, rootdispersion=44.776,
peer=29180, refid=127.127.1.0, reftime=0xc625406f.b379c842, poll=10,
clock=0xc625419f.ba95421c, state=4, offset=0.000, frequency=0.000,
error=0.002, jitter=0.000, stability=0.000


Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low
ssh
(22/tcp)
Info Remote SSH version : SSH-1.99-OpenSSH_3.8p1

Remote SSH supported authentication : publickey,keyboard-interactive
ssh
(22/tcp)
Info An ssh server is running on this port
general
/udp
Info For your information, here is the traceroute to 10.10.10.15 :
10.10.10.82
10.10.10.15
general
/icmp
Info The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
general
/tcp
Info The remote host is running Linux Kernel 2.6.5-7.147-default (i386)
ssh
22/tcp
Info The remote SSH daemon supports the following versions of the SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0

SSHv1 host key fingerprint : 8e:0c:5e:3f:51:81:33:bd:6c:e9:13:4a:e2:00:9d:ff
SSHv2 host key fingerprint : 74:89:cb:61:2d:c6:eb:1c:e3:99:5f:5d:0b:85:a0:35
general
/tcp
Info The remote host is running one of these operating systems :
Linux Kernel 2.6
Linux Kernel 2.4

Appendix E Nessus Assessment -- Post hardening of OES NetWare

10.10.10.15 (OES Linux)
Service Severity Description
unknown
(6901/tcp)
Info Port is open
ncp
(524/tcp)
Info Port is open
ntp
(123/udp)
Info Port is open
svrloc
(427/tcp)
Info Port is open
general
/tcp
Medium The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host.

An attacker may use this feature to determine traffic patterns within your network. A few examples (not at all exhaustive) are:

1. A remote attacker can determine if the remote host sent a packet in reply to another request. Specifically, an attacker can use your server as an unwilling participant in a blind portscan of another network.

2. A remote attacker can roughly determine server requests at certain times of the day. For instance, if the server is sending much more traffic after business hours, the server may be a reverse proxy or other remote access device. An attacker can use this information to concentrate his/her efforts on the more critical machines.

3. A remote attacker can roughly estimate the number of requests that a web server processes over a period of time.

Solution : Contact your vendor for a patch
Risk factor : Low
ncp
524/tcp
Medium Server Name: NW65-FS1
NDS Tree Name: NW65_TREE
NDS Users: ADMIN, EGUIDEPUBLICUSER1795, LDAPUSER, MINIME, NFAUUSER, USER1, USER2, USER3, USER321
ntp
123/udp
Info A NTP (Network Time Protocol) server is listening on this port.

Risk factor : Low
general
/udp
Info For your information, here is the traceroute to 10.10.10.6 :
10.10.10.82
10.10.10.6
general
/tcp
Info Nessus was not able to reliably identify the remote operating system. It might be:
Novell Netware 6.0
The fingerprint differs from these known signatures on 2 points.
If you know what operating system this host is running, please send this signature to os-signatures@nessus.org :
:1:1:0:128:0:128:1:0:128:1:0:128:1:8:128:0:1:1:2:1:1:1:1:1:128:6143:MWNSNN:0:N:N


© 2014 Novell