# TEST YOUR SECURITY!

## Ventrue

I've installed shorewall, and found this excellent site for remote portscanning. If you need to test security, you can do it here:

http://scan.sygate.com/stealthscan.html

Every type of scan is available, and is great for security testing.

Have fun with it!

----------

## gsurbey

Here's another one by Steve Gibson Research.  He also has some other cool stuff on the site.

https://grc.com/x/ne.dll?bh0bkyd2

----------

## Mr. Hahn

what kind of configuring would I need for sshd so that I'm not at any risk?

I open port 22 and I'm running sshd, this is what it says:

Secure Shell, a encrypted type of Telnet. If misconfigured it can allow for brute-force attacks on your administration account.

----------

## kashani

Steve Gibson is an alarmist as well as a complete moron in my not so humble opinion. Take anything you read on his site with a grain of salt and cross check it with several other security sites before believing anything he says.

kashani

----------

## kashani

 *Mr. Hahn wrote:*   

> what kind of configuring would I need for sshd so that I'm not at any risk?
> 
> Secure Shell, a encrypted type of Telnet. If misconfigured it can allow for brute-force attacks on your administration account.

 

I interpret that to mean, "By allowing any sort of access to the server your account could theoretically succumb to a brute force attack over the course of 500-600 years assuming you didn't notice the 100 odd ssh sessions opening and closing all the time. Please buy our firewall so you *feel* safer."

kashani

----------

## BitJam

 *Mr. Hahn wrote:*   

> what kind of configuring would I need for sshd so that I'm not at any risk?

 

1) Make sure you are running the latest version of sshd: 

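```
# Refresh the Portage tree
emerge --sync
# -u (update) with -p (pretend): list a pending openssh upgrade without installing it
emerge -up openssh
```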

2) Then make sure that you have chosen good (hard to guess) passwords.

3) Be sure that you have not used your passwords via any insecure channel such as ftp or telnet.

----------

## shm

 *kashani wrote:*   

> Steve Gibson is an alarmist as well as a complete moron in my not so humble opinion. Take anything you read on his site with a grain of salt and cross check it with several other security sites before believing anything he says.

 

Agreed..

----------

## TheWart

 *kashani wrote:*   

> Steve Gibson is an alarmist as well as a complete moron in my not so humble opinion. Take anything you read on his site with a grain of salt and cross check it with several other security sites before believing anything he says.
> 
> kashani

 

Yea, he has had some credibility problems in the past....but the security test is still useful.

----------

## handsomepete

 *Mr. Hahn wrote:*   

> what kind of configuring would I need for sshd so that I'm not at any risk?
> 
> I open port 22 and I'm running sshd, this is what it says:
> 
> Secure Shell, a encrypted type of Telnet. If misconfigured it can allow for brute-force attacks on your administration account.

 

If you have a router of some sort you can have it forward from a high numbered port to 22 so people are slightly less likely to screw with it after a port scan.  I use port 6734 and forward it to 22, but I think it's also possible to have sshd listen on a different port.  As others said, a good password is always a plus.

----------

## senectus

 *shm wrote:*   

>  *kashani wrote:*   Steve Gibson is an alarmist as well as a complete moron in my not so humble opinion. Take anything you read on his site with a grain of salt and cross check it with several other security sites before believing anything he says.
> 
> Agreed..

 

Ditto..

----------

## madchaz

I'd advise turning SSH1 protocol support off. It has known flaws in its security, so using SSH2 as your protocol is safer. (You can turn it off in the .conf file.)

Also, I'd suggest removing "root" login from SSH. Only allow login from an account that has limited access, but has the wheel group so it can SU to root if needed. Also make sure that account doesn't have the same password as the root. Makes it doubly harder to get in with root access, and not much harder for you to use. Course, this is if you feel paranoid, lol.

As for Gibson, I personally think that even if he's a bit alarmist, he's one of the very good guys. I can see the logic of making it "look" a little worse than it actually is to grab the attention of joe nobody who runs WindowsXP with no patch, no firewall, all the default settings and a passwordless administrator account. Those are probably more of a security risk to the rest of us than any other factor. Just look how Sobig is spreading using those morons.

Also, another good place to get a security scan is www.securityspace.com

very good scan  :Smile: 

----------

## georwell

Set up a firewall and only allow connections to your port 22 from specific subnets. If you don't need people connecting from Russia, Europe, etc., then don't let them.

----------

## Landonis

For a clearer explanation of the reasons people dislike gibby, and why I do not think he can be classed as a good guy:

www.grcsucks.com

Making people aware of issues I completely agree with, but deliberate scaremongering and mis-information is not a help.

----------

## Mr. Hahn

 *madchaz wrote:*   

> I'd advise turning SSH1 protocol support off. It has known flaws in its security, so using SSH2 as your protocol is safer. (You can turn it off in the .conf file.)
> 
> Also, I'd suggest removing "root" login from SSH. Only allow login from an account that has limited access, but has the wheel group so it can SU to root if needed. Also make sure that account doesn't have the same password as the root. Makes it doubly harder to get in with root access, and not much harder for you to use. Course, this is if you feel paranoid, lol.
> 
> As for Gibson, I personally think that even if he's a bit alarmist, he's one of the very good guys. I can see the logic of making it "look" a little worse than it actually is to grab the attention of joe nobody who runs WindowsXP with no patch, no firewall, all the default settings and a passwordless administrator account. Those are probably more of a security risk to the rest of us than any other factor. Just look how Sobig is spreading using those morons.
> ...

 

done  :Smile: 

Protocol 2

rootaccess no 

I forget exactly what the last one was, but it was a matter of uncommenting it.

----------

## jfb3

But how would I get the Sygate site to scan my server?  I don't have any desktop apps on it.

----------

## nikai

You can find out which process listens on which port with

```
lsof -i
```

You'll need sys-apps/lsof for that.

You can see established connections with

```
netstat -tu
```

and active servers with

```
netstat -lp
```

And please don't trust sites that offer to scan you.

----------

## sa

Check out http://nessus.org/. That program is _much_ more thorough than just a portscan, and there's an ebuild for it too.

----------

## satria

 *sa wrote:*   

> Check out http://nessus.org/. That program is _much_ more thorough than just a portscan, and there's an ebuild for it too.

 

Right. I always use nessus to audit my server security. It could find vulnerabilities and sometimes give appropriate suggestions.

----------

## 18371

For nessus, I need a standalone machine, before the router and firewall, right?

So, if I need to test any computer, I need another one, connected to the network interface through which it is connected to the internet?

----------

## sschlueter

 *madchaz wrote:*   

> 
> 
> Also, I'd suggest removing "root" login from SSH. Only allow login from an account that has limited access, but has the wheel group so it can SU to root if needed. Also make sure that account doesn't have the same password as the root. Makes it doubly harder to get in with root access, and not much harder for you to use. Course, this is if you feel paranoid, lol.
> 
> 

 

Even better: Disable password authentication and use publickey authentication.

----------

## Steffen

Nessus gives me the following output, no matter whether the safe setting is set to yes or no in nessusd.conf:

```
 . Vulnerability found on port imaps (993/tcp) :
    The remote host seems to be using a version of OpenSSL which is
    older than 0.9.6e or 0.9.7-beta3
    This version is vulnerable to a buffer overflow which,
    may allow an attacker to obtain a shell on this host.
    *** Note that since safe checks are enabled, this check
    *** might be fooled by non-openssl implementations and
    *** produce a false positive.
    *** In doubt, re-execute the scan without the safe checks
    Solution : Upgrade to version 0.9.6e (0.9.7beta3) or newer
    Risk factor : High
    CVE : CAN-2002-0656, CAN-2002-0655, CAN-2002-0657, CAN-2002-0659,
     CVE-2001-1141
    BID : 5363
```

And yes, I have restarted nessusd after changing the mentioned option.

----------

## Steffen

Sorry for posting this multiple times, could a moderator please delete some of them?   :Sad: 

----------

## ixion

I'm having this same issue.... Apache correctly reports it's running the latest OpenSSL, but nessus insists that it isn't.. this wouldn't be a big deal to me otherwise, but Nessus reports a remote shell is obtainable through older OpenSSLs!  :Shocked: 

Is this just a bug in Nessus? I didn't have this reported on my server before updating Nessus and nessus-plugins.

----------

## ramon

 *BitJam wrote:*   

>  *Mr. Hahn wrote:*   what kind of configuring would I need for sshd so that I'm not at any risk?
> 
> 1) Make sure you are running the latest version of sshd: 
> 
> ```
> ...

 

Better yet, create an ssh2 public / private key pair. Load your public key on a USB stick or whatever and never ever log in with a password again  :Smile: 

If you grow annoyed with typing your passphrase, read Daniel's excellent article on keychain. (It's on the Gentoo site somewhere.)

Also be sure to disable password, root logins, and ssh1 protocol on your server, as somebody else already noted somewhere in this thread.

Grtz Ramon
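
The settings recommended across this thread (SSH2 only, no root login, no password authentication, public keys) can be checked mechanically. The script below is an added example, not part of any post: `audit_sshd_config` is a hypothetical helper name, the keywords are the OpenSSH `sshd_config` names, and the sample config is constructed.

```sh
#!/bin/sh
# Added example, not from the thread: audit the global section of an
# sshd_config against the advice above. Assumes whitespace-separated
# "Keyword value" lines; stops at the first Match block.
audit_sshd_config() {
    awk '
    function report(status, key, detail) {
        printf "%-4s %s %s\n", status, key, detail
        if (status == "FAIL") fails++
    }
    # want: required value; unset_ok: 1 if omitting the keyword is acceptable
    function check(key, want, unset_ok) {
        if (!(key in val)) {
            if (unset_ok) { report("OK", key, "(not set)") }
            else { report("FAIL", key, "not set, expected " want) }
        } else if (val[key] == want) {
            report("OK", key, val[key])
        } else {
            report("FAIL", key, val[key] ", expected " want)
        }
    }
    BEGIN { fails = 0 }
    NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
    tolower($1) == "match" { exit }      # conditional blocks are out of scope
    {
        key = tolower($1)                # keywords are case-insensitive
        if (!(key in val)) val[key] = tolower($2)  # sshd keeps the first value
    }
    END {
        # Unset Protocol is accepted: assumes an OpenSSH without SSH1 support.
        check("protocol", "2", 1)
        check("permitrootlogin", "no", 0)
        check("passwordauthentication", "no", 0)
        check("pubkeyauthentication", "yes", 1)
        exit fails                       # exit status = number of FAIL lines
    }' "$1"
}

# Constructed sample: root login and SSH1 disabled, passwords still allowed.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'Protocol 2' 'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against `/etc/ssh/sshd_config`; a non-zero exit status is the number of failed checks.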

----------

## professorn

You can delete the message yourself: click on the cross beside the edit button.

----------

