Re: Vulnerabilities found by Nessus
On Tuesday 15 October 2002 14:59, Javier Fernández-Sanguino Peña wrote:
> On Tue, Oct 15, 2002 at 02:11:51PM +0200, Kjetil Kjernsmo wrote:
> > On Tuesday 15 October 2002 13:59, Javier Fernández-Sanguino Peña wrote:
> > > Try to reproduce this behavior. You can launch the
> > > attacks manually using 'nasl name-of-the-script'
OK, I needed libnasl-dev for that apparently.
The plugin in question is apparently slmail_helo.nasl
Mmmm, doesn't seem to work...:
owl:/usr/lib/nessus/plugins# nasl slmail_helo.nasl
slmail_helo.nasl : Warning : evaluating unknown variable - description
...?
> Ok. If you trace the mail daemon with:
>
> $ strace -f -p process_id_mail
OK.
> $ perl -e 'print "EHLO"; print "a" x 500;' | nc localhost 25
root@pooh:~> perl -e 'print "EHLO"; print "a" x 500;' | nc localhost 25
220 pooh.kjernsmo.net ESMTP Exim 3.35 #1 Tue, 15 Oct 2002 15:34:24 +0200
421 pooh.kjernsmo.net: SMTP command timeout - closing connection
root@pooh:/var/run> strace -f -p 4456
read(0, 0x80c7ff8, 8192) = ? ERESTARTSYS (To be restarted)
--- SIGALRM (Alarm clock) ---
time(NULL) = 1034689164
open("/var/log/exim/mainlog", O_WRONLY|O_APPEND) = 2
fcntl64(2, F_GETFD) = 0
fcntl64(2, F_SETFD, FD_CLOEXEC) = 0
fstat64(2, {st_mode=S_IFREG|0640, st_size=134036, ...}) = 0
write(2, "2002-10-15 15:39:24 SMTP command"..., 82) = 82
write(1, "421 pooh.kjernsmo.net: SMTP comm"..., 66) = 66
munmap(0x40014000, 4096) = 0
_exit(1) = ?
It didn't tell me a lot, I guess...
(launched from /var/run just because I was looking to see if there was a
pid-file there)
> Regarding the other vulnerability, you should see if the system is
> running out of file descriptors. See if, during the attack, 'netstat
> -an' returns a huge number of open connections to port 25. All
> systems are vulnerable to file descriptor exhaustion unless you
> configure limits.
Sure.
> You might want to take a look at Bastille-linux (there is a Debian
> package for it) on how to configure some of this stuff automatically.
OK, I'll install it.
> You should also read the "Debian Securing Manual" for more in-depth
> information.
Yeah, I've read it, and done much of it, but whether I understood it all
is of course another matter. :-)
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
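
The 'netstat -an' check for port 25 suggested in the quoted advice, worked through as an added example that is not part of the original message. It assumes the Linux net-tools column layout; the function names, the 80% threshold and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Summarise inbound SMTP connections from `netstat -an` (Linux net-tools layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State).

# Constructed sample output, not captured from any real host.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40311      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40312      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40313      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:51000       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:51001       ESTABLISHED
tcp        0      0 192.0.2.10:40000        203.0.113.20:25         ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Print "<state> <count>" for TCP sockets whose LOCAL port is $1 (default 25).
# Outbound connections to someone else's port 25 are deliberately ignored.
smtp_states() {
    awk -v port="${1:-25}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, a, ":")      # last piece is the port (IPv4 or IPv6)
            if (a[n] == port) state[$6]++
        }
        END { for (s in state) print s, state[s] }' | sort
}

# Rough count of descriptors the daemon still holds: ESTABLISHED and CLOSE_WAIT.
# TIME_WAIT and SYN_RECV sockets are kernel-only and use no process descriptor.
smtp_fd_estimate() {
    smtp_states "${1:-25}" |
        awk '$1 == "ESTABLISHED" || $1 == "CLOSE_WAIT" { t += $2 } END { print t + 0 }'
}

# Compare an estimate ($1) with a descriptor limit ($2), e.g. from `ulimit -n`
# in the daemon's environment. The 80% threshold is an arbitrary example value.
fd_pressure() {
    if [ "$1" -ge $(( $2 * 80 / 100 )) ]; then echo WARN; else echo OK; fi
}
```

On a live host, feed it real output with `netstat -an | smtp_states` while the scan is running.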