You really do need balls. I only glanced at the report... I'm not even going to waste my time looking for holes and so on... I have better things to do... I'm swamped here hahaha.

But in any case, it's not pleasant/advisable at all to make a spaghetti mess of services like this. The ideal is to separate the services: one place with only the mail server, another with HTTP, and maybe the DB too, things like that. Otherwise a hole in one gets in the way of the other. But that's already a matter for security (and feasibility) =D
Do look into the possibility of using a firewall. It would certainly have reduced the number of people using the various tools you mentioned. After all, a well-structured firewall looks at the header first; if it is already forbidden there, it drops it without opening it. Then there is the matter of layers, and you see which ones need to be monitored. Some proxies and firewalls that I keep running inspect all the way up to the application layer, to check that it is not an improper service. That eats more processing than normal, but gives greater security (although nothing is 100% secure).

Even so, it's good to pay attention to this point. And if this server also runs Asterisk, it's even worse =p because Asterisk also needs processing, disk, among other things. But I don't know much about Asterisk hahaha, so I won't weigh in. I'm here to learn =D

On Thu, Oct 8, 2009 at 3:34 PM, Rodrigo Graeff <delphus...@gmail.com> wrote:
> Thanks for the report, Eliel.
>
> The spaghetti mess of services saves my skin, since these are the
> services, versions and software I trust, precisely so I can leave them
> without a firewall.
>
> This server is my own private one and, on top of everything else, hosts
> my personal Asterisk.
>
> The service on port 6669 is an Unreal IRCd, but it wants SSL connections;
> anyone who wants to come in and chat, I'm in the #asterisk channel.
>
> It takes balls to leave the IP out there, huh? And as Itamar said,
> iptables is for sissies.
>
>
> On Thu, 2009-10-08 at 15:00 -0300, Eliel Oliveira wrote:
> > Report for 72.55.148.11
> >
> > Port 6669
> > Reported by NVT "Trojan horses" (1.3.6.1.4.1.25623.1.0.11157):
> >
> > An unknown service runs on this port.
> > It is sometimes opened by this/these Trojan horse(s):
> > Host Control
> > Vampire
> >
> > Unless you know for sure what is behind it, you'd better
> > check your system
> >
> > *** Anyway, don't panic, Nessus only found an open port. It may
> > *** have been dynamically allocated to some service (RPC...)
> >
> > Solution: if a trojan horse is running, run a good antivirus scanner
> > Risk factor : Low
> >
> > Port 111
> > The RPC portmapper is running on this port.
> >
> > An attacker may use it to enumerate your list
> > of RPC services. We recommend you filter traffic
> > going to this port.
> >
> > Risk factor : Low
> > CVE : CAN-1999-0632, CVE-1999-0189
> > BID : 205
> >
> > Port 22
> > Reported by NVT "SSH Server type and version" (1.3.6.1.4.1.25623.1.0.10267):
> >
> > Remote SSH version : SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An ssh server is running on this port
> >
> > port 25
> > smtpscan was not able to reliably identify this server. It might be:
> > Qmail 1.0.3
> > The fingerprint differs from these known signatures on 1 point(s)
> >
> > If you known precisely what it is, please send this fingerprint
> > to smtp-signatu...@nessus.org :
> > :250:250:250:250:250:553:553:214:252:502:502:502:502:250:250
> >
> > ====================================================================
> > Reported by NVT "SMTP Server type and version" (1.3.6.1.4.1.25623.1.0.10263):
> >
> > Remote SMTP server banner :
> > 220 mail.thewebsilo.com ESMTP SPF1
> >
> > This is probably: Qmail
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An SMTP server is running on this port
> > Here is its banner :
> > 220 mail.thewebsilo.com ESMTP SPF1
> >
> > ====================================================================
> > Reported by NVT "Identifies services like FTP, SMTP, NNTP..." (1.3.6.1.4.1.25623.1.0.14773):
> >
> > A SMTP server is running on this port
> >
> > port 995
> > A pop3 server is running on this port
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > A TLSv1 server answered on this port
> >
> > Port 6667
> > An unknown service runs on this port.
> > It is sometimes opened by this/these Trojan horse(s):
> > Dark FTP
> > EGO
> > Maniac rootkit
> > Moses
> > ScheduleAgent
> > SubSeven
> > Subseven 2.1.4 DefCon 8
> > The Thing (modified)
> > Trinity
> > WinSatan
> >
> > Here is the service banner:
> > :irc.thewebsilo.com NOTICE AUTH :*** Looking up your hostname...
> >
> > Unless you know for sure what is behind it, you'd better
> > check your system
> >
> > *** Anyway, don't panic, Nessus only found an open port. It may
> > *** have been dynamically allocated to some service (RPC...)
> >
> > Solution: if a trojan horse is running, run a good antivirus scanner
> > Risk factor : Low
> >
> > ====================================================================
> > Reported by NVT "Unknown services banners" (1.3.6.1.4.1.25623.1.0.11154):
> >
> > An unknown server is running on this port.
> >
> > Port 6668
> > An unknown server is running on this port.
> > If you know what it is, please send this banner to the Nessus team:
> > 0x00: 3A 69 72 63 2E 74 68 65 77 65 62 73 69 6C 6F 2E    :irc.thewebsilo.
> > 0x10: 63 6F 6D 20 4E 4F 54 49 43 45 20 41 55 54 48 20    com NOTICE AUTH
> > 0x20: 3A 2A 2A 2A 20 4C 6F 6F 6B 69 6E 67 20 75 70 20    :*** Looking up
> > 0x30: 79 6F 75 72 20 68 6F 73 74 6E 61 6D 65 2E 2E 2E    your hostname...
> > 0x40: 0D 0A                                              ..
> >
> > Port 9993
> > The remote imap server banner is :
> > * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL
> > ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
> > Inc. See COPYING for distribution information.
> > Versions and types should be omitted where possible.
> > Change the imap banner to something generic.
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An IMAP server is running on this port through SSL
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > A TLSv1 server answered on this port
> >
> > Port 143
> > The remote imap server banner is :
> > * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> > THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL
> > ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
> > Inc. See COPYING for distribution information.
> > Versions and types should be omitted where possible.
> > Change the imap banner to something generic.
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An IMAP server is running on this port
> >
> > port 113
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An identd server is running on this port
> >
> > General UDP
> > Reported by NVT "Traceroute" (1.3.6.1.4.1.25623.1.0.10287):
> >
> > For your information, here is the traceroute to 72.55.148.11 :
> >
> > port 21
> > Remote FTP server banner :
> > 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> >
> > ====================================================================
> > Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> >
> > An FTP server is running on this port.
> > Here is its banner :
> > 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> >
> > ====================================================================
> > Reported by NVT "Identifies services like FTP, SMTP, NNTP..." (1.3.6.1.4.1.25623.1.0.14773):
> >
> > A SMTP server is running on this port
> >
> > port 53
> > Reported by NVT "DNS Server Detection" (1.3.6.1.4.1.25623.1.0.11002):
> >
> > A DNS server is running on this port. If you do not use it, disable
> > it.
> >
> > Risk factor : Low
> >
> >
> > WHAT A SPAGHETTI MESS OF SERVICES
> >
> > =p
> >
> > _______________________________________________
> > http://www.voipmania.com.br
> > Gigaset A580IP cordless IP phone for 6 x R$59,90.
> > Limited-time offer!
> > Visit now: http://promo.voipmania.com.br
> >
> > _______________________________________________
> > AsteriskBrasil.org discussion list
> > AsteriskBrasil@listas.asteriskbrasil.org
> > http://listas.asteriskbrasil.org/mailman/listinfo/asteriskbrasil
> --
>
> Rodrigo Graeff
> ICQ: 9636816
> http://www.delphus.org