  1. #1 Newbie (Join Date: Dec 2008, Posts: 12)

    Security Scan against Untangle

    I performed a security scan against my Untangle box. It looks like the web server AUTOINDEX is enabled. How do I disable it?

    It appears the LDAP is not secure as well. How do I secure it?

  2. #2 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,542)

    What security scan are you using? And it's whining about AUTOINDEX and not TRACE?

    Untangle doesn't have an LDAP service, it's just an LDAP client. So there is nothing there to be "insecure".
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 Newbie (Join Date: Dec 2008, Posts: 12)

    It's a PCI compliance scan by the bank for credit cards.

  4. #4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,542)

    Which is to say... a joke but we're stuck dealing with it. I'm not sure where this information is coming from, because we get users that regularly have to deal with the PCI scans, and the two common issues are:

    1.) A litany of Apache related bugs that don't apply. (this has been fixed for ages since Untangle modified the Apache configuration to stop responding with the Apache version string).

    2.) TRACE is enabled.

    Regarding 2, I'm looking at my 9.0.2 installation and it appears the UT devs may have fixed it. You can verify yourself by looking at /etc/apache2/conf.d/security and all the way at the bottom of the file TraceEnable is the directive you want to see. Make sure it's set to Off.

    As for autoindex...

    This is a HACK, I have no idea what this will do to your Untangle in terms of functionality. Indeed I cannot see where in Apache this module is actually being enabled, it's simply installed. However, to disable the autoindex module run the following commands:

    a2dismod autoindex
    /etc/init.d/apache2 restart

    To reenable autoindex:

    a2enmod autoindex
    /etc/init.d/apache2 restart

    I don't even know where to start with the supposed LDAP vulnerability. Untangle doesn't have an LDAP service operating as far as I know.

    Do you have TCP 80 or 443 forwarded to another server? If you do, that web server is what you need to kick, not Untangle.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
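    The two checks sky-knight describes above (TraceEnable in /etc/apache2/conf.d/security and whether mod_autoindex or directory listings are enabled) can be scripted so they are repeatable before the next scan. This is an added example, not code from the thread or from Untangle; the config file names under the sample tree (conf.d/security, conf.d/listing) are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Checks an Apache config tree for the
# two scan findings discussed in this post: TraceEnable left on (Apache's default
# when the directive is absent) and directory listings via mod_autoindex.
# Usage: apache_pci_audit /etc/apache2   -> prints findings, exit status = count.
apache_pci_audit() {
    confdir="$1"
    findings=0

    # 1. TraceEnable: take the last occurrence in the tree; only "Off" passes.
    trace=$(grep -rhi '^[[:space:]]*TraceEnable' "$confdir" 2>/dev/null \
            | tail -n 1 | awk '{print tolower($2)}')
    if [ "$trace" != "off" ]; then
        echo "FINDING: TraceEnable is '${trace:-unset}' (expected Off)"
        findings=$((findings + 1))
    fi

    # 2. mod_autoindex loaded through the a2enmod symlink in mods-enabled/.
    if [ -e "$confdir/mods-enabled/autoindex.load" ]; then
        echo "FINDING: mod_autoindex is enabled (a2dismod autoindex disables it)"
        findings=$((findings + 1))
    fi

    # 3. Listings switched on with "Options Indexes" or "+Indexes" ("-Indexes" is fine).
    if grep -rEiq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]+])?Indexes' \
            "$confdir" 2>/dev/null; then
        echo "FINDING: 'Options Indexes' present (directory listings enabled)"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s) in $confdir"
    return "$findings"
}

# Constructed sample config trees so the audit can be tried offline.
# $1 = target directory, $2 = "weak" or "hardened".
make_sample_conf() {
    mkdir -p "$1/conf.d" "$1/mods-enabled"
    if [ "$2" = "weak" ]; then
        printf 'ServerTokens Full\nTraceEnable On\n' > "$1/conf.d/security"
        printf 'Options +Indexes FollowSymLinks\n' > "$1/conf.d/listing"
        : > "$1/mods-enabled/autoindex.load"
    else
        printf 'ServerTokens Prod\nTraceEnable Off\n' > "$1/conf.d/security"
        printf 'Options -Indexes FollowSymLinks\n' > "$1/conf.d/listing"
    fi
}
```

    Against a real box, run apache_pci_audit on /etc/apache2 and then restart Apache only after confirming which findings you intend to change.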

  5. #5 dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    I think TRACE is disabled in 9.1 (but not 9.0.2).
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6 scimanal, Untangler (Join Date: Oct 2009, Location: Portland, OR, Posts: 62)

    For PCI - just an idea: why not simply lock down the system via iptables? Disable the ghost LDAP service via network and the scan will then pass. Do the same as needed for other services.

  7. #7 dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    Quote Originally Posted by scimanal:
        For PCI - just an idea: why not simply lock down the system via iptables? Disable the ghost LDAP service via network and the scan will then pass. Do the same as needed for other services.
    That is the default setting. There are no local services (aside from HTTP and HTTPS) externally available.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  8. #8 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,542)

    Yeah that's the part that has me confused as well. The only ports that are open on Untangle even after it's configured with a public address are TCP 443, TCP 22, and UDP 1194.

    ALL OTHER PORTS ARE CLOSED!

    Simply moving the remote admin port off TCP 443 is often enough to "pass" the PCI scans, because they are that stupid. But I have no idea why the LDAP is exposed. Heck, as far as I know, Untangle has an LDAP service acting as a client, not a server, so?!?

    To further compound my confusion, Untangle does ship with mod_autoindex enabled in Apache. That said, I don't see any command directives from http.conf down with "Option +Indexes". So, the module is there, but it isn't enabled. So how is it even tripping the scan?

    I'm thinking he's got TCP 443 pointed at an Exchange server with the RTP proxy in place. At least that could connect a web service to an LDAP service, and make some sense.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9 Newbie (Join Date: Dec 2008, Posts: 12)

    I am using all default settings. I am only forwarding RDP to a terminal server and allowing DNS.

    I was considering just blocking the ports they are saying are open:
    1) TCP 64156 - web server autoindex - enabled
    2) TCP:389 - Is Your LDAP Secure?
    3) TCP:80 - Is there a way to force https ONLY either from external or internet NIC
    4) It says the HTTP trace/track methods are allowed - I suppose I need to disable this
    5) TCP:64156 Apache ETag Header Discloses Inode Numbers
    6) TCP/IP Sequence Prediction Blind Reset Spoofing DoS

    Before performing all of this, I wanted to make sure the Untangle gurus had a look.

  10. #10 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,542)

    TCP 64156 is there, and there is a management interface listening on it.
    TCP 389 is there, because that's samba
    TCP 80 is there because that is local management.

    Here's the killer, IPTables by default prevents access to all of those ports unless you configure Untangle to do otherwise. So either you've got a UT bridge plugged in on the outside of your NAT device backwards, or your installation has something very wrong with it.

    We've seen TCP 80 open on the outside before due to bad installations from time to time. I suggest paving it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
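    Posts #8 and #10 give the expected externally reachable set (TCP 443, TCP 22, UDP 1194) and explain the scan's 80/389/64156 hits as local management and Samba listeners that iptables should be blocking. A quick way to reconcile a scan report with the box is to list what is bound to non-loopback addresses and diff it against that allowlist. This is an added example, not from the thread or from Untangle; the ss output below is constructed, and a listener showing up here still has to be confirmed as reachable through the firewall before it counts as exposure.

```shell
#!/bin/sh
# Added check (not from the thread): compare what is actually listening with the
# expected externally reachable set named in this post (TCP 443, TCP 22, UDP 1194).
# Reads "ss -ltun"-style output on stdin; prints each unexpected proto/port that is
# bound to a non-loopback address and exits with the number of such listeners.
# A listening socket is not proof of exposure (iptables may still block it), but
# every port the scan reported open should appear here or be explained by NAT.
unexpected_listeners() {
    awk -v allow=" $1 " '
        NR == 1 { next }                               # skip the ss header line
        {
            n_parts = split($5, a, ":")                 # local address:port
            port = a[n_parts]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^(127\.|\[::1\])/) next        # loopback only: not reachable remotely
            key = $1 "/" port
            if (index(allow, " " key " ") == 0) { print key; n++ }
        }
        END { exit n }'
}

# Constructed sample in the shape of "ss -ltun" output (not captured from a real box).
sample_ss_output() {
    printf '%s\n' \
        'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*' \
        'tcp   LISTEN 0      128    0.0.0.0:389       0.0.0.0:*' \
        'tcp   LISTEN 0      128    127.0.0.1:64156   0.0.0.0:*' \
        'tcp   LISTEN 0      128    [::]:443          [::]:*' \
        'tcp   LISTEN 0      128    0.0.0.0:80        0.0.0.0:*' \
        'udp   UNCONN 0      0      0.0.0.0:1194      0.0.0.0:*'
}

# Example run: sample_ss_output | unexpected_listeners "tcp/22 tcp/443 udp/1194"
# On a live system: ss -ltun | unexpected_listeners "tcp/22 tcp/443 udp/1194"
```

    With the sample above the check reports tcp/389 and tcp/80; the loopback-only 64156 listener is ignored because a remote scanner cannot reach it.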
