    Looking for exploits on my server.

    Hello,

    Not sure if I should post here or in the General Computer section. I figured because this question is about my server, the Network Design & Troubleshooting would fit my questions a bit more than General Computer questions.

    I have a domain and I have software running that tries to help keep it secure. I'd like to test it though. I tried Beyond Security, but I could never get past the verification phase (proving that I own the domain). Whenever I tried verifying, I saw one of my security programs detecting a security scanner and blocking it. I've contacted the company asking if they could give me a list of IPs that I could whitelist so they could properly scan but haven't gotten a response.

    Does anyone know of any other reputable free security scanners that I could use? I'd also like to see if I'm protected against DDoS / DoS type attacks. I've googled this but some of the sites seem a bit phishy. For example, I see there's a site called orcahub.com that allows you to send DOS type attacks (something like 300x per second, if you need more, you pay) but in the comment section, I see someone saying:
    Code:
    Their service are actually 500% POWERFULL, No one can beat them, Instant take down website / ip / home connection with 1 click.
    And that user being thanked for vouching. But that comment makes me think maybe I could use that site for domains that I don't own. And if they're allowing you to attack sites that you don't own, I'd rather not use them for fear that they might be doing some shady stuff.
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

    #2
    Re: Looking for exploits on my server.

    Is the server running at home or in a datacentre?
    Why are you worried about DDoS? If it's important, pay for DDoS protection.



      #3
      Re: Looking for exploits on my server.

      DDoS is not security, it's just that, preventing legitimate use from going through. There really is no way to prevent DDoS other than getting geographically redundant, fatter pipe, and possibly faster computers. Keep in mind the plurality. If you only have one machine and one pipe, you will go down in a high DDoS storm no matter what service you have.



        #4
        Re: Looking for exploits on my server.

        Originally posted by diif:
        Is the server running at home or in a datacentre?
        Why are you worried about DDoS? If it's important, pay for DDoS protection.
        The server is not running from my home. I'm renting a virtual private server. I'm worried about more than just DDoS type attacks. I'd like to fully secure my site to the best of my abilities and try to identify any weaknesses it might have before I start writing a lot of code for it. I know a lot of websites can fall victim to DDoS type attacks and I do have software installed that should help mitigate (don't know if that's the right word, my vocabulary is small) against such type attacks. I want to see how well it works, if at all, but also scan for other types of attacks.

        I see people from different countries are trying to get into my server on a regular basis. Since I installed ConfigServer Firewall, they've died down a lot! I have it setup to permanently block people and I also have it download a list of IPs associated with bad people and block them as well.

        I just want to see how secure my site is and if there are any weaknesses, try to secure them before someone gets in rather than deal with it after they get in (or in the DDoS case, from bringing down my server).
        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



          #5
          Re: Looking for exploits on my server.

          Originally posted by eccerr0r:
          DDoS is not security, it's just that, preventing legitimate use from going through. There really is no way to prevent DDoS other than getting geographically redundant, fatter pipe, and possibly faster computers. Keep in mind the plurality. If you only have one machine and one pipe, you will go down in a high DDoS storm no matter what service you have.
          Thank you. I know DDoS isn't an exploit or anything like that and I do appreciate the insight about not being able to protect against a high DDoS storm no matter what service I have.

          There's still things I can do to help protect against certain DDoS type attacks though, like syn-flooding for example.

          What do you mean by pipe? Even if I had another server in a geographically different location, if someone wanted to, they could just start one attack on one server and then start another attack on another, right? Or would the geographically redundant, fatter pipe and possibly faster computer prevent that from happening somehow?
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



            #6
            Re: Looking for exploits on my server.

            Also, I'm okay with downloading software for the non-DDoS security scan stuff. My IP is whitelisted so I can't get blocked and I think that is good. Normally, if a bad guy tries getting in and fails three times, they're blocked. But if there's an exploitable service or something running, if they can exploit it within the first three tries, they'll get in. So, with security scanning software and being whitelisted, I won't get blocked for failed attempts and can try and figure out if I'm vulnerable to anything.

            The DDoS type attack though I would think would have to be from the internet. If I'm whitelisted and can't be blocked, I can't really test to see if I'm protected against it. If I remove my IP from the whitelist and get blocked trying a DoS, I won't be allowed into my site to whitelist me.


            Also, I found the IP addresses that I needed to whitelist for https://scanmyserver.com and they're conducting a security scan. That's good news. They said the test can safely be used on "live" servers and shouldn't cause any down time so I don't think they test to see if I'm protected against DDoS type attacks. I still need to find some way to test for that and see how vulnerable my server is for those types of attacks.

            Thanks.
            Last edited by Spork Schivago; 02-16-2016, 08:28 PM. Reason: added content.
            -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



              #7
              Re: Looking for exploits on my server.

              https://www.grc.com/default.htm

              NMAP

              NESSUS

              SATAN

              http://www.yolinux.com/TUTORIALS/Lin...rityTools.html



                #8
                Re: Looking for exploits on my server.

                Thanks Stj. Nessus I cannot use because I only have the free version and last I checked, I can only use the free version on my local area network. I'll definitely be running nmap though. I was thinking of that earlier. Can you suggest some command line options that I might be interested in using with nmap? I'm not familiar with Satan. I'll have to give that a shot.

                Now for the news. The good news is the security scan from scanmyserver finished. The bad news is it found 6 problems. Here are the results:
                Code:
                Security Testing
                Type	Tests	Failed	Passed
                Infrastructure Tests	12907	6	12901
                Blind SQL Injection	0	0	0
                SQL Injection	0	0	0
                Cross Site Scripting	0	0	0
                Source Disclosure	0	0	0
                PHP Code Injection	0	0	0
                Windows Command Execution	0	0	0
                UNIX Command Execution	0	0	0
                UNIX File Disclosure	0	0	0
                Windows File Disclosure	0	0	0
                Directory Disclosure	0	0	0
                Remote File Inclusion	0	0	0
                HTTP Header Injection	0	0	0
                
                
                Low risk vulnerabilities results for: jetbbs.com
                
                1. FTP Service AUTH TLS Command Support (Low)
                Port:	ftp (21/tcp)
                Summary:
                The remote FTP service supports the use of the 'AUTH TLS' command to switch from a plaintext to an encrypted communications channel.
                More information:	http://en.wikipedia.org/wiki/STARTTLS and http://tools.ietf.org/html/rfc4217
                Test ID:	11982
                
                2. IMAP Service STARTTLS Command Support (Low)
                Port:	imap (143/tcp)
                Summary:
                The remote IMAP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encrypted communications channel.
                More information:	http://en.wikipedia.org/wiki/STARTTLS and http://tools.ietf.org/html/rfc2595
                Test ID:	11965
                
                3. FTP Clear Text Authentication (Low)
                Port:	ftp (21/tcp)
                Summary:
                The remote FTP does not encrypt its data and control connections. The user name and password are transmitted in clear text and may be intercepted by a network sniffer, or a man-in-the-middle attack.
                Recommended Solution:
                Switch to FTPS (FTP over SSL/TLS) or SFTP (part of the SSH suite).
                Test ID:	11278
                
                4. HTTP Packet Inspection (Low)
                Port:	http (80/tcp)
                Summary:
                This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.
                
                Protocol version: HTTP/1.1 
                SSL: no 
                Pipelining: no 
                Keep-Alive: no 
                Options allowed: (Not implemented) 
                Headers: 
                Date: Wed, 17 Feb 2016 02:41:22 GMT 
                Server: Apache 
                Location: https://jetbbs.com/ 
                Content-Length: 203 
                Connection: close 
                Content-Type: text/html, charset=iso-8859-1 
                
                Test ID:	10209
                
                5. Mailman Detection (Low)
                Port:	http (80/tcp)
                Summary:
                Mailman is a Python-based mailing list management package from the GNU Project. This test detects whether the remote host is running Mailman and extracts version numbers and locations of any instances found.
                
                
                The following instance of Mailman was detected on the remote host: 
                Installed version: 2.1.20 
                URL: http://jetbbs.com/mailman/listinfo/ 
                Test ID:	7098
                
                6. Directory Scanner (Low)
                Port:	http (80/tcp)
                Summary:
                We found some common directories on the web server:
                The following directories were discovered: 
                /mailman
                Recommended Solution:
                Check if those directories contain any sensitive information, if they do, prevent unauthorized access to them.
                Impact:
                This is usually not a security vulnerability, only an information gathering. Nevertheless, you should manually inspect these directories to ensure that they are in compliance with accepted security standards.
                Test ID:	1822
                I'd like to remove the ftp server and replace it with sftp. cPanel / WHM is installed and I'm running CentOS 6 in a virtual environment. Yum seems to show a lot of cpanel packages. I see the FTP server, Pure-FTP, in cPanel. I want to make sure removing it doesn't break cPanel. Same with mailman. Pretty sure mailman is for me setting up mailing lists. I don't use them yet and might not ever. So I'd like to remove that as well. The IMAP and HTTP Packet Inspection ones though...not sure how to fix those.
                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                  #9
                  Re: Looking for exploits on my server.

                  The grc.com website doesn't seem to load. I get an ERR_CONNECTION_TIMED_OUT message.
                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                    #10
                    Re: Looking for exploits on my server.

                    DDoS/DoS and SECURITY are not the same thing.

                    If you end up "attacking" your VPS to overwhelm it, your provider will probably nullroute your IP for 24 hours. Keep in mind that a denial of service affects the provider's network and other customers on the same VPS node, not just your server. Now, if you want penetration testing, that is a different thing, because it just affects your server.



                      #11
                      Re: Looking for exploits on my server.

                      Originally posted by shovenose:
                      DDoS/DoS and SECURITY are not the same thing.
                      Yes, I know this. I care about both though. Trying to protect the best I can against DDoS/DoS and checking my server for exploitable services / weaknesses.

                      Originally posted by shovenose:
                      If you end up "attacking" your VPS to overwhelm it, your provider will probably nullroute your IP for 24 hours. Keep in mind that a denial of service affects the provider's network and other customers on the same VPS node, not just your server. Now, if you want penetration testing, that is a different thing, because it just affects your server.
                      Wow. I did not realize this. I just thought because I had my own IP address, it wouldn't affect anyone else on the server. Could you explain this in more detail please?

                      I am under the impression that there are three types of DoS / DDoS type attacks. If I cannot test my server, maybe you guys could suggest some techniques I could use to "harden" my system to help prevent against most (or some?) of them? The three types are:
                      Volume Based Attacks
                      Protocol Attacks
                      Application Layer Attacks

                      For the protocol attacks, I feel fairly confident that I'm protected against syn floods. Fragmented packet attacks, Ping of Death, Smurf DDoS, not so sure about there.

                      Would Volume Based Attacks be the hardest to protect against? I would think maybe iptables wouldn't help much here, if the IP address is spoofed or something. I could block each user, but if the address keeps changing, is there really any software out there that can help?

                      The application layer attacks, from what I understand, are attacks targeted at my webserver or the OS. I run Apache and have mod_security and mod_ruid2 installed. The mod_security seems to catch a lot of bad stuff. I wonder if that catches the DoS type attacks? I also have ConfigServer Firewall and lfd installed.

                      I am so glad I didn't find a reputable free service to try attacking my site. If that would have affected other users on the virtual machine, I would have felt sooooo horrible. I am so glad I came here and asked for help instead of just picking one service and trying it. Thank you so much for telling me this!!!
                      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                        #12
                        Re: Looking for exploits on my server.

                        Maybe I should have created two threads. One for the DDoS / DoS (from now on, I'll just refer to both as DoS) type attacks and a separate thread for the security issues, like preventing against SQL Inject, packet inspection, etc.
                        -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                          #13
                          Re: Looking for exploits on my server.

                          If the BBC can be floored by a DDoS, then your VPS has no chance.
                          http://www.csoonline.com/article/302...n-history.html

                          To avoid SQL injection, ensure you code your site properly. The main one being to constrain the inputs.
                          Last edited by diif; 02-17-2016, 12:45 PM. Reason: typo


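                          "Constrain the inputs" is the whole of the advice above, so here is what it looks like in code. This is an added example, not code from the thread or from the site being discussed: an in-memory SQLite table stands in for the MySQL database behind a cPanel site, and the two rows, the username rule and the probe string are all constructed for the demonstration. It puts the string-built query that injection relies on next to the two controls that defeat it, an allow-list on the input's shape and a bound parameter, and shows the difference on a value containing a stray quote.

```python
"""'Constrain the inputs' in practice: an input allow-list plus a
parameterised query, shown next to the string-built query they replace.
Added example; SQLite stands in for the site's MySQL database."""
import re
import sqlite3

# A username may only look like this; anything else is rejected before it
# gets anywhere near the database. (Constructed rule for the example.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately flawed: the caller's text is spliced into the SQL, so a
    quote character in it changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver hands the value to the engine separately
    from the SQL text, so it is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Both controls: reject input outside the expected shape, then bind it."""
    if not USERNAME_RE.match(name):
        raise ValueError(f"rejected username: {name!r}")
    return lookup_parameterised(conn, name)


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"  # constructed input carrying a stray quote
    print("vulnerable   :", lookup_vulnerable(db, probe))     # every row comes back
    print("parameterised:", lookup_parameterised(db, probe))  # no user has that name
    try:
        lookup_hardened(db, probe)
    except ValueError as exc:
        print("hardened     :", exc)                          # never reaches the DB
```

                          The parameterised query alone already stops the probe from changing the query's meaning; the allow-list on top of it is what "constrain the inputs" adds, so that malformed values are refused before they reach any query at all. mod_security filtering in front of Apache is a second line, not a substitute for either.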

                            #14
                            Re: Looking for exploits on my server.

                            https://www.howtoforge.com/tutorial/...-and-rootkits/



                              #15
                              Re: Looking for exploits on my server.

                              Originally posted by diif:
                              If the BBC can be floored by a DDoS, then your VPS has no chance.
                              http://www.csoonline.com/article/302...n-history.html

                              To avoid SQL injection, ensure you code your site properly. The main one being to constrain the inputs.
                              Thank you. I figured there's not much I can do without paying for special (expensive) DDoS protection to be impervious to heavy DDoS attacks. What I was mainly interested in was protecting from people that might not have a giant botnet or something. I'm pretty sure I was already hit by a DoS / DDoS when I had a shared virtual server. I logged into this chat room to ask for help with some jquery stuff. The main guy asked who I was going through for hosting and I said GoDaddy. Once I made the changes, he wanted a link to my domain so he could check it out. He was talking about how GoDaddy's security isn't that good and I said I thought it was pretty decent. I told him how if someone tries to do something bad, they automatically get blocked (I had no control over this. This was something that GoDaddy had setup). And then all of a sudden, he says he cannot connect to my domain. I tried connecting, nothing. After about 2 minutes or so, I could get back on and I told him I was going to check the logs to see what happened and he said there wouldn't be anything in my logs. It'd be in the logs on the main node or whatever it's called. I had wondered how he knew there wasn't going to be anything in my log and I felt like maybe he initiated some sort of DDoS but couldn't prove it or anything.

                              For the IMAP STARTTLS stuff, I might have fixed it. I changed Allow Plaintext Authentication to no. This is what it says about the setting:
                              Code:
                              This setting will allow remote email clients to authenticate using unencrypted connections. When set to “no”, only connections originating on the local server will be allowed to authenticate without encryption. Selecting “no” is preferable to disabling IMAP in the Protocols Enabled section since it will force remote users to use encryption while still allowing webmail to function correctly.
                              I'm a bit confused about, "Selecting "no" is preferable to disabling IMAP in the Protocols Enabled section..." Does that mean users who have e-mail accounts won't be able to use IMAP?
                              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full


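                              The three FTP/IMAP findings from the scanmyserver report in #8 and the "Allow Plaintext Authentication" question just above come down to one check: does the service offer a TLS upgrade (FTP's AUTH TLS per RFC 4217, IMAP's STARTTLS per RFC 2595), and does it still accept a login before that upgrade happens? The script below is an added example, not code from the thread, from the scanner or from cPanel. It classifies a service from what it advertises: for FTP, the FEAT reply plus the reply to a USER command sent on the plain connection (331 means the server would take the password in clear text, 5xx means it refused); for IMAP, the CAPABILITY response, where LOGINDISABLED (RFC 2595) is how a server announces that clear-text login is off until STARTTLS, which is what that cPanel setting turns on in the Dovecot IMAP server. All sample replies are constructed; the two live-check functions assume a host of your own to point them at and are not exercised by the samples.

```python
"""Classify an FTP or IMAP service's authentication posture from what it
advertises: is a TLS upgrade offered, and is clear-text login still taken?
Added example, not part of the thread, the scanner or cPanel."""
import ftplib
import imaplib
from dataclasses import dataclass


@dataclass
class Posture:
    service: str
    offers_tls_upgrade: bool      # FTP 'AUTH TLS' (RFC 4217) / IMAP 'STARTTLS' (RFC 2595)
    plaintext_login_allowed: bool

    def finding(self) -> str:
        """The same three buckets a scanner report would use."""
        if self.plaintext_login_allowed and not self.offers_tls_upgrade:
            return "HIGH: credentials cross the wire in clear text and no TLS upgrade is offered"
        if self.plaintext_login_allowed:
            return "LOW: TLS upgrade offered, but a client may still log in without it"
        return "OK: login is refused until the channel is encrypted"


def parse_ftp(feat_reply: str, user_reply: str) -> Posture:
    """feat_reply: multi-line text returned for FEAT (RFC 2389), '211-' ... '211 End'.
    user_reply: reply to USER on the plain connection; 331/230 means the server
    will take the password in clear text, a 5xx reply means it refused."""
    features = {line.strip().upper() for line in feat_reply.splitlines()
                if line.strip() and not line.startswith("211")}
    return Posture(
        service="ftp",
        offers_tls_upgrade="AUTH TLS" in features,
        plaintext_login_allowed=user_reply[:3] in ("331", "230"),
    )


def parse_imap(capability_line: str) -> Posture:
    """capability_line: the CAPABILITY response, with or without '* CAPABILITY'.
    LOGINDISABLED means LOGIN is refused on the unencrypted connection; an
    advertised AUTH=PLAIN or AUTH=LOGIN still lets a client send a clear-text
    password through SASL, so it counts as plaintext login too."""
    caps = {tok.upper() for tok in capability_line.split() if tok not in ("*", "CAPABILITY")}
    plaintext = "LOGINDISABLED" not in caps or bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return Posture("imap", "STARTTLS" in caps, plaintext)


def check_ftp_live(host: str, port: int = 21, timeout: float = 10.0) -> Posture:
    """Talks to a real FTP server; the username sent is a hypothetical probe account."""
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout)
    try:
        try:
            feat = ftp.sendcmd("FEAT")
        except ftplib.error_perm:          # server does not implement FEAT
            feat = ""
        try:
            user_reply = ftp.sendcmd("USER tlsprobe")
        except ftplib.error_perm as exc:   # 5xx reply is raised as an exception
            user_reply = str(exc)
    finally:
        ftp.close()
    return parse_ftp(feat, user_reply)


def check_imap_live(host: str, port: int = 143, timeout: float = 10.0) -> Posture:
    """Talks to a real IMAP server and reads its pre-STARTTLS capabilities."""
    with imaplib.IMAP4(host, port, timeout=timeout) as conn:
        _typ, data = conn.capability()
        return parse_imap(data[0].decode())


# Constructed sample replies (not captured from any real host).
FEAT_WITH_TLS = "211-Features:\n AUTH TLS\n PBSZ\n PROT\n UTF8\n211 End"
FEAT_NO_TLS = "211-Features:\n UTF8\n211 End"
USER_ACCEPTED = "331 User tlsprobe OK. Password required"
USER_REFUSED = "530 Cleartext sessions are not accepted; use AUTH TLS"
IMAP_LAX = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"
IMAP_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

if __name__ == "__main__":
    samples = [
        ("ftp, AUTH TLS offered, clear-text login accepted", parse_ftp(FEAT_WITH_TLS, USER_ACCEPTED)),
        ("ftp, AUTH TLS required", parse_ftp(FEAT_WITH_TLS, USER_REFUSED)),
        ("ftp, no TLS at all", parse_ftp(FEAT_NO_TLS, USER_ACCEPTED)),
        ("imap, plaintext auth allowed", parse_imap(IMAP_LAX)),
        ("imap, plaintext auth disabled", parse_imap(IMAP_HARDENED)),
    ]
    for label, posture in samples:
        print(f"{label}: {posture.finding()}")
```

                              Read against the question above: after the setting change, a CAPABILITY query on port 143 from outside should list STARTTLS and LOGINDISABLED and no AUTH= mechanisms, which is the "OK" bucket here. Remote users keep IMAP; they are only forced to negotiate TLS before logging in, while webmail is unaffected because it connects from the local server, the exception the setting text describes. The FTP findings do not have a switch like that; the report's own recommendation, FTPS or SFTP, is the fix.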

                                #16
                                Re: Looking for exploits on my server.

                                Originally posted by diif:
                                To avoid SQL injection, ensure you code your site properly. The main one being to constrain the inputs.
                                Okay. I noticed there are databases that cPanel uses. There's also stuff installed that I don't use but might be required for cPanel to function properly. Like phpAdmin I think it's called. It appears to be some web based interface for managing SQL databases. I prefer to do stuff from the command line. When I found it was installed and running, I went there, and found a bunch of databases that various services were using. To me, if I'm not using it, I don't think it should be installed. Just another potential way for someone to get in. What do you guys think?
                                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                  #17
                                  Re: Looking for exploits on my server.

                                  You're wasting your time trying to remove phpmyadmin, etc.



                                    #18
                                    Re: Looking for exploits on my server.

                                    Originally posted by shovenose:
                                    You're wasting your time trying to remove phpmyadmin, etc.
                                    Okay. You think it's secure? I noticed it's outdated and probably won't be upgraded for a while. It seems cPanel used to provide a newer version but then discovered it required MySQL 5 or higher. So instead of providing an upgrade to MySQL, they just downgraded PHPMyAdmin. It seems a lot of the software with cPanel is a bit old. I'm almost thinking of just doing away with the managed part of my server and fully managing it myself, with no cPanel / WHM.
                                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



                                      #19
                                      Re: Looking for exploits on my server.

                                      MySQL is obsolete.
                                      The guy who wrote it fell out with the company and branched off on his own.
                                      The latest is now called MariaDB:
                                      https://mariadb.org/

                                      Of course idiots will still buy SQL licenses from M$ and other bandits!



                                        #20
                                        Re: Looking for exploits on my server.

                                        You can use a panel like ajenti-v that has many fewer features. It's probably more secure. But you're not going to get hacked due to phpMyAdmin...

                                        As for MariaDB, it's a drop-in replacement for MySQL that has much better performance, and it's a few clicks to upgrade, so definitely use it.

                                        If you have one site, just do it all manually; any control panel is a waste. If you have multiple sites, cPanel, etc. are very handy.
                                        Last edited by shovenose; 02-17-2016, 10:19 PM.

