LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-23-2006, 09:26 PM   #1
subjazz
Member
 
Ubuntu tiger scan?


Is the following really something to get concerned about? Would it be necessary to disable ICMP? I get a similar reading on Sarge.

--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
(-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
>>>>>> Linux 2.4.17

The entire scan:

Ubuntu Breezy Badger tiger scan

Security scripts *** 3.2.1, 2003.10.10.18.00 ***
Wed Feb 22 16:18:38 PST 2006
16:18> Beginning security report for debian.rdsl.lmi.net (GNU/Linux Linux 2.6.12-9-686).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass016w] User cupsys has / as home directory
--WARN-- [pass014w] Login (fetchmail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass012w] Home directory /nonexistent exists multiple times (2) in
/etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc006w] Login ID gdm's home directory (/var/lib/gdm) has group
`gdm' write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
accessible.

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.

# Performing check of PATH components...
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
sane-port.

# Performing NFS exports check...

# Performing check of system file permissions...

# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/login (-rwxr-xr-x)
matched the /bin/login on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/mount (-rwsr-xr-x)
matched the /bin/mount on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x)
matched the /bin/netstat on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ping (-rwsr-xr-x)
matched the /bin/ping on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ps (-rwxr-xr-x)
matched the /bin/ps on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/su (-rwsr-xr-x)
matched the /bin/su on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/umount (-rwsr-xr-x)
matched the /bin/umount on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /sbin/cardctl
(-rwsr-xr-x) matched the /sbin/cardctl on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/at (-r-sr-sr-x)
matched the /usr/bin/at on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/chage
(-rwxr-sr-x) matched the /usr/bin/chage on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
(-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/chsh
(-rwsr-xr-x) matched the /usr/bin/chsh on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/crontab
(-rwxr-sr-x) matched the /usr/bin/crontab on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/gpasswd
(-rwsr-xr-x) matched the /usr/bin/gpasswd on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lockfile
(-rwxr-sr-x) matched the /usr/bin/lockfile on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lpq (-rwxr-xr-x)
matched the /usr/bin/lpq on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lpr (-rwxr-xr-x)
matched the /usr/bin/lpr on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lprm
(-rwxr-xr-x) matched the /usr/bin/lprm on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/newgrp
(-rwsr-xr-x) matched the /usr/bin/newgrp on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
(-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/procmail
(-rwxr-sr-x) matched the /usr/bin/procmail on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/screen
(-rwxr-sr-x) matched the /usr/bin/screen on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/ssh (-rwxr-xr-x)
matched the /usr/bin/ssh on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/wall
(-rwxr-sr-x) matched the /usr/bin/wall on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/write
(lrwxrwxrwx) matched the /usr/bin/write on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/xscreensaver
(-rwxr-xr-x) matched the /usr/bin/xscreensaver on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/sbin/lpc
(-rwxr-xr-x) matched the /usr/sbin/lpc on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/sbin/tcpd
(-rwxr-xr-x) matched the /usr/sbin/tcpd on this machine.
>>>>>> Linux 2.4.17


# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...

# Performing check for rookits...

# Performing system specific checks...
# Performing checks for Linux/2...

# Checking for single user-mode password...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.

# Checking for vulnerabilities in inittab configuration...
--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in
runlevels 12345

# Checking for correct umask settings for init scripts...

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--FAIL-- [lin016f] The system permits source routing from incoming packets
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets
--FAIL-- [lin019f] The system does not have any local firewall rules
configured

# Verifying system specific password checks...
--WARN-- [pass19w] Login ID root does not have password aging enabled.
--WARN-- [pass19w] Login ID debian does not have password aging enabled.

# Checking OS release...
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `testing/unstable'

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/nvidia.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fxusb.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fglrx.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcusb.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcpcmcia_cs.ko'
does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcpcmcia.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcpci.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslusba.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslusb2.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslusb.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslslusb.ko'
does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslsl.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdsl2.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdsl.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/ath_hal.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/.mounted' does not
belong to any package.

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/evms resides in a device directory.
--FAIL-- [dev002f] /dev/log has world permissions
--WARN-- [dev003w] The directory /dev/loop resides in a device directory.
--FAIL-- [dev002f] /dev/md0 has world permissions
--FAIL-- [dev002f] /dev/md1 has world permissions
--FAIL-- [dev002f] /dev/md10 has world permissions
--FAIL-- [dev002f] /dev/md11 has world permissions
--FAIL-- [dev002f] /dev/md12 has world permissions
--FAIL-- [dev002f] /dev/md13 has world permissions
--FAIL-- [dev002f] /dev/md14 has world permissions
--FAIL-- [dev002f] /dev/md15 has world permissions
--FAIL-- [dev002f] /dev/md16 has world permissions
--FAIL-- [dev002f] /dev/md17 has world permissions
--FAIL-- [dev002f] /dev/md18 has world permissions
--FAIL-- [dev002f] /dev/md19 has world permissions
--FAIL-- [dev002f] /dev/md2 has world permissions
--FAIL-- [dev002f] /dev/md20 has world permissions
--FAIL-- [dev002f] /dev/md21 has world permissions
--FAIL-- [dev002f] /dev/md22 has world permissions
--FAIL-- [dev002f] /dev/md23 has world permissions
--FAIL-- [dev002f] /dev/md24 has world permissions
--FAIL-- [dev002f] /dev/md3 has world permissions
--FAIL-- [dev002f] /dev/md4 has world permissions
--FAIL-- [dev002f] /dev/md5 has world permissions
--FAIL-- [dev002f] /dev/md6 has world permissions
--FAIL-- [dev002f] /dev/md7 has world permissions
--FAIL-- [dev002f] /dev/md8 has world permissions
--FAIL-- [dev002f] /dev/md9 has world permissions
--WARN-- [dev003w] The directory /dev/snd resides in a device directory.
--WARN-- [dev003w] File /dev/sndstat is a regular file in a device directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660

# Checking for correct umask settings...

# Checking listening processes

# Checking sshd_config configuration files...
--FAIL-- [ssh005w] Cannot find a configuration file for SSH.

# Checking printer configuration files...
--ERROR-- [init006e] `/etc/printcap' does not exist (file src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file infile).

# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.

# Checking ntpd configuration...

# Checking unusual file names...

# Looking for unusual device files...

# Checking symbolic links...

# Performing check of embedded pathnames...
16:21> Security report completed for debian.rdsl.lmi.net.
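The sig004w block is the part of the report the question is actually about. The only signature set tiger has to compare against here is the one labelled "Linux 2.4.17", so on a 2.6.12 Ubuntu install every binary in that list fails to match whether or not it has been touched; the warning says nothing about chfn itself. The check that answers "is /usr/bin/chfn the one Ubuntu shipped?" is the one debsums performs: hash each file and compare it with the md5sums dpkg recorded when the package was installed. The script below is an added example written for this page, not code from the thread or from tiger. It assumes dpkg's layout (/var/lib/dpkg/info/<package>.md5sums, one "hexdigest  path-relative-to-root" per line); the sample file contents and md5sums text at the bottom are constructed so it runs without touching the real filesystem.

```python
"""Verify installed binaries against the md5sums dpkg recorded for their package.

Added example for this page (not code from the thread or from tiger).  It does
what debsums does: read /var/lib/dpkg/info/<package>.md5sums, hash every file
listed there, and report anything that differs or is gone.  The sample files
and md5sums text at the bottom are constructed demo data.
"""
import hashlib
import os
from typing import Callable, Dict, List, Optional, Tuple

DPKG_INFO = "/var/lib/dpkg/info"          # where dpkg keeps <package>.md5sums


def parse_md5sums(text: str) -> Dict[str, str]:
    """Map absolute path -> expected md5 hex digest from a dpkg .md5sums file."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, relpath = line.split(None, 1)   # dpkg separates with two spaces
        entries["/" + relpath.strip()] = digest.lower()
    return entries


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through md5 so large binaries don't land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(entries: Dict[str, str],
           read_digest: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """Return (path, status) per entry; status is 'ok', 'MISMATCH' or 'missing'.

    read_digest returns the file's current md5 hex digest, or None if the file
    does not exist.  It is a parameter so the same logic runs against a real
    root filesystem or against the in-memory sample below.
    """
    results = []
    for path, expected in sorted(entries.items()):
        actual = read_digest(path)
        if actual is None:
            status = "missing"
        elif actual == expected:
            status = "ok"
        else:
            status = "MISMATCH"
        results.append((path, status))
    return results


def verify_package(package: str, info_dir: str = DPKG_INFO) -> List[Tuple[str, str]]:
    """Check a package that is actually installed, e.g. verify_package('passwd')."""
    with open(os.path.join(info_dir, package + ".md5sums")) as f:
        entries = parse_md5sums(f.read())

    def read_digest(path: str) -> Optional[str]:
        try:
            return md5_of_file(path)
        except FileNotFoundError:
            return None

    return verify(entries, read_digest)


# --- constructed demo data: two fake setuid helpers and one file that is absent ---
SAMPLE_FILES: Dict[str, bytes] = {
    "/usr/bin/chfn": b"#!/bin/sh\necho original chfn\n",
    "/usr/bin/chsh": b"#!/bin/sh\necho original chsh\n",
}
SAMPLE_MD5SUMS = "".join(
    f"{hashlib.md5(data).hexdigest()}  {path.lstrip('/')}\n"
    for path, data in SAMPLE_FILES.items()
) + "0" * 32 + "  usr/bin/passwd\n"


def demo(tampered: bool = False) -> List[Tuple[str, str]]:
    """Run verify() over the sample, optionally after 'replacing' chfn."""
    files = dict(SAMPLE_FILES)
    if tampered:
        files["/usr/bin/chfn"] = b"#!/bin/sh\necho not the chfn dpkg installed\n"

    def read_digest(path: str) -> Optional[str]:
        data = files.get(path)
        return None if data is None else hashlib.md5(data).hexdigest()

    return verify(parse_md5sums(SAMPLE_MD5SUMS), read_digest)


if __name__ == "__main__":
    for path, status in demo(tampered=True):
        print(f"{status:9s} {path}")
```

On a real box, verify_package('passwd') covers chfn, chsh, gpasswd and passwd; run it as root so every listed file is readable. Two caveats: the md5sums files live on the same disk as the binaries, so anyone who can replace /usr/bin/chfn as root can rewrite the list as well, which makes this a check for corruption and careless tampering rather than a rootkit detector (compare against hashes taken from the original .deb or a baseline kept off the machine for that); and files outside any package, such as the nvidia.ko and fglrx.ko modules the lin001w lines list, are not covered at all.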
 
Old 02-24-2006, 05:47 AM   #2
satinet
Senior Member
 
Is this machine behind a firewall?
 
Old 02-24-2006, 09:59 PM   #3
subjazz
Member
 
Original Poster
You did not answer my first question, despite a good point made.
I can set up a firewall, the following from Ubuntu site:
"Since Ubuntu doesn't run any daemons that listen to the outside world by default (the postfix install only listens on localhost) there's no need for a default firewall.

The rationale is that if a user's got a need for installing a world-facing daemon, they'll be aware that they should configure a firewall/ACL for it too. "

My conclusion is that one must be conscious of the potential security risks and be able to administer the desired configurations as needed with regard to Ubuntu.
 
Old 02-25-2006, 05:52 AM   #4
satinet
Senior Member
 
Yes, I think you're right - don't worry.
 
Old 02-25-2006, 11:39 AM   #5
unSpawn
Moderator
 
@Satinet: "Yes, I think you're right - don't worry."
He's shown you a complete Tiger report and you counter with "don't worry". Now please keep in mind I'm not here to put your head on the chopping block, but could you possibly be a wee bit more verbose and explain what we're seeing and why?
That could be helpful not only to him, possibly, but also to other people who find this thread in time.
TIA


@Subjazz: "My conclusion is that one must be conscious of the potential security risks and be able to administer the desired configurations as needed with regard to Ubuntu."

Ten points for drawing the right conclusion. I wish more people would think of potential security risks before installing any (public) network facing stuff.
 
Old 02-25-2006, 02:56 PM   #6
satinet
Senior Member
 
OK, it wouldn't worry me, because most hosts without a firewall will respond to ICMP. I can ping my other PC, for example. Personally I don't use firewalls on them, because I run the internet connections through a hardware router/firewall. This is a NAT firewall, meaning the machines can't be addressed directly. If you have a similar set-up there is no real need to set up firewalls on each machine, as it just makes life more difficult (if you trust your firewall).

the other stuff is just normal warnings.

e.g.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.

OK, this is a system user, but if it was compromised or a password was set it could actually log in, as it has a shell (e.g. I'm using a bash shell). Well, this is a reasonable warning; it's hardly a security nightmare, and there may be a time when you actually want to log in as that user (or similar).

Quote:
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--FAIL-- [lin016f] The system permits source routing from incoming packets
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets
--FAIL-- [lin019f] The system does not have any local firewall rules
configured
All this section is saying is that you don't have a firewall, as discussed above.

Other than that, it's just warnings about file permissions etc., which I personally don't/wouldn't care about.


Basically, get a firewall - I would use a hardware one. And then nothing else is worth worrying about.
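The two parts of the report that satinet walks through can be checked rather than argued about. Below, as an added example that is not code from the thread or from tiger, the pass014w test and the five lin0xx network tests are re-implemented in Python. The passwd/shadow lines and the sysctl values are constructed to reproduce the report's findings; the mapping from tiger code to /proc/sys key is the editor's, using the kernel's own parameter names (icmp_echo_ignore_broadcasts, accept_redirects, tcp_syncookies, accept_source_route, log_martians). Two things the code makes concrete about the original question: only lin010f is about ICMP at all, and it is cleared by ignoring broadcast echo requests rather than by dropping ICMP; and lin019f is the one finding in that section no sysctl can fix, because it is about packet-filter rules on the host itself.

```python
"""Two of the tiger checks discussed in this thread, re-implemented so the
warnings can be read for what they are.  Added example for this page, not code
from the thread or from tiger.

pass014w: a login whose shadow password field is locked ('*' or '!...') but
whose /etc/passwd shell is a real shell.  No password login is possible, but
su from root, an SSH key dropped in its home, or any service that switches to
the account still gets that shell.
lin010f..lin017w: kernel settings under /proc/sys/net/ipv4.  The code-to-key
mapping is the editor's.  lin019f (no local firewall rules) is about the
packet filter, not a sysctl, so it is not in the table.
The passwd/shadow lines and sysctl values below are constructed sample data.
"""
import os
from typing import Dict, List, Optional

# shells that refuse an interactive login; anything else counts as "valid"
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def disabled_with_shell(passwd_text: str, shadow_text: str) -> List[str]:
    """Names of accounts that are locked in shadow but have a usable shell."""
    locked: Dict[str, bool] = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pw = line.split(":")[:2]
            locked[name] = pw == "*" or pw.startswith("!")
    findings = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            name, shell = fields[0], fields[6]
            if locked.get(name) and shell not in NOLOGIN_SHELLS:
                findings.append(name)
    return findings


# tiger code -> (key relative to /proc/sys, value that clears the finding)
NET_CHECKS = {
    "lin010f": ("net/ipv4/icmp_echo_ignore_broadcasts", "1"),   # ignore broadcast pings
    "lin012w": ("net/ipv4/conf/all/accept_redirects", "0"),     # ignore ICMP redirects
    "lin013f": ("net/ipv4/tcp_syncookies", "1"),                # survive SYN floods
    "lin016f": ("net/ipv4/conf/all/accept_source_route", "0"),  # drop source-routed packets
    "lin017w": ("net/ipv4/conf/all/log_martians", "1"),         # log impossible source addrs
}


def read_proc_sys(key: str) -> Optional[str]:
    """Current value of one key, or None when /proc/sys is not available."""
    try:
        with open(os.path.join("/proc/sys", key)) as f:
            return f.read().strip()
    except OSError:
        return None


def evaluate_network(current: Dict[str, Optional[str]]) -> Dict[str, str]:
    """tiger code -> 'ok', 'FAIL' or 'unknown' for the given current values."""
    out = {}
    for code, (key, wanted) in NET_CHECKS.items():
        val = current.get(key)
        out[code] = "unknown" if val is None else ("ok" if val == wanted else "FAIL")
    return out


def sysctl_conf_fragment(results: Dict[str, str]) -> str:
    """/etc/sysctl.conf lines for every check that is not already ok."""
    lines = []
    for code, status in results.items():
        if status != "ok":
            key, wanted = NET_CHECKS[code]
            lines.append(f"{key.replace('/', '.')} = {wanted}   # tiger {code}")
    return "\n".join(lines)


# --- constructed sample data; the sysctl values reproduce the report's FAIL/WARN lines ---
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
cupsys:x:100:101::/:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
debian:x:1000:1000:debian:/home/debian:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$constructed$notarealhash:13000:0:99999:7:::
backup:*:13000:0:99999:7:::
cupsys:*:13000:0:99999:7:::
nobody:*:13000:0:99999:7:::
debian:$1$constructed$notarealhash:13000:0:99999:7:::
"""
SAMPLE_SYSCTL = {
    "net/ipv4/icmp_echo_ignore_broadcasts": "0",
    "net/ipv4/conf/all/accept_redirects": "1",
    "net/ipv4/tcp_syncookies": "0",
    "net/ipv4/conf/all/accept_source_route": "1",
    "net/ipv4/conf/all/log_martians": "0",
}

if __name__ == "__main__":
    print("pass014w:", disabled_with_shell(SAMPLE_PASSWD, SAMPLE_SHADOW))
    live = {key: read_proc_sys(key) for key, _ in NET_CHECKS.values()}
    results = evaluate_network(live if any(live.values()) else SAMPLE_SYSCTL)
    print("network:", results)
    print(sysctl_conf_fragment(results) or "# nothing to change")
```

The generated lines go into /etc/sysctl.conf and take effect after sysctl -p; set the conf.default.* twins of the conf.all.* keys as well so interfaces brought up later inherit them. /etc/shadow is readable only by root, so the real pass014w check has to run as root. None of these settings stands in for the packet filter lin019f asks about, and a NAT router in front of the box does not change what the kernel answers to hosts on the same LAN segment; the sysctls cost nothing to set either way.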
 
  

