LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-07-2004, 03:56 PM   #1
hari_seldon99
Member
 
Registered: Jun 2003
Location: Front of PC
Distribution: Linux Mandrake
Posts: 212

Rep: Reputation: 30
weak ssl ciphers in webmin


Hi,


I have been using webmin in my Linux mdk 10.0 ( kernel 2.6.3-7) box for configuration. I ran an audit on all my servers using the nessus daemon and got this result for webmin:

=================================================================

Warning: snet-sensor-mgmt (<port # removed>/tcp). The SSLv2 server offers 6 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack

Solution: disable those ciphers and upgrade your client
software if necessary


Informational: snet-sensor-mgmt (<port # removed>/tcp) . Here is the list of available SSLv2 ciphers:
<followed by a list of 9 ciphers>

==================================================================


I do not use webmin for remote administration. The webmin port, in fact, is firewalled. I only use it thru loopback in my PC for convenience.


Is this vulnerability serious? How do I disable cipher keys. Where are they so that I may delete them?

Do let me know.


Thanks,
AR
 
Old 11-27-2004, 07:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757Reputation: 2757
All I know would be to make sure server certs don't force "zero bit Cipher RSA/SHA" authentication (SSL 3/TLS 1), make sure client browser doesn't accept zero bit auth either and you're set. Nessusd's advice to "disable" weak ciphers would have you recompile SSL. Something I'm not willing to do (compatability reasons).
 
Old 12-04-2004, 06:33 AM   #3
hari_seldon99
Member
 
Registered: Jun 2003
Location: Front of PC
Distribution: Linux Mandrake
Posts: 212

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by unSpawn
All I know would be to make sure server certs don't force "zero bit Cipher RSA/SHA" authentication (SSL 3/TLS 1), make sure client browser doesn't accept zero bit auth either and you're set. Nessusd's advice to "disable" weak ciphers would have you recompile SSL. Something I'm not willing to do (compatability reasons).
In which config file of webmin would I find this option?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Webmin boot and SSL dkpw Slackware 2 04-11-2005 12:25 PM
Webmin and SSL Kanon Linux - Networking 0 02-27-2005 11:55 AM
Dissable SSL in Webmin Sevoma Linux - Software 3 01-27-2005 06:47 PM
SSL and Webmin question chimp999 Linux - General 1 10-06-2004 07:59 AM
SSL With Webmin craigvanham Linux - Software 3 08-04-2004 09:00 PM


All times are GMT -5. The time now is 12:18 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration