[AsteriskBrasil] Security, iptables, valid IP on the server, server in the DMZ...

Rodrigo Graeff delphusbsd at gmail.com
Thu Oct 8 15:34:10 BRT 2009


Thanks for the report, Eliel.

The spaghetti of services saves my skin, since these are the services,
versions and software that I trust, precisely so that I can leave it without a firewall.

This server is my own personal one and, on top of everything else, hosts my
personal Asterisk.

The service on port 6669 is an Unreal IRCd, but it requires SSL connections; anyone
who wants to join and chat, I'm in the #asterisk channel.

You need balls to leave the IP out there, huh? And as Itamar said,
iptables is for sissies.



On Thu, 2009-10-08 at 15:00 -0300, Eliel Oliveira wrote:
> Report for 72.55.148.11
> 
> Port 6669
> Reported by NVT "Trojan horses" (1.3.6.1.4.1.25623.1.0.11157):
> 
> An unknown service runs on this port.
> It is sometimes opened by this/these Trojan horse(s):
>  Host Control
>  Vampire
> 
> Unless you know for sure what is behind it, you'd better
> check your system
> 
> *** Anyway, don't panic, Nessus only found an open port. It may
> *** have been dynamically allocated to some service (RPC...)
> 
> Solution: if a trojan horse is running, run a good antivirus scanner
> Risk factor : Low
> 
> Port 111
> The RPC portmapper is running on this port.
> 
> An attacker may use it to enumerate your list
> of RPC services. We recommend you filter traffic
> going to this port.
> 
> Risk factor : Low
> CVE : CAN-1999-0632, CVE-1999-0189
> BID : 205
> 
> Port 22
> Reported by NVT "SSH Server type and
> version" (1.3.6.1.4.1.25623.1.0.10267):
> 
> Remote SSH version : SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
> 
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> An ssh server is running on this port
> 
> port 25
> smtpscan was not able to reliably identify this server. It might be:
> Qmail 1.0.3
> The fingerprint differs from these known signatures on 1 point(s)
> 
> If you known precisely what it is, please send this fingerprint
> to smtp-signatures em nessus.org :
> :250:250:250:250:250:553:553:214:252:502:502:502:502:250:250
> 
> ====================================================================
> Reported by NVT "SMTP Server type and
> version" (1.3.6.1.4.1.25623.1.0.10263):
> 
> Remote SMTP server banner :
> 220 mail.thewebsilo.com ESMTP SPF1 
> 
> 
> 
> This is probably: Qmail
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> An SMTP server is running on this port
> Here is its banner : 
> 220 mail.thewebsilo.com ESMTP SPF1 
> 
> ====================================================================
> Reported by NVT "Identifies services like FTP, SMTP,
> NNTP..." (1.3.6.1.4.1.25623.1.0.14773):
> 
> A SMTP server is running on this port
> 
> port 995
> A pop3 server is running on this port
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> A TLSv1 server answered on this port
> 
> Port 6667
> An unknown service runs on this port.
> It is sometimes opened by this/these Trojan horse(s):
>  Dark FTP
>  EGO
>  Maniac rootkit
>  Moses
>  ScheduleAgent
>  SubSeven
>  Subseven 2.1.4 DefCon 8
>  The Thing (modified)
>  Trinity
>  WinSatan
> 
> Here is the service banner:
> :irc.thewebsilo.com NOTICE AUTH :*** Looking up your hostname... 
> 
> 
> Unless you know for sure what is behind it, you'd better
> check your system
> 
> *** Anyway, don't panic, Nessus only found an open port. It may
> *** have been dynamically allocated to some service (RPC...)
> 
> Solution: if a trojan horse is running, run a good antivirus scanner
> Risk factor : Low
> 
> ====================================================================
> Reported by NVT "Unknown services
> banners" (1.3.6.1.4.1.25623.1.0.11154):
> 
> An unknown server is running on this port.
> 
> Port 6668
> An unknown server is running on this port.
> If you know what it is, please send this banner to the Nessus team:
> 0x00:  3A 69 72 63 2E 74 68 65 77 65 62 73 69 6C 6F 2E    :irc.thewebsilo.
> 0x10:  63 6F 6D 20 4E 4F 54 49 43 45 20 41 55 54 48 20    com NOTICE AUTH 
> 0x20:  3A 2A 2A 2A 20 4C 6F 6F 6B 69 6E 67 20 75 70 20    :*** Looking up 
> 0x30:  79 6F 75 72 20 68 6F 73 74 6E 61 6D 65 2E 2E 2E    your hostname...
> 0x40:  0D 0A                                              ..
> 
> Port 9993
> The remote imap server banner is :
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL
> ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
> Inc.  See COPYING for distribution information. 
> Versions and types should be omitted where possible.
> Change the imap banner to something generic.
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> An IMAP server is running on this port through SSL
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> A TLSv1 server answered on this port
> 
> Port 143
> The remote imap server banner is :
> * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
> THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL
> ACL2=UNION] Courier-IMAP ready. Copyright 1998-2008 Double Precision,
> Inc.  See COPYING for distribution information. 
> Versions and types should be omitted where possible.
> Change the imap banner to something generic.
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> An IMAP server is running on this port
> 
> port 113
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> An identd server is running on this port
> 
> 
> General UDP
> Reported by NVT "Traceroute" (1.3.6.1.4.1.25623.1.0.10287):
> 
> For your information, here is the traceroute to 72.55.148.11 : 
> 
> port 21
> Remote FTP server banner :
> 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 
> 
> ====================================================================
> Reported by NVT "Services" (1.3.6.1.4.1.25623.1.0.10330):
> 
> An FTP server is running on this port.
> Here is its banner : 
> 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 
> 
> ====================================================================
> Reported by NVT "Identifies services like FTP, SMTP,
> NNTP..." (1.3.6.1.4.1.25623.1.0.14773):
> 
> A SMTP server is running on this port
> 
> port 53
> Reported by NVT "DNS Server Detection" (1.3.6.1.4.1.25623.1.0.11002):
> 
> 
> A DNS server is running on this port. If you do not use it, disable
> it.
> 
> Risk factor : Low
> 
> 
> 
> WHAT A SPAGHETTI OF SERVICES
> 
> 
> =p
> 
-- 

Rodrigo Graeff
ICQ: 9636816
http://www.delphus.org


