Since I would like to hit the ground running, I want a LAMP stack that is pre-configured to start off with. It just so happens that Turnkey Linux makes a pre-made LAMP appliance and ISO. The image is based on Ubuntu 8.04 LTS and is updated to include security patches and additional features (see the changelog for complete details). You can run the ISO as a Live CD to test out the product, which is what I'm going to do instead of installing it into the cloud. By default the following connections are available when the system boots up (all IP addresses are based on the DHCP address my system received during boot).
- Web: http://192.168.1.6 and https://192.168.1.6
- Web Shell: https://192.168.1.1:12320
- Webmin: https://192.168.1.1:12321
- phpMyAdmin: https://192.168.1.1:12322
- SSH/SFTP: root@192.168.1.6 (port 22)
That is a large number of entry points for a preconfigured appliance, though convenient for those who want several different ways to connect in and work on their system.
Problem #1
Each connection is configured with a login that uses the username 'root' and NO PASSWORD!
Right away we can see that there is an issue with the way logins are configured here. First, the root user should never be able to connect remotely, let alone with a blank password. Second, even if the system had been configured with a normal user instead, that user should not have a blank password either. Many new system administrators don't check which services are listening on their system (sometimes because they haven't learned how yet), and may forget to shut down a particular service or change the password. With a blank password on the root account (or any account, for that matter), it is only a matter of hours or minutes before the machine gets picked up by malicious users scanning the internet.
Mitigation
Set up default LAMP installs with a dedicated user that can be used for testing if you are building an appliance, or only create accounts for the users who need them. Remote access to the root account should be cut off and a random, strong password set on it. Every account on the system should have a password, even if it exists only for demo purposes. The following should also be avoided as passwords, even for demos:
- admin
- password
- root
- toor
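As an added example (not code from the original post or from the Turnkey appliance), here is a small POSIX shell audit for the points above: it lists accounts whose shadow password field is empty, reads the effective PermitRootLogin value out of an sshd_config, and screens a candidate password against the blacklist. The shadow and sshd_config contents are constructed samples embedded in the script; on the appliance you would pass it the contents of /etc/shadow and /etc/ssh/sshd_config as root. The 12-character minimum in `password_ok` is an assumption of this example, not something the post specifies.

```shell
#!/bin/sh
# Added audit example; not from the original post or Turnkey.
# Both inputs below are constructed sample data so the script runs offline.

# Constructed /etc/shadow: 'root' and 'demo' have an empty password field,
# which means anyone can log in to them with no password at all.
SAMPLE_SHADOW='root::14700:0:99999:7:::
daemon:*:14700:0:99999:7:::
demo::14700:0:99999:7:::
www-data:*:14700:0:99999:7:::
alice:$6$saltsalt$hashhashhash:14700:0:99999:7:::'

# Constructed /etc/ssh/sshd_config with remote root login still enabled.
SAMPLE_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Print the name of every account whose password field (2nd field) is empty.
# $1: contents of a shadow file
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print the effective PermitRootLogin value (lower-cased) from an sshd_config.
# Commented-out lines are ignored because their first word starts with '#';
# if the directive is absent, the OpenSSH default of that era ("yes") applies.
# $1: contents of an sshd_config
permit_root_login() {
    v=$(printf '%s\n' "$1" \
        | awk 'tolower($1) == "permitrootlogin" { val = $2 } END { print val }' \
        | tr 'A-Z' 'a-z')
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        echo yes
    fi
}

# Return 0 if a candidate password is acceptable: not on the blacklist from the
# post and at least 12 characters (the length floor is this example's assumption).
# $1: candidate password
password_ok() {
    case "$1" in
        ''|admin|password|root|toor) return 1 ;;
    esac
    [ "${#1}" -ge 12 ]
}

# Generate a 20-character random password for the root account.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20
    echo
}

echo "Accounts with an empty password:"
empty_password_accounts "$SAMPLE_SHADOW"
echo "PermitRootLogin is: $(permit_root_login "$SAMPLE_SSHD")"
```

On a real appliance the fixes that follow the audit are `passwd root` with the output of `gen_password`, `PermitRootLogin no` in /etc/ssh/sshd_config followed by an sshd restart, and `passwd -l` (or a real password) for every other account the audit lists; rerun the audit afterwards rather than trusting that the edit took.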
Now that our system is up and running we can start to look around at the default settings and software that come with it. The most obvious place to start is the homepage the web server displays. Navigating to http://192.168.1.6 brings us to a custom-made index.html that presents the different ways we can log into the system. First let us take a look at the PHP info page, which will show us all the information about PHP for this appliance.
Those of you who have viewed this page before already know the wealth of information you can learn about a PHP installation from it. If you haven't seen it before, look through it carefully and note what it exposes about your setup (pretty much everything), which is also why a phpinfo() page should never be left reachable on a production server. We notice that the version of PHP being used here is 5.2.4, which sadly is out of date.
Problem #2
At the time of writing the current version of PHP is 5.3.3, and a quick check shows the Ubuntu repositories have 5.3.2 available. Understandably no appliance can keep up with the latest version of everything, but the changelog and Turnkey's site indicate that the appliance was last built in April 2010 (fairly recently), and 5.2.4 was already several security releases behind by then; 5.2.6 in particular included a fix related to SQL injection. Magic quotes (magic_quotes_gpc) are disabled in this appliance's PHP, and in the most recent version (5.3.3) the option is deprecated as well, to encourage better programming habits: it was deprecated in the hope that developers would start escaping their input themselves (or, better, use prepared statements) instead of relying on the runtime to mangle it for them.
Mitigation
The ISO could have shipped a more recent version of PHP. It could also warn users that magic quotes are deprecated and should no longer be relied on by PHP web applications.
Problem #3
A few options within the Apache configuration would have provided better security and avoided leaking details of your LAMP software.
Set ServerTokens to Prod and ServerSignature to Off in the appliance's Apache config, so the Server header and the footer of error pages stop advertising the Apache, PHP and OS versions; setting expose_php = Off in php.ini removes the matching X-Powered-By header.
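As an added example covering both the PHP settings discussed under Problem #2 and the Apache directives above (it is not code from the post or from Turnkey), the following shell functions pull ServerTokens and ServerSignature out of an Apache config and expose_php and magic_quotes_gpc out of a php.ini, and report anything that is not at its hardened value. The config text is a constructed sample; the real files on this appliance are assumed to be /etc/apache2/apache2.conf (plus conf.d/) and /etc/php5/apache2/php.ini.

```shell
#!/bin/sh
# Added audit example: find version leaks and magic-quotes reliance in Apache/PHP config.
# Not from the original post or Turnkey. The sample config text is constructed.

SAMPLE_APACHE='ServerName lamp.example
ServerTokens Full
ServerSignature On'

SAMPLE_PHPINI='[PHP]
expose_php = On
magic_quotes_gpc = Off'

# Lower-cased value of an Apache directive; last occurrence wins, empty if unset.
# $1: config contents, $2: directive name (matched case-insensitively)
apache_directive() {
    printf '%s\n' "$1" \
        | awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' \
        | tr 'A-Z' 'a-z'
}

# Lower-cased value of a "key = value" php.ini setting, empty if unset.
# $1: php.ini contents, $2: key name (matched case-insensitively)
phpini_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1) }
        tolower($1) == tolower(k) { v = $2; gsub(/[ \t]/, "", v) }
        END { print tolower(v) }'
}

# Print one line per setting that is not at its hardened value.
# Apache falls back to ServerTokens Full and PHP to expose_php On when the
# setting is absent, and Debian's shipped apache2.conf turns ServerSignature On,
# so "unset" is reported as a finding too, which forces an explicit value.
# $1: Apache config contents, $2: php.ini contents
info_leak_findings() {
    t=$(apache_directive "$1" ServerTokens)
    [ "$t" = "prod" ] || echo "ServerTokens is '${t:-unset}' (want Prod)"
    s=$(apache_directive "$1" ServerSignature)
    [ "$s" = "off" ] || echo "ServerSignature is '${s:-unset}' (want Off)"
    e=$(phpini_value "$2" expose_php)
    [ "$e" = "off" ] || echo "expose_php is '${e:-unset}' (want Off)"
    m=$(phpini_value "$2" magic_quotes_gpc)
    [ "$m" = "off" ] || echo "magic_quotes_gpc is '${m:-unset}' (want Off; escape input or use prepared statements instead)"
}

info_leak_findings "$SAMPLE_APACHE" "$SAMPLE_PHPINI"
```

After fixing the directives and restarting Apache, `curl -sI http://192.168.1.6/` should come back with a bare `Server: Apache` header and no `X-Powered-By: PHP/5.2.4` line; the audit above only reads the files, so the header check is the confirmation that the running server picked the change up.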
To finish up, I'm just going to point out a few more details I found when analyzing the Turnkey LAMP stack.
- phpMyAdmin is outdated and vulnerable to a number of remote attacks
- there are no firewall rules at all to protect the system
- root user login is allowed through SSH
- the root user for MySQL has no password
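To close out the missing-firewall item in the list above, here is an added example (not from the post or from Turnkey) that generates a default-deny iptables rule set from a small allowlist: the public web ports are open to everyone, while SSH and the three admin ports from the connection list (12320, 12321, 12322) are reachable only from an assumed management network, MGMT_NET. It prints the commands instead of running them so the set can be reviewed first and then piped to `sh` as root on the appliance.

```shell
#!/bin/sh
# Added example: generate a default-deny iptables INPUT rule set for the appliance.
# Not from the original post or Turnkey. MGMT_NET is an assumed management network.
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"

# Allowlist as port:proto:source, one entry per line. Public web on 80/443; SSH and
# the Web Shell, Webmin and phpMyAdmin ports (12320-12322) only from MGMT_NET.
ALLOW_RULES="80:tcp:0.0.0.0/0
443:tcp:0.0.0.0/0
22:tcp:$MGMT_NET
12320:tcp:$MGMT_NET
12321:tcp:$MGMT_NET
12322:tcp:$MGMT_NET"

# Print the iptables commands for the given allowlist without executing them.
# The accept rules (including ESTABLISHED) are emitted before the DROP policy, so an
# SSH session that pipes this output into sh is not cut off between the two steps.
# $1: allowlist text
firewall_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while IFS=: read -r port proto src; do
        [ -n "$port" ] || continue
        echo "iptables -A INPUT -p $proto -s $src --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

# Number of allow entries in an allowlist, for a sanity check before applying.
# $1: allowlist text
allow_count() {
    printf '%s\n' "$1" | grep -c ':'
}

firewall_rules "$ALLOW_RULES"
```

The rules do not persist across a reboot on their own; on Ubuntu 8.04 you save them with `iptables-save` and restore them from a boot script. For the MySQL item in the same list, `mysql -u root -e 'select 1'` succeeding without a password confirms the problem, and `mysqladmin -u root password '<new password>'` sets one.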