Customer scanner reports vulnerabilities on port 80 (HTTP)


Article ID: 156629

Products

Security Information Manager

Issue/Introduction

1. Logins sent over an unencrypted connection: the application uses HTTP, not HTTPS (high)

2. Password in query string or cookie data

3. Password in URLs/cookies is only Base64 encoded

Cause

It is highly unlikely that these are genuine port 80 findings. On an SSIM appliance, iptables blocks inbound port 80 by design. If a scanner can reach that port at all, iptables is very likely stopped or has been disabled at boot, so the scanner is seeing an HTTP listener that should never be reachable from the network.

Resolution

Verify whether iptables is running. If you run the following command and see the output below, iptables is loaded but not filtering anything:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 

This allows all inbound connections, including port 80, which is how the scanner reached the HTTP listener and produced the three findings above.

You should also run chkconfig to determine whether iptables has been disabled at boot time. A properly configured SSIM shows it on in runlevels 2 through 5, as in the output below:

# chkconfig --list | grep ipt

iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

If it is disabled (for example, off in runlevels 3, 4 and 5), enable it at boot:

# chkconfig iptables on

Then start iptables now (this loads the rule set from /etc/sysconfig/iptables):

# /etc/init.d/iptables start

Afterwards the INPUT chain should have a DROP policy and look like the listing below. Note that plain iptables -L hides the interface column, so the ACCEPT all rule near the top appears unrestricted; use iptables -L -n -v to see the interface each rule matches and to avoid slow reverse-DNS lookups on the addresses. Once the firewall is back, re-run the scan and confirm that port 80 is no longer reachable and the three findings are gone.

# iptables -L

Chain INPUT (policy DROP)

target     prot opt source               destination

DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE

DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN

DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST

DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST

DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN

DROP       tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH

DROP       tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG

ACCEPT     all  --  anywhere             anywhere

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldaps

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ibmdiradm

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldapdb2svcids

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:10010

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:simdbmu

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sesevents

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:db2c_db2admin

ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:10099:49999

ACCEPT     udp  --  anywhere             anywhere            udp dpts:10099:49999

ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply state NEW,RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere            icmp echo-request state NEW,RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable state NEW,RELATED,ESTABLISHED

ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded state NEW,RELATED,ESTABLISHED

ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp

ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:10514:10650

ACCEPT     udp  --  anywhere             anywhere            udp dpts:10514:10650

 

Chain FORWARD (policy DROP)

target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination
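The check described in this article can be scripted so that it is repeatable across appliances. The script below is an added example and is not part of the SSIM product or of this article: it parses the text of iptables -L and chkconfig --list iptables (saved output is used here, constructed to mirror the listings above, so it runs without root) and reports OPEN when the INPUT chain accepts everything with no rules, HTTP-EXPOSED when an ACCEPT rule explicitly opens tcp port 80, and FILTERED otherwise. The function names and the sample listings are this example's own.

```shell
#!/bin/bash
# Added example: audit saved `iptables -L` / `chkconfig --list iptables` text.
# Not SSIM code; the sample listings below are constructed for the example.

# Constructed sample: `iptables -L` on a host where iptables is stopped.
OPEN_OUTPUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: abbreviated listing from a properly configured host.
CLOSED_OUTPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: firewall running, but someone added a port 80 rule.
EXPOSED_OUTPUT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# input_policy LISTING: print the default policy of the INPUT chain.
input_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain INPUT (policy \([A-Z]*\)).*/\1/p'
}

# input_rule_count LISTING: number of rule lines inside the INPUT chain.
input_rule_count() {
    printf '%s\n' "$1" | awk '
        /^Chain INPUT/ { in_input = 1; next }
        /^Chain /      { in_input = 0 }
        in_input && /^(ACCEPT|DROP|REJECT|LOG)/ { n++ }
        END { print n + 0 }'
}

# http_accepted LISTING: succeed if an INPUT ACCEPT rule matches tcp dpt:http
# or dpt:80 (dpt:https does not match because "http" must end the token).
http_accepted() {
    printf '%s\n' "$1" | awk '
        /^Chain INPUT/ { in_input = 1; next }
        /^Chain /      { in_input = 0 }
        in_input && /^ACCEPT/ && /dpt:(http|80)( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# firewall_verdict LISTING: OPEN, HTTP-EXPOSED or FILTERED.
firewall_verdict() {
    local policy count
    policy=$(input_policy "$1")
    count=$(input_rule_count "$1")
    if [ "$policy" = "ACCEPT" ] && [ "$count" -eq 0 ]; then
        echo OPEN            # iptables stopped: every inbound port reachable
    elif http_accepted "$1"; then
        echo HTTP-EXPOSED    # firewall running but port 80 deliberately open
    else
        echo FILTERED
    fi
}

# boot_enabled CHKCONFIG_LINE: succeed if iptables is on in runlevels 3, 4, 5.
boot_enabled() {
    printf '%s\n' "$1" | grep -q '3:on.*4:on.*5:on'
}

# Stand-alone run over the constructed samples.
for sample in "$OPEN_OUTPUT" "$CLOSED_OUTPUT" "$EXPOSED_OUTPUT"; do
    firewall_verdict "$sample"
done
```

On a live appliance, call the same functions on real output as root: firewall_verdict "$(iptables -L)" and boot_enabled "$(chkconfig --list iptables)". Anything other than FILTERED plus a successful boot_enabled means the scanner findings are explained by the firewall state rather than by the application.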