LDAP and Apache security issues detected by network scan on Netware 6 servers

My network has been scanned and my Netware 6.0 servers were found to have numerous issues regarding LDAP and Apache.  I have searched and have not been able to find anything that works.  Security alerts are as follows:

HttpTraceEnabled
ApacheServerTokenNotSet
LDAP Nullbind
LDAP NullSubtree
LDAP Schema

Any help will be appreciated.
clpeaseAsked:
ShineOnCommented:
Oops, miskey - that'd be httpd.conf, not http.conf... :P
PsiCopCommented:
Ah, network scans. Great way to make money for the consultants. Never mind you pay them for what you could easily do yourself.

NetWare v6.0 loads an LDAP server by default. Kinda stupid, but everyone got into the habit of emulating Micro$oft and turning on most services in default installs.

You certainly don't need more than one or two LDAP servers in any network, and if you don't use LDAP-enabled services, then you don't need the LDAP server component at all. You can disable it on each NetWare server by unloading NLDAP.NLM. You can make the change permanent by commenting out (or deleting) the "LOAD NLDAP.NLM" statement in AUTOEXEC.NCF.

Similarly, the Apache webserver was a default component of NetWare v6.0. There may be two instances of Apache - a "user" instance for typical web pages, and an "admin" instance for iManager, Novell's web-based management interface for the eDirectory/NetWare environment. Look for lines like "ADMSRVUP" and "APWEBUP" in AUTOEXEC.NCF.
ShineOnCommented:
Note that if you rem out ADMSRVUP (or NVXADMUP on NW6) then you won't have iManager access.

If they explain the "TokenNotSet" alert, perhaps you can address that, without crippling your administration capabilities.
ShineOnCommented:
Also note that Tomcat uses secure LDAP to authenticate, and tomcat is what is used for iManager, so it may be unwise to simply unload/rem out NLDAP too.  Maybe set up your LDAP group to only allow secure LDAP?
ShineOnCommented:
Also, it'd be nice to know what SP level your NW6 servers are at, because there may be security vulnerabilities in the SP you're running under.  There actually were a handful of security issues addressed over the years, and applying the SP/patch may have closed one or more of the things found by the scan.
clpeaseAuthor Commented:
I was able to find a fix for the LDAP issues by going into ConsoleOne under the LDAP Server object properties and then restrictions.  Under the bind restrictions you can set to disable anonymous etc.

Still have the others as they relate to apache and http.  And I have NetStorage, NDPS, FTP server, and iManager so I can't stop the web server etc.

I am running Netware 6 SP5 and eDirectory 8.7.3.3
ShineOnCommented:
So what's left is the "HTTP TraceEnabled" and "ApacheServer TokenNotSet" ?

The TraceEnabled thing can be disabled using a Mod_rewrite method as per this CERT note: http://www.kb.cert.org/vuls/id/867593

I'd think you'd add it to sys:/apache/http.conf

The TokenNotSet thing is another directive, also set in the http.conf file, if I'm not mistaken.  Here's a link with info on that. http://www.bsi.bund.de/english/gshb/manual/s/s04194.html
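The two remaining Apache findings, as an added httpd.conf fragment that is not from the thread or from Novell: it assumes Apache 1.3.x on NetWare 6 with mod_rewrite loaded, and the file path sys:/apache/conf/httpd.conf is an assumption to check against your install.

```apache
# Added example, not from the original thread. Assumes Apache 1.3.x on
# NetWare 6 with mod_rewrite loaded; placed in httpd.conf (assumed path
# sys:/apache/conf/httpd.conf) and followed by a web server restart.

# --- ApacheServerTokenNotSet ---
# The default, "Full", advertises the exact version and module list in the
# Server response header. "Prod" reduces it to "Server: Apache".
ServerTokens Prod
# Also keep the version string out of server-generated pages
# (error pages, directory listings).
ServerSignature Off

# --- HttpTraceEnabled ---
# Apache 1.3.34+ / 2.0.55+ provide a TraceEnable directive; on an older
# build use the mod_rewrite method from CERT VU#867593, which answers any
# TRACE request with 403 Forbidden instead of echoing the request back.
# Uncomment the next line in place of the rewrite block if your build has it.
# TraceEnable Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Rewrite rules in the main server do not apply inside <VirtualHost>
# blocks by default; repeat the three lines above in each vhost (or add
# "RewriteOptions inherit" there) so the admin and user instances both match.
```

After the restart, a TRACE request should receive 403 (rewrite method) or 405 (TraceEnable Off), and the Server header should read only "Apache"; re-running the scan confirms both alerts clear.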