clpease asked:
LDAP and Apache security issues detected by network scan on Netware 6 servers

My network has been scanned and my NetWare 6.0 servers were found to have numerous issues regarding LDAP and Apache. I have searched and have not been able to find anything that works. Security alerts are as follows:

HttpTraceEnabled
ApacheServerTokenNotSet
LDAP Nullbind
LDAP NullSubtree
LDAP Schema

Any help will be appreciated.
PsiCop

Ah, network scans. Great way to make money for the consultants. Never mind you pay them for what you could easily do yourself.

NetWare v6.0 loads an LDAP server by default. Kinda stupid, but everyone got into the habit of emulating Micro$oft and turning on most services in default installs.

You certainly don't need more than one or two LDAP servers in any network, and if you don't use LDAP-enabled services, then you don't need the LDAP server component at all. You can disable it on each NetWare server by unloading NLDAP.NLM. You can make the change permanent by commenting out (or deleting) the "LOAD NLDAP.NLM" statement in AUTOEXEC.NCF.

Similarly, the Apache webserver was a default component of NetWare v6.0. There may be two instances of Apache - a "user" instance for typical web pages, and an "admin" instance for iManager, Novell's web-based management interface for the eDirectory/NetWare environment. Look for lines like "ADMSRVUP" and "APWEBUP" in AUTOEXEC.NCF.
Note that if you rem out ADMSRVUP (or NVXADMUP on NW6) then you won't have iManager access.

If they explain the "TokenNotSet" alert, perhaps you can address that, without crippling your administration capabilities.
Also note that Tomcat uses secure LDAP to authenticate, and Tomcat is what is used for iManager, so it may be unwise to simply unload/rem out NLDAP too. Maybe set up your LDAP group to only allow secure LDAP?
Also, it'd be nice to know what SP level your NW6 servers are at, because there may be security vulnerabilities in the SP you're running under. There actually have been a handful of security issues addressed over the years, and applying the SP/patch may have closed one or more of the things found by the scan.
clpease

ASKER

I was able to find a fix for the LDAP issues by going into ConsoleOne under the LDAP Server object properties and then Restrictions. Under the bind restrictions you can set to disable anonymous etc.

Still have the others as they relate to Apache and HTTP. And I have NetStorage, NDPS, FTP server, and iManager so I can't stop the web server etc.

I am running NetWare 6 SP5 and eDirectory 8.7.3.3
So what's left is the "HTTP TraceEnabled" and "ApacheServer TokenNotSet"?

The TraceEnabled thing can be disabled using a Mod_rewrite method as per this CERT note: http://www.kb.cert.org/vuls/id/867593

I'd think you'd add it to sys:/apache/http.conf

The TokenNotSet thing is another directive, also set in the http.conf file, if I'm not mistaken.  Here's a link with info on that. http://www.bsi.bund.de/english/gshb/manual/s/s04194.html
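Rather than pay for a re-scan to confirm the fixes, the three findings that can be tested from the outside (TRACE, the Server banner, and the anonymous LDAP bind) can be re-checked with a few lines of Python 3 standard library. The script below is an added example, not from this thread or from Novell; the host name, ports and script name (nw6_scan_check.py) are assumptions, and the sample HTTP and LDAP responses embedded in it are constructed so that the decision logic can be exercised offline.

```python
"""nw6_scan_check.py (hypothetical name): re-run three scanner checks yourself.
HTTP TRACE, Apache ServerTokens, and LDAP anonymous ("null") bind.
Added example; host/ports are assumptions, sample responses are constructed."""
import re
import socket
import sys


def build_trace_request(host: str) -> bytes:
    """Minimal HTTP/1.1 TRACE request; a live TRACE echoes it back to us."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Probe: trace-check\r\nConnection: close\r\n\r\n").encode()


def http_status(raw: bytes) -> int:
    parts = raw.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    return int(parts[1])


def http_header(raw: bytes, name: str):
    """Return the first header with that name (case-insensitive), or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode(errors="replace")
    return None


def trace_enabled(raw: bytes) -> bool:
    """HttpTraceEnabled: 200 plus our request reflected back (message/http)."""
    if http_status(raw) != 200:
        return False
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    ctype = (http_header(raw, "Content-Type") or "").lower()
    return ctype.startswith("message/http") or b"X-Probe: trace-check" in body


# "Apache/1.3.29 (NETWARE) mod_jk/1.2.5" leaks versions; "Apache" (Prod) does not
VERSION_RE = re.compile(r"/\d")


def server_tokens_verbose(server_header) -> bool:
    """ApacheServerTokenNotSet: anything beyond the bare product name."""
    if not server_header:
        return False
    return bool(VERSION_RE.search(server_header)) or "(" in server_header


# LDAPv3 anonymous simple bind, hand-encoded BER:
# SEQUENCE{ messageID 1, [APPLICATION 0] BindRequest{ version 3, name "", simple "" } }
LDAP_ANON_BIND = bytes.fromhex("300c020101600702010304008000")
LDAP_RESULT_NAMES = {0: "success", 13: "confidentialityRequired",
                     48: "inappropriateAuthentication",
                     49: "invalidCredentials", 53: "unwillingToPerform"}


def _ber(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ldap_bind_result(raw: bytes) -> int:
    """Pull resultCode out of an LDAPMessage carrying a BindResponse."""
    tag, msg, _ = _ber(raw, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _ber(msg, 0)         # messageID INTEGER
    tag, body, _ = _ber(msg, pos)          # protocolOp
    if tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = _ber(body, 0)           # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def ldap_null_bind_allowed(raw: bytes) -> bool:
    """LDAP Nullbind: an empty-DN, empty-password bind was answered with success."""
    return ldap_bind_result(raw) == 0


# Constructed sample responses (not captured from a real server).
SAMPLE_TRACE_ON = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.29 (NETWARE) mod_jk/1.2.5\r\n"
                   b"Content-Type: message/http\r\n\r\n"
                   b"TRACE / HTTP/1.1\r\nHost: nw6\r\nX-Probe: trace-check\r\n")
SAMPLE_TRACE_OFF = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n"
                    b"Content-Type: text/html\r\n\r\n<html>Forbidden</html>")
SAMPLE_BIND_OK = bytes.fromhex("300c02010161070a010004000400")       # resultCode 0
SAMPLE_BIND_REFUSED = bytes.fromhex("300c02010161070a013004000400")  # resultCode 48


def probe(host: str, http_port: int = 80, ldap_port: int = 389, timeout: float = 5.0) -> dict:
    """Run the three checks against a live server (hypothetical host/ports)."""
    findings = {}
    with socket.create_connection((host, http_port), timeout) as s:
        s.sendall(build_trace_request(host))
        raw = b"".join(iter(lambda: s.recv(4096), b""))
    findings["HttpTraceEnabled"] = trace_enabled(raw)
    findings["ApacheServerTokenNotSet"] = server_tokens_verbose(http_header(raw, "Server"))
    with socket.create_connection((host, ldap_port), timeout) as s:
        s.sendall(LDAP_ANON_BIND)
        raw = s.recv(4096)
    code = ldap_bind_result(raw)
    findings["LDAP Nullbind"] = code == 0
    findings["ldap_result"] = LDAP_RESULT_NAMES.get(code, str(code))
    return findings


if __name__ == "__main__":
    for name, value in probe(sys.argv[1]).items():
        print(f"{name}: {value}")
```

Run it as `python3 nw6_scan_check.py nw6-server` before and after editing the Apache configuration. `ServerTokens Prod` (optionally with `ServerSignature Off`) shrinks the Server header to the bare word "Apache", which the script no longer reports as verbose. The CERT mod_rewrite rule (`RewriteEngine On`, `RewriteCond %{REQUEST_METHOD} ^TRACE`, `RewriteRule .* - [F]`) makes TRACE come back as 403, which the script reports as disabled; the simpler `TraceEnable Off` directive only exists from Apache 1.3.34 / 2.0.55 onward, so check the Apache build on the server before relying on it. The LDAP check only speaks to the cleartext port; after the ConsoleOne bind restriction or a "require TLS for simple binds" setting, a refusal such as confidentialityRequired (13) or inappropriateAuthentication (48) is the expected answer, while resultCode 0 means the null bind is still open.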
ASKER CERTIFIED SOLUTION
ShineOn