  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 565

LDAP and Apache security issues detected by network scan on Netware 6 servers

My network has been scanned and my NetWare 6.0 servers were found to have numerous issues regarding LDAP and Apache. I have searched and have not been able to find anything that works. Security alerts are as follows:

HttpTraceEnabled
ApacheServerTokenNotSet
LDAP Nullbind
LDAP NullSubtree
LDAP Schema

Any help will be appreciated.
Asked by clpease

1 Solution

PsiCop commented:
Ah, network scans. Great way to make money for the consultants. Never mind you pay them for what you could easily do yourself.

NetWare v6.0 loads an LDAP server by default. Kinda stupid, but everyone got into the habit of emulating Micro$oft and turning on most services in default installs.

You certainly don't need more than one or two LDAP servers in any network, and if you don't use LDAP-enabled services, then you don't need the LDAP server component at all. You can disable it on each NetWare server by unloading NLDAP.NLM. You can make the change permanent by commenting out (or deleting) the "LOAD NLDAP.NLM" statement in AUTOEXEC.NCF.

Similarly, the Apache webserver was a default component of NetWare v6.0. There may be two instances of Apache - a "user" instance for typical web pages, and an "admin" instance for iManager, Novell's web-based management interface for the eDirectory/NetWare environment. Look for lines like "ADMSRVUP" and "APWEBUP" in AUTOEXEC.NCF.
0
 
ShineOn commented:
Note that if you rem out ADMSRVUP (or NVXADMUP on NW6) then you won't have iManager access.

If they explain the "TokenNotSet" alert, perhaps you can address that, without crippling your administration capabilities.
0
 
ShineOn commented:
Also note that Tomcat uses secure LDAP to authenticate, and Tomcat is what is used for iManager, so it may be unwise to simply unload/rem out NLDAP too. Maybe set up your LDAP group to only allow secure LDAP?
0
 
ShineOn commented:
Also, it'd be nice to know what SP level your NW6 servers are at, because there may be security vulnerabilities in the SP you're running under. There actually were a handful of security issues addressed over the years, so applying the SP/patch may have closed one or more of the things found by the scan.
0
 
clpease (Author) commented:
I was able to find a fix for the LDAP issues by going into ConsoleOne under the LDAP Server object properties and then Restrictions. Under the bind restrictions you can set it to disable anonymous binds, etc.

Still have the others as they relate to Apache and HTTP. And I have NetStorage, NDPS, FTP server, and iManager, so I can't stop the web server, etc.

I am running NetWare 6 SP5 and eDirectory 8.7.3.3.
0
 
ShineOn commented:
So what's left is the "HTTP TraceEnabled" and "ApacheServer TokenNotSet"?

The TraceEnabled thing can be disabled using a Mod_rewrite method as per this CERT note: http://www.kb.cert.org/vuls/id/867593

I'd think you'd add it to sys:/apache/http.conf

The TokenNotSet thing is another directive, also set in the http.conf file, if I'm not mistaken.  Here's a link with info on that. http://www.bsi.bund.de/english/gshb/manual/s/s04194.html
0
 
ShineOn commented:
Oops, miskey - that'd be httpd.conf, not http.conf... :P
0
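The two remaining findings map to two httpd.conf settings: the mod_rewrite block from the CERT note (or, on Apache 1.3.34 / 2.0.55 and later, the simpler `TraceEnable off`) for TRACE, and `ServerTokens Prod` for the server-banner finding. The following is an added example, not code from this thread or from Novell: it embeds a constructed httpd.conf fragment with those directives and a small checker that confirms each finding is actually addressed, which is useful for re-checking before the next scan. The `parse_directives` / `trace_blocked` / `server_tokens_minimal` names are assumptions for this example.

```python
import re

# Constructed httpd.conf fragment (assumed example, not a NetWare default).
# TRACE is refused with the mod_rewrite method from CERT VU#867593 and the
# version banner is reduced to "Apache" with ServerTokens Prod.
SAMPLE_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
"""

def parse_directives(conf_text):
    """Return (directive, args) pairs, lower-casing the directive name and
    skipping comments and blank lines."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs

def _rule_forbids(args):
    """True if a RewriteRule's flag list contains F (forbidden)."""
    m = re.search(r"\[([^\]]*)\]\s*$", args)
    flags = [f.strip().lower() for f in m.group(1).split(",")] if m else []
    return "f" in flags or "forbidden" in flags

def trace_blocked(conf_text):
    """True if TRACE is refused: either 'TraceEnable off' (newer Apache) or
    RewriteEngine On plus a RewriteCond on REQUEST_METHOD matching TRACE that
    is immediately followed by a RewriteRule carrying the [F] flag."""
    d = parse_directives(conf_text)
    if any(k == "traceenable" and v.lower() == "off" for k, v in d):
        return True
    engine_on = any(k == "rewriteengine" and v.lower() == "on" for k, v in d)
    for i, (k, v) in enumerate(d):
        if k == "rewritecond" and "request_method" in v.lower() and "trace" in v.lower():
            nxt = d[i + 1] if i + 1 < len(d) else ("", "")
            if nxt[0] == "rewriterule" and _rule_forbids(nxt[1]):
                return engine_on  # a rule without RewriteEngine On does nothing
    return False

def server_tokens_minimal(conf_text):
    """True if ServerTokens is Prod; absent means Apache's default of Full."""
    for k, v in parse_directives(conf_text):
        if k == "servertokens":
            return v.lower() == "prod"
    return False
```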
