?
Solved

iptables / OS firewall rule to block scanning on Tcp/Udp 53, Tcp2381 for PHP & Openssh Tcp22

Posted on 2015-01-03
3
Medium Priority
?
288 Views
Last Modified: 2015-01-20
Will creating iptables / firewall rule to permit only selected sysadmin laptops (or app servers) to
access vulnerable servers (ISC Bind on Tcp/Udp 53 & PHP Tcp2381 & Openssh's too old versions)
help to block VA scanner's detection.

To help with mitigation till we have the resource to upgrade to higher versions
0
Comment
Question by:sunhux
  • 2
3 Comments
 
LVL 62

Assisted Solution

by:gheist
gheist earned 400 total points
ID: 40529369
Each of services has their IP-based access lists. And their ways of support to actually install updates (once a year before VA scan if no better idea)
0
 
LVL 10

Accepted Solution

by:
Schuyler Dorsey earned 1600 total points
ID: 40551426
Well. You're attacking a symptom and not the problem. You should NOT change ACL rules to prevent a vulnerability scanner from reaching a service on a host. If anything vulnerability scanners need to have blanket access to every port on every host.

Regardless of whether or not you adjust the ACL, the risk exists. If you change the ACL to prevent the scanner from hitting the port, you are hiding the risk, not acting on the risk. And thus you would not be able to report correctly on the risk.

Now, adjust the ACL to restrict access is certainly a remediation control you could use to act up on the present risk. So I agree with your approach only if you also add an ACL item which continues to allow the vulnerability scanner full access to the vulnerable servers.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40559565
Recomendation:
Update BIND (If out of redhat support you buy it or roll over to CentOS) - old 9-series configuration will work just fine, named-checkconf -z is your friend.
PHP TCP 2381 is HP management server - upgrade it (it is called SMH) at the same time restricting access or even binding it to localhost.
0

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
The intent of this article is not to tell you what solution to use (you know it better) or make a big bang change to your current regime (you are well aware of), but to share how the regime can be better and effective in streamlining the multiple pa…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Free Data Recovery software is an advanced solution from Kernel Tools to recover data and files such as documents, emails, database, media and pictures, etc. It supports recovery from physical & logical drive after a hard disk crash, accidental/inte…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question