Re: Security Issues with HIGHSPEEDWEB.NET leased servers

From: Pedro Hugo (fractalgat_private)
Date: Thu Jan 20 2000 - 15:35:33 PST


    - -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    We at High Speed Hosting consider the post by one Brian Mueller to
    BUGTRAQ at best to be irresponsible and at worst downright
    dangerous to our network and the thousands of business clients
    connected to it.
    Since we use bugtraq regularly, and realize its charter and purpose
    is an informational exchange and not a "complaint box", we will not
    go any further into the personal side of this post. Instead, here is
    a direct reply to any security value that might or might not have been
    derived from that post:

    First, in response to the statement that our security policy allows
    open telnet access to our servers: this is a complete misstatement,
    obviously by one who has no idea what he is doing with the
    "administration" of his dedicated server. High Speed Hosting turns
    over all dedicated server leases with telnet and daemons denied using
    TCP Wrappers. The specific line in hosts.deny is ALL:ALL.
    We then urge the customer connected to our network, who has full root
    access to his server, and thus has full control, to ONLY allow
    specific ports that are needed and only by specific IP address. In
    fact we urge them to use ONLY a dedicated IP and not open even to a
    class C, i.e. xxx.xxx.xxx.*

    Upon investigating this post we logged on to the dedicated server in
    question and noticed the customer himself had removed the ALL:ALL in
    the hosts.deny file and thus had opened the server to anyone wanting
    to access it. We consider this a severe risk and unacceptable and we
    can't be held responsible for that.
    
    In regards to the second portion of the post, which complained of a
    problem with our Control Panel system's email management features:
    High Speed Hosting Security Administrators, aware of the possibility
    that another customer hosted on the same server could, if he wanted,
    divert email from another customer, immediately began a totally new
    Webcontrol [tm] System which uses a very different email system,
    including the use of qmail instead of sendmail.
    This new WebControl installation/upgrade began 17 days ago and is
    progressing nicely and will soon include all Virtual Hosting servers
    and Leased Dedicated NetROCK [tm] servers.
    
    One should look before he leaps.
    
    Mr P. Hugo
    Director of Security
    Genesis II Networks
    High Speed Hosting Division
    Security Administration Response Team
    
    
    - - -----Original Message-----
    From: Bugtraq List [mailto:BUGTRAQat_private] On Behalf Of Brian Mueller
    Sent: Thursday, 20 January 2000 1:42
    To: BUGTRAQat_private
    Subject: Security Issues with HIGHSPEEDWEB.NET leased servers
    
    
    Recently I started leasing a dedicated server from HIGHSPEEDWEB.NET. It
    came preconfigured (somewhat) and I was told that it would be "secure" for
    telnet (only specifically stated IP address(es) could gain access), etc.
    However, I have found that this is not the case; it seems that they do not
    place limiting information in the host.deny file, so anyone can still
    telnet into the server.

    Also, their mail configuration, which allows users to add mail aliases
    either via a web interface or by editing a file called .mailalias in their
    home directories, is faulty. Users may place _ANY_ valid local domain into
    this file and forward mail from that domain to their email address. The
    system works by running a cron script once per day and updating the
    sendmail virtual user database. The following is an example:

    Person A has a webhosting account on the HIGHSPEEDWEB.NET configured
    server. Person B wishes to "steal" email from Person A; they are targeting
    sales@person-a-domain.com as the attacked address and they are going to
    have that forwarded to fooat_private. They add the following line to their
    .mailalias file:
    
    sales@person-a-domain.com    fooat_private
    
    When the next update occurs, any email sent to sales@person-a-domain.com
    will be forwarded to fooat_private. This also works with wildcards, i.e.
    
    @person-a-domain.com    fooat_private
    
    would work if your entry is read into the sendmail virtual user
    database
    before the one that exists in Person A's directory.
    
    I notified HIGHSPEEDWEB.NET of the security issue well over a month
    ago and
    have not had any response from them regarding a fix.  I however did
    instate
    one of my own my forcing users to call myself to have aliases added
    for the
    time being.
    
    Brian Mueller
    
    
    
    *************************************************
    Brian Mueller
    President/CEO
    CreoTech
    "We are the future"
    www.creotech.com
    bmuellerat_private
    513.722.8645
    *************************************************
    - -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.0.2i
    
    iQA/AwUBOIebj7Q4oqT8+RAqEQKAdwCg2yrLlmHjVMZNP+GenlTy3vZHj+0Amwdo
    P5HTatZ4DVhrRYwZIbvdIors
    =ICrR
    - -----END PGP SIGNATURE-----
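The two posters disagree about what a hosts.deny of ALL:ALL does and does not buy a customer. The following is an added example, written for this archive page and not code from either poster or from TCP Wrappers itself: a simplified model of how libwrap evaluates hosts.allow and hosts.deny (only ALL, exact IPv4 addresses and trailing-dot network prefixes are modelled; EXCEPT, netmasks, hostnames and shell commands are left out). The configurations and client addresses are constructed, using RFC 5737 documentation ranges, to show the shipped ALL:ALL, the single-IP hosts.allow the provider recommends, the class C form it discourages, and what happens once the ALL:ALL line is removed.

```python
"""Simplified model of TCP Wrappers (libwrap) access control.
Added example for this page; not the provider's configuration or libwrap code."""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] for a hosts.* file.
    Each line is 'daemon_list : client_list [: shell_command]'; list items are
    separated by commas and/or whitespace; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; real libwrap logs and skips it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # '192.0.2.' matches the whole class C
        return client_ip.startswith(pattern)
    return pattern == client_ip         # otherwise an exact address


def _rule_matches(rules, daemon, client_ip):
    return any(
        any(_daemon_matches(d, daemon) for d in daemons)
        and any(_client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """libwrap order: a hosts.allow match grants access, then a hosts.deny
    match refuses it, and if neither file matches the connection is ALLOWED.
    That last rule is why deleting ALL:ALL opens the box to everyone."""
    if _rule_matches(parse_rules(hosts_allow), daemon, client_ip):
        return True
    if _rule_matches(parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


# Constructed configurations (assumed file contents, documentation addresses).
SHIPPED_DENY = "ALL: ALL\n"                  # the line the provider says it ships
EMPTIED_DENY = "# ALL: ALL\n"                # the same file with that line removed
ALLOW_ONE_HOST = "in.telnetd: 192.0.2.10\n"  # the recommended single dedicated IP
ALLOW_CLASS_C = "in.telnetd: 192.0.2.\n"     # the discouraged xxx.xxx.xxx.* form

if __name__ == "__main__":
    cases = [
        ("shipped, empty hosts.allow", "", SHIPPED_DENY, "198.51.100.7"),
        ("one host allowed, that host", ALLOW_ONE_HOST, SHIPPED_DENY, "192.0.2.10"),
        ("one host allowed, its neighbour", ALLOW_ONE_HOST, SHIPPED_DENY, "192.0.2.11"),
        ("class C allowed, its neighbour", ALLOW_CLASS_C, SHIPPED_DENY, "192.0.2.11"),
        ("ALL:ALL removed, any stranger", ALLOW_ONE_HOST, EMPTIED_DENY, "198.51.100.7"),
    ]
    for label, allow, deny, ip in cases:
        verdict = "ALLOW" if access_allowed(allow, deny, "in.telnetd", ip) else "DENY"
        print(f"{label:34} telnet from {ip:14} -> {verdict}")
```

The model only covers services that actually consult libwrap (daemons started through tcpd from inetd, or linked against libwrap); a daemon started any other way never reads hosts.deny, so ALL:ALL is not a substitute for a packet filter. The check worth keeping from this exchange is the last case: with ALL:ALL gone and nothing matching in hosts.allow, libwrap's default is to allow.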
    

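The mail alias problem in the quoted report comes down to a cron job that merges every customer's ~/.mailalias into one sendmail virtual user table without asking whether the customer owns the domain on the left-hand side. The following is an added example, not the provider's cron script or Brian Mueller's code: a model of that merge with first-key-wins semantics (what makemap does without -r), a simplified virtusertable lookup (exact user@domain, then the @domain catch-all), and the ownership check that closes the hole. Account names, domains and file contents are constructed; Person B's file carries the two hostile entries from the report, and Person A only has a catch-all for its own domain. It also shows the order dependence the report mentions: the exact-address hijack works whichever home directory is read first, the wildcard one only when Person B's file is read first.

```python
"""Model of the daily .mailalias -> sendmail virtusertable cron, with and
without a domain ownership check. Added example; constructed data throughout."""

# Constructed: which domains each hosting account is actually assigned.
ACCOUNT_DOMAINS = {
    "persona": {"person-a-domain.com"},
    "personb": {"person-b-domain.example"},
}

# Constructed ~/.mailalias contents, keyed by account.
MAILALIAS = {
    "personb": (
        "sales@person-a-domain.com    foo@person-b-domain.example\n"   # hostile
        "@person-a-domain.com         foo@person-b-domain.example\n"   # hostile wildcard
        "info@person-b-domain.example bob@person-b-domain.example\n"  # legitimate
    ),
    "persona": (
        "@person-a-domain.com         catchall@person-a-domain.com\n"
    ),
}


def parse_mailalias(text):
    """Yield (key, target) pairs: 'user@domain target' or '@domain target'
    (catch-all). Blank, comment and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or "@" not in parts[0]:
            continue
        yield parts[0].lower(), parts[1]


def key_domain(key):
    """Domain part of 'user@domain' or '@domain'."""
    return key.rsplit("@", 1)[1]


def build_virtusertable(files, account_domains, enforce_ownership):
    """Merge the per-account files in the order given (the order the cron
    walks the home directories). First occurrence of a key wins, as with
    makemap without -r. With enforce_ownership=True an entry is kept only if
    its key's domain is assigned to the account that wrote it."""
    table = {}
    rejected = []
    for account, text in files.items():
        for key, target in parse_mailalias(text):
            owned = account_domains.get(account, set())
            if enforce_ownership and key_domain(key) not in owned:
                rejected.append((account, key))
                continue
            table.setdefault(key, target)
    return table, rejected


def resolve(table, address):
    """Simplified sendmail virtusertable lookup: exact user@domain first,
    then the @domain catch-all, else None (no virtual mapping)."""
    address = address.lower()
    if address in table:
        return table[address]
    return table.get("@" + key_domain(address))


def in_order(*accounts):
    """The constructed files in a chosen read order."""
    return {name: MAILALIAS[name] for name in accounts}


if __name__ == "__main__":
    for label, order in (("Person B read first", ("personb", "persona")),
                         ("Person A read first", ("persona", "personb"))):
        for enforce in (False, True):
            table, rejected = build_virtusertable(in_order(*order), ACCOUNT_DOMAINS, enforce)
            print(f"{label}, ownership check {'on ' if enforce else 'off'}: "
                  f"sales@ -> {resolve(table, 'sales@person-a-domain.com')}, "
                  f"billing@ -> {resolve(table, 'billing@person-a-domain.com')}, "
                  f"rejected {rejected}")
```

The ownership check belongs in the cron (and in the web interface that writes .mailalias), since the file sits in a directory the customer can edit directly; anything only the web form validates is bypassed by a text editor. Rejected entries are returned rather than silently dropped so the job can log who tried to claim a domain they do not hold.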


    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:46 PDT