Hi, I installed Defender and Snapshot (switched from iThemes Security and Wordfence) and also used the Beyond Security service to scan for vulnerabilities. First, great, I got an A+ score :slight_smile:
But I wanted to point out a few vulnerabilities that I believe are related to the server. That site is hosted with Bluehost, so I can’t do much about it. If I understand correctly, Defender does not include a firewall? If it doesn’t, it would be great to add one! Thank you for your help!
Here they are:
SMTP Service Cleartext Login Permitted
SMTP Authentication Methods
FTP Service AUTH TLS Command Support
IMAP Service STARTTLS Command Support
SSH Server Backported Security Patches
FTP Clear Text Authentication
TCP Timestamps Retrieval
ICMP Echo Request
IMAP Banner
SSH Detection
SSH Server Detection
SMTP Server Detection
Security Testing

| Type | Tests | Failed | Passed |
|---|---|---|---|
| Infrastructure Tests | 13348 | 25 | 13323 |
| Blind SQL Injection | 2856 | 0 | 2856 |
| SQL Injection | 3468 | 0 | 3468 |
| Cross Site Scripting | 5916 | 0 | 5916 |
| Source Disclosure | 3468 | 0 | 3468 |
| PHP Code Injection | 1632 | 0 | 1632 |
| Windows Command Execution | 2448 | 0 | 2448 |
| UNIX Command Execution | 2652 | 0 | 2652 |
| UNIX File Disclosure | 1632 | 0 | 1632 |
| Windows File Disclosure | 5508 | 0 | 5508 |
| Directory Disclosure | 3468 | 0 | 3468 |
| Remote File Inclusion | 204 | 0 | 204 |
| HTTP Header Injection | 1836 | 0 | 1836 |
Low risk vulnerabilities results:
1. SMTP Service Cleartext Login Permitted (Low)
Port: smtp (25/tcp)
Summary:
The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections.
The SMTP server advertises the following SASL methods over an unencrypted channel:
All supported methods: LOGIN, PLAIN
Cleartext methods: LOGIN, PLAIN
Recommended Solution:
Configure the service to support less secure authentication mechanisms only over an encrypted channel.
Impact:
An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e. LOGIN or PLAIN) is used.
More information: http://tools.ietf.org/html/rfc4422 and http://tools.ietf.org/html/rfc4954
Test ID: 14652
2. SMTP Authentication Methods (Low)
Port: smtp (25/tcp)
Summary:
The remote SMTP server advertises that it supports authentication.
The following authentication methods are advertised by the SMTP server without encryption:
* LOGIN
* PLAIN
Recommended Solution:
Review the list of methods and whether they’re available over an encrypted channel.
More information: http://tools.ietf.org/html/rfc4422 and http://tools.ietf.org/html/rfc4954
Test ID: 13476
3. FTP Service AUTH TLS Command Support (Low)
Port: ftp (21/tcp)
Summary:
The remote FTP service supports the use of the ‘AUTH TLS’ command to switch from a plaintext to an encrypted communications channel.
More information: http://en.wikipedia.org/wiki/STARTTLS and http://tools.ietf.org/html/rfc4217
Test ID: 11982
4. IMAP Service STARTTLS Command Support (Low)
Port: imap (143/tcp)
Summary:
The remote IMAP service supports the use of the ‘STARTTLS’ command to switch from a plaintext to an encrypted communications channel.
More information: http://en.wikipedia.org/wiki/STARTTLS and http://tools.ietf.org/html/rfc2595
Test ID: 11965
5. SSH Server Backported Security Patches (Low)
Port: ssh (22/tcp)
Summary:
Security patches may have been ‘back ported’ to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives.
Test ID: 11776
6. FTP Clear Text Authentication (Low)
Port: ftp (21/tcp)
Summary:
The remote FTP service does not encrypt its data and control connections. The user name and password are transmitted in clear text and may be intercepted by a network sniffer or a man-in-the-middle attack.
Recommended Solution:
Switch to FTPS (FTP over SSL/TLS) or SFTP (part of the SSH suite).
Test ID: 11278
7. TCP Timestamps Retrieval (Low)
Port: general/tcp
Summary:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
The uptime was estimated at 6322245s, i.e. about 73 days.
(Note that the clock is running at about 100 Hz and will overflow in about 42949672s, that is 497 days)
More information: http://www.ietf.org/rfc/rfc1323.txt
Test ID: 10399
8. ICMP Echo Request (Low)
Port: general/icmp
Summary:
The remote host answers an ICMP echo request (ping).
Recommended Solution:
Filter out the ICMP echo requests (8)
Impact:
The remote host answers ping; an attacker can use this to determine that the host is running.
Test ID: 9507
9. IMAP Banner (Low)
Port: imap (143/tcp)
Summary:
This test returns the IMAP banner:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Test ID: 2242
10. SSH Detection (Low)
Port: ssh (22/tcp)
Summary:
The remote SSH daemon supports the following versions of the SSH protocol:
* 1.99
* 2.0
SSHv2 host key fingerprint : 0c:ab:47:ae:ab:93:ba:4b:6f:63:bf:bd:0d:17:ef:5f
Test ID: 1642
11. SSH Server Detection (Low)
Port: ssh (22/tcp)
Summary:
An SSH daemon was detected and the following banner was received:
SSH version: SSH-2.0-OpenSSH_5.3
SSH supported authentication: publickey,password
Recommended Solution:
Make sure this doesn’t include information about the server’s type or version. Change it to something generic like ‘welcome’.
Test ID: 942
12. SMTP Server Detection (Low)
Port: smtp (25/tcp)
Summary:
This is what your SMTP server told us about itself:
220-box1319.bluehost.com ESMTP Exim 4.86_1 #1 Mon, 02 Jan 2017 21:53:09 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Recommended Solution:
For Exchange server, see: http://support.microsoft.com/support/kb/articles/Q281/2/24.ASP
For Sendmail, edit the configuration file (usually /etc/sendmail.cf) and change the line that begins with:
O SmtpGreetingMessage
And delete the string ‘$v/$Z’ which is the sendmail version.
Impact:
Attackers can gain critical information about the host.
Test ID: 939
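Findings 1, 2 and 9 all come down to one question: does the mail server advertise password-carrying SASL mechanisms before STARTTLS? The check below is an added example, not code from Beyond Security, Defender or Bluehost; the IMAP greeting is the one quoted in finding 9, while the SMTP EHLO responses and the hardened IMAP greeting are constructed to show the weak and the corrected state side by side.

```python
import re

# IMAP greeting copied from finding 9 of the post; every SMTP/IMAP line below marked
# "constructed" is made up for this example.
IMAP_BANNER_POST = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                    "STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
# Constructed: what a server that refuses plaintext auth shows before STARTTLS (RFC 2595).
IMAP_BANNER_HARDENED = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."
# Constructed EHLO responses mirroring findings 1 and 2: AUTH advertised before TLS vs. withheld.
SMTP_EHLO_WEAK = ("250-box.example.test Hello\r\n250-SIZE 52428800\r\n"
                  "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n")
SMTP_EHLO_HARDENED = "250-box.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"

# SASL mechanisms that carry the password itself (RFC 4422 / RFC 4954); safe only under TLS.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def smtp_cleartext_auth(ehlo_response: str) -> list[str]:
    """Cleartext SASL mechanisms advertised in a pre-TLS EHLO response (expected: none)."""
    found = set()
    for line in ehlo_response.splitlines():
        # Both "250-AUTH PLAIN LOGIN" (RFC 4954) and the legacy "250-AUTH=PLAIN LOGIN" form.
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip(), re.IGNORECASE)
        if m:
            found.update(m.group(1).upper().split())
    return sorted(found & CLEARTEXT_MECHS)


def imap_cleartext_auth(greeting: str) -> list[str]:
    """Cleartext logins a pre-TLS IMAP CAPABILITY list permits: AUTH=PLAIN/LOGIN, plus the
    plain LOGIN command unless LOGINDISABLED is advertised (expected: none)."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", greeting, re.IGNORECASE)
    if not m:
        return []
    caps = m.group(1).upper().split()
    found = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")} & CLEARTEXT_MECHS
    if "LOGINDISABLED" not in caps:
        found.add("LOGIN")  # the IMAP LOGIN command sends the password in the clear
    return sorted(found)


def report(label: str, mechs: list[str]) -> str:
    """One scanner-style line per service, e.g. 'smtp/25: cleartext methods: LOGIN, PLAIN'."""
    return f"{label}: " + ("cleartext methods: " + ", ".join(mechs) if mechs else "no cleartext auth before TLS")


if __name__ == "__main__":
    print(report("imap/143 (post)", imap_cleartext_auth(IMAP_BANNER_POST)))
    print(report("imap/143 (hardened)", imap_cleartext_auth(IMAP_BANNER_HARDENED)))
    print(report("smtp/25 (weak)", smtp_cleartext_auth(SMTP_EHLO_WEAK)))
    print(report("smtp/25 (hardened)", smtp_cleartext_auth(SMTP_EHLO_HARDENED)))
```

On a host you control, the hardened state corresponds to Dovecot's `disable_plaintext_auth = yes` and, for Exim, advertising AUTH only to TLS sessions via `auth_advertise_hosts`; on shared hosting it is a request to the provider.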