Your Distro is Insecure: Ubuntu

Ante Karamatić ivoks at grad.hr
Tue Apr 14 16:09:39 UTC 2009


On Tue, 14 Apr 2009, at 10:30 -0500, n2vip at verizon.net wrote:

> The second page is reachable now.

'Ironically the first two entries: the Post Office Protocol version 3
(pop3) and the Internet Message Access Protocol version 2 (imap2) are
installed and running despite Ubuntu having installed the more secure
versions. Both of these older protocols were needed in years past for
interoperability with older mail programs, but all major mail programs
now support the more secure versions. (The biggest issues with these
older services are clear text passwords; however, POP2 servers have also
been vulnerable to root compromises.)'

The author doesn't understand 'netstat', but uses its output to make a claim.
So, let's start:

1) Ubuntu (dovecot actually) doesn't support POP2 - even the netstat
output doesn't show pop2
2) Ubuntu (dovecot actually) doesn't support IMAP2
3) What Ubuntu (dovecot actually) supports are - POP3 and IMAP4rev1

The author should know that IMAP4 is an extension of IMAP2, so it uses the same
port as imap2. As you can't define multiple names for one port
in /etc/services, the sane practice is to put imap2 there. netstat
reads /etc/services and then claims that the protocol is imap2.

Next, bootpc UDP is the port opened by dhclient. This guy is running a dhcp
server without being aware of that. netstat tip #2: 'sudo netstat -aup |
grep boot'.

So, B- for the author's knowledge of UNIX/Linux systems.

Next are users with /bin/bash. If those users had /bin/false,
they wouldn't be able to run jobs from cron.

Of course, there are some valid points, but also lots of nonsense.
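The point about netstat's service names is easy to check by hand. The following is an added example (not part of this thread or of net-tools) that reproduces the lookup netstat performs against /etc/services: a port number is mapped to whichever name appears first for that port/protocol pair, so 143/tcp is printed as "imap2" no matter which IMAP revision the daemon behind it actually speaks. The services table below is a constructed excerpt in the /etc/services format, not copied from any real system.

```python
"""Port-to-service-name lookup the way netstat does it, via an /etc/services-style table."""

# Constructed excerpt in /etc/services format (sample data, not a real system's file).
# Format: <name> <port>/<proto> [aliases...] [# comment]
SERVICES_EXCERPT = """\
# Network services, Internet style (constructed sample)
pop3            110/tcp         pop-3           # POP version 3
pop3            110/udp         pop-3
imap2           143/tcp         imap            # IMAP2 and IMAP4 share this port
imap2           143/udp         imap
bootps          67/udp                          # BOOTP/DHCP server
bootpc          68/udp                          # BOOTP/DHCP client
imaps           993/tcp                         # IMAP over SSL
pop3s           995/tcp                         # POP-3 over SSL
"""


def parse_services(text):
    """Return {(port, proto): (canonical_name, [aliases])} from services-file text.

    The first entry for a port/proto pair wins, which is why a port carries
    exactly one canonical name in netstat's output.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # malformed line; a real parser would skip it too
        name, port_proto = fields[0], fields[1]
        port_str, proto = port_proto.split("/", 1)
        try:
            port = int(port_str)
        except ValueError:
            continue
        table.setdefault((port, proto), (name, fields[2:]))
    return table


def service_name(table, port, proto):
    """What netstat prints for a numeric port: the canonical name, or the number if unknown."""
    entry = table.get((port, proto))
    return entry[0] if entry else str(port)


def names_for_port(table, port, proto):
    """Every name (canonical plus aliases) that resolves to a port, e.g. imap2 and imap for 143/tcp."""
    entry = table.get((port, proto))
    return [entry[0], *entry[1]] if entry else []


if __name__ == "__main__":
    table = parse_services(SERVICES_EXCERPT)
    for port, proto in [(110, "tcp"), (143, "tcp"), (68, "udp"), (993, "tcp"), (4444, "tcp")]:
        print(f"{port}/{proto} -> {service_name(table, port, proto)} "
              f"(all names: {names_for_port(table, port, proto)})")
```

The name printed for a listening socket therefore says nothing about the protocol revision or whether TLS is in use; to know what a daemon on 143/tcp really offers you have to look at the daemon's own configuration or its capability banner, not at netstat.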
