Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




Post subject: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 4:25 am
Forum Regular

Joined: Thu May 07, 2009 12:46 pm
Posts: 285
Hello,

Yesterday something happened with our Horde webmail.
Users that try to log in get an error; they can't log in any more!

It prints this error:

Code:
Error connecting to IMAP server: [].


Does someone know how to fix that?
Or what's going on?


Thanks in advance


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 6:30 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 851
Location: Germany
Yes, I encounter that too.
You can fix it by allowing fsockopen via ASL Configuration in php.ini.
Somehow the upgrade to ASL 3.0 changed the config and/or the way it gets handled.


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 6:46 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 851
Location: Germany
OK, found out that in ASL 2.2 there was no fsockopen enable/disable feature.
That explains it.
Could this be integrated in the horde-webmail-php-check feature that was introduced in ASL 2.2?!


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 9:02 am
Forum Regular

Joined: Thu May 07, 2009 12:46 pm
Posts: 285
But then we have a High Risk: PHP Function fsockopen() allows an attacker to open sockets, useful for spamming, remote inclusion, etc

so how to fix that?


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 10:11 am
Forum Regular

Joined: Fri May 06, 2011 8:16 pm
Posts: 104
Location: UK
I have the same problem as well.

I am liking the new system, but this upgrade did not go as smoothly as I would have liked. For about 4 hours I thought I had lost all my clients' domains and emails through the ASL 3.0 not going right.

After reinstall I now have a problem getting into the system ;0(

Is it me, or have I developed a load more critical notifications about vulnerability problems, and when I try to click them it launches a page with no info on the wiki sheet.

Not sure what to make of this, but I will surely give it a couple of revisions to see if any fixes etc. get rolled out - which I presume is standard procedure as per normal.

But I don't want to be negative - the update looks bad and I am sure once I figure it out it will assume the role of the 2 IT gurus I have always wanted working for me ;0)


Last edited by inquis on Wed Jul 20, 2011 3:44 pm, edited 1 time in total.

Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 1:41 pm
Forum Regular

Joined: Wed Mar 19, 2008 10:22 pm
Posts: 109
This doesn't appear to only be a problem with Plesk 10.2. I was also seeing the same problem with the latest Plesk 9.5.4 and ASL 3.0.

Enabling fsockopen did solve the problem for me as well.


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 3:14 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3609
Location: Chantilly, VA
Quote:
But then we have a High Risk: PHP Function fsockopen() allows an attacker to open sockets, useful for spamming, remote inclusion, etc

so how to fix that?


So here are a few options:

1) Disable the function.
2) Enable the function only for specific domains; here's an example from Faris:

viewtopic.php?f=3&t=4062&p=23038&hilit=suhosin+domain#p23038

3) Set up output firewall rules to control what outbound services you allow. For example, you could block all port 25 and 465 outbound, except from qmail. Block port 80 access, except from specific processes or users, etc.

4) Put users in the SOCKET_SERVER group. This restricts them to only acting as servers (so they can't connect out to other servers); they can only listen and serve up content, like web content, FTP, etc., but not connect out.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 3:43 pm
Forum Regular

Joined: Thu May 07, 2009 12:46 pm
Posts: 285
step 1) Can't do that because Horde doesn't work anymore.

step 2) If I have to enable the function only for specific domains, that will be a lot of work for a hosting company with new accounts every day, and a lot of users like to use webmail.

step 3) Do you have an example of that? I use APF firewall....?

step 4) I don't understand this part...


On ASL 2.2 this already was a security issue?
So it doesn't matter if it's disabled because it has always been open on ASL 2.2?


Thanks in advance


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 4:03 pm
Forum Regular

Joined: Fri May 06, 2011 8:16 pm
Posts: 104
Location: UK
I would be interested in step 3 and step 4 as well - both sound like quite tightly scoped methods, if I understand what you wrote correctly.

Anyway, I got into the control panel by disabling SSO, and after logging in, all is well.

OT: Does anybody know the command code for resetting a Plesk power panel password?

@ The atomic dev - when this is tightly tuned I can see it being awesome. So many more angles to protect the system.

I know it seems silly, but would there be any chance of creating presets like maximum stealth, loose, medium and stuff like that?

Sorry, I'm rambling - I'll keep subscribed to this thread for sure.


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 4:27 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7879
Location: earth
Yeah, actually that was where we were heading with the SERVER_TYPE classification, using that to come up with different default policies. At the moment it's being used to track the operating environment (normal, cpanel, directadmin, custom, etc).


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 4:29 pm
Forum Regular

Joined: Fri May 06, 2011 8:16 pm
Posts: 104
Location: UK
yes def heading in the right direction


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 4:46 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3609
Location: Chantilly, VA
Quote:
On ASL 2.2 this already was a security issue?


It's a security issue for everyone, if you are running ASL or not. 2.2 just didn't report it or fix it.

Quote:
So it doesn't matter if it's disabled because it has always been open on ASL 2.2?


The vulnerability scanner's job is to give you the truth. If it's reporting a vulnerability, it's real. ASL has some methods to try to help you with this, but it's up to you ultimately to decide if the risk is acceptable.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Horde webmail plesk 10.2
Posted: Wed Jul 20, 2011 4:56 pm
Forum Regular

Joined: Thu May 07, 2009 12:46 pm
Posts: 285
So the best way for me is step 3)

Do you have an example for that?

Thanks in advance


Post subject: Re: Horde webmail plesk 10.2
Posted: Mon Jul 25, 2011 8:20 am
Forum Regular

Joined: Thu May 07, 2009 12:46 pm
Posts: 285
So no one knows the best way to secure this high risk, because it needs to be open for Horde.
BTW I use APF firewall..



Thanks in advance


Post subject: Re: Horde webmail plesk 10.2
Posted: Mon Jul 25, 2011 1:50 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3609
Location: Chantilly, VA
I can't speak for APF, and not sure if it could do this, but you would want to create iptables rules that limit the output to just those userids that would normally do this. For example, to limit outbound SMTP to just qmail and postfix, you would add rules like these:

Code:
# Allow outbound SMTP only from the mail daemons, root and loopback
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner qmail -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -I OUTPUT -p tcp --dport 25 -d 127.0.0.1 -j ACCEPT
# Create the logging chain before any rule jumps to it
iptables -N LOG_SMTP_OUT
# Everything else on port 25 is logged (rate-limited) and rejected
iptables -A OUTPUT -p tcp --dport 25 -j LOG_SMTP_OUT
iptables -A LOG_SMTP_OUT -m limit --limit 1/second -j LOG --log-level info --log-prefix "Unauth-SMTP " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A LOG_SMTP_OUT -j REJECT

The format of a rule that is limited to a user is:

Code:
iptables -I OUTPUT -p PROTOCOL --dport PORT -m owner --uid-owner USERNAME -j ACCEPT

Where PROTOCOL would probably almost always be "tcp", except maybe in the case of DNS when it would be "udp".

PORT is the outbound port, 25 for SMTP, 80 for HTTP, etc.

and USERNAME is the trusted non-malicious username, such as "qmail".

For other services, you would need to identify the user that would normally and non-maliciously connect outbound, and limit that port to that user.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
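
Added example, not part of the post above and not ASL's own tooling: a shell function that generalizes the per-user rule format from the post to any port and allowlist of users. It only prints the iptables commands for review; the function name egress_allowlist, the LOG_OUT_* chain name and the use of --log-uid are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables
# commands that limit one outbound port to an allowlist of local users.
# egress_allowlist and the LOG_OUT_* chain name are hypothetical names.
# Usage: egress_allowlist PROTO PORT USER [USER...]
egress_allowlist() {
    if [ $# -lt 3 ]; then
        echo "usage: egress_allowlist PROTO PORT USER [USER...]" >&2
        return 2
    fi
    proto=$1 port=$2
    shift 2
    case $proto in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 2
    fi
    # Validate every user name before printing anything, so a bad
    # argument never yields a half-finished ruleset.
    for user in "$@"; do
        case $user in
            ''|*[!A-Za-z0-9_.-]*) echo "bad user: $user" >&2; return 2 ;;
        esac
    done
    chain="LOG_OUT_${proto}_${port}"
    # The user-defined chain has to exist before a rule can jump to it.
    echo "iptables -N $chain"
    # --log-uid records the UID of the local process that sent the packet.
    echo "iptables -A $chain -m limit --limit 1/second -j LOG --log-level info --log-prefix \"Unauth-$port \" --log-uid"
    echo "iptables -A $chain -j REJECT"
    # Catch-all is appended; the ACCEPT rules below are inserted above it.
    echo "iptables -A OUTPUT -p $proto --dport $port -j $chain"
    # Loopback stays open, e.g. for webmail talking to a local mail daemon.
    echo "iptables -I OUTPUT -p $proto --dport $port -d 127.0.0.1 -j ACCEPT"
    for user in "$@"; do
        echo "iptables -I OUTPUT -p $proto --dport $port -m owner --uid-owner $user -j ACCEPT"
    done
}
```

Running `egress_allowlist tcp 25 qmail postfix root` prints a ruleset equivalent to the SMTP policy in the post; review the output before piping it to sh as root.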

