
All times are UTC - 6 hours





PostPosted: Sun Nov 27, 2005 12:36 am 
Offline
Joined: Sun Oct 09, 2005 6:31 pm
Posts: 52
Hi,

Running knoppmyth R5A16

mysql is listening on tcp

so is samba and ssh

mysql, samba, ssh, apache/mythweb, & mythbackend are all ignored by firewall (guarddog) but all other ports are filtered

Ran Nessus daemon (http://www.nessus.org) scan on the mythtv box to check for vulnerabilities. Results are here (plz click the link at the bottom of the index page):

http://www.ph.utexas.edu/~daneel/mythtv ... 1126_2331/
http://www.ph.utexas.edu/~daneel/mythtv ... index.html


Among them is the warning that the version of mysql is too old and has buffer overflow vulnerabilities & other weaknesses and I should upgrade, but I didn't suppose that is doable w/out breaking mythtv.

I noticed that certain anonymous samba logins are enabled. I tried to disable the guest account in smb.conf (deleted that line) but nessus continued to show the ability to access null/guest accounts.


Nessus says apache server has some debugging options enabled that are potentially dangerous. I tried to set debugging features to "Off" in apache.conf but no change.

Nessus says ~/public_html access is enabled. I managed to fix that in apache.conf


I'm not too worried about the server information broadcasts it keeps nagging about.

After I did all of the above, my nessus scan results are :
http://www.ph.utexas.edu/~daneel/mythtv ... 1127_0020/
http://www.ph.utexas.edu/~daneel/mythtv ... index.html


So if a kind soul could advise me on how to disable that pesky TRACK/TRACE thingie in apache I'd be mighty grateful. Also, any other advice regarding these security holes is greatly invited.

_________________
My knoppmyth system:
P-III 850 MHz
256 Mb RAM
Hauppauge PVR-350 connected to tv via tv-out
Hauppauge PVR-150 in another PCI slot
using ivtv version 0.8.2 in Knoppmyth R5E50
PVR is both frontend and backend


PostPosted: Sun Nov 27, 2005 4:01 am 
Offline
Joined: Fri May 21, 2004 11:55 pm
Posts: 1206
Location: Silicon Valley, CA
Your best approach is to put it behind a super secure firewall. Never connect a Myth box to the open internet. Personally, I like m0n0wall -- it's an excellent open-source firewall built on top of FreeBSD and tailored for single-board computers. You can either open an arbitrary port and forward it to port 80 of your Myth box, or you can use SSH and port forwarding. Here's the URL for m0n0wall: http://m0n0.ch/wall/index.php

_________________
Do you code to live, or live to code?
Search LinHES forum through Google


PostPosted: Sun Nov 27, 2005 8:35 am 
Offline
Joined: Sun Nov 06, 2005 4:34 pm
Posts: 35
I always find these kinds of things to be interesting discussions. Putting an insecure machine behind a firewall doesn't make it more secure, it just makes it a little harder to get to. Philosophically I believe machines should be secured in a way that they can be put on an open network and not get owned in 5 minutes. It would be nice if, moving forward, MythTV (note I mean MythTV here generally, not KnoppMyth specifically, as it's kind of stuck with whatever MythTV is using) used more up to date software to avoid common problems and had a default configuration that was secure to begin with. As MythTV moves from geekdom to mainstream those kind of steps will help folks who are novices a great deal.


PostPosted: Sun Nov 27, 2005 9:57 am 
Offline
Joined: Sun Oct 09, 2005 6:31 pm
Posts: 52
Liv2Cod wrote:
Your best approach is to put it behind a super secure firewall. Never connect a Myth box to the open internet. Personally, I like m0n0wall -- it's an excellent open-source firewall built on top of FreeBSD and tailored for single-board computers. You can either open an arbitrary port and forward it to port 80 of your Myth box, or you can use SSH and port forwarding. Here's the URL for m0n0wall: http://m0n0.ch/wall/index.php


Well the box is already behind a canned NATted router. I might try loading openWRT into it to make it more secure. My point is that it still doesn't make the mythtv box secure enough to even partially expose to WAN, and I may want to do that in the future someday. Also, if a LAN machine is compromised, like my roommate's windows PC, then it could expose the mythtv box to script attacks from his zombied windows box.

How can I turn off the debugging thingie in apache? Is it possible to harden samba further and disallow the null sessions?

_________________
My knoppmyth system:
P-III 850 MHz
256 Mb RAM
Hauppauge PVR-350 connected to tv via tv-out
Hauppauge PVR-150 in another PCI slot
using ivtv version 0.8.2 in Knoppmyth R5E50
PVR is both frontend and backend
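
The two questions in the post above (TRACE/TRACK in Apache, null sessions in Samba) both come down to defaults that stay active when no directive is present. The following is an added example, not part of the original thread or of KnoppMyth: a small auditor that reports the effective settings and the directive that changes each one. The sample configs are constructed, and the TRACE check is simplified (a complete mod_rewrite block also needs `RewriteEngine On` and `RewriteRule .* - [F]`).

```python
import re
# Samba built-in defaults: a line deleted from smb.conf reverts to these,
# so removing "guest account" still leaves guest mapped to "nobody".
SMB_DEFAULTS = {"restrict anonymous": "0", "map to guest": "never",
                "guest account": "nobody"}

def parse_smb(text):
    """Return {section: {key: value}}, lower-cased, comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            section = head.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = val.strip().lower()
    return conf

def audit_samba(text):
    conf = parse_smb(text)
    eff, out = {**SMB_DEFAULTS, **conf.get("global", {})}, []
    if eff["restrict anonymous"] != "2":
        out.append("null sessions allowed: set 'restrict anonymous = 2' in [global]")
    if eff["map to guest"] != "never":
        out.append("bad logins mapped to guest: set 'map to guest = Never'")
    for name, keys in conf.items():  # "public" is a synonym for "guest ok"
        if name != "global" and {keys.get("guest ok"), keys.get("public")} & {"yes", "true", "1"}:
            out.append(f"share [{name}] allows guest: set 'guest ok = no'")
    return out

def audit_apache(text):
    """TRACE stays on unless 'TraceEnable off' (Apache 1.3.34 / 2.0.55 and
    later) or a mod_rewrite condition rejecting TRACE|TRACK is present."""
    lines = [l.strip() for l in text.splitlines() if not l.lstrip().startswith("#")]
    ok = re.compile(r"TraceEnable\s+off$|RewriteCond\s+%\{REQUEST_METHOD\}\s+\^\(TRACE\|TRACK\)", re.I)
    if any(ok.match(l) for l in lines):
        return []
    return ["TRACE enabled: add 'TraceEnable off' (server or vhost level)"]

# Constructed sample configs, not taken from the poster's machine.
SMB_BEFORE = "[global]\nsecurity = user\n\n[myth]\npath = /myth\nguest ok = yes\n"
SMB_AFTER = ("[global]\nsecurity = user\nrestrict anonymous = 2\n"
             "map to guest = Never\n\n[myth]\npath = /myth\nguest ok = no\n")
APACHE_BEFORE = "ServerName mythtv\n"
APACHE_AFTER = "ServerName mythtv\nTraceEnable off\n"
```

Both daemons read their configuration at startup, so restart Samba and Apache after editing and before re-running the scan.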


PostPosted: Sun Nov 27, 2005 12:54 pm 
Offline
Joined: Fri May 21, 2004 11:55 pm
Posts: 1206
Location: Silicon Valley, CA
pkscout wrote:
As MythTV moves from geekdom to mainstream those kind of steps will help folks who are novices a great deal.

It's a Linux box. It will NEVER move from "geekdom to mainstream." KnoppMyth makes it more of a settop box environment, but the changes needed to "harden" it for security on a WAN make it MORE difficult to use for novices. Cecil has enough problems with folks who can't deal with the standard insecure mythtv logon.

And I *do* feel that putting the machine behind a firewall makes it more secure -- if you define secure as the likelihood of an attack from the WAN against your Myth box being successful. If you want Samba to be "secure" then TURN IT OFF. That's about the only way to make it truly secure. Don't want to turn it off? Then you're making compromises for functionality at the expense of security. Welcome to the real world.

_________________
Do you code to live, or live to code?
Search LinHES forum through Google


PostPosted: Sun Nov 27, 2005 3:52 pm 
Offline
Joined: Mon Oct 06, 2003 10:38 am
Posts: 4978
Location: Nashville, TN
actually unless things have changed in the last few releases samba is turned off by default, as a matter of fact the only thing open by default is mythweb and ssh, Granted apache may need some updating and possibly some security tweaking, but at least in the latest releases we added a password which it never had before. Some of the packages probably do need upgrading. I would like to see sometime in the not too distant future to move back to debian unstable now that the big problems seem to be worked out, which would get us updated mysql, possibly apache, and IMO the biggest reason it would get us xorg.

_________________
Have a question search the forum and have a look at the KnoppMythWiki.

Xsecrets

