Need some help with security issues
Hi all, I'm hoping you can give me some guidance on how to adjust, modify, or tweak Subsonic to be more secure.
Here's the scenario. My Subsonic server has recently been moved to work, both to get it off my home PC, and to let some folks at work use it, as radio reception inside metal buildings (read: Faraday cages) is extremely limited.
The problem comes with an external security scan that happened to fall on the same evening that I got the Subsonic server running. It identified several "failing" vulnerabilities that are related to Subsonic. Basically, the scan probes every port available on our public IP, and reports back when something answers. If it does answer, it also checks to see if any "weaknesses" are exposed.
Here is one of the results from the latest scan:
Web Server HTTP Header Internal IP Disclosure Web Services :: Nessus ID 110759 Port TCP:8442 Risk 3
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server.
Information from Target: When processing the following request : GET / HTTP/1.0
this web server leaks the following private IP address :
10.0.0.184
as found in the following collection of HTTP headers :
HTTP/1.1 302 Found\r
Content-Length: 0\r
Location: https://10.0.0.184:8443/\r
Server: Jetty(6.1.x)\r
\r
The same issue occurs with port :8443.
8442 is my Subsonic installation's "standard" HTTP port and 8443 is HTTPS; I used these because 80 and 443 were already being used by other servers at work.
I personally couldn't care less that it's exposing an internal IP. Since that IP range is not routable, I don't see how it could be used to compromise the network, but the folks doing the scan have the last word. It's a failure to them, so it needs to be corrected. (To me, if they are able to use non-routable, private IPs in an attack, they're already inside, so it makes no difference.)
The other "failures" involve cipher strength: on :8443, the issue is that it will accept ciphers of less than 112-bit strength; again, this is considered a failure.
So, my question, at last, is: are the above "failures" correctable, and how would one go about correcting them?
Subsonic environmental info:
Version 4.6 (build 2583) – December 6, 2011
Server jetty-6.1.x, java 1.6.0_29, Windows 7 (53.9 MB / 175.4 MB)
Running on an old storage server now running Win7 Ultimate x64, Xeon, 4TB storage, 1GB memory.
Edited to correct a misstatement about which errors occurred on which port.
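As an added example (not part of the original post, and not Subsonic or Jetty code), here is a small check for the exact condition the Nessus finding above reports: it parses the captured response headers and flags any non-public IPv4 address in any header, not only Location. The "fixed" response, the hostname music.example.com and the check itself are constructed for illustration.

```python
import ipaddress
import re

# Constructed copies of the response the scanner quoted in the post above
# (\r\n line endings as the scanner saw them) and of a redirect that names the
# public hostname instead of the NAT-side address.
LEAKING_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Length: 0\r\n"
    "Location: https://10.0.0.184:8443/\r\n"
    "Server: Jetty(6.1.x)\r\n\r\n"
)
FIXED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Length: 0\r\n"
    "Location: https://music.example.com:8443/\r\n"
    "Server: Jetty(6.1.x)\r\n\r\n"
)

# Dotted-quad candidates; the bounds stop a match inside a longer digit run.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_headers(raw):
    """Return (name, value) pairs for the headers of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_private_ips(raw):
    """Return (header name, address) for every non-public IPv4 address found in
    any header, which is the condition the scanner reports as a disclosure."""
    findings = []
    for name, value in parse_headers(raw):
        for candidate in IPV4_RE.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if not addr.is_global:
                findings.append((name, candidate))
    return findings
```

Running find_private_ips over a real response (captured with curl -i, for instance) after a configuration change tells you whether the finding would still fire before the next external scan.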