Server security flaw with root email



perholmes
02-09-2008, 02:27 PM
Hello,

I just had the most unproductive chat with your support, but there is a significant design flaw in your VDSs, which will ultimately lead to a server breach somewhere.

Basically, you have created an email account called 'servername', which has the password 'serverpassword', and this email account receives all error messages, email delivery failures, crontab problems, whatever. This is an important email account for an admin, as it is the only way to be notified about failures on the server, including attack attempts.

HOWEVER, this is not a *real* email account in the Site Manager, this is a system generated account, and you can not change the password, which is fixed to be a copy of the Site Manager password.

So in other words, if you ever attempt to download this email via POP3, you will be blasting your server credentials out over an unencrypted link for everyone to see. This will give anyone with a packet sniffer immediate access to your Site Manager, root login via SSH, you name it.

There's no way to circumvent this, other than always, ALWAYS having PuTTY running, and using it as some sort of SSH proxy to tunnel the POP3 request through there. Or to use webmail under SSL. You cannot use POP3 under SSL; it doesn't work.

So in other words, an administrator CANNOT, EVER, download the email in the administrator inbox without blasting the server credentials out through cyberspace.

I think this is very frustrating, because these errors have the most value if you get them when they happen, right into your Outlook, not 14 days later when you remember to check your webmail.

I think that this design is absolutely idiotic. It is currently not possible to access the system email box with admin errors unless you want to give away your credentials. At the very least, let the admin decide which account errors are delivered to, not force it to be an account that is doomed to have the same credentials as the server.

We process credit cards, a very large amount every year. It would be ILLEGAL for us to give out our server credentials by transmitting them via an insecure link; we would immediately and severely fail PCI compliance, and be 100% liable for any subsequent identity theft. It's that serious, it could shut us down at the snap of a finger.

We therefore cannot, EVER, download this admin email. Great!

Per

wildjokerdesign
02-10-2008, 08:15 AM
I do believe you are wrong, Per. While there is a default email account that is created and does not show up in your Site Manager, you can deactivate it. Also, I have never seen any messages sent to that email account that divulge any server information that is that critical or sensitive to the security of your account. The password can easily be changed by changing your main account password.

perholmes
02-10-2008, 11:25 AM
Sir,

In a POP3 login, the username and password are sent in CLEAR TEXT. Inside the datastream, the following text appears on a port 110 connection: user: <servername>\r\npass:<serverpassword>. In ASCII.

It doesn't take a genius with a packet sniffer to figure out that this is a login, and while all POP3 mailbox logins are unencrypted and can be hijacked with a packet sniffer this way, a determined hacker would go the extra step of finding out if any of these logins are also server logins. Try SSH... yep, you're in. Try Server Manager, yep, you're in. It's that simple, and your server is effectively not yours anymore.

The contents of the emails themselves are irrelevant. The LOGIN is being sent unencrypted, and your server login credentials should NEVER, EVER, EVER be floating over an unencrypted link, even out of context. Changing the password makes no difference, because then you're just sending the NEW password unencrypted on port 110. This, along with unencrypted FTP with root access, is a routine way of hijacking servers.

WestHost must obviously never have intended for anyone to empty this account. At least not through a mail client. It can only safely be accessed through HTTPS webmail, or through an SSH tunnel with PuTTY running in the background. Under no circumstance should anybody log into this email account with their email client, because it will reveal the server credentials. Period.

For anyone who processes credit cards, this is a security breach, and since I'm aware of it, I am now complicit in identity theft if our server is compromised this way. Since WestHost knows about it, WestHost is now also exposed to liability if users follow the intended use of logging into their email accounts.

But it sucks, because several of our subdomains insist on dropping their logs there, including a very interesting email that shows a routine automated dictionary attack via SSH, which I'd like to keep tabs on. I'll just have to log in through webmail all the time.

WestHost should be sending a warning to their customers, as downloading email from this account with the only password that WestHost allows you to download with, entails a security risk. A very significant one, possibly resulting in a completely compromised server.

There are no two ways about it.

Best,

Per
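
The exposure described in the post above, shown concretely as an added example (this is not code from the thread or from WestHost; the session bytes are constructed, and example.com plus the password in them are placeholders). A passive observer on the path reassembles the client side of a port 110 session and reads the USER/PASS pair straight out of it; the same parser also recovers a SASL PLAIN login, which is base64, not encryption. Only a session that negotiates STLS before authenticating leaves the observer with nothing:

```python
"""What a passive sniffer recovers from a POP3 login on port 110.

Added example for this thread: the three client->server streams below are
constructed, not captured from any real host."""
import base64
from typing import Optional, Tuple

# Classic USER/PASS login. The main VDS account name is the domain name,
# and its password is the Site Manager password, so this is what leaks.
CLEARTEXT_SESSION = (
    b"USER example.com\r\n"
    b"PASS CorrectHorseBatteryStaple\r\n"
    b"STAT\r\n"
    b"QUIT\r\n"
)

# SASL PLAIN (RFC 5034 / RFC 4616): one base64 blob "\0user\0password".
# Base64 is an encoding, so this is just as readable to a sniffer.
AUTH_PLAIN_SESSION = (
    b"AUTH PLAIN\r\n"
    + base64.b64encode(b"\0example.com\0CorrectHorseBatteryStaple")
    + b"\r\nQUIT\r\n"
)

# Same client, but it issued STLS (RFC 2595) first. Everything after the
# server's +OK is a TLS record; the trailing bytes are a truncated ClientHello.
STLS_SESSION = (
    b"CAPA\r\n"
    b"STLS\r\n"
    b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"
)


def _decode_sasl_plain(blob: bytes) -> Optional[Tuple[str, str]]:
    """Decode a PLAIN initial response: base64("authzid\\0authcid\\0passwd")."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def sniff_pop3_credentials(client_stream: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the client stream carries them in the clear.

    Walks the client's command lines the way an on-path observer would.
    Parsing stops at STLS because, assuming the server accepted it, the rest
    of the session is inside TLS. A client configured to fall back to
    cleartext after a -ERR to STLS would still leak; require TLS in the client.
    """
    user = password = None
    expect_plain_blob = False
    pos = 0
    while True:
        end = client_stream.find(b"\r\n", pos)
        if end == -1:
            return None
        line = client_stream[pos:end]
        pos = end + 2
        if expect_plain_blob:
            return _decode_sasl_plain(line)
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            return None  # binary data (a TLS record), not a POP3 command
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "STLS":
            return None
        if cmd == "USER":
            user = arg
        elif cmd == "PASS":
            password = arg  # partition() keeps spaces inside the password
        elif cmd == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN":
                if initial:  # initial response sent on the same line
                    return _decode_sasl_plain(initial.encode("ascii"))
                expect_plain_blob = True
        if user is not None and password is not None:
            return user, password


if __name__ == "__main__":
    for name, stream in [("USER/PASS", CLEARTEXT_SESSION),
                         ("AUTH PLAIN", AUTH_PLAIN_SESSION),
                         ("STLS", STLS_SESSION)]:
        print(f"{name:10s} -> {sniff_pop3_credentials(stream)}")
```

The parser deliberately treats the two cleartext mechanisms identically: APOP or CRAM-MD5 would at least hide the password itself, but the plain USER/PASS exchange QPopper accepts by default hands the observer exactly the pair that also opens SSH and the Site Manager on these accounts.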

hpham
02-10-2008, 09:38 PM
I access my VDS main account email with pine via SSH. This provides all the security SSH provides, along with a somewhat nice way of accessing what should be a small email box.

If you are getting lots of bounced/rejected emails, then you may want to set up a postmaster address to filter those out. If it doesn't, set up a .forward manually to forward all such emails to a separate account on your VDS.

perholmes
02-10-2008, 09:58 PM
Well, having an SSH session always running in the background is not an option, because it's just too clumsy to always, always, always have an extra application in the taskbar; it will be closed, then Outlook will give errors, etc. I also don't like to have a persistent connection.

I thought about a .forward, but due to an earlier issue where WestHost tech support made some changes to sendmail, the entire VDS was nearly trashed when they ran their package update, MD5s were wrong, etc. We therefore decided that we had to leave these things alone, because they conflict with WestHost's own management of the server. This was a very hard-earned experience. We had days where we couldn't email our customers as WestHost figured out what had happened to the packages. I think it is a strong feature of WestHost that the packages are standardized, but they collapsed after tweaking -- and we weren't even the ones doing the tweaking. So a .forward is a no-go.

Would it be possible to just edit the <serveraccount> pop3 password without changing all server-wide logins? Where does QPopper look for passwords?

And why, why, why make it so complicated? Surely WestHost must have realized when they created this structure that it would be impossible for users to download admin email without extraordinary measures.

Another security issue I've complained about a lot is that all VDS usernames are forced to be the domain name, which means that a hacker who knows even the littlest bit about WestHost only has to guess a password. I think WestHost has faulty thinking when it comes to basic security, because it's NOT a good policy to tell the world that the username is guaranteed to be the domain name. One down, one to go, from a hacker's perspective.

I think that this is security 101, and I find it mysterious that WestHost, which is otherwise a highly competent host, has not thought this through. The public can readily know WAY too much about these servers. In our industry, a lot of people know our website. If they also know that our Site Manager login is GUARANTEED to be our domain name, then all they have to do is try passwords until they find something. For that reason, our passwords are very, very, very long. I don't think this is clear thinking on the part of WestHost, I'm sorry.

Thank you,

Per

allyn
02-10-2008, 10:29 PM
I've been worried about this issue for a long time and have mentioned it several times on this forum.

I don't understand why it wouldn't be possible to forward the default email address to a different address (in the aliases file), but I have not tried it myself.

wildjokerdesign
02-11-2008, 07:36 AM
You do not have to use the default email address set up by West Host at all if you do not want to. I choose this option on many accounts simply because they do tend to pick up some spam after the account has been around for some time.

First make sure that your Postmaster destination points to an email account that you have created and that you check. Then add a command alias for the default account that sends anything to /bin/echo. At one time you could do this via your Site Manager, but I am not sure whether you still can with 3.0. If you edit the file /etc/mail/aliases manually you will need to run newaliases manually via SSH.

trailex
03-20-2008, 08:23 AM
I am having a very difficult time with PCI compliance: two nagging issues that fit this thread well, the plain-text authorization issue and low encryption values if you use the IMAP server provided. The sendmail version, while it should have SSL compatibility (my research found most versions above 8.12 include it), does not. I too find the SSH solution cumbersome with multiple e-mails and employees accessing their e-mail from home offices. Even if I did choose this method, I am still not compliant with the weekly PCI scans required by the scan company my merchant host is using.

I have been working on this since mid-January and have made headway except for the last two issues with sendmail and POP. I changed to IMAP to hopefully at least remove the low-encryption and plain-text issue of port 110, but the version is lacking good encryption. I have been receiving timely assistance, though.

Solutions have not worked. It was suggested I uninstall the IMAP server and build my own Dovecot server. OK, so say I can do that; what about the sendmail issue of plain text on port 25? It seems sendmail has been stripped down for the server.

Correct me if I am wrong, but isn't this a major issue? Am I the only one that has a PCI issue?

Corrado Fiore
03-25-2008, 07:56 AM
There are also other services (PhpMyAdmin, AWstats, file manager, ftp, SpamAssassin config, ...) that share the same login credentials with the root account and use no encryption. I agree that passwords for those services and for VDS account administration should be separate.

Cheers,
Corrado Fiore

dattas
05-07-2008, 09:08 PM
If you don't want to be "blasting" your login credentials, just install IMAP; you can use TLS (which is a very nice form of SSL, much better than SSL in my opinion). I personally like having everything sent there, it makes it easy... If you want to change where you get that type of e-mail from, just change your postmaster alias. (You can change it in the "alias section.")

WestHost - MCox
05-08-2008, 12:33 PM
All,

One way of avoiding the problem stated here, besides using TLS, would be to set up an alias that forwards messages from yourdomain@yourdomain.com to someotheruser@yourdomain.com. This is allowed in the Site Manager and can avoid the problem of "blasting" your main account password in order to access email.
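
Both alias-based fixes in this thread (wildjokerdesign's "send the default account to /bin/echo" and MCox's "forward the main account to an ordinary mailbox") rely on sendmail's aliases(5) expansion, and the only way to know where mail for the main account actually ends up is to follow the chain. The resolver below is an added example, not WestHost's code or the Site Manager's: it parses the aliases file syntax (comments, comma-separated targets, whitespace continuation lines, `|command` pipes, `/path` file targets, backslash-escaped local users) and expands a recipient to its final destinations, refusing loops. The aliases text is constructed, and example.com, admin and alice are placeholders:

```python
"""Resolve sendmail aliases(5) entries to see where mail for the main VDS
account lands before running newaliases.

Added example for this thread; the aliases below are constructed and the
domain, users and mailbox are placeholders, not a real host."""
from typing import Dict, FrozenSet, List

# Option 2 in the thread: forward the main account (username == domain name)
# to an ordinary mailbox with its own password, and route sendmail's own
# notices to a mailbox the admin actually reads.
FORWARD_ALIASES = """\
# sendmail's own notices
postmaster: admin
MAILER-DAEMON: postmaster
# main account -> a mailbox nobody has to POP with the Site Manager password
example.com: admin
admin: alice@example.com,
       \\admin
"""

# Option 1 in the thread: discard mail to the main account outright.
DISCARD_ALIASES = "example.com: |/bin/echo\n"


def _split_targets(rhs: str) -> List[str]:
    return [t.strip() for t in rhs.split(",") if t.strip()]


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: target[, target ...]' lines; '#' comments; a line that
    starts with whitespace continues the previous alias. Names are
    case-insensitive, so they are stored lower-cased."""
    aliases: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current].extend(_split_targets(raw))
            continue
        name, sep, rhs = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {raw!r}")
        current = name.strip().lower()
        aliases[current] = _split_targets(rhs)
    return aliases


def resolve(aliases: Dict[str, List[str]], recipient: str,
            _chain: FrozenSet[str] = frozenset()) -> List[str]:
    """Expand recipient to final destinations, each tagged 'mailbox:',
    'pipe:' or 'file:'. Raises ValueError on an alias loop rather than
    letting sendmail discover it at delivery time."""
    key = recipient.lower()
    if key in _chain:
        raise ValueError(f"alias loop at {recipient!r}")
    if key not in aliases:
        return [f"mailbox:{recipient}"]
    out: List[str] = []
    for target in aliases[key]:
        if target.startswith("|"):
            out.append(f"pipe:{target[1:].strip()}")
        elif target.startswith("/"):
            out.append(f"file:{target}")
        elif target.startswith("\\"):
            # escaped name: deliver to the local user, no further aliasing
            out.append(f"mailbox:{target[1:]}")
        else:
            out.extend(resolve(aliases, target, _chain | {key}))
    return out


def main_account_destinations(aliases_text: str, domain: str) -> List[str]:
    """Where does mail for the main account (named after the domain) go?"""
    return resolve(parse_aliases(aliases_text), domain)


if __name__ == "__main__":
    for label, text in [("forward", FORWARD_ALIASES), ("discard", DISCARD_ALIASES)]:
        print(f"{label}: {main_account_destinations(text, 'example.com')}")
```

After editing /etc/mail/aliases by hand, run newaliases so sendmail rebuilds its database; the Site Manager does that step for you when it manages the alias. One caveat on the pipe variant: sendmail builds that deliver program aliases through smrsh only run commands that are present in smrsh's program directory, so a plain `/dev/null` file target is the safer way to discard if `|/bin/echo` is refused.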

WestHost - MCox
10-14-2008, 03:54 PM
chinchillables,

www.domain.com is just a DNS alias for domain.com. So, there shouldn't be any problem sending mail to admin@www.domain.com.