
Nessus scan, medium-severity findings

    28 February 2015 at 20:22:15

    Hello, I would like some help regarding my dedicated server.

    I have just run a scan of my dedicated server locally with Nessus 6.

    It finds 4 medium-severity flaws and 2 low ones.

    The thing is, I really don't know how to fix them. Here are the details of each flaw:

    DNS Server Cache Snooping Remote Information Disclosure

    Description

    The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. 

    This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. 

    For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

    Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

    Solution

    Contact the vendor of the DNS software for a fix.

    DNS Server Zone Transfer Information Disclosure (AXFR)

    Description

    The remote name server allows DNS zone transfers to be performed. 

    A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming convention that can give hints as to a server's primary application (for instance, proxy.example.com, payroll.example.com, b2b.example.com, etc.).

    As such, this information is of great use to an attacker, who may use it to gain information about the topology of the network and spot new targets.

    Solution

    Limit DNS zone transfers to only the servers that need the information.

    SSL Certificate Cannot Be Trusted

    Description

    The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. 

    First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. 

    Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. 

    Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize. 

    If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

    Solution

    Purchase or generate a proper certificate for this service.

    SSL Certificate with Wrong Hostname

    Description

    The commonName (CN) of the SSL certificate presented on this service is for a different machine.

    Solution

    Purchase or generate a proper certificate for this service.

    SSH Server CBC Mode Ciphers Enabled

    Description

    The commonName (CN) of the SSL certificate presented on this service is for a different machine.

    Solution

    Purchase or generate a proper certificate for this service.

    SSH Weak MAC Algorithms Enabled

    Description

    The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. 

    Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

    Solution

    Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

    There you go. So I'm not asking you to fix them for me, just to shed some light on the matter, and to know whether this can harm the security of my dedicated server.

    Thanks.
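Two offline checks of the configuration files that usually sit behind these findings, added here as an example and not part of the original post. It assumes OpenSSH (sshd_config) for the two SSH findings and BIND (named.conf) for the two DNS findings; both sample configurations are constructed.

```python
import re

# Constructed sample sshd_config (OpenSSH assumed) showing what the two SSH findings flag.
WEAK_SSHD_CONFIG = """\
Port 22
Ciphers aes128-cbc,3des-cbc,aes256-ctr,aes128-ctr
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
"""

# Constructed sample named.conf options block (BIND assumed) behind the two DNS findings.
WEAK_NAMED_CONF = """\
options {
    recursion yes;
    allow-transfer { any; };
};
"""

def _csv(config, keyword):
    """Comma-separated value of an sshd_config keyword (case-insensitive, last one wins)."""
    values = []
    for line in config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword:
            values = [v.strip() for v in parts[1].split(",") if v.strip()]
    return values

def audit_sshd(config):
    """List CBC ciphers and MD5/96-bit MACs, and build replacement lines without them."""
    ciphers, macs = _csv(config, "ciphers"), _csv(config, "macs")
    cbc = [c for c in ciphers if "-cbc" in c]
    weak = [m for m in macs if "md5" in m or "-96" in m]
    # If nothing non-CBC remains, fall back to OpenSSH CTR/GCM ciphers as the Nessus solution suggests.
    kept = [c for c in ciphers if c not in cbc] or ["aes256-gcm@openssh.com", "aes256-ctr"]
    return {"cbc_ciphers": cbc, "weak_macs": weak,
            "ciphers_line": "Ciphers " + ",".join(kept),
            "macs_line": "MACs " + ",".join(m for m in macs if m not in weak)}

def _directive(config, name):
    """Value of a BIND directive such as 'recursion yes;' or 'allow-transfer { any; };'."""
    m = re.search(rf"(?<![\w-]){name}\s+([^;]+);", config)
    return m.group(1).strip() if m else None

def audit_named_options(config):
    """Flag unrestricted recursion (cache snooping) and unrestricted AXFR (zone transfer)."""
    recursion = _directive(config, "recursion")      # absent means 'yes' in BIND
    transfer = _directive(config, "allow-transfer")  # absent means 'any' in BIND
    return {"open_recursion": recursion != "no" and _directive(config, "allow-recursion") is None,
            "open_axfr": transfer is None or "any" in transfer}
```

Run it against your own files (`/etc/ssh/sshd_config`, `/etc/bind/named.conf.options` on Debian-style layouts) and rescan with Nessus to confirm the medium findings disappear.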
