Hardening the NetSUS appliance

jarednichols
Honored Contributor

Hi-

In having a Foundstone scan done on the NetSUS appliance so that it could be used centrally for internal SUS duty, a few things stuck out. They were mainly around vulnerabilities with SMB. As the instance I was having scanned was only going to be used for SUS, I didn't need SMB turned on, so I turned it off.

Unfortunately smbd is controlled by Upstart, which can be a little hard to understand. Upstart is event driven, rather than run level driven. Here's the beginning of the /etc/init/smbd.conf file:

start on local-filesystem
stop on runlevel [!2345]

Basically, it's going to startup smbd whenever the local filesystem is mounted and stop when the runlevel is not (!) 2,3,4 or 5. Totally not what we want. We want it off, all the time, with the ability to still do a

service smbd start

So instead, we can do this:

start on runlevel [!0123456]

We're basically telling Upstart to begin smbd when the runlevel is NOT 0,1,2,3,4,5 or 6. Which is... NEVER!

Just thought this may help someone as I was scratching my head for about a day trying to configure service runlevels and smbd not paying attention to that config.
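As an added example, not code from the thread: a small POSIX shell script that applies the "never start" stanza to an Upstart job file in place, keeps a backup, and reports the resulting start condition so the edit can be rehearsed on a copy as an unprivileged user before touching /etc/init/smbd.conf as root. The sample job file is constructed to mirror the stanza quoted above; the real file may spread "start on (...)" over several lines, which the script handles.

```shell
#!/bin/sh
# Added example, not from the thread: make an Upstart job never start on
# its own while "service <job> start" still works. It edits the file you
# give it, so rehearse on a copy; on the appliance run it as root against
# /etc/init/smbd.conf.

# never_start_on JOBCONF
# Replaces the job's "start on ..." stanza with a runlevel match that can
# never be true, keeps a .orig backup and leaves the "stop on" stanza alone.
never_start_on() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such job file: $conf" >&2; return 1; }
    # Idempotent: a job that is already disabled is left untouched.
    grep -q '^start on runlevel \[!0123456\]$' "$conf" && return 0
    cp "$conf" "$conf.orig"
    tmp="$conf.tmp.$$"
    # A multi-line "start on (a\n and b)" stanza must be replaced whole,
    # otherwise a dangling continuation line breaks the job file.
    awk '
        cont { if (index($0, ")")) cont = 0; next }
        /^start on / {
            print "start on runlevel [!0123456]"
            if (index($0, "(") && !index($0, ")")) cont = 1
            next
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# start_condition JOBCONF: prints the job's effective "start on" line.
start_condition() {
    grep '^start on ' "$1"
}

# Constructed sample job file mirroring the stanza quoted in the post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
description "SMB/CIFS File Server"
start on local-filesystem
stop on runlevel [!2345]
exec smbd -F
EOF
never_start_on "$demo"
start_condition "$demo"          # start on runlevel [!0123456]
rm -f "$demo" "$demo.orig"
```

On Upstart 1.3 and later (Ubuntu 12.04 "Precise" ships 1.5) the same result is available without editing the job file: `echo manual > /etc/init/smbd.override`.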


jarednichols
Honored Contributor

Ug, and we need that ability to edit JAMF Nation titles... I stink.

nkalister
Valued Contributor

Great tip Jared! I don't need netboot from my appliance, so I'll be turning smb off as well once it's deployed.

jarednichols
Honored Contributor

You'll want to kill NFS as well. That can be done in the usual manner with

update-rc.d nfsd remove

nkalister
Valued Contributor

ok, thanks!

myronjoffe
Contributor III

Any idea how you enable SSH on the appliance?

ClassyLee
New Contributor III

You need to install the ssh client. Run this from the command line:

sudo apt-get install ssh

dag2012
New Contributor

I also had our security team run a scan on the appliance and they weren't too happy. :-)

One of the big things is that they want PHP to be updated to 5.4.0 and Apache HTTPD to be updated to 2.2.22.

I ran apt-get update and upgrade and thought that might solve the problem but it looks like I still need to do some updates. Has anyone had any luck upgrading the distro to 12? Does it break anything? Was thinking this would solve my issues with out of date software. Thanks.

Dan

myronjoffe
Contributor III

I was not able to install the appliance on the latest version of Ubuntu using the preseed command. Quite a few things failed during the install...

jarednichols
Honored Contributor

I did all the available updates before our security scan.

Cem
Valued Contributor

Security scan points out samba and openssh updates. I am thinking of upgrading Lucid to Precise. Anyone tried this with NetSUS Appliance?

jarednichols
Honored Contributor

Point your installer at the seed file JAMF has.

https://github.com/jamf/NetSUS/blob/master/seed/NetSUS.seed

Cem
Valued Contributor
Point your installer at the seed file JAMF has. https://github.com/jamf/NetSUS/blob/master/seed/NetSUS.seed

Appreciate the info. But what does .seed file do? Does it install the Appliance to any Ubuntu Server version? So if I upgrade the Ubuntu v10 (came with the Appliance) to v12 first then do I need to point to NetSUS.seed to reinstall the Appliance?
Also how do I do that, what command to use?
No read me file to explain or I am missing something!

EDIT: I have just seen this:
http://jamfnation.jamfsoftware.com/discussion.html?id=4363