A security company says my server is vulnerable, what can I do?
Network, server, and application security is gaining importance and visibility for several reasons, including the wider adoption of industry security standards, and the continuing growth of electronic commerce. We are aware of this importance and take numerous measures to enhance security of our infrastructure.
While remote security scans can identify problems, our experience is that they also produce numerous false reports, which has led to the publication of our policy on vulnerability scanning.
Our Scan-Related Support:
- Managed Servers: If a security company tells you that there are vulnerabilities on your Modwest managed server, please forward the complete report and we will assist you however we can.
- Self-managed VPS: Please consult the documentation for your selected Linux distribution (Debian, Fedora, CentOS, or Ubuntu), and Parallels support resources (Knowledge Base, Forums) for information on making any changes needed.
- Shared System (and Resellers): If a security scan produces an alert associated with server software (such as PHP), and you have been a customer since before May 2009, you should consider requesting an upgrade to our new hosting environment. Updates are no longer available for the old environment.
If you are already hosted in the new environment, please read below for information on interpreting scan results.
Notice to Security Vendors:
If you have produced a comprehensive report for a customer we share, and there are items which you require to be resolved for the customer to "pass" your scan, then please send a concise email to support@modwest.com (with our mutual customer CC'd), containing the following:
- The company or organization name that has hired you to scan their site
- The domain name of the website scanned
- Your company and contact information
- A concise list of the items that must be resolved for compliance, including the IP address of the host being scanned and each individual issue identified by its CVE ID.
Interpreting Scan Results:
Our experience is that security scans always produce "false positives"; that is, they report vulnerabilities which do not in fact exist. Some of the more common errors we've seen:
Web Application Installations: Some scans will conclude that a certain software package is installed in your website, such as Joomla, or Kayako eSupport, or PHproxy. If the report is correct and you or your webmaster have installed the software mentioned, you should contact the vendor or follow the recommended upgrade procedures. On the other hand, if the software does not exist anywhere in your site, then you should notify the security company that their scan produced a false positive.
Specific Vulnerability Reports: Many scan reports will include a "CVE #" along with each claimed vulnerability. Common false positives we've seen include:
- CVE-2004-2320: This vulnerability exists in the BEA Weblogic server. We do not use that software at Modwest, and so a report that this vulnerability exists at Modwest is a false positive. The TRACE/TRACK HTTP methods are not vulnerabilities per se.
- CVE-2006-3747: This bug in Apache's mod_rewrite module is only exploitable if Apache's LDAP module is also enabled. The LDAP module is not available on the Modwest shared system, and so a report of this vulnerability is meaningless and may be considered a false positive.
If you have further questions about a security company's scan results after reviewing the above, please feel free to contact us.