Security Scan Vulnerabilities
Looking for some suggestions to address some security scan results of the dynaTrace server. The "vulnerabilities" that I am looking for help with are listed below. The dynaTrace server and Collector are both running on Windows.
- Port 8020 and 8023.
Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability- A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered. Microsoft IIS web server uses an alias TRACK for this method, and is functionally the same.
- Port 2021 and 6699
SSL Server Supports Weak Encryption Vulnerability.
SSL Certificate - Self-Signed Certificate.
SSL Certificate - Signature Verification Failed Vulnerability
I am submitting this to the forum on behalf of a new customer.
Thank you.
Hi Ryan
Let me forward this to our engineers and I will let you know the feedback.
As for Port 8020 - thats the WebServers Unsecure Connection which can be turned off in the Server-Settings. All ports you mentioned here are configurable through the Server-Settings Dialog - and - most of these services behind these ports can also be enabled/disabled through the Server-Settings Dialog
Keep you posted
Hi Andreas,
This in an interesting case.
Just this week I received a question from a prospect who wanted to know how secure the server, the collector and the data warehouse are.
If the customer choose the “harden” the systems where the above mentioned components run on, what is the bare minimum that needs to be running for dynaTrace to still work? Do you have a list of this?
Hi
I am not sure whether I completely understand your question - but - in order for dynaTrace to work you need
a) a dynaTrace Server that listens for incoming dynaTrace Collector Connections - default SSL Port 6699. Also listening on default port 2021 for incoming dynaTrace Clients
b) a dynaTrace Collector that connects to the dynaTrace Server on port 6699 and that is listening for incoming Agent connections - default port 9998
c) a dynaTrace Client that either connects to the dynaTrace server on port 2021 or through an HTTP Tunnel on default port 8023
For further questions on this I recommend talking to the technical support team. Open a question in the support system. They can help you figure out exactly what the requirements for your prospect are.
Andi
Hi Winston,
even i have a prospect who wants to perform OS hardening on the dynaTrace servers. one of his concerns is that the dynaTrace
servers will be in a service providers datacenter and hence he wants all data within dynaTrace systems to be fully protected.
did you get any reply to this request. if yes, pls forward it to me as well.
rgs
ashok
Thanks Andreas.
Yesterday, in hindsight, I realized that it would have been more appropriate to have opened a support ticket for this topic, versus the discussion forum. So I opened a ticket yesterday afternoon and Markus is helping me.
Thanks.
Just a quick note for anybody interested, for detailed configuration options please contact support:
Port 8020 and 8023.
- Web Server HTTP Trace is disabled starting with dynaTrace 4.1
Port 2021 and 6699
- We disabled a number of weak encryption ciphers in 4.1, some more are addressed as part of the March Monthly Update for dynaTrace 4.1
- The self-signed certificate is just the default certificate that we deliver for communication of dynaTrace Server, Collector and Client. It is possible to replace this with an officially signed one if necessary, please contact support if you need to do that in an installation
Thanks... Dominik.
