RESPONSE: Security warning: site scanning (solution included)

From: Lamont Granquist <lamontg_at_raven.genome.washington.edu>
Date: Tue, 19 Jan 1999 11:03:24 -0800

Sorry for the discussion, but I thought I should comment on this...

On Mon, 18 Jan 1999, Arrigo Triulzi wrote:
> There is a new wave of site scanning going around, this time it starts
> nice and unobtrusive using telnet connections. The idea is to grab the
> banners, quick Perl on them to determine the host type and then use a
> suitable attack for the target.

You should be aware that newer scanning programs do not use banners to
figure out what system you are using. The latest programs (nmap, queso)
use TCP/IP stack fingerprinting to figure out what kind of system you are
running, which Digital Unix administrators without kernel source code are
going to be powerless to attempt to thwart. nmap is available at
http://www.insecure.org/nmap -- it has not yet been ported to Digital
Unix, since I get kernel panics every time I attempt to write a RAW packet
under Digital Unix (if anyone knows how to do this under Digital Unix and
would like to help, drop me some e-mail and I'll port nmap).

> Fortunately Digital UNIX is not very popular as a target,
> prob. because there aren't as many out there as there are Suns,
> etc. Still, this is a bit of a disadvantage because people on BUGTRAQ
> (http://geek-girl.com/bugtraq) don't really examine it as much.

Another difficulty with hacking Digital Unix is that there is no
publicly available shellcode for buffer overflow attempts. Expect this
to change.
 
> What I suggest to thwart this site-scanning is quite simple:
>
> o /etc/issue[.net] modify so that it doesn't give any user
> id. If you want to be smart write a different operating system
> name in the banner[1].
> o Use TCP/Wrappers and secure your machine in the first place
> against more than just telnet. Then use the "banners facility"
> as above.

Modifying your banners is pretty useless. Instead spend the time to
secure your system properly. I would suggest in addition to TCP wrappers:

1. turn off all the TCP services that you don't use:
   A. delete everything from inetd.conf that you don't use
   B. remove startup files from /sbin/rc{0,2,3}.d that you don't use
   C. look at 'ps xa' and kill daemons that shouldn't be running.
      (and try to find which startup file they come from)
2. use rpcinfo -p localhost to figure out which RPC services that you
   are running (you may need to reboot first if you've done step 1 in
   order to get a current list) and then go track down and kill
   anything which you don't use.
3. use showmount -e localhost to check what you are NFS exporting
5. wrap your portmapper against libwrap (check Wietse Venema's site for
   the sources for portmap_4 and tcp_wrappers).
5. scan your system with nmap or strobe or some other suitable scanner and
   again look for running services that you missed.

(does anyone know if there is a publicly available packet filter like
ipf, ipfilt or ipfwadm for Digital Unix?)

6. install ssh
7. develop a site security policy concerning which machines can connect
   using which protocols (telnet, rlogin, ftp, ssh). use tcp_wrappers
   to limit access to telnet/rlogin/ftp and use /etc/sshd_config to limit
   access to ssh.

8. patch your system so that if someone does get in then gaining root
   access is more difficult
9. audit your suid files -- use something like:
            'find / -xdev \( -perm -4000 -o -perm -2000 \)'
   look for files like "sendmail.old" which should be deleted.
   turn off suid bits for programs that you don't use.
10. strongly consider turning off CDE and removing the suid bits off of
    all the files under /usr/dt/bin -- CDE currently is a security hole
11. consider wrapping your suid programs to protect them against
    buffer overflows.

12. run programs like COPS or Tiger over your system to help track down
    all the detailed problems like wildcards in /etc/hosts.equiv and
    permission problems on important directories and files.

13. install tripwire or something similar to both notify you if you've
    been hacked and to help on post mortems on systems that have been
    hacked into.

Changing your banners is pretty useless if I can just do a "rpcinfo -p
<your host>" and look for service 1342177279 and skillfully deduce that
you are probably running Digital Unix 4.0. And if I've got nmap or queso
on hand there is basically no way that you can hide your OS version from
me.

> Note that unpatched older versions of DU are vulnerable to attacks to
> bind, for example.

And probably to ttdbserverd and to statd. Also note that if you've
installed yourself one of the exploitable versions of bind, you will not
be protected by installing the DU security patches -- you'll need to get
the newer bind sources and install them.

-- 
Lamont Granquist                       lamontg_at_raven.genome.washington.edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg_at_raven.genome.washington.edu | pgp -fka
Received on Tue Jan 19 1999 - 19:04:14 NZDT
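As an added example, not part of the original post and not Lamont's or the list's own tooling, the POSIX sh script below automates three of the checklist steps from the message (1A: services still enabled in inetd.conf, 2: RPC programs registered with the portmapper, 9: setuid/setgid files) and runs them against constructed sample data so it can be tried offline. The function names, the sample inetd.conf, the saved rpcinfo output and the file names under the scratch directory are all assumptions made for illustration; on a real host you would point the functions at /etc/inetd.conf, at the output of `rpcinfo -p localhost`, and at /.

```shell
#!/bin/sh
# Added example (not from the original post): small audit helpers for
# steps 1A, 2 and 9 of the hardening checklist, exercised on constructed data.

# Step 1A: print the service names that are still enabled in an inetd.conf
# style file, i.e. lines that are neither blank nor commented out.
enabled_inetd_services() {
    # $1 = path to an inetd.conf file
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Step 2: print the distinct RPC program names from saved "rpcinfo -p" output.
# The first line is a header; the program name is the 5th column when present.
rpc_program_names() {
    # $1 = file holding the output of: rpcinfo -p localhost
    awk 'NR > 1 && NF >= 5 { print $5 }' "$1" | sort -u
}

# Step 9: list setuid/setgid files below a directory without crossing
# filesystems, using the find expression from the post plus -type f so that
# setgid directories (common and harmless) do not clutter the report.
suid_files() {
    # $1 = directory to audit (the post uses /)
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f | sort
}

# --- constructed sample data so the script runs stand-alone (assumption) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# constructed inetd.conf: only ftp and telnet are still enabled
ftp     stream tcp nowait root /usr/sbin/ftpd    ftpd
telnet  stream tcp nowait root /usr/sbin/telnetd telnetd
#shell  stream tcp nowait root /usr/sbin/rshd    rshd
#login  stream tcp nowait root /usr/sbin/rlogind rlogind
#finger stream tcp nowait root /usr/sbin/fingerd fingerd
EOF

# constructed "rpcinfo -p localhost" output (assumption)
cat > "$SAMPLE_DIR/rpcinfo.txt" <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1023  mountd
    100003    2   udp   2049  nfs
    100024    1   udp   1026  status
EOF

# constructed binaries: a leftover setuid sendmail.old, a setgid wall,
# and an ordinary file that must not be reported
mkdir -p "$SAMPLE_DIR/bin"
: > "$SAMPLE_DIR/bin/sendmail.old"; chmod 4755 "$SAMPLE_DIR/bin/sendmail.old"
: > "$SAMPLE_DIR/bin/wall";         chmod 2755 "$SAMPLE_DIR/bin/wall"
: > "$SAMPLE_DIR/bin/ordinary";     chmod 0755 "$SAMPLE_DIR/bin/ordinary"

echo "== inetd services still enabled (step 1A) =="
enabled_inetd_services "$SAMPLE_DIR/inetd.conf"
echo "== RPC programs registered with the portmapper (step 2) =="
rpc_program_names "$SAMPLE_DIR/rpcinfo.txt"
echo "== setuid/setgid files (step 9) =="
suid_files "$SAMPLE_DIR/bin"
```

Run on the sample data it reports ftp and telnet as the only inetd services, mountd, nfs, portmapper and status as registered RPC programs, and sendmail.old and wall as the privileged files; each of the three lists is what the corresponding checklist step tells you to go through by hand and prune.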
