Hi Gurus,
Many thanks to the nice people below, some of them fellow physicists and/or
sys administrators who have been through security problems on their boxes and
have given their solidarity:
Dave Wolinski <wolinski_at_umaxp1.physics.lsa.umich.edu>
Paul Scowen <scowen_at_asu.edu>
"Sean O'Connell" <sean_at_stat.Duke.EDU>
Greg Lindahl <lindahl_at_cs.virginia.edu>
"Tri H. Tran" <thtran_at_hydra.acs.uci.edu>
Jon Eidson <J.Eidson_at_TCU.EDU>
Donald Bovee <bovee_at_amath.washington.edu>
Jim Surlow <jsurlow_at_hydra.acs.uci.edu>
"Serguei Patchkovskii" <patchkov_at_ucalgary.ca>
Martin Mokrejs <mmokrejs_at_natur.cuni.cz>
Marko Milivojevic <M.Milivojevic_at_f.bg.ac.yu>
"Thomas M. Payerle" <payerle_at_physics.umd.edu>
Jim Belonis <belonis_at_dirac.phys.washington.edu>
Lamont Granquist <lamontg_at_raven.genome.washington.edu>
"Dixon, Travis" <Travis.Dixon_at_cda.com>
"Andy Almond" <andy_at_almonda.freeserve.co.uk>
Hannu Mallat <hmallat_at_peak3.cs.hut.fi>
Tony Nugent <Tony.Nugent_at_usq.edu.au>
alex_at_yuriev.com (Alexander O. Yuriev)
Michael Burns <burns_m_at_yahoo.com>
Alexei Znamensky <alexei_at_lsi.usp.br>
"Ryan McRonald" <ryanm_at_YorkU.CA>
Steve VanDevender <stevev_at_hexadecimal.uoregon.edu>
Andre Delafontaine <andre.delafontaine_at_echostar.com>
Some of them have expressed their concern with how Linux is becoming
more and more popular and inexperienced people are then turning to
Unix administration without being aware of all the security issues and
all the responsibilities involved in that task. In Paul Scowen's words:
> "We have faced just such a series of attacks on our Linux machines and are
> still in the process of completely reinstalling the OS's on all our
> machines. All Linux users have been told that their systems will not be
> reconnected to the network until they have had ALL the available security
> patches applied. The problem is that a lot of Linux users/owners are not
> very good at administering computers - they install the OS from the CD and
> never apply any of the considerable number of patches now available for
> the various flavours of Linux."
However, in Tony Nugent's opinion Linux should not be blamed; all OSes have
their holes. But he is
> "...trying to convince distributions like RedHat to NOT have inetd daemons
> running by default (but let them be turned on deliberately by someone who
> knows what they are doing)".
I agree with him that this would be a good measure, since I suppose most
hackers will prefer to attack a system they have on their own boxes, easily
at hand for their security-hole experiments. And we know the
consequences of the presence of a badly administered machine on a network.
The attack we suffered on our Linux boxes running RedHat 5.1
and Slackware was diagnosed as having been carried out by gaining root
privileges through exploiting a weakness in mountd (a buffer overflow) and then
installing a sniffer ('lins' probably stands for LINus Sniffer), which
was renamed httpd just to run under an unsuspicious name. The
sniffer then started to record in .fg all ASCII passwords circulating on
our subnet from then on. The mountd vulnerability is a relatively recently
discovered bug (October 1998) and fortunately DU seems not to be affected.
See more details in
ftp://ftp.cert.org/pub/cert_advisories/CA-98.12.mountd
Emergency solutions were firstly to use /etc/hosts.allow and hosts.deny
in order to limit access to local machines only, blocking the known
hacker's machine address. A second suggestion was to disable nfs/mountd
by renaming the link /etc/rc.d/rc3.d/S60nfs to something else.
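To see what a given hosts.allow/hosts.deny pair actually does before relying on it, the script below re-implements the tcp_wrappers decision order (hosts.allow first, then hosts.deny, then allow by default) for a small subset of the rule syntax. This is an added example, not part of the original post or of the tcp_wrappers distribution, and the rule sets, daemon names and addresses in it are constructed.

```shell
#!/bin/sh
# Toy model of the tcp_wrappers access decision: a request is granted if a
# line in hosts.allow matches, denied if a line in hosts.deny matches, and
# granted otherwise. Only a subset of the real syntax is handled: "ALL",
# exact daemon names or IPs, and a trailing-dot network prefix such as
# "192.168.10.". Rule sets below are constructed for this example.
HOSTS_ALLOW='ALL: 127.0.0.1
mountd portmap: 192.168.10.
sshd: ALL'
HOSTS_DENY='ALL: ALL'

# pattern_matches PATTERN VALUE: 0 if the wrapper-style PATTERN covers VALUE
pattern_matches() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # trailing dot = prefix
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# list_matches "pat pat ..." VALUE: 0 if any pattern in the list matches
list_matches() {
  for p in $1; do pattern_matches "$p" "$2" && return 0; done
  return 1
}

# rules_match RULES DAEMON CLIENT_IP: 0 if some "daemons: clients" line
# in RULES covers both the daemon and the client address
rules_match() {
  while IFS=: read -r daemons clients; do
    [ -n "$daemons" ] || continue
    list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
  done <<EOF
$1
EOF
  return 1
}

# access DAEMON CLIENT_IP: prints "allow" or "deny" in tcp_wrappers order
access() {
  if rules_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif rules_match "$HOSTS_DENY" "$1" "$2"; then echo deny
  else echo allow   # no rule matched: wrappers grant access by default
  fi
}

access mountd 192.168.10.7   # local subnet may reach mountd
access mountd 10.9.8.7       # outsider is stopped by "ALL: ALL"
access sshd 10.9.8.7         # sshd is open to everyone
```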
More permanent solutions include:
1) Patch all Linux boxes. RedHat errata can be found at
http://www.redhat.com/errata
Do the same with all other boxes (DU, AIX, SunOS, etc.)
2) Disable dangerous services like finger, rlogin, rsh, tftp...
3) Install ssh (http://www.ssh.fi) in order to encrypt terminal passwords
inside the subnet. This implies avoiding the use of telnet, at least
internally. Looks like version 2 also includes sftp, which can
substitute for plain ftp for the purpose of encrypting passwords. According
to Sean O'Connell a free Windoze ssh client can be obtained as an add-on
to teraterm client:
http://hp.vector.co.jp/authors/VA002416/teraterm.html (teraterm)
http://www.zip.com.au/~roca/ttssh.html (ttssh)
Steve VanDevender says that ssh can also encrypt pop passwords:
> ssh can be used to "tunnel" connections for other services; it
> listens on specified ports on the local host, then sends data
> over an existing encrypted session to a specified remote host and
> remote port number. This will work for pop, but not for ftp.
> You can replace most uses of ftp with the ssh utility 'scp' when
> communicating between two hosts running ssh.
Kerberos is another encryption option.
4) Install tcpwrappers (get it from
ftp://ftp.cert.org/pub/tools/tcp_wrappers
since there is a hacked version around with a trojan horse).
5) Masquerade your subnet.
6) Install a firewall.
7) Segment the subnet by replacing hubs with switches.
Thanks again to everybody,
Oyanarte Portilho
Institute of Physics
University of Brasilia, Brazil
Received on Mon Jan 25 1999 - 22:07:50 NZDT