sendmail supports a " wizard's password," set in the configuration file, that can be used to get a shell on a remote system without logging in. ● sendmail allows trusted users, who are permitted to forge mail that is delivered to the local machine.● sendmail can be compiled in "debug mode," a mode that in the past has been used to allow outsiders unrestricted access to the system sendmail is running on. ● sendmail used to accept mail with a program as the recipient, thus allowing remote users to invoke shells and other programs on the destination host. ● sendmail has done a poor job of validating its arguments, thus allowing users to overwrite arbitrary locations in memory, or provide input that results in very bad side effects. ● One of the main reasons for sendmail's problems is its all-in-one design. The program is extremely complicated, runs as superuser, freely accepts connections from any computer on the Internet, and has a rich command language. We are not surprised that the program has been plagued with problems, although it seems to have had more than its share. Fortunately, there are alternatives. Instead of having a large all-in-one program receive messages from the Internet and then deliver the mail, you could split this functionality into two different programs. The Firewall Toolkit from Trusted Information Systems contains a program called smap that does exactly this. Even if you do not have a firewall, you may wish to use smap for accepting SMTP connections from outside sites. For instructions on how to do this, see "Installing the TIS smap/smapd sendmail Wrapper" in Chapter 22. What's My sendmail Version? If you are using the version of sendmail that was supplied with your operating system, then you may have difficulty figuring out which version of sendmail you are actually running. Your sendmail program should print its version number when you telnet to it (port 25). Beware: if sendmail does not print a version number, there is no easy way to determine what version number you have. One way that you can determine your sendmail version is to download a new version and install it yourself. You can get the current version of sendmail from the following locations: ftp://ftp.cs.berkeley.edu/ucb/sendmail ftp://info.cert.org/pub/tools/sendmail/ ftp://auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail Some vendors make proprietary changes to the sendmail program, so you may not be able to use Berkeley's unmodified version on your system. (For example, Berkeley's unmodified sendmail will not read mail aliases from systems using Sun Microsystem's NIS+ network name service.) In these cases, your only solution is to speak with your vendor. 17.3.4.2 Using sendmail to receive email If you must run sendmail to receive electronic mail, you should take extra measures to protect your system's security. Make sure that your sendmail program does not support the debug, wiz, or kill commands. You can test your sendmail with the following command sequence: % telnet localhost smtp Connected to localhost. Escape character is "^]". 220 prose.cambridge.ma.us Sendmail 5.52 ready at Mon, 2 Jul 90 15:57:29 EDT wiz 500 Command unrecognized debug 500 Command unrecognized kill 500 Command unrecognized quit 1. [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (9 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 221 prose.cambridge.ma.us closing connection Connection closed by foreign host % The command telnet localhost smtp opens up a TCP connection between your terminal and the smtp part of your local computer (which always has the alias localhost). You are then able to type commands to your sendmail's command interpreter. If your sendmail responds to the debug or wiz command with any of the following messages - or any message other than "command unrecognized" - replace the version of sendmail that you are running (but see #4 below): 200 Debug set 200 Mother is dead 500 Can't kill Mom 200 Please pass, oh mighty wizard 500 You are no wizard! Delete the " decode" aliases from the alias file. The decode alias is a single line that looks like this: decode: "|/usr/bin/uudecode" The decode alias allows mail to be sent directly to the uudecode program. This ability has been shown to be a security hole. Examine carefully every alias that points to a file or program instead of a user account. Remember to run newaliases after changing the aliases file. 2. Make sure that your aliases file is protected so that it cannot be modified by people who are not system administrators. Otherwise, people might add new aliases that run programs, redirect email for system administrators, or play other games. If your version of sendmail creates aliases.dir and aliases.pag dbm files, those files should also be protected. 3. Make sure that the "wizard" password is disabled in the sendmail.cf file. If it is not, then a person who knows the wizard password can connect to your computer's sendmail daemon and start up a shell without logging in! If this feature is enabled in your version of sendmail, you will note that the wizard password is a line that begins with the letters OW (uppercase O, uppercase W). For example: # Let the wizard do what she wants OWsitrVlWxktZ67 If you find a line like this, change it to disallow the wizard password: # Disallow wizard password: OW* 4. Make sure that you have the most recent version of sendmail installed on your computer. Monitor the CERT mailing list for problems with sendmail and be prepared to upgrade as soon as vulnerabilities are posted. 5. Stamp Out Phantom Mail! The UNIX operating system uses accounts without corresponding real users to perform many system functions. Examples of these accounts include uucp, news, and root. Unfortunately, the mail system will happily receive email for these users. Email delivered to one of these accounts normally goes only to a mail file. There, it resides in your /var/spool/mail directory until it is finally read. On some systems, there is mail waiting for users with the names news or ingres that is more than five years old. Is this a problem? Absolutely: These mail files can grow to be megabytes long, consuming valuable system resources. ● Many programs that run autonomously will send mail to an address such as news or uucp when they encounter a problem. If this mail is not monitored by the system administrator, problems can go undiagnosed. ● You can avoid the problem of phantom mail by creating mail aliases for all of your system, nonuser accounts. To make things easy for future system administrators, you should put these aliases at the beginning of your aliases file. For example: # # System aliases # [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (10 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com root: simsong Postmaster: root usenet: root news: root agent: root sybase: root MAILER-DAEMON: postmaster NOTE: When security flaws are announced, potential intruders are often much quicker to attack than system administrators are to upgrade. We advise you to upgrade as quickly as possible. Sites have been attacked within six hours of the release of a CERT advisory. 17.3.4.3 Improving the security of Berkeley sendmail V8 If you are intent on using Berkeley sendmail for your mail server, you can still improve your security by using sendmail Version 8. If you are not running sendmail Version 8, then you are probably running Version 5; Versions 6 and 7 did not make it out the door. NOTE: Be sure that you track the current version of sendmail, and obtain new versions as necessary. New security-related bugs are (seemingly) constantly being discovered in sendmail. If you do not keep up, your site may be compromised! There are well-known vulnerabilities, with exploit scripts, in most older versions of sendmail, including versions provided by many vendors. Besides containing numerous bug fixes over previous versions of sendmail, Version 8 offers a variety of "security options" that can be enabled by inserting a statement in your sendmail.cf configuration file. Many of these options are designed to control the release of information about your internal organization on the Internet.[13] These options are summarized in Table 17.1: [13] We recommend that you read the security chapter in Sendmail by Bryan Costales et al. (O'Reilly & Associates, 1993) for additional information. Table 17.1: Security Options in Version 8 Sendmail Option Effect Purpose novrfy Disables VRFY command. VRFY can be used by outsiders to determine the names of valid users; use novrfy to disable this command. noexpn Disables EXPN command. EXPN reveals the actual delivery addresses of mail aliases and mailing lists; noexpn disables this command. needmailhelo Requires HELO before a MAIL command. Refuses mail unless the sending site has properly identified itself. needvrfyhelo Requires HELO before VRFY command. Allows the use of the VRFY command, but only after the network user has identified himself. needexpnhelo Requires HELO before EXPN command. Allows use of the EXPN command, but only after the network user has identified himself. restrictmailq Restricts use of mailq command. If set, allows only users who belong to the group that owns the mail queue directory to view the mail queue. This restriction can prevent others from monitoring mail that is exchanged between your computer and the outside world. You can increase the logging level of sendmail to level 9 by inserting the line "OL9" in your sendmail.cf file, and we recommend that you do so; higher levels are used for debugging and do not serve any obvious security purpose. This will log lots of interesting information to syslog. Be sure that your syslog.conf file is configured so that this information is written to a reasonable place, and be sure to check the logs. There have been a number of problems with addresses that send mail to programs. This should be disabled, if not needed, by setting the progmailer to a program such as /bin/false. If you do need progmailer functionality, use smrsh (bundled with 8.7.x). Here is an example of when you might use the security options. Suppose that you have a company-wide alias such as all or marketing, and that you wish to prevent outsiders (such as recruiters) from learning the email addresses of people on these mailing [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (11 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com lists. At the same time, you may wish to prevent outsiders from learning the names of valid accounts on your system, to avoid accepting email from sites that do not properly identify themselves, and to prevent employees from spying on another's email correspondence. In this case, you would insert the following line into your sendmail.cf file; note that the "O" is required at the beginning of the Option line. Onovrfy,noexpn,needmailhelo,restrictmailq We recommend that you use this setting unless you have a specific reason for divulging your internal account information to the Internet at large. Be aware, though, that sendmail's VERB (verbose) command will still be active, which may still be used by attackers to gain insight into your vulnerabilities. The VERB command cannot be easily disabled. Note that if you disable the finger command and also turn off the VRFY option in your mailer, you can make it difficult for someone outside your site to determine a valid email address for a user that may be at your site. You should probably set up some form of modified finger service in this case to respond with information about how to obtain a valid email address. 17.3.5 TACACS (UDP Port 49) TACACS is the TAC Access Control Server protocol. It is a protocol that is used to authenticate logins to terminal servers. TACACS defines a set of packet types that can be sent from the terminal server to an authentication server. The LOGIN packet is a query indicating that a user wishes to log in to the terminal server. The TACACS server examines the username and the password that are present in the LOGIN packet and sends back an ANSWER packet that either accepts the login or rejects it. The TACACS and XTACACS (Extended TACACS) support a variety of additional packets, which allow the terminal server to notify the host when users connect, hang up, log in, log out, and switch into SLIP mode. Passwords are not encrypted with TACACS. Thus, they are susceptible to packet sniffing. 17.3.6 Domain Name System (DNS) (TCP and UDP Port 53) The Domain Name System (DNS) is a distributed database that is used so that computers may determine IP addresses from hostnames, determine where to deliver mail within an organization, and determine a hostname from an IP address. The process of using this distributed system is called resolving. When DNS looks up a hostname (or other information), the computer performing the lookup contacts one or more nameservers, seeking records that match the hostname that is currently being resolved.[14] One or more nameserver records can be returned in response to a name lookup. Table 17.2 lists some of the kinds of records that are supported: [14] Most UNIX DNS implementations use a file called /etc/resolv.conf to specify the IP addresses of the nameservers that should be queried. Further, a default domain can be specified. Table 17.2: DNS-supported Record Types Record Type Purpose A Authoritative address. For the IN domain, this is an IP address. AAAA IP version 6 authoritative address. CNAME Canonical name of an alias for a host. PTR Pointer record; maps IP addresses to a hostname (for IP host). MX Mail exchange; specifies a different computer that should actually receive mail destined for this host. For example, using DNS, a computer on the Internet might look up the name www.cs.purdue.edu and receive an A record indicating that the computer's IP address is 128.10.19.20. An MX query about the address cs.purdue.edu might return a record indicating that mail for that address should actually be delivered to the machine arthur.cs.purdue.edu. You can have multiple MX records for robustness; if the first host is unavailable, the program attempting to deliver your electronic mail will try the second, and then the third. Of course, a program trying to deliver email would then have to resolve each of the MX hostnames to determine that computer's IP address. DNS also makes provision for mapping IP addresses back to hostnames. This reverse translation is accomplished with a special domain called IN-ADDR.ARPA, which is populated exclusively by PTR records. In this example, attempting to resolve the address 20.19.10.128. IN-ADDR.ARPA would return a PTR record pointing to the hostname, which is lucan.cs.purdue.edu (the [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (12 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com CNAME of www.cs.purdue.edu). Besides individual hostname resolutions, DNS also provides a system for downloading a copy of the entire database from a nameserver. This process is called a zone transfer, and it is the process that secondary servers use to obtain a copy of the primary server's database. DNS communicates over both UDP and TCP, using the different protocols for different purposes. Because UDP is a quick, packet-based protocol that allows for limited data transfer, it is used for the actual process of hostname resolution. TCP, meanwhile, is used for transactions that require large, reliable, and sustained data transfer - that is, zone transfers. 17.3.6.1 DNS zone transfers Zone transfers can be a security risk, as they potentially give outsiders a complete list of all of an organization's computers connected to the internal network. Many sites choose to allow UDP DNS packets through their firewalls and routers, but explicitly block DNS zone transfers originating at external sites. This design is a compromise between safety and usability: it allows outsiders to determine the IP addresses of each internal computer, but only if the computer's name is already known. You can block zone transfers with a router that can screen packets, by blocking incoming TCP connections on port 53. Some versions of the Berkeley-named nameserver allow you to place an xfrnets directive in the /etc/named.boot file. If this option is specified, zone transfers will only be permitted from the hosts listed on the xfernets line. This option is useful if you wish to allow zone transfers to a secondary nameserver that is not within your organization, but you don't want to allow zone transfers to anyone else. For example, if your site operates a single domain, bigcorp.com, and you have a secondary nameserver at IP address 204.17.199.40, you might have the following /etc/named.boot file: ; BigCorp's /etc/named.boot ; directory /var/named ; primary bigcorp.com named.bigcorp primary 199.17.204.in-addr.arpa named.204.17.199 cache . root.ca xfrnets 204.17.199.40 17.3.6.2 DNS nameserver attacks Because many UNIX applications use hostnames as the basis of access control lists, an attacker who can gain control of your DNS nameserver or corrupt its contents can use that to break into your systems. There are two fundamental ways that an attacker can cause a nameserver to serve incorrect information: Incorrect information can be fraudulently loaded into your nameserver's cache over the network, as a false reply to a query.1. An attacker can change the nameserver's configuration files on the computer where your nameserver resides.2. If your nameserver has contact with the outside network, there is a possibility that attackers can exploit a programming bug or a configuration error to load your nameserver with erroneous information. The best way to protect your nameserver from these kinds of attacks is to isolate it from the outside network, so that no contact is made. If you have a firewall, you can achieve this isolation by running two nameservers: one in front of the firewall, and one behind it. The nameserver in front of the firewall contains only the names and IP addresses of your gate computer; the nameserver behind the firewall contains the names and IP addresses of all of your internal hosts. If you couple these nameservers with static routing tables, damaging information will not likely find its way into your nameservers. To change your configuration files, an attacker must have access to the filesystem of the computer on which the nameserver is running and be able to modify the files. After the files are modified, the nameserver must be restarted (by sending it a kill -HUP signal). As the nameserver must run as superuser, an attacker would need to have superuser access on the server machine to carry out this attack. Unfortunately, by having control of your nameserver, a skillful attacker could use control over the nameserver to parlay control of a single machine into control of your entire network. Furthermore, if the attacker does not have root but can modify the nameserver files, then he can simply wait until the nameserver is restarted by somebody else, or until the system crashes and every program is restarted. [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (13 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com You can minimize the possibility of an attacker modifying your nameserver by following these recommendations: Run your nameserver on a special computer that does not have user accounts. ● If you must run the nameserver on a computer that is used by ordinary users, make sure that the nameserver's files are all owned by root and have their protection mode set to 444 or 400 (depending on your site's policy). Any directories that are used to store nameserver files should be owned by root and have their protection mode set to 755 or 700 (again, depending on your site's policy). And all parent directories of those directories should be owned by root, mode 755 or 700. ● Remember, there are many files that are used by the nameserver. For example, the Berkeley named nameserver (by far the most common on UNIX systems) first looks at the file /etc/named.bootwhen it starts up. This file specifies other files and other directories that may be located anywhere on your computer. Be sure that all of these files are properly protected. ● If you know of a specific site that is attempting to attack your nameserver, you can use BIND's bogusns directive to prevent the program from sending nameserver queries to that host. ● You can further protect yourself from nameserver attacks by using IP addresses in your access control lists, rather than by using hostnames. Unfortunately, several significant programs do not allow the use of IP addresses. For example, the Solaris rlogind/rshd does not allow you to specify an IP address in the /etc/hosts.equiv file or the .rhosts file. We believe that vendors should modify their software to permit an IP address to be specified wherever hostnames are currently allowed. 17.3.7 Trivial File Transfer Protocol (TFTP) (UDP Port 69) The Trivial File Transfer Protocol (TFTP) is a UDP-based file-transfer program that provides no security. There is a set of files that the TFTP program is allowed to transmit from your computer, and the program will transmit them to anybody on the Internet who asks for them. One of the main uses of TFTP is to allow workstations to boot over the network; the TFTP protocol is simple enough to be programmed into a small read-only memory chip. Because TFTP has no security, tftpd, the TFTP daemon, is normally restricted so that it can transfer files only to or from a certain directory. Unfortunately, many early versions of tftpd had no such restriction. For example, versions of the SunOS operating systems prior to Release 4.0 did not restrict file transfer from the TFTP program. You can test your version of tftpd for this restriction with the following sequence: % tftp localhost tftp> get /etc/passwd tmp Error code 1: File not found tftp> quit % If tftp does not respond with "Error code 1: File not found," or simply hangs with no message, then get a current version of the program. On AIX, tftp access can be restricted through the use of the /etc/tftpaccess.ctl file. 17.3.8 finger (TCP Port 79) The finger program has two uses: If you run finger with no arguments, the program prints the username, full name, location, login time, and office telephone number of every user currently logged into your system (assuming that this information is stored in the /etc/passwd file). ● If you run finger with a name argument, the program searches through the /etc/passwd file and prints detailed information for every user with a first name, last name, or username that matches the name you specified. ● Normally, finger runs on the local machine. However, you can find out who is logged onto a remote machine (in this case, a machine at MIT) by typing: % finger @media-lab.media.mit.edu To look up a specific user's finger entry on this machine, you might type: % finger gandalf@media-lab.media.mit.edu [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (14 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com The /etc/fingerd program implements the network finger protocol, which makes finger service available to anybody on the network. finger provides a simple, easy-to-use system for making personal information (like telephone numbers) available to other people. Novice users are often surprised, however, that information that is available on their local machine is also available to anyone on any network to which their local machine is connected. Thus, users should be cautioned to think twice about the information they store using the chfn command, and in their files printed by finger. finger makes it easy for intruders to get a list of the users on your system, which dramatically increases the intruders' chances of breaking into your system. 17.3.8.1 The .plan and .project files Most versions of the UNIX finger program display the contents of the .plan and .project files in a person's home directory when that person is "fingered." On older versions of UNIX, the finger daemon ran as root. As a result, an intrepid user could read the contents of any file on the system by making her .plan a symbolic link to that file, and then running finger against her own account. One easy way that you can check for this is to create a .plan file and change its file mode to 000. Then run finger against your own account. If you see the contents of your .plan file, then your version of fingerd is unsecure. 17.3.8.2 Disabling finger The finger system reveals information that could be used as the basis for a social engineering attack. For example, an attacker could "finger" a user on the system, determine their name and office number, then call up the system operator and say "Hi, this is Jack Smith. I work in office E15, but I'm at home today. I've forgotten my password; could you please change my password to foo*bar so that I can log on?" Many system administrators choose to disable the finger system. There are two ways that you can do this: You can remove (or comment out) the finger server line in the file /etc/inetd.conf. This change will cause people trying to finger your site to receive a "Connection refused" error. Disabling finger in this way can cause problems for trying to determine mail addresses or phone numbers. Outsiders may be attempting to contact you to warn you that your site has been broken into by others. Therefore, completely disabling finger in this way might actually decrease your overall security, in addition to causing an overall inconvenience for everybody. ● You can replace the finger server with a shell script that prints a message instructing people how to contact your site. For example, you might use a script that looks like this: #!/bin/sh # /bin/cat << 'XX' Welcome to Big Whammix Inc. For information on contacting a specific employee, please call our company operator at 1-999-555-1212 or send electronic mail to the address postmaster@whammix.com Thank you. XX exit 0 Store this script in an executable file, such as /usr/local/etc/no_finger. Then in the file /etc/inetd.conf, replace the normal finger entry with this line: finger stream tcp nowait nobody /usr/local/etc/no_finger no_finger Remember to restart inetd. ● 17.3.8.3 Replacing finger As an alternative to finger, you can use the ph (phone book) server. This server allows you to place information into a database, [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (15 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com and specify which information should be returned for queries originating from inside and outside your network. You can download the ph server from ftp://vixen.cso.uiuc.edu/pub/ph.tar.gz. 17.3.9 HyperText Transfer Protocol (HTTP) (TCP Port 80) The Hypertext Transfer Protocol is the protocol that is used to request and receive documents from servers on the World Wide Web (WWW). Access to the World Wide Web is one of the driving forces behind the growth of the Internet, and many sites that have Internet connectivity will be pressured to provide both client applications and WWW servers for their users. One of the reasons for the success of HTTP is its simplicity. When a client contacts a WWW server, the client asks for a filename; the server responds with a MIME document formatted in either plain ASCII or HTML (HyperText Markup Language). The document is then displayed.[15] [15] HTML is a simple use of SGML (Standard Generalized Markup Language). WWW browsers can implement as much (or as little) of HTML as they wish; the documents displayed will still be viewable. HTML documents can have embedded tags for images (which are separately retrieved) and for hypertext links to other documents. The servers are configured so that a specified directory on the system (for example, /usr/local/etc/httpd/htdocs) corresponds with the root directory of the WWW client (for example, http://www.oreilly.com/). Because there are many security considerations when setting up a WWW server and using a WWW client, we have written a whole chapter about them. See Chapter 18, WWW Security, for the complete story. 17.3.10 Post Office Protocol (POP) (TCP Ports 109 and 110) The Post Office Protocol (POP) is a system that provides users on client machines a way to retrieve their electronic mail - without mounting a shared mail-spool directory using a remote file-access protocol such as NFS. POP allows users to access individual mail messages, to set limits on the maximum length of the message that the client wishes to retrieve, and to leave mail on the server until the message has been explicitly deleted. POP requires that users authenticate themselves before they can access their mail. There are at least three ways to do this: You can use simple passwords. This is by far the most common way for POP users to authenticate themselves to POP servers. Unfortunately, most POP clients use the same password for retrieving mail that they do for unrestricted system access. As a result, the user's password is a tempting target for an attacker armed with a packet sniffer. And it's an easy target, as it is always sent properly, it is always sent to the same port, and it is sent frequently - typically every few minutes. 1. You can use POP's APOP option. Instead of passwords, APOP uses a simple challenge/response system. It is described in RFC 1725, the same RFC that describes POP3. When a client program connects to a POP3 server, the server sends a banner that must include a unique timestamp string located within a pair of angle-brackets. For example, the UNIX POP server might return the following: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> When using simple passwords, the client program would next send through the username and the password, like this: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us> user mrose +OK Password required for mrose. pass fooby$# +OK maildrop has 1 message (369 octets) With APOP, the client program does not send the USER and PASS commands; instead, it sends an APOP command that contains the username and a 128-bit hexadecimal number that is the MD5 hash code of the timestamp (including the angle brackets) and a secret passphrase that is known to both the user and the POP server. For example, the user might have the password tanstaaf. To determine the appropriate MD5 code, the user's client program would compute the MD5 hash of: <1896.697170952@dbc.mtview.ca.us>tanstaaf which is: c4c9334bac560ecc979e58001b3e22fb 2. [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (16 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Thus, the APOP message sent to the server would be: APOP mrose c4c9334bac560ecc979e58001b3e22fb +OK maildrop has 1 message (369 octets) Note that because the POP3 server must know the shared secret, it should not be the same phrase as your password. You can use a version of POP that has been modified to work with Kerberos. (Kerberos is described in Chapter 19, RPC, NIS, NIS+, and Kerberos.) 3. Note that both your POP server and your POP client must support the authentication system that you wish to use. For example, early popular Eudora email clients only support traditional passwords, but later versions include support for both APOP and Kerberos.[16] [16] Actually, Eudora doesn't support Kerberos directly. Instead, it uses the Kclient application program that is available for both the Macintosh and Windows. 17.3.11 Sun RPC's portmapper (UDP and TCP Ports 111) The portmapper program is used as part of Sun Microsystem's Remote Procedure Call (RPC) system to dynamically assign the TCP and UDP ports used for remote procedure calls. portmapper is thus similar to the inetd daemon, in that it mediates communications between network clients and network servers that may have security problems. The standard UNIX portmapper assumes that security will be handled by the servers, and therefore allows any network client to communicate with any RPC server. You can improve security by using Wietse Venema's portmapper replacement program, which can be obtained via anonymous FTP from the site ftp.win.tue.nl /pub/security/portmap.shar. This portmapper allows for improved logging, as well as access control lists. Many sites further restrict access to their portmappers by setting their firewalls to block packets on port 111. 17.3.12 Identification Protocol (auth) (TCP Port 113) The TCP/IP protocol is a system for creating communication channels between computers, not users. However, it is sometimes useful to know the name of the user associated with a particular TCP/IP connection. For example, when somebody sends mail to your computer, you should be able to verify that the username in the mail message's "From:" field is actually the name of the user who is sending the message. The identification protocol gives you a way of addressing this problem with a simple callback scheme. When a server wants to know the "real name" of a person initiating a TCP/IP connection, it simply opens a connection to the client machine's identd daemon and sends a description of the TCP/IP connection in progress; the remote machine sends a human-readable representation of the user who is initiating the connection - usually the user's username and the full name from the /etc/passwd file. The identification protocol is usually not a very good approach to network security, because it depends on the honesty of the computer at the other end of the TCP/IP connection. Thus, if somebody is trying to break into your computer from another computer that they have already gained control of, ident will not tell you that person's name. On the other hand, it is useful for organizations such as universities who want to track down the perpetrators of simplistic, sophomoric email forgery attempts. If an intruder has a normal account (no root privileges) that he is using as a stepping stone to other hosts, running an ident server may be very useful in tracking down the intruder. Sites that have a reasonable number of users should run ident to help track down accounts that have been compromised during an incident. In general, the responses of ident queries are more useful to the administrators of the site that sends the response than the site that receives it. Thus, logging ident queries may not help you, but can be a courtesy to others. To make use of the identification protocol, you need to have a server program that understands the protocol and knows to place the callback. sendmail version 8 will do so, for instance, as will tcpwrapper. [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (17 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 17.3.13 Network News Transport Protocol (NNTP) (TCP Port 119) The Network News Transport Protocol (NNTP) is used by many large sites to transport Usenet articles between news servers. The protocol also allows users on distributed workstations to read news and post messages to the Usenet. NNTP can be configured with an access control list (ACL) to determine which computers are allowed to use which features. The access control list is based on hostname; thus NNTP's security can be bypassed through IP spoofing or through DNS attacks. Under normal circumstances, a compromised NNTP server does not represent a serious security threat - it simply means that an unauthorized individual may be able to read or post Usenet articles without permission. However, there are two potential circumstances in which unauthorized use of NNTP could cause problems: If you have special newsgroups for your own organization's internal discussions, there is a chance that a compromised NNTP server could reveal confidential information to outsiders. ● If an outsider can post from your NNTP server, that outsider could post a message that is libelous, scandalous, or offensive - potentially causing a liability for your organization. ● You can protect your NNTP server from these forms of abuse with a good firewall. INND is an alternative Usenet news transport program written by Rich Salz. If you are running INND, make sure that you have at least version 1.4 and have applied the relevant security patches, or have a version higher than 1.4. Versions of INND prior to and including version 1.4 had a serious problem.[17] [17] For any software like this that you install, you should check to be sure that you have the most current version. 17.3.14 Network Time Protocol (NTP) (UDP Port 123) The Network Time Protocol (NTP) is the latest in a long series of protocols designed to let computers on a local or wide area network figure out the current time. NTP is a sophisticated protocol that can take into account network delay and the existence of different servers with different clocks. Nevertheless, NTP was not designed to resist attack, and several versions of ntpd, the NTP daemon, can be fooled into making significant and erroneous changes to the system's clock. A variety of problems can arise if an attacker can change your system clock: The attacker can attempt a replay attack. For example, if your system uses Kerberos, old Kerberos tickets may work once again. If you use a time-based password system, old passwords may work. ● Your system log files will no longer accurately indicate the correct time at which events took place. If your attacker can move the system's clock far into the future, he or she might even be able to cause your system to erase all of its log files as the result of a weekly or monthly cleanup procedure. ● Batch jobs run from the cron daemon may not be executed if your system's clock jumps over the time specified in your crontab file or directory. This type of failure in your system's clock may have an impact on your security. ● 17.3.15 Simple Network Management Protocol (SNMP) (UDP Ports 161 and 162) The Simple Network Management Protocol (SNMP) is a protocol designed to allow the remote management of devices on your network. To be managed with SNMP, a device must be able to receive packets over a network. SNMP allows for two types of management messages: Messages that monitor the current status of the network (for example, the current load of a communications link) ● Messages that change the status of network devices (for example, take a communications link up or down)● SNMP can be of great value to attackers. With carefully constructed SNMP messages, an attacker can learn the internal structure of your network, change your network configuration, and even shut down your operations. Although some SNMP systems include provisions for password-based security, others don't. SNMP version 2.0 was intended to include better security features, but as this book goes to press, the standards committee is unable to agree on the necessary features, so the prospects look bleak. Each site must therefore judge the value of each particular SNMP service and weigh that value against the risk. [Chapter 17] 17.3 Primary UNIX Network Services file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_03.htm (18 of 28) [2002-04-12 10:44:12] Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com [...]... 9 9 9 9 9 13: 19 13: 14 13: 14 13: 20 13: 20 13: 26 instructions invoice letter more-stuff notes stats* If you are using an AT&T-derived version of ls,[9] using the -g option causes the ls command to only display the file's group: [9] On Solaris systems, this program is named /bin/ls % ls -lFg total 161 -rw-r r 1 user 505 Feb 9 13: 19 -rw-r r 1 user 31 59 Feb 9 13: 14 -rw-r r 1 user 631 8 Feb 9 13: 14 -rw ... using the ls -lF command: % ls -lF total 161 -rw-r r 1 sian user -rw-r r 1 sian user 31 59 Feb -rw-r r 1 sian user 631 8 Feb -rw - 1 sian user 15897 Feb -rw-r - 1 sian biochem 432 0 Feb -rwxr-xr-x 1 sian user 122880 Feb % 505 Feb 9 13: 19 instructions 9 13: 14 invoice 9 13: 14 letter 9 13: 20 more-stuff 9 13: 20 notes 9 13: 26 stats* The first line of output generated by the ls command ("total 161" in the... file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_ 03. htm (27 of 28) [2002-04-12 10:44: 13] [Chapter 17] 17 .3 Primary UNIX Network Services 17.2 Controlling Access to 17.4 - http://www.simpopdf.com Simpo PDF Merge and Split Unregistered Version Security Implications of Servers Network Services [ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security. .. Security ] file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_ 03. htm (28 of 28) [2002-04-12 10:44: 13] [Chapter 15] UUCP Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Chapter 15 15 UUCP Contents: About UUCP Versions of UUCP UUCP and Security Security in Version 2 UUCP Security in BNU UUCP Additional Security Concerns Early Security Problems with UUCP... Additional Security for Modems 15.2 Versions of UUCP [ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ] file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch15_01.htm (5 of 5) [2002-04-12 10:44: 13] [Chapter 5] The UNIX Filesystem Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Chapter 5 5 The UNIX Filesystem... nachos control device 0 17 .3. 21.2 X security The X Window System has a simple security model - all or nothing The X security mechanisms are used to determine whether or not a client can connect to the X Window Server After a client successfully connects, that client can exercise complete control file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_ 03. htm ( 23 of 28) [2002-04-12 10:44:12]... the Internet to print on your printer, you could use the following entry: % cat /etc/hosts.lpd + % file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_ 03. htm (22 of 28) [2002-04-12 10:44:12] [Chapter 17] 17 .3 Primary UNIX Network Services We do not recommend that you do this, however! Simpo PDF 17 .3. 19 RoutingMerge and Split Unregistered Version - http://www.simpopdf.com Internet. .. in 30 seconds You can determine whether your X server has this problem by executing the following command: prose% telnet localhost 6000 Here, 6000 is the TCP/IP port address of the first X server on the system (The second X display on the system has a TCP/IP file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_ 03. htm (26 of 28) [2002-04-12 10:44: 13] [Chapter 17] 17 .3 Primary UNIX. .. networks and over the Internet Unfortunately, it poses security problems in both environments rlogin and rsh are designed for communication only between Berkeley UNIX systems Users who want to communicate between UNIX and TOPS, VMS, or other kinds of systems should use the telnet protocol, not the rlogin protocol file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch17_ 03. htm (19 of 28)... UUCP Over Networks Summary UUCP is the UNIX- to -UNIX Copy system, a collection of programs that have provided rudimentary networking for UNIX computers since 1977 UUCP has three main uses: q Sending mail and news to users on remote systems q Transferring files between UNIX systems q Executing commands on remote systems Until recently, UUCP was very popular in the UNIX world for a number of reasons: q . the user's client program would compute the MD5 hash of: <1896.697170952@dbc.mtview.ca.us>tanstaaf which is: c4c 933 4bac560ecc979e58001b3e22fb 2. [Chapter 17] 17 .3 Primary UNIX Network. the Internet. [ 13] These options are summarized in Table 17.1: [ 13] We recommend that you read the security chapter in Sendmail by Bryan Costales et al. (O'Reilly & Associates, 19 93) for. user in $(cat-passwd | awk -F: 'length($6) > 0 {print $6}'| sort -u) do [[ -f $user/.rhosts ]] && print "There is a .rhosts file in $user" done where the cat-passwd