security

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



From: "Phillips, Glenn" <Glenn.Phillips@airnz.co.nz>
Subject: RE: Some security related questions
Date: Thu, 11 Mar 1999 10:31:29 +1300

If you're worried about security then fer chris' sake turn off the
"r-commands"! Well, at least to external use.

They are a nightmare security-wise. They believe the hostname and allow
access based on that.

I personally allow rsh to my routing-linux box, but only on the inside
interface - you may want to do the same. If you're going ssh, you get better
(more secure) versions of the Berkeley r-stuff in that.

The talkd's are nothing important - switch 'em off.
( From man talkd: "Talkd is the server that notifies a user that someone
else wants to initiate a conversation.  It acts as a repository of
invitations, responding to requests by clients wishing to rendezvous to hold
a conversation." in.talkd and in.ntalkd are the same program. )

===

From: Stefan Miltchev <miltchev@panther.middlebury.edu>
Subject: Re: Some security related questions
Date: 

> # Shell, login, exec and talk are BSD protocols.
> #
> shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
> login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind

If you are running ssh you can safely uncomment shell and login, they are
used for rsh and rlogin connections.

> #exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
> talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
> ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
> #dtalk  stream  tcp     waut    nobody  /usr/sbin/tcpd  in.dtalkd

You can get rid of the talk daemon too -- it is used to communicate with
another user on a unix system.

> Is it safe to comment these out also? What does each do?
> 
> Second, can someone tell me how I can shutoff daemons (i.e. keep them from
> running). I need to know what file to edit.

You could use ntsysv to control which daemons are started automatically. 


> Finally, the linux box does not share any resources over the network (i.e.
> no drives). Can I turn off NFS file sharing? Will this prevent me from
> accessing my cd-rom drive or other local resources? How do I turn it off?

Yes you can turn off nfsd and the portmapper. If you do not envision using
them on the machine you could even uninstall the rpms.

Also I would recommend installing sentry (blocks portscanning attempts)
and logcheck (looks for suspicious activity in the logs), rpms are
available at http://rufus.w3.org
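Added example (editor's, not from either poster): a small Python audit of an inetd.conf in the format quoted above. It lists the enabled services, flags the r-commands and talk daemons that Glenn and Stefan say to switch off, reports any service that is not started through tcpd, and writes the config back with the flagged lines commented out. The SAMPLE_INETD_CONF text, the RISKY set and the function names are this example's own assumptions, not anything from the thread.

```python
"""Audit an inetd.conf and comment out services that should not be exposed.

Added example, not from the list thread. SAMPLE_INETD_CONF is constructed to
match the lines quoted above (plus pop-3, imap, ftp and finger entries for
illustration); RISKY is this example's own list of services to disable.
"""

# Classic inetd.conf format, one service per line:
#   service socktype proto wait|nowait user server-program [args]
SAMPLE_INETD_CONF = """\
# Shell, login, exec and talk are BSD protocols.
#
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""

# What the thread advises switching off: the Berkeley r-commands (shell,
# login, exec) trust the client's hostname, talk/ntalk are not needed, and
# the mail daemons are only worth running if the box actually serves mail.
RISKY = {"shell", "login", "exec", "talk", "ntalk", "pop-3", "imap"}

FIELDS = ("service", "socktype", "proto", "wait", "user", "server")


def parse_inetd_conf(text):
    """Return one dict per *enabled* (uncommented) service line."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) < 6:
            continue  # malformed; inetd would reject it as well
        entry = dict(zip(FIELDS, parts[:6]))
        entry["args"] = parts[6:]
        # Under tcp wrappers the server field is tcpd and the real daemon
        # is its first argument.
        entry["wrapped"] = entry["server"].endswith("/tcpd")
        if entry["wrapped"] and entry["args"]:
            entry["daemon"] = entry["args"][0]
        else:
            entry["daemon"] = entry["server"]
        entries.append(entry)
    return entries


def exposed_risky_services(text, risky=RISKY):
    """Sorted names of enabled services that appear in the risky set."""
    return sorted(e["service"] for e in parse_inetd_conf(text)
                  if e["service"] in risky)


def unwrapped_services(text):
    """Enabled services started directly rather than via /usr/sbin/tcpd."""
    return sorted(e["service"] for e in parse_inetd_conf(text)
                  if not e["wrapped"])


def disable_services(text, names):
    """Return the config with the named enabled services commented out.

    Only the first field is matched, so comments, blank lines and every
    other service line are preserved unchanged; the result is idempotent.
    """
    out = []
    for line in text.splitlines():
        first = line.split(None, 1)[0] if line.strip() else ""
        if first in names:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled:", [e["service"] for e in parse_inetd_conf(SAMPLE_INETD_CONF)])
    print("risky:  ", exposed_risky_services(SAMPLE_INETD_CONF))
    print("no tcpd:", unwrapped_services(SAMPLE_INETD_CONF))
    print(disable_services(SAMPLE_INETD_CONF, RISKY))
```

Run it against a copy of the real /etc/inetd.conf and restart inetd (SIGHUP) after writing the result back; the unwrapped_services check is there because a service that bypasses tcpd gets neither hosts.allow/hosts.deny control nor the "connect from" log lines that the next message relies on.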

===================

From: "Kevin Myer" <kevin_myer@elanco.k12.pa.us>
Subject: Re: Hack attempt, successful?
Date: 

On Wed, 10 Mar 1999, André Dahlqvist wrote:

First, it's crack, not hack.  Crackers break into boxes.  Hackers modify
and write code.

> Mar 8 20:49:26 localhost telnetd[1152]: ttloop: peer died: Invalid or
> incomplete multibyte or wide character.

Dunno about this one.  I've noticed it on one box I administer - it must
be some sort of telnetd exploit attempt.  I'd really like to know what
this is if anyone on the list knows.

> Mar 8 20:49:19 localhost imapd[1151]: connect from 195.21.29.6
> Mar 8 20:49:19 localhost imapd[1151]: error: cannot execute
> /usr/sbin/imapd: No such file or directory
> Mar 8 20:49:23 localhost in.telnetd[1152]: connect from 195.21.29.6
> Mar 8 20:29:27 localhost ipop3d[1153]: error: cannot execute
> /usr/sbin/ipop3d: no such file or directory

Someone was trying to exploit your mail daemon services, which you wisely
uninstalled (or maybe never installed in the first place).  However, you
didn't comment them out of /etc/inetd.conf - comment out the lines for
pop3 and imap.  inetd was trying to spawn those processes but they didn't
exist.

It doesn't LOOK like anything was successful, just that someone was
knocking on your door.  However, double check that every thing you don't
need on that box is turned off or not installed (like NFS, ftp, etc.).
Run tcp wrappers.  Install something like sentry and tripwire for extra
security measures.  Don't take my word for it either - educate yourself as
to the actual methods that crackers use to attack systems and you will be
better prepared to defend against them.
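Added example (editor's, not Kevin's or André's): a Python triage of syslog lines in the form quoted above. It splits each line into program, pid and message, collects the "cannot execute" errors (each one an inetd.conf entry still enabled for a daemon that is not installed, which is what Kevin says to comment out), groups "connect from" lines by source address so a one-host sweep across imap, telnet and pop3 is visible at a glance, and uses the pid to tie each failed spawn back to the remote host. The LOG text reproduces the quoted lines with syslog spacing, plus one constructed "connect from" line for ipop3d so its error has a partner; the regexes and function names are this example's own.

```python
"""Triage syslog for inetd services that a remote host probed but could not run.

Added example, not from the thread. LOG reproduces the lines quoted above
(the ipop3d "connect from" line is constructed to pair with its error);
the regexes match the tcpd message formats seen there and are this
example's own.
"""
import re
from collections import defaultdict

LOG = """\
Mar  8 20:49:19 localhost imapd[1151]: connect from 195.21.29.6
Mar  8 20:49:19 localhost imapd[1151]: error: cannot execute /usr/sbin/imapd: No such file or directory
Mar  8 20:49:23 localhost in.telnetd[1152]: connect from 195.21.29.6
Mar  8 20:49:26 localhost telnetd[1152]: ttloop: peer died: Invalid or incomplete multibyte or wide character.
Mar  8 20:49:27 localhost ipop3d[1153]: connect from 195.21.29.6
Mar  8 20:49:27 localhost ipop3d[1153]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)$")            # logged by tcpd
NOEXEC_RE = re.compile(r"^error: cannot execute (?P<path>\S+): ")  # logged by tcpd


def parse_syslog(text):
    """Split syslog lines into timestamp, host, program, pid and message."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["pid"] = int(e["pid"])
            events.append(e)
    return events


def missing_binaries(events):
    """program -> path for every 'cannot execute' error.

    Each one is an inetd.conf entry still enabled for a daemon that is
    not installed: the line should be commented out, not left to fail.
    """
    found = {}
    for e in events:
        m = NOEXEC_RE.match(e["msg"])
        if m:
            found[e["prog"]] = m.group("path")
    return found


def connections_by_source(events):
    """source address -> programs it connected to, in log order."""
    by_src = defaultdict(list)
    for e in events:
        m = CONNECT_RE.match(e["msg"])
        if m:
            by_src[m.group("src")].append(e["prog"])
    return dict(by_src)


def failed_spawns(events):
    """(source, program, path) for connects whose spawn then failed.

    tcpd logs 'connect from' and the later error under the same pid, so
    the pid links the remote host to the missing binary.
    """
    src_by_pid, out = {}, []
    for e in events:
        m = CONNECT_RE.match(e["msg"])
        if m:
            src_by_pid[e["pid"]] = m.group("src")
            continue
        m = NOEXEC_RE.match(e["msg"])
        if m:
            out.append((src_by_pid.get(e["pid"], "?"), e["prog"], m.group("path")))
    return out


if __name__ == "__main__":
    ev = parse_syslog(LOG)
    for src, progs in connections_by_source(ev).items():
        print(f"{src} touched: {', '.join(progs)}")
    for src, prog, path in failed_spawns(ev):
        print(f"{src} -> {prog}: {path} missing; comment its line out of /etc/inetd.conf")
```

Feed it /var/log/messages (or whatever syslog writes auth/daemon facility to) instead of LOG; a single source address touching several services within seconds is the "knocking on your door" pattern Kevin describes, and the failed_spawns output is the to-do list for inetd.conf.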

================

From: John Summerfield <summer@OS2.ami.com.au>
Subject: Re: Hack attempt, successful?
Date: 

On Wed, 10 Mar 1999, Andr
