**********************************************************************
DDN MGT Bulletin 66 DCA DDN Defense Communications System
16 Aug 89 Published by: DDN Network Info Center
(NIC@NIC.DDN.MIL) (800) 235-3155
DEFENSE DATA NETWORK
MANAGEMENT BULLETIN
The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities. Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the NIC.DDN.MIL host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest". The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).
**********************************************************************
CONFIGURATION MANAGEMENT GUIDELINES
This bulletin contains guidelines formulated by the Computer Emergency
Response Team (CERT) regarding how to detect whether a UNIX host has
been compromised in a particular manner and how to improve the
security posture of UNIX hosts. These guidelines were written in
response to specific breakin attempts recently experienced on the
Internet. A description of the general method used is given below.
There were a few MILNET hosts targetted for breakin attempts. The
MILNET Host Administrators at these two locations were notified and
have taken corrective action.
We ask Host Administrators of gateways between MILNET and local area
networks to promulgate this information to the system administrators
of hosts connected to these local area networks.
If you have questions regarding these procedures, please contact your
vendor or the CERT:
Computer Emergency Response Team
CERT@SEI.CMU.EDU
1-412-268-7090 (24 hour hotline)
GUIDELINES:
Many computers connected to the Internet have recently experienced
unauthorized system activity. Investigation shows that the activity
has occurred for several months and is spreading. Several UNIX
computers have had their "telnet" programs illicitly replaced with
versions of "telnet" which log outgoing login sessions (including
usernames and passwords to remote systems). It appears that access
has been gained to many of the machines which have appeared in some of
these session logs. (As a first step, frequent telnet users should
change their passwords immediately.) While there is no cause for
panic, there are a number of things that system administrators can do
to detect whether the security on their machines has been compromised
using this approach and to tighten security on their systems where
necessary. At a minimum, all UNIX site administrators should do the
following:
o Test telnet for unauthorized changes by using the UNIX "strings"
command to search for path/filenames of possible log files. Affected
sites have noticed that their telnet programs were logging information
in user accounts under directory names such as "..." and ".mail".
In general, we suggest that site administrators be attentive to
configuration management issues. These include the following:
o Test authenticity of critical programs - Any program with access to
the network (e.g., the TCP/IP suite) or with access to usernames and
passwords should be periodically tested for unauthorized changes.
Such a test can be done by comparing checksums of on-line copies of
these programs to checksums of original copies. (Checksums can be
calculated with the UNIX "sum" command.) Alternatively, these
programs can be periodically reloaded from original tapes.
o Privileged programs - Programs that grant privileges to users (e.g.,
setuid root programs/shells in UNIX) can be exploited to gain
unrestricted access to systems. System administrators should watch
for such programs being placed in places such as /tmp and /usr/tmp (on
UNIX systems). A common malicious practice is to place a setuid shell
(sh or csh) in the /tmp directory, thus creating a "back door" whereby
any user can gain privileged system access.
o Monitor system logs - System access logs should be periodically
scanned (e.g., via UNIX "last" command) for suspicious or unlikely
system activity.
o Terminal servers - Terminal servers with unrestricted network access
(that is, terminal servers which allow users to connect to and from
any system on the Internet) are frequently used to camouflage network
connections, making it difficult to track unauthorized activity.
Most popular terminal servers can be configured to restrict network
access to and from local hosts.
o Passwords - Guest accounts and accounts with trivial passwords
(e.g., username=password, password=none) are common targets. System
administrators should make sure that all accounts are password
protected and encourage users to use acceptable passwords as well as
to change their passwords periodically, as a general practice. For
more information on passwords, see Federal Information Processing
Standard Publication (FIPS PUB) 112, available from the National
Technical Information Service, U.S. Department of Commerce,
Springfield, VA 22161.
o Anonymous file transfer - Unrestricted file transfer access to a
system can be exploited to obtain sensitive files such as the UNIX
/etc/passwd file. If used, TFTP (Trivial File Transfer Protocol -
which requires no username/password authentication) should always be
configured to run as a non-privileged user and "chroot" to a file
structure where the remote user cannot transfer the system /etc/passwd
file. Anonymous FTP, too, should not allow the remote user to access
this file, or any other critical system file. Configuring these
facilities to "chroot" limits file access to a localized directory
structure.
o Apply fixes - Many of the old "holes" in UNIX have been closed.
Check with your vendor and install all of the latest fixes.
If MILNET system administrators do discover any unauthorized system
activity, they are urged to contact the DDN Network Security Officer
or the Computer Emergency Response Team (CERT). The DDN Network
Security Officer can be contacted by phone through the MILNET Trouble
Desk at 1-800-451-7413 (24 hour hotline) or through e-mail at
DCAB615@DDN1.DCA.MIL. The CERT can be reached at CERT@SEI.CMU.EDU or by
phone at 1-412-268-7090 (24 hour Hotline).
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
