UNIX System Administration Handbook - Evi Nemeth [391]
Some of the replacements for rlogin (including SSH!) pay attention to .rhosts and /etc/hosts.equiv if they are not configured properly. For added safety, you can create the /etc/hosts.equiv file and a ~/.rhosts file for each user (including root) as an unwritable, zero-length file. It’s easier to assess what the state of a file was at 3:00 a.m. if it exists and is untouched than to assess the state of a nonexistent file. This distinction can be crucial when you are tracking intruders and their attempts to compromise your system.
rexd, rexecd, and tftpd
Sun’s rexd (which is also found on other systems, including HP-UX) is a poorly secured remote command execution server. It is generally shipped disabled (in the /etc/inetd.conf file) and should be left that way. rexd is not used by any standard system software.
rexecd is yet another remote command execution daemon. It is the server for the rexec library routine. Requests sent to rexecd include a plaintext password, so anyone listening on the network can learn passwords and gain access to the target system. This daemon should be disabled.
tftpd is a server for the Trivial File Transfer Protocol, an easy-to-implement protocol that’s sometimes used to download firmware or boot code into network devices. Because it allows machines on the network to request files from your hard disk, it’s a potential security hole. It’s best left disabled if you are not using it.
fingerd
finger is a UNIX command that prints a short report about a particular user:
% finger evi
Login name: evi In real life: Evi Nemeth
Directory: /beast/users3/evi Shell: /bin/tcsh
On since Jan 22 07:07:55 on ttyp3 from xor-train4.xor.com
50 minutes Idle Time
Mail last read Sat Jan 22 07:08:57 2000
No Plan.
Without an argument, finger prints a summary of all logged-in users.
When supported by the fingerd daemon on a remote host, finger can also be run in the form finger user@host or just finger @host. Unfortunately, the information returned is potentially useful to hackers, so we recommend that fingerd be disabled in /etc/inetd.conf.
Security and NIS
Other than the title of this section, these words should never be used together. The Network Information Service (NIS, formerly the Yellow Pages) is a Sun database distribution tool that many sites use to maintain and distribute files such as /etc/group, /etc/passwd, and /etc/hosts. Unfortunately, its very nature of “easy information access” makes it tasty hacker bait. A later replacement for NIS called NIS+ makes a feeble attempt to address the security problems of NIS. You’d be safer not to run either form of NIS at your site.
See Chapter 18 for more information about NIS.
A more secure and reliable way to distribute these files is to create a login such as “netadmin” and to place the most recent copies of these files in ~netadmin. You can then run a script out of cron on each client machine to scp, sanity check, and install the files. See page 672 for more information about SSH, of which scp is a part.
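As an added example (not from the book), here is a client-side script of the kind just described: it fetches the master copy of passwd from ~netadmin with scp, refuses to install it unless it passes a sanity check, and then swaps it into place so readers never see a half-written file. The host name master.example.com, the staging directory, and the particular check rules are assumptions; the checks flag what a damaged or tampered passwd file would show (malformed lines, an empty password field, a duplicate login, more than one uid-0 account).

```shell
#!/bin/sh
# Client-side updater for the ~netadmin scheme: fetch a master copy with scp,
# refuse to install it unless it passes a sanity check, then swap it into place.
# Assumed names (hypothetical): distribution host master.example.com,
# login netadmin, staging directory /var/tmp/netadmin-stage.
MASTER_HOST="master.example.com"
STAGE_DIR="${STAGE_DIR:-/var/tmp/netadmin-stage}"

# sanity_check_passwd FILE: succeed only if FILE looks like a sane passwd file:
# seven colon-separated fields per line, no empty login or password field,
# no duplicate logins, and exactly one uid-0 account, which must be root.
sanity_check_passwd() {
    f="$1"
    [ -s "$f" ] || { echo "refusing empty file: $f" >&2; return 1; }
    awk -F: '
        NF != 7    { print "line " NR ": expected 7 fields, got " NF; bad = 1 }
        $1 == ""   { print "line " NR ": empty login"; bad = 1 }
        $2 == ""   { print "line " NR ": empty password field for " $1; bad = 1 }
        seen[$1]++ { print "line " NR ": duplicate login " $1; bad = 1 }
        NF >= 3 && $3 == 0 {
            uid0++
            if ($1 != "root") { print "line " NR ": uid 0 login " $1; bad = 1 }
        }
        END {
            if (uid0 != 1) { print "expected one uid-0 account, found " uid0 + 0; bad = 1 }
            exit bad + 0
        }
    ' "$f" >&2
}

# install_file SRC DEST: keep the previous copy as DEST.old for rollback and
# rename the new one into place atomically (mv within one filesystem).
install_file() {
    src="$1"; dest="$2"
    cp -p "$src" "$dest.new" && chmod 644 "$dest.new" || return 1
    if [ -f "$dest" ]; then cp -p "$dest" "$dest.old" || return 1; fi
    mv "$dest.new" "$dest"
}

# update_passwd DEST: the cron entry point. Nothing is installed unless the
# copy fetched from ~netadmin passes sanity_check_passwd.
update_passwd() {
    dest="$1"
    mkdir -p "$STAGE_DIR" || return 1
    scp -q "netadmin@$MASTER_HOST:passwd" "$STAGE_DIR/passwd" || return 1
    sanity_check_passwd "$STAGE_DIR/passwd" || return 1
    install_file "$STAGE_DIR/passwd" "$dest"
}

# From cron: "update-passwd cron /etc/passwd". With other arguments, do nothing.
[ "${1:-}" = "cron" ] && update_passwd "${2:-/etc/passwd}"
```

The same shape (fetch, check, install) applies to group and hosts; only the awk rules change per file.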
expect is available from expect.nist.gov.
Security and NFS
See page 492 for more information about NFS security. You can use showmount -e to see which filesystems are being exported and to whom. Every exported filesystem should have an access list, and all hostnames should be fully qualified.
Security and sendmail
sendmail is a massive network system, a large part of which runs as root. As a result, it has often been subject to the attacks of hackers, and numerous vulnerabilities have been exposed over time. Make sure that you’re running the most up-to-date version of sendmail on all your systems. Since security problems are one of the most likely issues to spark new software releases, it’s probable that all versions of sendmail but the most current have them. You can find out what’s known about the security of your current release at www.sendmail.org.
See Chapter 19 for more information about sendmail.
Security and backups