UNIX System Administration Handbook - Evi Nemeth [394]

it will ultimately catch on, we think it’s worth mentioning because of its modular design, which makes it easy for third parties to add new security checks. If the user community begins to write and collect script databases for Nessus, it could stay current for a long time without constant updates from the original developers.

crack: find insecure passwords

Since some vendors still distribute systems that leave encrypted passwords in plain view, naughty hackers can easily compare them against a dictionary of words encrypted the same way. One way to head off this attack is to make the comparison yourself and force users to change the passwords that you have broken. crack is a sophisticated tool by Alec D. E. Muffett that implements several common password-guessing techniques.

Even if you use a shadow password file to hide encrypted passwords from public view, it’s still wise to verify that your users’ passwords are crack-resistant. Knowledge of a user’s password can be useful because people tend to use the same password over and over again. A single password might provide access to another system, decrypt files stored in a user’s home directory, and allow access to financial accounts on the web. (Needless to say, it’s not very security-smart to reuse a password this way. But nobody wants to remember ten different passwords.)

As of this writing, the current version of crack is 5.0a. It’s available from ftp.cert.org. Since crack’s output contains the passwords it has broken, you should carefully protect it and delete it as soon as you are done with it.

tcpd: protect Internet services

tcpd, often referred to as the “TCP wrappers” package, allows you to log connections to TCP services such as telnetd, ftpd, and fingerd. In addition, it allows you to restrict which systems can connect to these services. Both of these features can be very handy when you are tracking or controlling unwanted guests. tcpd was written by Wietse Venema and is available from ftp.porcupine.org. It comes standard with Red Hat and FreeBSD (in /usr/ports/security/tcp_wrapper).

See page 823 for more information about inetd.

tcpd is easy to install and doesn’t require modifications to existing network programs. It piggybacks on top of inetd; you simply modify your /etc/inetd.conf file to execute tcpd instead of the actual network server program. tcpd then performs any necessary logging and security checks before executing the server. For example, if your /etc/inetd.conf originally contained the line

telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

you could change this to

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

The resulting log file (configured in /etc/syslog.conf) would look something like:

Nov 12 08:52:43 chimchim in.telnetd[25880]: connect from tintin.Colorado.EDU
Nov 12 19:19:44 chimchim in.telnetd[15520]: connect from catbelly.com
Nov 12 23:48:45 chimchim in.telnetd[19332]: connect from atdt.xor.com
Nov 13 20:14:57 chimchim in.telnetd[2362]: connect from 130.13.13.11

Built-in TCP wrappers for HP-UX

HP-UX includes a version of inetd that has some similar security features built in. It’s configured in the file /var/adm/inetd.sec. Entries in this file have the form

service allow|deny hostname|address hostname|address ...

The service must be listed in either /etc/services or /etc/rpc. Any hostnames you use should be fully qualified (e.g., moomin.xor.com).

Wild cards and ranges are also understood. For example, “192.108.21.*” refers to all hosts on the listed class C network, and “192.108.21.1-50” refers to the first 50 hosts on that network.

Comments are designated by a pound sign (#), but they must occur on a line by themselves. Multiple lines for the same service are not permitted; only the last one survives. If a service is not listed, anyone may connect to it.

The following lines allow remote logins from only two networks and deny access to the spray daemon from two specific hosts:

login allow 192.108.21.* 192.225.33.*
sprayd deny 192.108.21.5 freddy.xor.com
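As an added example that is not from the book, here is a small Python evaluator for the /var/adm/inetd.sec format just described, useful for auditing a file before trusting it: it applies the rules that comments stand on a line by themselves, that only the last line for a service survives, that an unlisted service accepts everyone, and the wildcard and range address forms. It accepts a wildcard or range in any octet, which goes slightly beyond the book's last-octet examples; the sample file contents are constructed.

```python
import re

# Constructed sample of /var/adm/inetd.sec (not from the book): the book's two
# entries, a comment line, and a second 'login' line that replaces the first.
SAMPLE_INETD_SEC = """\
# remote logins from two networks only
login allow 192.108.21.* 192.225.33.*
sprayd deny 192.108.21.5 freddy.xor.com
# a later line for the same service replaces the earlier one entirely
login allow 192.225.33.1-50
"""

def parse_inetd_sec(text):
    """Return {service: (mode, patterns)}; a repeated service keeps only its last line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # comments must sit on a line by themselves
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("allow", "deny"):
            raise ValueError("malformed inetd.sec entry: %r" % line)
        rules[fields[0]] = (fields[1], fields[2:])
    return rules

def match_address(pattern, addr):
    """Match a dotted-quad client address against an exact address, a wildcard
    octet ('192.108.21.*') or a range octet ('192.108.21.1-50')."""
    p_parts, a_parts = pattern.split("."), addr.split(".")
    if len(p_parts) != 4 or len(a_parts) != 4 or not all(a.isdigit() for a in a_parts):
        return False                            # hostname pattern or malformed address
    for p, a in zip(p_parts, a_parts):
        if p == "*":
            continue
        rng = re.fullmatch(r"(\d+)-(\d+)", p)
        if rng:
            if not int(rng.group(1)) <= int(a) <= int(rng.group(2)):
                return False
        elif p != a:
            return False
    return True

def is_allowed(rules, service, addr, host=None):
    """HP-UX inetd decision: unlisted service -> anyone; allow/deny apply only to matching clients."""
    if service not in rules:
        return True
    mode, patterns = rules[service]
    # hostnames in the file are fully qualified, so compare against the whole FQDN
    matched = any(p.lower() == (host or "").lower() or match_address(p, addr) for p in patterns)
    return matched if mode == "allow" else not matched
```

Run `is_allowed(parse_inetd_sec(open("/var/adm/inetd.sec").read()), "login", addr)` to check what a real file would do for a given client before relying on it.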

HP-UX’s inetd does not
