UNIX System Administration Handbook - Evi Nemeth [405]
2. This command requires Perl 5 or higher.
3. Evi Nemeth broke the Diffie-Hellman key exchange often used with DES in 1984, using a HEP supercomputer. Although DES is thought to be mathematically secure, the short key lengths in common use offer relatively little security.
4. Don’t confuse the crypt library routine with the crypt command, which uses a different and less secure encryption scheme.
5. This command requires Perl 5 or higher.
6. The file /etc/default/su is also relevant.
7. These files are also used by the printing software on some systems to authorize remote printer access. See Chapter 23, Printing, for details.
8. It’s also worth noting that a number of security-related bugs have been discovered in fingerd over the years, which is unusual for such a simple program.
9. As described in Chapter 13, a port is a numbered communication channel. An IP address identifies an entire machine, and an IP address + port number identifies a specific server or network conversation on that machine.
10. Actually, only the privileged ports (those with port numbers under 1,024) and the well-known ports are checked by default. Use the -p option to explicitly specify the range of ports to scan.
11. Two excellent resources for those interested in cryptography are “RSA Labs’ Frequently Asked Questions about Today’s Cryptography” at www.rsasecurity.com/rsalabs/faq and the sci.crypt FAQ available by FTP from rtfm.mit.edu.
12. In particular, users should not try to obtain a list of more OTP passwords after having logged in with OTP; the passwords will all be transmitted without protection.
13. We assume you already know not to consider something like Windows as a firewall platform. Does the name “Windows” evoke images of security? Silly rabbit, Windows is for desktops.
14. In many cases, inetd does the actual waiting on their behalf. See page 823 for more information.
15. Port 25 is the SMTP port as defined in /etc/services.
16. If system backups are not a “normal” activity at your site, you have much bigger problems than the security intrusion.
20.12 RECOMMENDED READING
BRYANT, WILLIAM. “Designing an Authentication System: a Dialogue in Four Scenes.” web.mit.edu/kerberos/www/dialogue.html
CERT COORDINATION CENTER. “Intruder Detection Checklist.” www.cert.org/tech_tips/intruder_detection_checklist.html
CERT COORDINATION CENTER. “UNIX Configuration Guidelines.” www.cert.org/tech_tips/unix_configuration_guidelines.html
CHESWICK, WILLIAM R., AND STEVEN M. BELLOVIN. Firewalls and Internet Security, Second Edition. Reading, MA; Addison-Wesley. 2000.
CURTIN, MATT, AND MARCUS RANUM. “Internet Firewalls: Frequently Asked Questions.” www.interhack.net/pubs/fwfaq
FARMER, DAN, AND WIETSE VENEMA. “Improving the Security of Your Site by Breaking Into it.” 1993. www.fish.com/security
FRASER, B., EDITOR. RFC2196: Site Security Handbook. www.rfc-editor.org.
GARFINKEL, SIMSON, and GENE SPAFFORD. Practical UNIX and Internet Security. Sebastopol: O’Reilly & Associates. 1996.
KERBY, FRED, ET AL. “SANS Intrusion Detection and Response FAQ.” SANS. www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
MANN, SCOTT, AND ELLEN L. MITCHELL. Linux System Security: The Administrator’s Guide to Open Source Security Tools. Upper Saddle River, NJ: Prentice Hall PTR. 2000.
MORRIS, ROBERT, AND KEN THOMPSON. “Password Security: A Case History.” Communications of the ACM, 22 (11): 594-597, November 1979. Reprinted in UNIX System Manager’s Manual, 4.3 Berkeley Software Distribution. University of California, Berkeley. April 1986.
PICHNARCZYK, KARYN, STEVE WEEBER, AND RICHARD FEINGOLD. “UNIX Incident Guide: How to Detect an Intrusion.” Computer Incident Advisory Capability, U.S. Department of Energy. 1994. http://ciac.llnl.gov/ciac/documents
RITCHIE, DENNIS M. “On the Security of UNIX.” May 1975. Reprinted in UNIX System Manager’s Manual, 4.3 Berkeley Software Distribution. University of California,