[ale] Cracked many Linux systems

Bob's ALE Mail transam at cavu.com
Wed Mar 28 13:16:40 EST 2001


> Date: Wed, 28 Mar 2001 13:38:27 -0500
> From: Vernard Martin <vernard at cc.gatech.edu>

> > Please, please don't use NFS or portmap (and friends), install the latest
> > security patch for named and run it under its own user and group and
> > chroot'ed, use IP chains to block Internet access to the named, lpd, portmap,
> > nfsd ports and most other ports, and do not run any kernel older than 2.2.16.

> The first line here really got my attention. You say not to use NFS, I was
> wondering if you can tell me why not and what alternatives there are. 

1. NFS relies on the source address specified in each packet for validation
   (security) and uses the UDP protocol.  It is trivial for a cracker to put
   a fake source address in the packet.  (If one's firewall blocks packets
   from the Internet with source addresses claiming to be from internal
   systems, the problem is reduced BUT NOT PREVENTED.  This is because a
   cracker need only break into a single system internally, say, a Windows
   system and then issue packets with fake source addresses from that system.)

   Running NFS only using TCP (instead of UDP) will fix this if the sequence
   numbers are not predictable.

2. Many of the NFS utilities (including portmap) have a history of security
   bugs due to programming errors.

The alternative is ssh and its associated programs, scp and sftp.  Another
alternative is to put the network that needs NFS behind a VPN with only the
associated systems behind said VPN.

> Oh yeah, I decided that I'm going to go pick up a copy of your book this
> evening.

Great!  All of the above is discussed in great detail in the book.

> V
> -- 
> Vernard Martin (vernard at cc.gatech.edu) http://www.cc.gatech.edu/~vernard/     
>         "Anything worth fighting over is worth fighting dirty over"

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My new book: Real World Linux Security]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
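
An added example, not part of the original message: a small model of point 1, showing a border rule that drops Internet packets claiming internal sources (and the named, portmap, lpd and nfsd ports), and why address-only NFS validation still accepts a forged packet sent from inside. The network range, client list and packet records are constructed assumptions; the port numbers are the standard ones for those services.

```python
import ipaddress

# Assumptions constructed for this example: internal range and trusted NFS client.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
NFS_CLIENTS = {ipaddress.ip_address("192.168.1.10")}
# Standard ports of the services the message says to block from the Internet.
BLOCKED_PORTS = {53: "named", 111: "portmap", 515: "lpd", 2049: "nfsd"}


def border_filter(pkt):
    """Border firewall decision for a packet arriving from the Internet."""
    if ipaddress.ip_address(pkt["src"]) in INTERNAL_NET:
        return "DENY spoofed internal source"
    if pkt["dport"] in BLOCKED_PORTS:
        return "DENY " + BLOCKED_PORTS[pkt["dport"]]
    return "ACCEPT"


def nfs_server_trusts(pkt):
    """Address-only validation: the claimed source address decides."""
    return ipaddress.ip_address(pkt["src"]) in NFS_CLIENTS


def evaluate(pkt):
    """Return (border decision, served by NFS). Decision is None when the
    packet originates inside and therefore never crosses the border."""
    decision = None
    if pkt["origin"] == "internet":
        decision = border_filter(pkt)
        if decision != "ACCEPT":
            return decision, False
    return decision, pkt["dport"] == 2049 and nfs_server_trusts(pkt)


# Constructed packets: "origin" is where the sender really is,
# "src" is the source address written in the packet.
PACKETS = [
    {"origin": "internet", "src": "192.168.1.10", "dport": 2049},
    {"origin": "internet", "src": "203.0.113.7", "dport": 111},
    {"origin": "internet", "src": "203.0.113.7", "dport": 22},
    {"origin": "internal", "src": "192.168.1.10", "dport": 2049},  # forged inside
    {"origin": "internal", "src": "192.168.1.77", "dport": 2049},  # honest, untrusted
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", evaluate(p))
```

The fourth packet is the case the message warns about: it never reaches the border filter, so the only remaining check is the claimed address.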