[1852] in linux-security and linux-alert archive


[linux-security] Re: Services not required?

daemon@ATHENA.MIT.EDU (Michael H. Warfield)
Wed Jun 10 17:56:56 1998

From: "Michael H. Warfield" <mhw@wittsend.com>
To: linux-security@redhat.com
Date: Tue, 9 Jun 1998 09:35:09 -0400 (EDT)
In-Reply-To: <Pine.SGI.3.96.980609082636.28830B-100000@umbc8.umbc.edu> from "John \"E.R.\" Jasen" at Jun 9, 98 08:29:31 am
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

John "E.R." Jasen enscribed thusly:

> On Tue, 9 Jun 1998, A Dark Elf wrote:

> > On Mon, 8 Jun 1998, Stephen Costaras wrote:
> > > 21/FTP        (WU-ftpd v2.4.2 BETA 14)
> > > 22/SSH        (1.22)
> > > 23/TELNET     (Netkit 0.09)
> > > 25/SMTP       (Sendmail v8.8.7)
> > > 49/TACACS     (TACACS_Plus v4.0.2 BETA/Cisco)
> > > 53/DNS        (BIND v8.1.2)
> > > 80/HTTP       (Apache v1.2.6 - upgrading to v1.3.0)
> > > 110/POP3      (Katie Steven's v1.016)
> > > 111/RPC       (Netkit 0.09)
> > > 113/IDENTD    (????)
> > > 669/MOUNTD    (RPC/Linux Userspace NFS server v2.2beta29)
> > > 2049/NFS      (RPC/Linux Userspace NFS server v2.2beta29)
> > > 6669/APCUPSD  (UPS Monitoring, read-only from UPS server, already sent
> > >                  letter to author for security info).

> > The most non-secure services are the r services, and those aren't much at
> > risk if you're not running a version with security holes. But I don't see
> > why you would actually need to run all of them. Ssh could replace telnet,

> Agreed, unless you happen to field a lot of Wintel boxes and no-one wants
> to spring for F-Secure.

	There are freeware ssh clients for Windows 95/NT and now freeware
ssh servers (including a shell) for Windows NT (I don't think the server
runs on 95 - fortunately...).

> > you don't need identd unless you go on IRC

> Ummm ... A lot of sites are set to interrogate your identd server when you
> access them for (mail|ftp|telnet|etc). It makes a good first defense
> against various 'badness'.

	Identd aka auth is spoofable / forgeable on a box you have control of.
For that reason, nobody generally "relies" on it, even though there are
plenty of services which inquire upon it.  The biggest problem is making
sure you return SOMETHING for it.  If you don't want to run it, make sure
you return an ICMP port unreachable or some such.  Lots of times firewalls
will just drop unwanted stuff on the floor to avoid revealing anything about
any of the systems behind them.  If you don't want to support identd and
don't want to return network host information to "error probes" then return
a uniform error on that port for any address in your address space.  Otherwise,
every time you send an E-Mail message, the smtp server at the other end
will try and contact your ident server and have to time out.  That introduces
ridiculous delays in mail delivery.

> > Oh and firewalling ports is still the best
> > solution. Unless you need to NFS with someone across the country, you
> > should firewall it for outside users.

> Generally sound advice.

	Absolutely, with the ident proviso above...

> --
> "Frankly, Agent Mulder, alien abduction is the more believable option."
> 			Agent Skinner, X-Files, 3/09/98 [paraphrase] 
> -- John E. Jasen  // DNRC Ambassador to Earth \\  jjasen1@umbc.edu --
> -- My views are those of the DNRC only. Prepare to be domesticated --

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

