
CIAC Bulletin F-24: Protecting SGI IRIX Systems Against SATAN

daemon@ATHENA.MIT.EDU (Frank Swift (510-422-1463))
Fri May 12 23:13:22 1995

Date: Fri, 12 May 1995 15:57:04 -0700
To: ids@uow.edu.au, academic-firewalls@net.tamu.edu, firewalls-uk@gbnet.net
From: uncl@llnl.gov (Frank Swift (510-422-1463))
Reply-To: ids@uow.edu.au

Date: Fri, 12 May 1995 10:12:21 -0700
Reply-To: dwsmith@cheetah.llnl.gov
Originator: ciac-bulletin@cheetah.llnl.gov
Sender: ciac-bulletin@cheetah.llnl.gov
Precedence: bulk
From: David Smith <dwsmith@cheetah.llnl.gov>
To: uncl@llnl.gov
Subject: CIAC Bulletin F-24: Protecting SGI IRIX Systems Against SATAN

is an issue for a given site or system, some issues may be addressed with
the following steps and configuration, which are documented in the manual
pages xhost(1), xmd(1), Xsgi(1), and xauth(1).  Additionally, it is highly
recommended to read the "X Window System Administrator's Guide",
O'Reilly Vol. 8, from O'Reilly & Associates, ISBN 0-937175-83-8.


        1) Become root.

                % /bin/su -
                Password:
                #

        2) Edit the file /usr/lib/X11/xdm/Xservers and add the
        option below.  Normally there is only one line, but for TKO,
        be sure this is added for each Xserver.

                add option '-shmnumclients 0'

        3) Save file.

        4) Edit the /usr/lib/X11/xdm/xdm-config and make the following
        change.

                DisplayManager*authorize:       off

                        to

                DisplayManager*authorize:       on

        5) Save the file.

        6) Edit the file /usr/lib/X11/xdm/Xsession.dt  (or Xsession if
        not using the IndigoMagic desktop) and make the following change.

                # Gives anyone on any host access to this display
                /usr/bin/X11/xhost +

                        to

                # restrict access to this host
                /usr/bin/X11/xhost -

        7) Save the file.

        8) Remove any 'xhost +' from the files /usr/lib/X11/xdm/Xsession*

        9) Remove any 'xhost +' from users private .xsession files

        10) Remove any /etc/X0.hosts or /etc/X<n>.hosts files.

        11) Ensure the proper permissions and ownership on the
        following important X configuration files.  Use the chown
        and chmod commands to adjust accordingly.

     Permissions        owner   group   file

     -r--r--r--         root    sys     /usr/lib/X11/xdm/Xservers
     -rwxr-xr-x         root    sys     /usr/lib/X11/xdm/Xlogin
     -rwxr-xr-x         root    sys     /usr/lib/X11/xdm/Xreset
     -rwxr-xr-x         root    sys     /usr/lib/X11/xdm/Xstartup
     -rwxr-xr-x         root    sys     /usr/lib/X11/xdm/Xstartup-remote
     -r--r--r--         root    sys     /usr/lib/X11/xdm/xdm-config
     -rwxr-xr-x         root    sys     /usr/bin/X11/X
     lrwxr-xr-x         root    sys     /X11/Xsgi
     -rwxr-xr-x         root    sys     /usr/bin/X11/xdm
     -rwxr-xr-x         root    sys     /usr/bin/X11/xauth
     -rwxr-xr-x         root    sys     /usr/bin/X11/xhost

        12) Restart the graphics system.

                # /usr/gfx/stopgfx; /usr/gfx/startgfx &
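The following POSIX shell helpers are an added example, not part of the SGI advisory: they audit a system for the settings steps 2 through 11 ask for, so the result of the manual edits can be verified afterwards. Function names and the constructed sample tree are assumptions of this example; the real files are the ones listed in the steps under /usr/lib/X11/xdm and /etc, and the mode and owner checks read `ls -ld` output rather than `stat` so they work on older Unix systems.

```shell
#!/bin/sh
# Added audit helpers for steps 2 to 11 above (example code, not part of the
# SGI advisory).  Each function takes explicit paths so it can be pointed at the
# live files under /usr/lib/X11/xdm and /etc, or at a copy of them; an exit
# status of 0 means the setting matches what the advisory asks for.

# Step 2: every server line in Xservers must carry '-shmnumclients 0'.
# Comment and blank lines are ignored; any other line without the option fails.
check_shmnumclients() {
    [ -r "$1" ] || return 2
    missing=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
              | grep -vc -- '-shmnumclients 0' || true)
    [ "${missing:-0}" -eq 0 ]
}

# Step 4: the effective DisplayManager*authorize resource must be "on".
# The last such line wins; a file with no such line is reported as non-compliant
# so the administrator adds it explicitly instead of relying on a default.
check_authorize() {
    [ -r "$1" ] || return 2
    val=$(grep -E '^[[:space:]]*DisplayManager\*authorize:' "$1" | tail -n 1 \
          | awk '{ print $2 }')
    [ "$val" = "on" ]
}

# Steps 6, 8 and 9: list every uncommented bare 'xhost +' (access for all
# hosts) in the given files as file:line:text.  /dev/null is appended so grep
# prints file names even for a single file.  A host-specific 'xhost +name'
# is not flagged by this pattern.
find_open_xhost() {
    grep -nE 'xhost[[:space:]]+\+[[:space:]]*$' "$@" /dev/null 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}
check_no_open_xhost() { [ -z "$(find_open_xhost "$@")" ]; }

# Step 10: no X<n>.hosts file may exist in the given etc directory.
check_no_xn_hosts() {
    set -- "$1"/X[0-9]*.hosts
    [ ! -e "$1" ]
}

# Step 11: compare the mode string from 'ls -ld' (first ten characters, so an
# ACL or security-context marker after them is ignored) and the owner:group
# with the values in the table.
check_mode()  { [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]; }
check_owner() { [ "$(ls -ld "$1" | awk '{ print $3 ":" $4 }')" = "$2:$3" ]; }

# Constructed sample tree (not real IRIX files) with one compliant and one
# non-compliant version of each file, used to exercise the checks.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/xdm" "$d/etc" "$d/home"
    printf ':0 secure /usr/bin/X11/X -bs -c -shmnumclients 0\n' > "$d/xdm/Xservers.ok"
    printf ':0 secure /usr/bin/X11/X -bs -c\n' > "$d/xdm/Xservers.bad"
    printf 'DisplayManager*authorize:\ton\n' > "$d/xdm/xdm-config.ok"
    printf 'DisplayManager*authorize:\toff\n' > "$d/xdm/xdm-config.bad"
    printf '# restrict access to this host\n/usr/bin/X11/xhost -\n' > "$d/xdm/Xsession.ok"
    printf '# Gives anyone on any host access to this display\n/usr/bin/X11/xhost +\n' \
        > "$d/xdm/Xsession.bad"
    printf '#xhost +\nxhost +\n' > "$d/home/.xsession"
    : > "$d/etc/X0.hosts"
    chmod 444 "$d/xdm/xdm-config.ok"
    echo "$d"
}

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }

T=$(make_sample_tree)
report check_shmnumclients "$T/xdm/Xservers.ok"
report check_shmnumclients "$T/xdm/Xservers.bad"
report check_authorize "$T/xdm/xdm-config.ok"
report check_authorize "$T/xdm/xdm-config.bad"
report check_no_open_xhost "$T/xdm/Xsession.ok" "$T/xdm/Xsession.bad" "$T/home/.xsession"
find_open_xhost "$T/xdm/Xsession.bad" "$T/home/.xsession"
report check_no_xn_hosts "$T/etc"
report check_mode "$T/xdm/xdm-config.ok" -r--r--r--
rm -rf "$T"
```

On a real system the same functions would be called with the paths from the steps, for example `check_authorize /usr/lib/X11/xdm/xdm-config`, `check_no_open_xhost /usr/lib/X11/xdm/Xsession* /home/*/.xsession` and `check_owner /usr/lib/X11/xdm/Xservers root sys`; a `FAIL` line points at the step that still needs to be applied.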



  K. NTP vulnerabilities

Silicon Graphics Incorporated does not provide or support NTP.



- - ---------------------------
- - -- SGI Patch Information --
- - ---------------------------

When an IRIX security vulnerability is found, SGI will investigate the
vulnerability and may generate a patch.  Patches generated specially for
security-related issues are freely available to all requesting customers.

IRIX 4.x patches come as tar-bundled binaries and documentation that must
be manually installed.  Installation instructions are provided with the
tar-bundle.

For IRIX 5.1 and 5.1.x there are no security patches available.  Upgrading
to 5.2 or 5.3 is suggested.

Patches provided for IRIX 5.2, 5.3 and 6.x are inst images and require a
patch-aware /usr/sbin/inst program.  The stock IRIX 5.2 /usr/sbin/inst program
is not patch-aware and must be updated.   Patch 84 provides a patch-aware
inst program for IRIX 5.2.

Security patches can be found on SGI anonymous ftp servers:

        ftp.sgi.com:~ftp/patches

                or

        sgigate.sgi.com:~ftp/patches


                *NOTE*: If a particular file is not found on
                one, please check the other site.

For each security patch a file containing chksum and PGP information
for that patch has been generated by the SGI Customer Security Coordinator.

The SGI Security Coordinator Public key can be found at:

        ftp.sgi.com:~ftp/security/agent99.pgp.key.asc

                or

        sgigate.sgi.com:~ftp/security/agent99.pgp.key.asc

For key fingerprint verification of the above, call +1-415-390-2965.


- - -----------------------------
- - -- SGI Security Advisories --
- - -----------------------------

SGI reports security vulnerabilities to the SGI community via Silicon
Graphics Incorporated Security Advisories.   This document is one such
document.

An archive of these documents can be found on SGI anonymous ftp servers:

        ftp.sgi.com:~ftp/security

                or

        sgigate.sgi.com:~ftp/security


                *NOTE*: If a particular file is not found on
                one, please check the other site.


All Security Advisories are PGP digitally signed by the SGI Customer
Security Coordinator.

The SGI Security Coordinator Public key can be found at:

        ftp.sgi.com:~ftp/security/agent99.pgp.key.asc

                or

        sgigate.sgi.com:~ftp/security/agent99.pgp.key.asc

For key fingerprint verification of the above, call +1-415-390-2965.


- - --------------------------
- - -- Other security tools --
- - --------------------------

The following tools are publicly available via ftp and could potentially
improve a site's security.  They are documented here for information only
and are not provided, endorsed or supported by SGI.

COPS and ISS are programs that check for vulnerabilities and configuration
weaknesses.  CERT advisory CA-93:14 and CA-93:14.README contain information
about ISS.

     COPS is available from:

          ftp://info.cert.org:/pub/tools/cops/*

     ISS is available from:

          ftp://ftp.uu.net:/usenet/comp.sources.misc/volume39/iss

The TCP wrappers system can provide access control and flexible logging for
most network services.  With proper configuration and use, potential network
attacks can be prevented and/or detected.

     TCP wrappers is available from:

          ftp://info.cert.org:/pub/tools/tcp_wrappers/*

The Swatch log file monitor identifies patterns in log file entries and
attempts to associate entries with specific actions.

     Swatch software is available from:

          ftp://ee.stanford.edu:/pub/sources/swatch.tar.Z

The Rscan program by Nate Sammons <nate@vis.colostate.edu> checks for
many common IRIX-specific security bugs and problems.

     Rscan is available from:

          ftp://ftp.vis.colostate.edu/pub/rscan

The Courtney package monitors the network and identifies the source machines
of potential SATAN probes/attacks.  Using a second package, tcpdump, Courtney
counts the number of new service requests a machine originates within a
certain time period.  Courtney treats an excessive number of such requests
from one machine as an indication that it may be a SATAN probing/attacking
host.

     Courtney software is available from:

          ftp://ciac.llnl.gov/pub/ciac/sectools/unix/courtney.tar.Z

     tcpdump software is available from:

          ftp://ftp.ee.lbl.gov/tcpdump-3.0.tar.Z

        *Note: the Courtney program requires a correction in order
        to run on IRIX.  The file print-arp.c uses ETHERTYPE_ID which
        is undefined in IRIX.  In places where it is referenced, it
        needs to be changed to look like:

                        if ((pro != ETHERTYPE_IP
                #ifdef ETHERTYPE_TRAIL
                        && pro != ETHERTYPE_TRAIL
                #endif
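The counting rule the bulletin attributes to Courtney (new service requests per source host within a time window, read from tcpdump output) is shown below as an added example. This is not Courtney's own code: it is a small awk filter wrapped in a shell function, run over constructed tcpdump-style lines rather than a real capture, and the window and threshold values are assumptions chosen for the sample.

```shell
#!/bin/sh
# Added example: a rate-based probe detector in the spirit of the Courtney rule
# described above (new-service requests per source host in a time window).
# This is not Courtney's code; it is a small awk filter over tcpdump-style lines.

# flag_probers WINDOW_SECONDS THRESHOLD  < tcpdump-output
# Prints each source host, once, at the moment it has opened connections to
# THRESHOLD or more *distinct* host.port services within WINDOW_SECONDS.
# Only initial SYNs count (flag 'S' without 'ack'); repeated connections to a
# service already seen from that source are ignored.  Assumes one day's capture
# (timestamps do not wrap past midnight).
flag_probers() {
    awk -v win="$1" -v thr="$2" '
    function tsec(t,  a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    $3 == ">" && $5 == "S" && $0 !~ / ack / {
        t = tsec($1)
        src = $2; sub(/\.[0-9]+$/, "", src)     # drop the ephemeral source port
        dst = $4; sub(/:$/, "", dst)            # keep host.port = the service
        if ((src, dst) in seen) next            # not a *new* service for this src
        seen[src, dst] = 1
        n = cnt[src]++                          # index of this first-seen time
        q[src, n] = t
        h = head[src] + 0
        while (q[src, h] < t - win) h++         # expire entries outside the window
        head[src] = h
        if (n - h + 1 >= thr && !(src in flagged)) { flagged[src] = 1; print src }
    }'
}

# Constructed sample in tcpdump 3.x style (not a real capture).  10.1.1.9 touches
# five services in seven seconds, 10.1.1.50 only two, and 10.1.1.77 five services
# spread 75 seconds apart; one line is a SYN-ACK reply and must not count.
SAMPLE='12:00:01.000000 10.1.1.9.1025 > 10.1.1.20.21: S 1:1(0) win 512
12:00:02.000000 10.1.1.9.1026 > 10.1.1.20.23: S 1:1(0) win 512
12:00:02.100000 10.1.1.20.23 > 10.1.1.9.1026: S 9:9(0) ack 2 win 4096
12:00:03.000000 10.1.1.9.1027 > 10.1.1.20.25: S 1:1(0) win 512
12:00:03.500000 10.1.1.9.1028 > 10.1.1.20.25: S 1:1(0) win 512
12:00:05.000000 10.1.1.50.2000 > 10.1.1.20.80: S 1:1(0) win 512
12:00:06.000000 10.1.1.9.1029 > 10.1.1.20.79: S 1:1(0) win 512
12:00:07.000000 10.1.1.9.1030 > 10.1.1.20.111: S 1:1(0) win 512
12:00:08.000000 10.1.1.50.2001 > 10.1.1.20.21: S 1:1(0) win 512
12:00:30.000000 10.1.1.77.3000 > 10.1.1.20.21: S 1:1(0) win 512
12:01:45.000000 10.1.1.77.3001 > 10.1.1.20.23: S 1:1(0) win 512
12:03:00.000000 10.1.1.77.3002 > 10.1.1.20.25: S 1:1(0) win 512
12:04:15.000000 10.1.1.77.3003 > 10.1.1.20.79: S 1:1(0) win 512
12:05:30.000000 10.1.1.77.3004 > 10.1.1.20.111: S 1:1(0) win 512'

echo "60 s window, threshold 5:"
printf '%s\n' "$SAMPLE" | flag_probers 60 5
```

With a 60 second window and a threshold of 5 only 10.1.1.9 is reported; widening the window to 600 seconds also catches the slow scan from 10.1.1.77, which is the trade-off such a counter always has to make between patient scanners and false alarms from busy legitimate hosts. Live use would be `tcpdump -l -n 'tcp[13] & 2 != 0' | flag_probers 60 5`, with the threshold tuned to the site.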



- - -----------------------------------
- - -- Reporting SGI Vulnerabilities --
- - -- Further Information/Contacts  --
- - -----------------------------------

For obtaining security information, patches or assistance, please
contact your SGI support provider.


If there are questions about this document, email can be sent to:

                cse-security-alert@csd.sgi.com


For reporting *NEW* SGI security issues, email can be sent to:

                security-alert@sgi.com


Please use these aliases wisely.  Excessive unnecessary traffic can hinder
problem assistance.  Do not include the aliases in CC: lists without prudent
consideration.


- -----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBL4QdobQ4cFApAP75AQFXJgP/Yyv0UhzvAGesgc8tT2aZY3kjyLwlFT8t
6aYjviEDOsm/aMzUKffkqxzcM+yE7kXslk+0Qvw4jCGZjiMzE0h6mYONacRo5xjU
QqLILtbi0j96UIxqT6L0T/FCVoPsHxV/kLW/iVId8HZ9NuZX50MbRaQ2uPwH9Rwd
xJG+KHbrTVI=
=lAHY
- -----END PGP SIGNATURE-----

[END OF SGI IRIX BULLETIN]

CIAC recently released CIAC NOTES 07 article (April 5, 1995) that is devoted
to SATAN. The article was based on beta-releases of SATAN and is applicable
to the current version 1.0 release of SATAN. There were no major operational
changes between the latest beta release and the current version 1.0 public
release. By configuring a system correctly, installing all the latest
patches, and monitoring system usage, most of SATAN's techniques can be
countered, or at a minimum detected. Unfortunately, complete protection from
SATAN is difficult. Most of the vulnerabilities it looks for are easily
addressable, but some do not yet have satisfactory solutions.

CIAC has recently written a program to defend against SATAN and other
similar tools.  The program, called Courtney, monitors the connections to
the ports probed by SATAN.  When an attack by SATAN takes place, the
offending host will be reported.

CIAC has also made available the current release of SATAN.

SATAN is made up of HyperText Markup Language (HTML) documents, C code, and
Perl scripts which generate HTML code dynamically. It requires an HTML
viewer (Mosaic, Netscape, or Lynx), a C compiler, and PERL version 5. The
user simply interacts with a WWW client, entering necessary data into
forms. The control panel for SATAN provides four hypertext options: Target
Selection, Reporting & Data Analysis, Documentation, and Configuration &
Administration.

Refer to CIAC Notes 7 for an in-depth look at SATAN.

________________________________________________________________________________
________________________________________________________________________________


CIAC is the computer security incident response team for the U.S. Department
of Energy. Services are available free of charge to DOE and DOE contractors.

For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE
number. To use this service, dial 1-510-422-8193 or 1-800-759-7243
(SKYPAGE). The primary SKYPAGE PIN number, 8550070 is for the CIAC duty
person. A second PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX
number is 510-423-8002, and the STU-III number is 510-423-2604. Send E-mail
to ciac@llnl.gov.

Previous CIAC notices, anti-virus software, and other information are
available on the CIAC Bulletin Board and the CIAC Anonymous FTP server. The
CIAC Bulletin Board is accessed at 1200 or 2400 baud at 510-423-4753 and
9600 baud at 510-423-3331. The CIAC Anonymous FTP server is available on the
Internet at ciac.llnl.gov (IP address 128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE, and SPI-NOTES. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form
to ciac-listproc@llnl.gov:

        subscribe list-name  LastName, FirstName PhoneNumber

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

ATTENTION!! CIAC now has a web server at http://ciac.llnl.gov.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or the
University of California, and shall not be used for advertising or product
endorsement purposes.

CIAC BULLETINS ISSUED IN FY95 (Previous bulletins available from CIAC)
(F-01)  SGI IRIX serial_ports Vulnerability
(F-02)  Summary of HP Security Bulletins
(F-03)  Restricted Distribution
(F-04)  Security Vulnerabilities in DECnet/OSI for OpenVMS
(F-05)  SCO Unix at, login, prwarn, sadc, and pt_chmod 
          Patches Available
(F-06)  Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities
(F-07)  New and Revised HP Bulletins
(F-08)  Internet Address Spoofing and Hijacked Session Attacks
(F-09)  Unix /bin/mail Vulnerabilities
(F-10)  HP-UX Remote Watch
(F-11)  Unix NCSA httpd Vulnerability
(F-12)  Kerberos Telnet Encryption Vulnerability
(F-13)  Unix sendmail vulnerabilities
(F-14)  HP-UX Malicious Code Sequences
(F-15)  HP-UX "at" and "cron" vulnerabilities
(F-16)  SGI IRIX Desktop Permissions Tool Vulnerability
(F-17)  Limited Distribution
(F-18)  MPE/iX Vulnerabilities
(F-19)  Protecting HP-UX Systems Against SATAN
(F-20)  Security Administrator Tool for Analyzing Networks (SATAN)
(F-21)  Protecting SUN OS Systems Against SATAN
(F-22)  SATAN Password Disclosure
(F-23)  Protecting IBM AIX Systems Against SATAN

CIAC NOTES ISSUED IN FY1995 (Previous Notes available from CIAC)
04c     December 8, 1994
05d     January 11, 1995
06      March 22, 1995
07      March 29, 1995
08      April 4, 1995
09      April 24, 1995

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBL7J3HbnzJzdsy3QZAQHxRgQApv74yRgnZ7Jv4rPlW6aF8yypn2BGIdDR
ImJ8F2DmUmu8H1ujTFI4JYnv3lYgxAot9hFzg77U5LNnrcrAEWfs6/dAFHUdIZDk
TXeX/QDuVkbfz/RAs6xkupPGGBIRSiK69Lv4rsvEu5aEbNDNC/27qUKEGiWjyytD
mkAc3bYpb3w=
=PIpB
-----END PGP SIGNATURE-----

THE WORLD IS NOT INTERESTED IN THE STORMS YOU ENCOUNTERED,
BUT WHETHER YOU BROUGHT IN THE SHIP.

 \ | /     
| 0 0 |   Frank Swift     L-321             (510)-422-1463
  ~^~   LLNL    7000 East Avenue    ( fax) 423-0913 
  \O/    Livermore CA  94550-9516_____________uncl@llnl.gov________+
Unclassified Computer Security  Lawrence Livermore National Lab
Observing and Reacting to "the Net of a Million Lies"


