-----BEGIN PGP SIGNED MESSAGE-----

            Protecting Yourself from Password File Attacks

We have seen incidents in which intruders obtain password files from sites and
then try to compromise accounts by cracking passwords. Once intruders gain
access to a user account, they attempt to gain root access through a cracked
root password or by exploiting another vulnerability.

These incidents point to the need for system administrators to adequately
defend their systems from this type of attack. We urge you to do the
following.

1. Protect your password file so that an intruder cannot obtain a copy of it.

2. Ensure that good passwords are selected so that they cannot easily be
  cracked, or use a technology in which passwords are not located in the
  password file.

3. Ensure that you are up-to-date with security patches and workarounds.

4. Watch for unusual activity.

More specifically, here are steps you can take to minimize the possibility
that your password file (with passwords in it) can fall into the hands of an
intruder.

1. Protect your password file.

  - Use a shadow password.  Under a shadow password system, the /etc/passwd
    file does not have encrypted passwords in the password field. Instead, the
    encrypted passwords are held in a shadow file that is not world-readable.
    Consult your system manuals to determine whether or not a shadow password
    capability is available on your system and to get information on how to
    set up and manage such a facility.

  - Use a technology, such as one-time passwords or Kerberos, that does not
    rely on having passwords in the password file.

    For more information on one-time passwords, see Appendix B in

ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

  - Ensure that you are up-to-date with sendmail and are using smrsh. Some
    sendmail vulnerabilities can be exploited by intruders to obtain a
    copy of a password file.

    Information on known sendmail vulnerabilities can be obtained from:

ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement


ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities

ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability

ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul

ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers

    The smrsh program can be obtained from

ftp://info.cert.org/pub/tools/smrsh/

    smrsh is also included in the sendmail 8.7.5 distribution.

  - If you are using the NCSA httpd 1.5a-export and APACHE httpd
    1.0.3 (and previous versions), ensure that you have followed
    the advice in the advisory listed below.

ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

  - To help defend your site from NIS-based attacks, you may
    wish to install a portmapper/rpcbind replacement that has
    access control built in. Note that an attacker may still be
    able to find the portnumber of the NIS server by scanning
    all privileged ports of the target machine. While the
    portmapper replacement won't defend you from this attack,
    effective packet filtering can defend you and effective
    logging will alert you to any attack in progress.
    To deny access to the NIS server you have to block all
    privileged portnumbers (all portnumbers less than 1024) on
    your router except those "well known" services you need and
    that are on fixed portnumbers (like telnet and ftp). A
    replacement for portmapper/rcpbind that has access control
    and logging is available from

ftp://ftp.win.tue.nl/pub/security/portmap_3.BLURB
ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z
ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z.asc

ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.README
ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z
ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z.asc


  - Ensure that your anonymous ftp area is configured correctly.
    Intruders frequently exploit an ftp area that is not correctly
    configured to obtain the password file of the ftp server. For
    more information on configuring your ftp server, see the document
    "Anonymous FTP Configuration Guidelines" available at

ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config

2. Ensure that the passwords being used on accounts cannot easily be guessed
  or cracked by intruders.

    You may wish to verify that good passwords are being selected at your
    site (in accordance with your organization's policies and procedures).
    Crack is a tool you can use to do this. It is a freely available program
    designed to identify standard UNIX DES encrypted passwords that can be
    found in widely available dictionaries by standard guessing techniques
    outlined in the Crack documentation.

    Crack is available by anonymous FTP from

ftp://info.cert.org/pub/tools/crack


3. Ensure that you are up-to-date with patches and workarounds on your
  machines.

    Keeping up-to-date can help minimize the likelihood that you will be root
    compromised if user accounts are compromised. For information about the
    latest patches and workarounds, contact your vendor. You can also find
    information in

ftp://info.cert.org/pub/latest_sw_versions

4. Watch for unusual activity.

    Use all of the logging facilities available, including wtmp, syslog,
    and process accounting. Use tcp wrappers and log all connection
    attempts for all services made available via inetd. Examine these
    logs looking for suspicious activity.  One tool that is available to
    analyze syslog files is SWATCH. It is available at

ftp://ftp.stanford.edu/general/security-tools/swatch



- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to [email protected] with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDjXHXVP+x0t4w7BAQG0rQQAgbY4++xQmhGsINARdk84YeUsPGR+57CQ
VngUTNijRGS433RQOvkBTgClM2qHsMkIcIr3nt/V2cIzq+8TRDrAtUAfFGfnTWJp
R32y6VfUob9rRqjZi8UPFymEOPtwFu3veFWbqKCN6b+iVrhdF9PKUbES1dzkQkCM
wxbJ8iLgEwk=
=c78h
-----END PGP SIGNATURE-----

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.