Introduction
Eighth Layer News
Not in The Fine(?) Manual
Off Network DNS Servers
Securing FTP
Subscription Details
==========================================
Introduction
Well we finally made the dawn of the new Millennium. Whilst I was a
little surprised how well computers survived the year 2000 roll over, I
wasn't at all surprised to find that the 'millennium bug' was also
striking on the dawn of the 'real' millennium a year later.
Arthur C Clarke may have been intending 2001 as Science Fiction, but he
was right about us having problems with our computers.
`HAL, send this month's newsletter`
`I'm sorry I don't think I can do that Simon`
==========================================
Eighth Layer News
January saw another client arrive, and more HP Unix upgrades.
Eighth Layer will be supporting and helping to organise the Linux Day on
Sunday the 29th April. See http://www.linuxday.org.uk for more details.
In particular we are expecting the Devon and Cornwall Linux User Group
to host a day at Exeter University. More nearer the time.
==========================================
Not in the Fine(?) Manual
Off Network DNS Servers
This week one Microsoft technician managed to stop 60,000,000 people
reading their e-mail, and broke vast chunks of the Microsoft web site.
In this case the network housing all the Microsoft DNS servers became
inaccessible due to an error with the routing tables.
One technique the author has espoused to large ISPs and anyone who would
listen, is 'Off Network' DNS servers, so that if a routing problem
occurs, the world gets sensible error messages rather than something
implying you don't even exist. More usefully if you have 'Off Network'
mail relays, your mail is queued rather than bounced back to the sender.
Microsoft do not have off network mail relays either - their CIO has
publicly admitted that they have not built a sensible network
architecture for their Internet connectivity.
I'm assured by the people who designed some of them, and my own
experiences with DNS design at large ISPs, that most big ISPs do not
install 'Off Network' DNS servers as part of their DNS design. So whilst
we can all have a good laugh at Microsoft's expense this time, don't be
too surprised when it happens to you!
If you have your own Domain name, you can arrange your own 'Off Network
DNS' if, as is likely, your ISP doesn't do it for you.
Customers who have purchased the Eighth Layer "Hacker's Eye View"
product will already have been advised about this, and should be doing
'Better than Microsoft'.
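The check below is an added example (not part of the newsletter and not Eighth Layer's code) for the point above: before relying on your ISP, find out whether all of your domain's name servers sit on one network. It takes "nsname address" lines and counts how many distinct /24 prefixes the addresses fall into; the /24 grouping, the function names and the sample data (RFC 5737 documentation ranges) are my assumptions. On a real zone you would feed it the addresses returned by dig for each NS record, and ideally compare routed prefixes or ASNs rather than /24s.

```sh
#!/bin/sh
# Added example, not from the newsletter: a crude check that a zone's
# authoritative name servers are not all parked on one network.
# Input is "nsname address" lines (IPv4). Grouping by /24 is a stand-in
# for "same routed prefix"; the prefix length and the sample data are
# assumptions, using the documentation address ranges from RFC 5737.
# On a real zone you would feed it the result of
#   dig +short NS example.com   followed by   dig +short A <each ns>

# distinct_networks: read "name address" lines on stdin and print how
# many distinct /24 prefixes the addresses fall into.
distinct_networks() {
    awk '
        NF >= 2 && split($2, o, ".") == 4 { seen[o[1] "." o[2] "." o[3]] = 1 }
        END { n = 0; for (p in seen) n++; print n }
    '
}

# check_diversity: read the same lines on stdin; exit 0 when the name
# servers span at least two networks, exit 1 when one routing problem
# would take the whole zone off the air.
check_diversity() {
    n=$(distinct_networks)
    if [ "$n" -ge 2 ]; then
        echo "OK: name servers are spread over $n networks"
        return 0
    fi
    echo "WARNING: every name server is on one /24; a routing problem makes the domain look non-existent"
    return 1
}

# Constructed sample data: the first set is what Microsoft had, the
# second has one server on a different network.
ALL_ON_ONE_NET='ns1.example.net 192.0.2.10
ns2.example.net 192.0.2.11
ns3.example.net 192.0.2.12'

OFF_NETWORK='ns1.example.net 192.0.2.10
ns2.example.net 192.0.2.11
ns3.example.net 198.51.100.53'

# Demonstration: the first set fails the check, the second passes.
for data in "$ALL_ON_ONE_NET" "$OFF_NETWORK"; do
    printf '%s\n' "$data" | check_diversity || :
done
```

The same idea applies to the MX records for your off-network mail relay: if every MX points into one prefix, a routing failure bounces mail instead of queueing it.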
==========================================
Securing File Transfer Protocol (FTP)
What is FTP?
Most Unix servers come 'out of the box' accepting incoming 'ftp' or file
transfer requests.
FTP is a useful protocol for updating files on servers. It is quick and
simple to use, with lots of nice graphical and other tools to make life
easy. Indeed for downloading files from the Internet, many people use
FTP in their web browser without ever noticing the switch from HTTP.
FTP typically requires a username, and will usually ask for your e-mail
address as a password, although many servers will log you in if you send
the username "ftp". This type of FTP access is called "anonymous FTP".
FTP - whilst easy to use - is quite complex technically, utilising a
number of possible modes, opening multiple TCP connections, and
supplying features to translate operating-system-specific file formats
and handle security issues, as well as built-in proxy features for
firewalling (in some cases).
Why secure FTP?
The FTP software has some sophisticated features. The implementation of
these has either had bugs or weaknesses. Two are particularly important.
Firstly, the 'proxy' feature has been used to perform scans across the
Internet - indeed the excellent scanning tool nmap has a built-in
feature to utilise any such FTP servers.
Secondly, and more importantly to the owners of an FTP server, a number
of well known exploits exist in commonly deployed ftp servers, and more
may exist.
The current Ramen worm exploits 3 weaknesses, one of which is in the
wu-ftpd shipped with Red Hat 6.2 and Red Hat 7.
How to Secure FTP!
Many methods exist. They are discussed briefly here.
Disable it completely:
Usually it is sufficient to comment out (hash out) the following line in
the "/etc/inetd.conf" file (you need to get inetd to read the change to
the config file - see the manual page for inetd if you are unsure on
this):
"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a"
becomes
"#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a"
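As an added example (my own, not the newsletter's), here is the edit above done by script, together with the step the text leaves to the inetd manual page: sending inetd a SIGHUP so it re-reads the file. The function names, the pid file location /var/run/inetd.pid and the three-line sample inetd.conf are assumptions; the demonstration works on a throw-away copy, so nothing on the host changes until you point it at the real file.

```sh
#!/bin/sh
# Added example (not from the newsletter): comment out an inetd service
# and get inetd to re-read its configuration. The functions work on
# whatever file path you pass; the demonstration uses a constructed copy
# rather than the live /etc/inetd.conf.

# disable_inetd_service FILE SERVICE
# Prefix every active line whose first field is exactly SERVICE with '#'
# and print how many lines were changed. Lines already starting with '#'
# are left alone, and asking for "ftp" does not touch "ftp-data".
disable_inetd_service() {
    conf=$1
    svc=$2
    count=$(awk -v svc="$svc" '$1 == svc { n++ } END { print n + 0 }' "$conf") || return 1
    if [ "$count" -gt 0 ]; then
        tmp="$conf.new.$$"
        # write a new copy and move it into place, so a failure part way
        # through cannot leave a truncated inetd.conf behind
        awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf" > "$tmp" \
            && mv "$tmp" "$conf" || { rm -f "$tmp"; return 1; }
    fi
    echo "$count"
}

# reload_inetd [PIDFILE]: send SIGHUP so inetd re-reads inetd.conf.
# The pid file path is an assumption; until this is done the old entry
# is still live, whatever the file says.
reload_inetd() {
    pidfile=${1:-/var/run/inetd.pid}
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    else
        echo "cannot read $pidfile; find inetd with ps and send it SIGHUP by hand" >&2
        return 1
    fi
}

# make_sample_conf FILE: write a constructed three-line inetd.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Demonstration on a throw-away copy (reload_inetd is deliberately not
# called here; run it yourself after editing the real file).
sample=$(mktemp)
make_sample_conf "$sample"
echo "commented out $(disable_inetd_service "$sample" ftp) ftp line(s):"
cat "$sample"
rm -f "$sample"
```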
Restrict Access to known users:
Some ftp daemons allow you to blacklist users in "/etc/ftpusers". Of
course you probably want to 'whitelist' the accounts that need ftp.
I whitelist with a file called "/etc/ftp.allow" (Not writable by others)
which has one username per line, with the following script, which merely
copies all the usernames not in /etc/ftp.allow into /etc/ftpusers.
I run this script at the end of the 'add user' utility and also nightly
(Just in case a user is added some other way).
(root should generally not be allowed ftp access)
#!/sbin/sh
#
# Simon Waters 2000-01-20
# Create a new ftpusers file from /etc/ftp.allow
#
# Every account in /etc/passwd that is NOT listed in /etc/ftp.allow is
# written to /etc/ftpusers, which the ftp daemon treats as a blacklist.
#
# umask 022: the new ftpusers must be readable by the daemon but must
# not be writable by anyone other than root.
umask 022
if [ -r /etc/ftp.allow ]
then
    # Build the new list in a temporary file and only move it into place
    # once it is complete, so a failure cannot leave an empty (i.e.
    # allow-everyone) ftpusers behind.
    # -x -F: match whole usernames as fixed strings, otherwise "bob" in
    # ftp.allow would also let "bobby" through.
    cut -f1 -d: /etc/passwd | grep -v -x -F -f /etc/ftp.allow > /etc/ftpusers.new
    RETCODE=$?
    # grep exits 1 when it selects nothing (every account is allowed);
    # that is not an error here, but 2 means grep itself failed.
    if [ $RETCODE -gt 1 ]
    then
        echo "Error creating new ftpusers file"
        rm -f /etc/ftpusers.new
        exit 1
    fi
    mv /etc/ftpusers.new /etc/ftpusers
else
    echo "The file /etc/ftp.allow does not exist or is not readable"
    exit 1
fi
################End of Script##############
Restrict Access to Known IP Addresses or Networks:
Suitable for use when you know from which computers or networks requests
will come. Two methods exist - "tcp_wrappers" and "inetd.sec". The
first is available to almost every Unix user but may need to be
installed. The second is available on HP-UX and some other servers.
A box serving only "ftp" to its local networks, but not supplying any
other services, would look like this under tcp_wrappers.
more /etc/hosts.deny
ALL:ALL
more /etc/hosts.allow
in.ftpd: LOCAL
You know the box is using TCP wrappers because the inetd.conf entry has
"/usr/sbin/tcpd" in it.
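That last check is worth automating, because hosts.allow and hosts.deny only govern the services that actually pass through tcpd; any other enabled inetd entry ignores them. The script below is an added example (mine, not the newsletter's) that reads an inetd.conf and names every enabled service whose server program is not tcpd; the function names and the four-line sample file are assumptions. Two things to keep in mind with the rules shown above: the LOCAL wildcard in hosts.allow matches hosts whose name contains no dot, so it depends on reverse DNS rather than on IP address, and an entry in inetd.sec on HP-UX is a separate mechanism this script does not look at.

```sh
#!/bin/sh
# Added example, not from the newsletter: audit an inetd.conf and report
# which enabled services do not run via tcpd, because hosts.allow and
# hosts.deny only protect the ones that do. The sample file is
# constructed; point unwrapped_services at your own /etc/inetd.conf.

# make_audit_sample FILE: a constructed inetd.conf with one wrapped
# service, one unwrapped, one internal and one commented out.
make_audit_sample() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
echo    stream  tcp  nowait  root  internal
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd        in.rshd
EOF
}

# unwrapped_services FILE: print the name of every enabled service whose
# server program (field 6) is not tcpd. Exit status 1 if any were found.
unwrapped_services() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }    # comments and blank lines
        $6 == "internal"    { next }    # built-in services, nothing to wrap
        {
            n = split($6, path, "/")
            if (path[n] != "tcpd") { print $1; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Demonstration on the constructed file: telnet is reported.
conf=$(mktemp)
make_audit_sample "$conf"
if unwrapped_services "$conf"; then
    echo "all enabled services go through tcpd"
else
    echo "(the services listed above bypass hosts.allow and hosts.deny)"
fi
rm -f "$conf"
```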
Patch the FTP Daemon:
If you continue using ftp, even with named users and tcp_wrappers, it is
a good idea to get the latest patches, and to switch on 'logging' so you
can spot attempts to abuse the service.
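Logging only helps if somebody reads it, so here is an added example (mine, not the newsletter's) of the sort of thing to look for: remote hosts that keep failing to log in, and blacklisted accounts such as root being tried. The log lines are constructed in the style of wu-ftpd's syslog messages ("FTP LOGIN REFUSED ... FROM host, user" and "FTP LOGIN FAILED FROM host, user"); the function names and the threshold are assumptions, and you should check the patterns against what your own daemon writes before trusting them.

```sh
#!/bin/sh
# Added example, not from the newsletter: pick repeated failed logins
# and refused accounts out of the ftp daemon's syslog output. The log
# lines are constructed in the style wu-ftpd uses; verify the wording
# against your own daemon before relying on the patterns.

# make_sample_log FILE: write a handful of constructed log lines.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 20 03:14:15 gw ftpd[1201]: FTP LOGIN REFUSED (username in /etc/ftpusers) FROM 192.0.2.7, root
Jan 20 03:14:19 gw ftpd[1202]: FTP LOGIN FAILED FROM 192.0.2.7, alice
Jan 20 03:14:23 gw ftpd[1203]: FTP LOGIN FAILED FROM 192.0.2.7, bob
Jan 20 03:15:02 gw ftpd[1204]: FTP LOGIN FROM 198.51.100.20, simon
Jan 20 03:16:44 gw ftpd[1205]: FTP LOGIN FAILED FROM 198.51.100.20, simon
Jan 20 03:17:01 gw ftpd[1206]: ANONYMOUS FTP LOGIN FROM 203.0.113.9, mozilla@ (guest)
EOF
}

# flag_repeat_failures FILE THRESHOLD: print "count host" for each remote
# host with THRESHOLD or more refused or failed logins, busiest first.
# One failure is a typo; a run of them from one host is worth a look.
flag_repeat_failures() {
    awk -v limit="$2" '
        /FTP LOGIN (REFUSED|FAILED)/ {
            # the remote host is the word after FROM, with a trailing comma
            for (i = 1; i < NF; i++) {
                if ($i == "FROM") { h = $(i + 1); sub(/,$/, "", h); fails[h]++ }
            }
        }
        END { for (h in fails) if (fails[h] >= limit) print fails[h], h }
    ' "$1" | sort -rn
}

# refused_accounts FILE: which blacklisted accounts are being tried;
# root turning up here is exactly what the ftpusers file is for.
refused_accounts() {
    awk '/FTP LOGIN REFUSED/ { print $NF }' "$1" | sort | uniq -c
}

# Demonstration on the constructed log.
log=$(mktemp)
make_sample_log "$log"
echo "hosts with 3 or more failures:"
flag_repeat_failures "$log" 3
echo "accounts refused by ftpusers:"
refused_accounts "$log"
rm -f "$log"
```

Run against a real file this would be fed the syslog facility the daemon logs to (often /var/log/messages or a dedicated ftp log), and the threshold tuned to the site.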
For anonymous and Bastion type service, the ftp daemon can also be run
chrooted to a directory, but we've said enough about ftp security for
one newsletter!
==========================================
Subscription Details
Eighth Layer News subscription is still done the old-fashioned way by
hand.
The newsletter is free, and you are welcome to pass it on to colleagues,
but please do encourage them to subscribe, so I know who I'm writing
for.
To subscribe or unsubscribe e-mail Simon.Waters@eighth-layer.com
Copyright Eighth Layer Limited 2001.
Archive copies are kept on the website
http:www.eighth-layer.com