[Courses] [Security] Akkana's netstat, and file copying

Raven, corporate courtesan raven at oneeyedcrow.net
Fri Mar 8 17:16:33 EST 2002


Heya --

Quoth Akkana (Thu, Mar 07, 2002 at 09:37:49PM -0800):
> This is great.  I've already learned a lot, including that our
> server is running a bunch of stuff it doesn't need to be running.
> Thanks, Raven!

	No problem!  I'm glad that y'all are getting a lot out of it.
 
> I use rlogin and rcp, on my local net -- we have a router/firewall (a
> Linksys somethingorother) which doesn't pass most incoming ports, so I'm
> under the illusion that I can get away with things like that, because
> they're so darned convenient and I hate having to type passwords every
> time I want to move a file someplace.  (Yes, I even have a .rhosts with
> the names of our local hosts in it.)  Am I being foolish in trusting the
> router/firewall?

	Only somewhat.  [grin]  Like most things in security, it
depends on how paranoid you want to be.  You're probably okay for most
script kiddies and such with that, but if a skilled black hat decided to
have a go at you for some reason, that might be trouble.  A quick google
for "Linksys Bugtraq" yields these...

http://online.securityfocus.com/archive/1/201390
http://msgs.securepoint.com/cgi-bin/get/bugtraq0201/73.html

	Fortunately, one of the other cool things that ssh can do is act
as a drop-in replacement for rlogin and rcp.  So if you decide that
trusting your router isn't good enough, when we discuss ssh this is one
of the things that we can cover.  There's .shosts which replaces
.rhosts, and if you don't want to type in passwords you can use .shosts,
use public-key authentication where the key has no password, or a
multitude of other things.
 
> Re ftp: one reason one might want to use ftp is html editors, which
> typically know how to publish via ftp and http put, but no other
> protocols.  I'm on the mozilla editor team, and I tried to interest
> other team members and the networking folks into supporting publishing
> via more secure protocols since I know sysadmins who refuse to run ftpd,
> and I got blank stares and "I've never heard of that" and "All ISPs I
> know of allow either ftp or http and that's all most people want to
> use, and even Dreamweaver doesn't support any more than that."

	Yep, I ran into that myself about a year ago.  I am one of three
sysadmins for a website that had a lot of developers working on it.
They needed FTP access to the site.  We were security-conscious (with
good reason; there were repeated skilled hack attempts against the box).
Trying to support our users' needs without opening the box up to remote
compromise was a challenge.

	FTP, for better or for worse, is a really popular protocol, and
it's here for the foreseeable future.  It's a nightmare for firewalls
and it sends passwords around in cleartext, so it's very vulnerable to
sniffing.  But everyone uses it, and there's no replacement (that I'm
aware of) that users will be able to easily move to.  So what can you
do?

	Run an FTP server that doesn't have a history of bugs, and
doesn't have any bad bugs right now.  Make sure its feature set supports
your needs, though -- security's no good if nobody can use the box.
Chroot your users to their own home directories, so that they don't have
access to anything outside there.  Make the users' FTP passwords
different from their shell account passwords, so that sniffing cleartext
FTP passwords doesn't give them a login shell.  (Once the black hat gets
a login on your box, it's generally only a matter of time until they
have root.)  If you're brave, chroot the FTP server so that if it's
hacked, the hacker doesn't automatically get root on your box.  And log
a lot.

	Even so, this won't fix all your problems.  Some sysadmins still
refuse to run it.  But it will greatly improve your odds of foiling the
wily hacker.  [grin]
 
> If one has a need for ftp, what's a good server?  Redhat uses wu-ftp,
> which I've heard is about the worst as far as security holes?

	That is pretty much the worst.  I use Pure-FTPd
(http://www.pureftpd.org/), which has a really good security history.
It's not a terribly mature program, but I've had good luck with it for a
couple of years.  It also supports the ability to create its own
"virtual users", if you wanted to have FTP-only users with no shell.

	I know other sysadmins that hated the way Pure does virtual
users, though.  One such favors Pro-FTPd (http://www.proftpd.org/),
which had a showstopper bug a year or so back, but that's been fixed
now.  (It was the same file globbing bug that was in wu-ftpd -- a long
string of ls's gave the remote hacker root.)

	There's also a program called nc-FTPd that's an FTP server
coded with security in mind.  It's not free (in either sense), so I
haven't checked it out yet.  http://www.ncftpd.com/ if that's something
you're interested in.

> You know what packages you're getting, but don't assume that means
> you know what's turned on.  Run a "chkconfig --list | grep on"
> and you may be surprised (I was).  Redhat (even 7.2) turns on
> scads of services by default, sometimes even services you said
> no to during a custom installation, plus lots more that it never
> asked you about.

	Good to know; thanks.  Since I pretty much always do custom
installs, I'm out of the loop for what happens by default.

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work
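An added example, not part of the original thread: Akkana's "chkconfig --list | grep on" check, made runlevel-aware. It runs over a constructed sample of chkconfig output (so it works offline), handles the "xinetd based services" section, and shows why a plain grep for "on" over-reports: a service name such as anacron matches even when it is off in every runlevel. The function names and the sample output are my own.

```shell
#!/bin/sh
# Constructed sample of `chkconfig --list` output on a Red Hat 7.x box.
# "anacron" is off in every runlevel, yet a plain `grep on` still lists it.
sample_chkconfig_list() {
    cat <<'EOF'
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        rlogin: on
        rsh:    on
        telnet: off
        wu-ftpd:        on
EOF
}

# enabled_services RUNLEVEL: reads chkconfig output on stdin and prints
# one name per line for each SysV service that is "on" in RUNLEVEL, then
# each xinetd-managed service that is "on" (those only matter if xinetd
# itself is enabled, which the SysV part of the output tells you).
enabled_services() {
    awk -v rl="$1" '
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd == 1 {
            # lines look like "<tab>name:<tab>on|off"
            if ($2 == "on") { sub(/:$/, "", $1); print $1 }
            next
        }
        {
            # lines look like "name  0:off  1:off  2:on ... 6:off"
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on")) { print $1; break }
        }'
}

# naive_count: how many lines "grep on" would return on the same sample
# (it counts anacron because of its name, not because it is enabled).
naive_count() { sample_chkconfig_list | grep -c on; }

# Usage on a real box: chkconfig --list | enabled_services 3
sample_chkconfig_list | enabled_services 3
```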


