-----BEGIN PGP SIGNED MESSAGE----- Protecting Yourself from Password File Attacks We have seen incidents in which intruders obtain password files from sites and then try to compromise accounts by cracking passwords. Once intruders gain access to a user account, they attempt to gain root access through a cracked root password or by exploiting another vulnerability. These incidents point to the need for system administrators to adequately defend their systems from this type of attack. We urge you to do the following. 1. Protect your password file so that an intruder cannot obtain a copy of it. 2. Ensure that good passwords are selected so that they cannot easily be cracked, or use a technology in which passwords are not located in the password file. 3. Ensure that you are up-to-date with security patches and workarounds. 4. Watch for unusual activity. More specifically, here are steps you can take to minimize the possibility that your password file (with passwords in it) can fall into the hands of an intruder. 1. Protect your password file. - Use a shadow password. Under a shadow password system, the /etc/passwd file does not have encrypted passwords in the password field. Instead, the encrypted passwords are held in a shadow file that is not world-readable. Consult your system manuals to determine whether or not a shadow password capability is available on your system and to get information on how to set up and manage such a facility. - Use a technology, such as one-time passwords or Kerberos, that does not rely on having passwords in the password file. For more information on one-time passwords, see Appendix B in ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks - Ensure that you are up-to-date with sendmail and are using smrsh. Some sendmail vulnerabilities can be exploited by intruders to obtain a copy of a password file. Information on known sendmail vulnerabilities can be obtained from: ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers The smrsh program can be obtained from ftp://info.cert.org/pub/tools/smrsh/ smrsh is also included in the sendmail 8.7.5 distribution. - If you are using the NCSA httpd 1.5a-export and APACHE httpd 1.0.3 (and previous versions), ensure that you have followed the advice in the advisory listed below. ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code - To help defend your site from NIS-based attacks, you may wish to install a portmapper/rpcbind replacement that has access control built in. Note that an attacker may still be able to find the portnumber of the NIS server by scanning all privileged ports of the target machine. While the portmapper replacement won't defend you from this attack, effective packet filtering can defend you and effective logging will alert you to any attack in progress. To deny access to the NIS server you have to block all privileged portnumbers (all portnumbers less than 1024) on your router except those "well known" services you need and that are on fixed portnumbers (like telnet and ftp). A replacement for portmapper/rcpbind that has access control and logging is available from ftp://ftp.win.tue.nl/pub/security/portmap_3.BLURB ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z.asc ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.README ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z.asc - Ensure that your anonymous ftp area is configured correctly. Intruders frequently exploit an ftp area that is not correctly configured to obtain the password file of the ftp server. For more information on configuring your ftp server, see the document "Anonymous FTP Configuration Guidelines" available at ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config 2. Ensure that the passwords being used on accounts cannot easily be guessed or cracked by intruders. You may wish to verify that good passwords are being selected at your site (in accordance with your organization's policies and procedures). Crack is a tool you can use to do this. It is a freely available program designed to identify standard UNIX DES encrypted passwords that can be found in widely available dictionaries by standard guessing techniques outlined in the Crack documentation. Crack is available by anonymous FTP from ftp://info.cert.org/pub/tools/crack 3. Ensure that you are up-to-date with patches and workarounds on your machines. Keeping up-to-date can help minimize the likelihood that you will be root compromised if user accounts are compromised. For information about the latest patches and workarounds, contact your vendor. You can also find information in ftp://info.cert.org/pub/latest_sw_versions 4. Watch for unusual activity. Use all of the logging facilities available, including wtmp, syslog, and process accounting. Use tcp wrappers and log all connection attempts for all services made available via inetd. Examine these logs looking for suspicious activity. One tool that is available to analyze syslog files is SWATCH. It is available at ftp://ftp.stanford.edu/general/security-tools/swatch - ------------------------------------------------------------------------------ Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line. CERT is registered in the U.S. Patent and Trademark Office. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNDjXHXVP+x0t4w7BAQG0rQQAgbY4++xQmhGsINARdk84YeUsPGR+57CQ VngUTNijRGS433RQOvkBTgClM2qHsMkIcIr3nt/V2cIzq+8TRDrAtUAfFGfnTWJp R32y6VfUob9rRqjZi8UPFymEOPtwFu3veFWbqKCN6b+iVrhdF9PKUbES1dzkQkCM wxbJ8iLgEwk= =c78h -----END PGP SIGNATURE-----