📄 rfc2179.txt
字号:
RFC 2179 Network Security For Trade Shows July 1997 Tips: * "find / -user root -perm -4000 -print" will find any occurrence of a setuid file anywhere in the system, including those on NFS mounted partitions. * "find / -group kmem -perm -2000 -print" will do the same for kmem group permissions.System Directory Ownership and Write Permissions Check ownership of all system directories and permissions needed to write or modify files. There is no simple way to do this on PC operating systems like Windows NT without simply checking all files and directories or using a version of "ls" that will list ACLs. On Unix systems, a directory with permissions such as "drwxrwxrwx" (such as /tmp) is world-writable and anyone can create or modify files in such area. Pay special attention to "/" and "/etc". These should be owned by some system account-not by an individual user. When in doubt, contact the vendor of the system software for confirmation of the appropriate directory or file permissions.Network Services Any servers not needed should be disabled. The notorious "R services" (rexec, rsh, and rlogin) are particularly prone to security problems and should be disabled unless specifically needed. Pay particular attention to trusted hosts files, and be aware of the risk of IP spoofing attacks from machines "pretending" to be trusted hosts. Tips: * On Unix systems, comment out "R services" (rexec, rsh, rlogin) in /etc/inetd.conf. * Check for other unknown or unneeded services.Trivial File Transfer Protocol (TFTP) TFTP can be an easy way for an intruder to access system files. It is good general practice to disable TFTP. If TFTP is needed, verify that only files targeted for export are accessible. A simple way to check security is to attempt to tftp files such as /etc/passwd or /etc/motd to check accessiblity of system files.Gwinn Informational [Page 6]
RFC 2179 Network Security For Trade Shows July 1997TCP Connection Monitoring Public domain software (TCP Wrappers or "tcpd" for Unix systems) allow restriction and monitoring of TCP connections on a host by host basis. Systems can be configured to notify an administrator and syslog when any unauthorized party attempts to access the host. This software is available from: * ftp://info.cert.org/pub/tools/tcp_wrappers/BIND (Berkeley Internet Name Daemon) Earlier versions of BIND have been prone to various attacks. If a host is going to be acting as DNS, use the latest version of BIND. It is available at: * ftp://ftp.isc.org/isc/bindSendmail and Mailer Security A great number of previous versions of Sendmail have known security holes. Check installed sendmail for the most recent version. Alternatively, consult the operating system vendor to get the most recent release for the platform.Web Server Scripting Security All Web server scripts and binaries should be checked (especially the "...httpd/cgi-bin" directory) for those that allow shell commands to be executed. Many attacks in recent months have focused on the use of utilities such as "phf" for accessing /etc/passwd on a target system. Remove any script that is not needed in the course of operation of a web server.Other Suggestions * Check with the vendor of the operating system for known security issues. Make certain that all systems have the latest version of software--especially security patches to fix specific problems. * Examine log files on the host frequently. On Unix systems, the "last" command will furnish information on recent logins and where they came from. The "syslogs" or "Event Viewer" will contain more specific information on system events.Gwinn Informational [Page 7]
RFC 2179 Network Security For Trade Shows July 1997 * Web server logfiles (...httpd/log/access_log and ...httpd/log/error_log) will contain information on who has been accessing a WWW server, what has been accessed, and what has failed. * Good backups are the best defense against system damage. Perform backups before placing a system on the trade show network then continue backups throughout the show and again following the event. A final backup set is useful to examine for possible attempts at (or successful) penetrations of system security.General Network Security As would be expected at network trade shows (large or otherwise), there are many entities running packet sniffers. Most are exhibitors who have a legitimate need to run them during the course of product demonstrations. However, be aware that there are many "listening ears" on network segments--any of whom can "hear" or "see" information as it crosses the net. Particularly prone to eavesdropping are telnet sessions. A good rule of thumb is to assume that "when you type your password, the only one that doesn't see it is you!" It is a good practice to not log in (or "su") to an account with privileges across the network if at all possible. As mentioned previously, authentication tokens and ssh are a simple way to add security to system account access.Packet Filtering Many routers support basic packet filtering. If a router can be deployed between the local network and the show's network, general basic packet filtering should be employed. Below is a good "general" packet filter approach. The approach itself is ordered into categories: * General global denials/acceptance. * Specific global service denials. * Specific service acceptance. * Final denial of all other TCP/UDP services. Based on the theory of denying everything that you don't know is acceptable traffic, a good approach to a filter ruleset, in order of execution priority, might be:Gwinn Informational [Page 8]
RFC 2179 Network Security For Trade Shows July 1997 General Global Denials/Acceptance 1 Filter spoofed source addresses by interface. Match source addresses to routing information available for the interface. Discard packets with source addresses arriving on one interface (from the "outside" for example) claiming a source address on another interface (the "inside"). 2 Filter all source routed packets unless source routing is specifically needed. 3 Allow outbound connections from "inside" hosts. 4 Allow established TCP connections (protocol field contains 6 and the TCP flags field either contains ACK or does NOT contain SYN bit). Only filter requests for 'new' connections. 5 Filter 'new' connections with source port of 25. Prevents people from pretending to be a remote mail server. 6 Filter loopback address (source address 127.0.0.1). Prevents packets from a misconfigured DNS resolver. Specific Global Service Denials 1 Specifically block all "R-command" ports (destination ports 512-515). 2 Block telnet (destination port 23) from any host not requiring telnet access from the outside. (If you use ssh, you can block it from all hosts!) 3 Add specific filters to deny other specific protocols to the network, as needed. Specific Host/Service Acceptance 1 Add specific access to specific "public" hosts' services (unsecure FTP or WWW servers). 2 Allow SMTP (source and destination port 25) for electronic mail to the mail server(s). 3 Allow inbound FTP connections (source port 20) to the FTP server(s). 4 Allow DNS (source and destination port 53, UDP & TCP) to name servers. If zone transfers are not needed, block the TCP ports. 5 Allow RIP packets in (source and destination port 520, UDP), if appropriate. 6 Add specific filters to allow other desired specific protocols or to open certain ports to specific machines. Final Service Denial 1 Deny all other UDP and TCP services not allowed by the previous filters.Gwinn Informational [Page 9]
RFC 2179 Network Security For Trade Shows July 1997Author's Address R. Allen Gwinn, Jr. Associate Director, Computing Business Information Center Southern Methodist University Dallas, TX 75275 Phone: 214/768-3186 EMail: allen@mail.cox.smu.edu or allen@radio.netContributing Writer Stephen S. Hultquist President Worldwide Solutions, Inc. 4450 Arapahoe Ave., Suite 100 Boulder, CO 80303 Phone: +1.303.581.0800 EMail: ssh@wwsi.comGwinn Informational [Page 10]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -