Bugtraq mailing list archives

Re: TCP SYN probe detection tool available


From: jrvalverde () samba cnb uam es (J.R.Valverde)
Date: Mon, 27 May 1996 10:43:23 WET


We are trying to set up the Enhanced Security option in a BSD Ultrix
System 4.3a.
Everything goes well, but now we can only su from console. Is there any
workaround for this? The system administration tasks aren't carried

        I tried this a while ago and discovered that the only way was to make
ttys secure. The problem then is that ttys are assigned by login order,
meaning that the first logins should be those of system administrators.
Too bad. (Well, there are other ways, but I wouldn't even seriously mention
them).

        What I'd suggest is a replacement for 'su' if you must necessarily
do it. I tried this approach later on a "secure" environment OSF/1 and it
worked, so I assume it should also work on Ultrix (couldn't test it there).

        I did it for a test, and forgot about the subject. I don't like
the idea anyway of anybody being able to suid root from any network
terminal. If you must do it, I'd advise you at least try to make it as
difficult to subvert as possible. And at least safer than the "SECURE"
environment you are installing (otherwise it would be senseless).

        That could mean: get a replacement for 'su' and 'passwd' (you can
give 'em other names) for sysadmins. Ensure these use a separate password
file with shadow passwords in a hidden, root-readable only, directory, that
they require 'good' passwords, check against dictionaries, enforce bigger
password lengths and allow for 8+ length passwords, log every use and can
only be run by your sysadmins.

        The point is that there is no single root password, but rather
that each potential sysadmin can have his/her own one, so you don't have
a shared secret and they can change their root password often enough to
avoid "guessing" attacks without the load of having to spread a single
password among many people.

        In addition I would also install SSLeay (since you're in Spain) and
ssh and require that all remote logins by potential sysadmins be done via
them, to avoid password sniffing of their normal user and root passwords.
Forcing them to use a restricted shell could be useful too.

        And all other tricks you can add. 'root' is the most sensible door to
your system in the network.

        Note: many of the ideas above originally came from R.J.White, a
colleague who thought of them before and built a similar system.

        Note2: since you're in Spain too, maybe I can help you more
directly. Just drop me a note.

                                jr

--
Jose R. Valverde
EMBnet/CNB
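
The per-administrator root password scheme described in the message above, as an added example that is not part of the original post or of the author's tool. The file format, function names, PBKDF2 hashing, the minimum length and the `audit` list (standing in for a syslog call) are all assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, stat

MIN_LEN = 10        # assumed policy; the post only asks for "bigger" lengths
ROUNDS = 200_000    # assumed PBKDF2 work factor

def password_acceptable(password, dictionary):
    """Quality gate for the 'passwd' replacement: length plus dictionary check."""
    lowered = password.lower()
    return len(password) >= MIN_LEN and not any(w in lowered for w in dictionary)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def make_entry(admin, password):
    """One line of the separate password file: name:salt:hash (assumed format)."""
    salt = secrets.token_bytes(16)
    return f"{admin}:{salt.hex()}:{_digest(password, salt).hex()}"

def load_store(path):
    """Load the file, refusing it if group or others have any access to it."""
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path} must be accessible by its owner only")
    store = {}
    with open(path) as fh:
        for line in filter(str.strip, fh):
            admin, salt, digest = line.strip().split(":")
            store[admin] = (bytes.fromhex(salt), bytes.fromhex(digest))
    return store

def verify_admin(store, admin, password, audit):
    """Check this admin's own root password and record every attempt."""
    salt, expected = store.get(admin, (b"\0" * 16, b""))
    # Hash even for unknown names so both failure paths cost the same.
    match = hmac.compare_digest(_digest(password, salt), expected)
    ok = admin in store and match
    # repr() keeps control characters in the name out of the log line.
    audit.append(f"admin={admin!r} result={'granted' if ok else 'denied'}")
    return ok
```

Because each administrator has a separate entry, one person's password can be changed or revoked without touching anyone else's, and the audit record names the individual rather than a shared account.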


