Date: Sun, 14 Jan 2001 17:05:30 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Doug Young <dougy@bryden.apana.org.au>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: security issue with 4.2
Message-ID: <Pine.BSF.4.21.0101141647540.44600-100000@ren.sasknow.com>
In-Reply-To: <014d01c07e39$aa566c00$847e03cb@apana.org.au>

Hi, Doug,

Doug Young wrote to freebsd-questions@FreeBSD.ORG:

> I'd appreciate feedback from the list on the following issue. As far
> as I can tell, the attempted intrusion was not successful, however I
> think it's probably time to take another look at increasing security
> measures & hopefully someone can suggest sources of suitable
> documentation. I tend to rely fairly heavily on the user-friendly
> sites such as bsdvault.net & freebsddiary.org but if there's other
> sources of fairly explicit info on this subject I'd be very interested
> in knowing.
>
> Some weeks after installing 4.2 & instituting as many security
> features as I considered reasonable for a machine with nothing of
> particular value on it, I discovered the following entries in
> /var/log/messages
>
> Jan 14 11:52:41 bryden ftpd [32545]: /etc/pwd.db: No such file or directory
> Jan 14 12:04:50 bryden ftpd [32559]: /etc/pwd.db: No such file or directory
>
> which I presume means some vandal was intent on mischief

Actually, probably not. /etc/pwd.db is used by ftpd to map UIDs to
usernames for remote display with ls. Those error messages probably mean
that you either have a valid user logged on in ftp in a chroot
environment, or you did not include /etc/pwd.db in your anonymous ftp
tree. In any case, pwd.db was not sent to the user in this example.

pwd.db is considered "insecure", because it does not contain any
password information (encrypted or non), therefore, it is fairly safe to
include in an ftp tree, with permissions 444. The worst that can happen
is an attacker could use it to find valid usernames on your system for
brute force password attacks or spam. If that's a concern, many
sysadmins either don't include pwd.db at all, or they build a watered
down version with only a few usernames.

Better yet, if you don't need ftp, disable the daemon in /etc/inetd.conf
and restart inetd.

spwd.db, on the other hand, should be protected with care :-)

> The IP of the culprit is "216.232.154.85", nslookup tells me that
> belongs to "atg93398y2j4.bc.hsia.telus.net"
>
> Since the number resolves to a name I figure the user probably has a
> permanent account with telus.net,

The fact that it reverse-resolves doesn't tell you much, but the name
itself suggests a highspeed user in BC, Canada. If you have evidence to
support an attack by this user, you'd have to report the exact time of
the attack, as well.

> so notification of the telus.net webmaster is in order.

A security officer would be better equipped to deal with the
notification, but I personally don't believe you really have a problem.

- Ryan

--
Ryan Thompson <ryan@sasknow.com>
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
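
One way to build the "watered down" pwd.db the reply mentions, as an added example that is not part of the original message. The function names, the allow-list argument and the `/var/ftp/etc` directory are assumptions; `pwd_mkdb -d` is the FreeBSD tool that writes the databases into a directory other than /etc.

```shell
#!/bin/sh
# Added example: reduced pwd.db for an anonymous ftp tree (FreeBSD).

# reduce_passwd KEEP < master.passwd
# KEEP is a comma-separated allow-list of usernames (administrator's choice).
# Emits only those accounts, with the password field replaced by "*".
reduce_passwd() {
    awk -F: -v keep="$1" '
        BEGIN {
            OFS = ":"
            n = split(keep, names, ",")
            for (i = 1; i <= n; i++) want[names[i]] = 1
        }
        /^#/ || NF != 10 { next }   # comments, malformed master.passwd lines
        ($1 in want) { $2 = "*"; print }
    '
}

# build_ftp_pwdb DIR KEEP [MASTER]
# DIR is the etc directory inside the ftp tree (hypothetical: /var/ftp/etc).
build_ftp_pwdb() {
    dir=$1 keep=$2 master=${3:-/etc/master.passwd}
    command -v pwd_mkdb >/dev/null 2>&1 || {
        echo "pwd_mkdb not found (FreeBSD only)" >&2; return 1; }
    tmp=$(mktemp) || return 1
    reduce_passwd "$keep" < "$master" > "$tmp"
    # Refuse to continue if any line still carries something other than "*".
    if awk -F: '$2 != "*" { bad = 1 } END { exit !bad }' "$tmp"; then
        echo "password field leaked into reduced file" >&2
        rm -f "$tmp"; return 1
    fi
    pwd_mkdb -d "$dir" "$tmp" || { rm -f "$tmp"; return 1; }
    # pwd_mkdb also writes the secure database; it has no place in the tree.
    rm -f "$dir/spwd.db" "$dir/master.passwd" "$tmp"
    chmod 444 "$dir/pwd.db"
}
```

Called as `build_ftp_pwdb /var/ftp/etc root,ftp`, this leaves only a world-readable pwd.db with two names in the ftp tree, so ls can show owners without exposing the full user list.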