-----BEGIN PGP SIGNED MESSAGE-----

             Protecting Yourself from Password File Attacks

We have seen incidents in which intruders obtain password files from sites and
then try to compromise accounts by cracking passwords. Once intruders gain
access to a user account, they attempt to gain root access through a cracked
root password or by exploiting another vulnerability.

These incidents point to the need for system administrators to adequately
defend their systems from this type of attack. We urge you to do the
following.

1. Protect your password file so that an intruder cannot obtain a copy of it.

2. Ensure that good passwords are selected so that they cannot easily be
   cracked, or use a technology in which passwords are not located in the
   password file.

3. Ensure that you are up-to-date with security patches and workarounds.

4. Watch for unusual activity.

More specifically, here are steps you can take to minimize the possibility
that your password file (with passwords in it) can fall into the hands of an
intruder.

1. Protect your password file.

   - Use a shadow password file. Under a shadow password system, the
     /etc/passwd file, which must stay world-readable because many programs
     use it to map user names to UIDs, does not have encrypted passwords in
     the password field. Instead, the encrypted passwords are held in a
     shadow file that is readable only by root. Consult your system manuals
     to determine whether or not a shadow password capability is available
     on your system and to get information on how to set up and manage such
     a facility.

   - Use a technology, such as one-time passwords or Kerberos, that does not
     rely on having passwords in the password file.

     For more information on one-time passwords, see Appendix B in

ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks

   - Ensure that you are up-to-date with sendmail and are using smrsh. Some
     sendmail vulnerabilities can be exploited by intruders to obtain a
     copy of a password file.

     Information on known sendmail vulnerabilities can be obtained from:

ftp://info.cert.org/pub/cert_advisories/CA-93:16.sendmail.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-93:16a.sendmail.vulnerability.supplement


ftp://info.cert.org/pub/cert_advisories/CA-95:05.sendmail.vulnerabilities

ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability

ftp://info.cert.org/pub/cert_advisories/CA-95:11.sun.sendmail-oR.vul

ftp://info.cert.org/pub/cert_advisories/CA-95:13.syslog.vul

ftp://info.cert.org/pub/cert_advisories/CA-96.04.corrupt_info_from_servers

     The smrsh program can be obtained from

ftp://info.cert.org/pub/tools/smrsh/

     smrsh is also included in the sendmail 8.7.5 distribution.

   - If you are using NCSA httpd 1.5a-export or Apache httpd 1.0.3 (or any
     earlier version of either), ensure that you have followed the advice
     in the advisory listed below. The example CGI programs shipped with
     those servers can be abused to run commands on the server, which is a
     common way for intruders to retrieve the password file.

ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

   - To help defend your site from NIS-based attacks, you may wish to
     install a portmapper/rpcbind replacement that has access control
     built in. Note that such a replacement only controls who may ask the
     portmapper where the NIS server is listening; an attacker may still
     find the NIS server's port number directly by scanning all privileged
     ports of the target machine and then talk to it without going through
     the portmapper. While the portmapper replacement won't defend you from
     this attack, effective packet filtering can defend you and effective
     logging will alert you to any attack in progress. To deny access to
     the NIS server you have to block all privileged port numbers (all port
     numbers less than 1024) on your router except those "well known"
     services you need and that are on fixed port numbers (like telnet and
     ftp). A replacement for portmapper/rpcbind that has access control and
     logging is available from

ftp://ftp.win.tue.nl/pub/security/portmap_3.BLURB
ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z
ftp://ftp.win.tue.nl/pub/security/portmap_3.shar.Z.asc

ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.README
ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z
ftp://ftp.win.tue.nl/pub/security/rpcbind_1.1.tar.Z.asc


   - Ensure that your anonymous ftp area is configured correctly.
     Intruders frequently exploit an ftp area that is not correctly
     configured to obtain the password file of the ftp server; the classic
     mistake is to copy the real /etc/passwd into ~ftp/etc instead of a
     minimal file that contains no encrypted passwords. For more
     information on configuring your ftp server, see the document
     "Anonymous FTP Configuration Guidelines" available at

ftp://ftp.cert.org/pub/tech_tips/anonymous_ftp_config
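
     The following script is an added example for the checks above (it is
     not part of this CERT document and not a CERT tool). It audits a
     passwd-format file for hashes left in the password field, empty
     passwords, extra UID-0 accounts and NIS "+" entries, checks that a
     shadow file is not world-readable, and runs the same audit over a copy
     of the password file placed in an anonymous ftp area. The two sample
     files and the 13-character hash string in them are constructed for the
     demo; the checks assume the traditional 7-field passwd layout.

```python
"""Audit passwd-format files for the problems this tech tip describes.

Added example, not part of the original CERT document.  SYSTEM_PASSWD and
FTP_PASSWD are constructed samples (the hash in FTP_PASSWD is a made-up
13-character DES-style string, not a real user's hash).  The checks assume
the traditional layout name:passwd:uid:gid:gecos:dir:shell and the
convention that a shadowed or locked entry carries "x", "*", "!", "!!",
"*LK*" or "NP" in the password field.
"""
import os
import stat
import tempfile

# Password-field values that mean "no hash is stored here".
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP"}

# Constructed sample: a shadowed /etc/passwd with two classic mistakes.
SYSTEM_PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
daemon:*:1:1:System daemon:/:/bin/false
alice:x:1001:100:Alice:/home/alice:/bin/csh
toor:x:0:0:Second root account:/:/bin/sh
guest::1002:100:Guest account:/home/guest:/bin/sh
+::0:0:::
"""

# Constructed sample: ~ftp/etc/passwd copied from a non-shadowed system,
# so any anonymous FTP client can fetch a crackable hash.
FTP_PASSWD = """\
root:*:0:0:::/bin/false
ftp:AbC1dEf2gHi3j:14:50:Anonymous FTP:/home/ftp:/bin/false
"""


def audit_passwd_text(text, label="passwd"):
    """Return human-readable findings for one passwd-format file."""
    findings = []
    seen_names = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"{label}:{lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if name.startswith("+") or name.startswith("-"):
            # NIS inclusion/exclusion line: the account data comes from the
            # NIS passwd map, which needs the same protection as this file.
            findings.append(f"{label}:{lineno}: entry {name!r} pulls accounts from NIS")
            continue
        if name in seen_names:
            findings.append(f"{label}:{lineno}: duplicate account name {name!r}")
        seen_names.add(name)
        if pw == "":
            findings.append(f"{label}:{lineno}: {name} has an EMPTY password")
        elif pw not in PLACEHOLDERS:
            findings.append(f"{label}:{lineno}: {name} carries a password hash "
                            "(file is not shadowed; the hash is readable by anyone)")
        if uid == "0" and name != "root":
            findings.append(f"{label}:{lineno}: {name} has UID 0 (root-equivalent)")
    return findings


def audit_shadow_perms(path):
    """Return findings about the on-disk mode and owner of a shadow file."""
    st = os.stat(path)
    findings = []
    if st.st_mode & stat.S_IROTH:
        findings.append(f"{path}: shadow file is world-readable "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: shadow file is group- or world-writable")
    if st.st_uid != 0:
        findings.append(f"{path}: shadow file is not owned by root (uid {st.st_uid})")
    return findings


def run_demo():
    """Run every check against the constructed samples; return findings by section."""
    results = {
        "system": audit_passwd_text(SYSTEM_PASSWD, "/etc/passwd"),
        "ftp": audit_passwd_text(FTP_PASSWD, "~ftp/etc/passwd"),
    }
    # A scratch file stands in for /etc/shadow so the permission check runs offline.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"root:AbC1dEf2gHi3j:10000::::::\n")
    try:
        os.chmod(tmp.name, 0o644)                    # the mistake: readable by all
        results["shadow_bad"] = audit_shadow_perms(tmp.name)
        os.chmod(tmp.name, 0o600)                    # the fix: owner only
        results["shadow_fixed"] = audit_shadow_perms(tmp.name)
    finally:
        os.unlink(tmp.name)
    return results


if __name__ == "__main__":
    for section, findings in run_demo().items():
        print(f"== {section} ==")
        for finding in findings or ["(no findings)"]:
            print("  ", finding)
```

     Run it against /etc/passwd, the shadow file, and every copy of the
     password file in an ftp area (the anonymous area is only the most
     common place such copies turn up).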

2. Ensure that the passwords being used on accounts cannot easily be guessed
   or cracked by intruders.

     You may wish to verify that good passwords are being selected at your
     site (in accordance with your organization's policies and procedures).
     Crack is a tool you can use to do this. It is a freely available program
     designed to find standard UNIX DES-encrypted passwords that are words
     from widely available dictionaries, or simple variations of them, using
     the guessing techniques outlined in the Crack documentation. Run it
     against your own password file before an intruder does.

     Crack is available by anonymous FTP from

ftp://info.cert.org/pub/tools/crack
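
     To show what such a tool actually does, here is an added example (not
     code from the Crack distribution or from this document) of the core
     loop: take each account name, the words in its GECOS field and a word
     list, apply a few of the mangling rules Crack's documentation
     describes (case changes, reversal, an appended digit), and compare
     each guess against the stored hash. It uses the standard library's
     crypt() for traditional DES where that is available; on Python builds
     without it, hash_password falls back to a salted SHA-256 stand-in that
     is an assumption made only so the demo runs, not a scheme any system
     uses. The passwd entries, word list and demo passwords are constructed;
     the shadow entries are hashed from them at load time.

```python
"""Crack-style dictionary audit of a shadow file (added example, not Crack
itself).  Guesses are derived from the account name, GECOS words and a word
list, mangled, hashed with the entry's own salt and compared to the stored
hash.  Sample data is constructed; hash_password falls back to a labelled
stand-in where the DES crypt() is not available.
"""
import hashlib
import re

try:
    import crypt as _crypt  # deprecated in 3.11/3.12, removed in 3.13
    _probe = _crypt.crypt("probe", "ab")
    if not (isinstance(_probe, str) and len(_probe) == 13 and _probe.startswith("ab")):
        raise ImportError("libcrypt built without traditional DES")

    def hash_password(password, salt):
        """Traditional 13-character DES crypt: 2-char salt + 11 chars."""
        return _crypt.crypt(password, salt)
except Exception:
    def hash_password(password, salt):
        """Portable stand-in (an assumption for this demo, not a real scheme):
        same 2+11 shape as DES crypt so the rest of the code is unchanged."""
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return salt + digest[:11]


# Constructed sample /etc/passwd (GECOS supplies extra guesses per account).
PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
alice:x:1001:100:Alice Example:/home/alice:/bin/csh
bob:x:1002:100:Bob Example:/home/bob:/bin/sh
carol:x:1003:100:Carol Example:/home/carol:/bin/sh
"""

# Demo passwords used only to build the sample shadow file: root reversed
# its own name, alice reused hers, bob used a dictionary word with a digit,
# carol chose a password no rule here will reach.
_DEMO_PASSWORDS = {"root": "toor", "alice": "alice", "bob": "Wombat7", "carol": "pz!4Qm8#vL"}
_DEMO_SALTS = {"root": "ab", "alice": "cd", "bob": "ef", "carol": "gh"}
SHADOW = "".join(
    f"{user}:{hash_password(pw, _DEMO_SALTS[user])}:10000::::::\n"
    for user, pw in _DEMO_PASSWORDS.items()
)
WORDLIST = ["apple", "wombat", "password", "secret", "dragon"]
PLACEHOLDERS = {"", "x", "*", "!", "!!"}


def mangle(word):
    """Ordered, de-duplicated guesses derived from one word by Crack-style rules."""
    w = word.strip()
    if not w:
        return []
    guesses = [w, w.lower(), w.capitalize(), w.upper(), w[::-1]]
    guesses += [base + digit for base in (w.lower(), w.capitalize()) for digit in "0123456789"]
    return list(dict.fromkeys(guesses))


def gecos_words(gecos):
    """Words from the GECOS field (names people tend to reuse as passwords)."""
    return [part for part in re.split(r"[ ,]+", gecos) if part]


def crack(shadow_text, passwd_text, wordlist):
    """Return {account: recovered_password} for every hash some guess matches."""
    gecos = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            gecos[fields[0]] = fields[4]
    cracked = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[1] in PLACEHOLDERS or fields[1].startswith("*"):
            continue
        name, stored = fields[0], fields[1]
        salt = stored[:2]
        # Cheapest, highest-yield guesses first, then the word list.
        sources = [name] + gecos_words(gecos.get(name, "")) + list(wordlist)
        tried = set()
        for word in sources:
            for guess in mangle(word):
                if guess in tried:
                    continue
                tried.add(guess)
                if hash_password(guess, salt) == stored:
                    cracked[name] = guess
                    break
            if name in cracked:
                break
    return cracked


if __name__ == "__main__":
    for account, password in crack(SHADOW, PASSWD, WORDLIST).items():
        print(f"{account}: {password}")
```

     Every cracked entry in the output is an account an intruder with a
     copy of the file would own in seconds; carol's absence is what a good
     password looks like to this kind of tool.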


3. Ensure that you are up-to-date with patches and workarounds on your
   machines.

     Keeping up-to-date can help minimize the likelihood that a compromised
     user account can be escalated to root. For information about the
     latest patches and workarounds, contact your vendor. You can also find
     information in

ftp://info.cert.org/pub/latest_sw_versions

4. Watch for unusual activity.

     Use all of the logging facilities available, including wtmp, syslog,
     and process accounting. Use tcp wrappers and log all connection
     attempts for all services made available via inetd. Examine these
     logs regularly, looking for suspicious activity such as connections
     refused by tcp wrappers, repeated failed logins, and failed or
     unexpected su attempts to root. One tool that is available to
     analyze syslog files is SWATCH. It is available at

ftp://ftp.stanford.edu/general/security-tools/swatch
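
     As an added example of the kind of pattern watching SWATCH is used
     for (this is not SWATCH and not part of this document), the script
     below scans syslog lines for tcp wrapper refusals and su attempts and
     raises alerts for a host probing several wrapped services, for
     repeated failed su attempts, and for a user who becomes root right
     after a run of failures, which is what a freshly cracked root password
     looks like in the logs. The log lines are constructed in the shape of
     tcpd's "refused connect from" message and the BSD su "BAD SU" message;
     the thresholds are assumptions to tune for your site.

```python
"""Scan syslog text for password-attack indicators (added example, not SWATCH).

SAMPLE_LOG is constructed: the tcpd "refused connect from" and BSD su
"BAD SU user to root" message shapes are used as written here; adapt the
regular expressions to the exact format your daemons produce.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar 12 02:14:01 gw in.telnetd[2231]: refused connect from 192.0.2.7
Mar 12 02:14:03 gw in.ftpd[2232]: refused connect from 192.0.2.7
Mar 12 02:14:05 gw in.rlogind[2233]: refused connect from 192.0.2.7
Mar 12 02:14:09 gw in.fingerd[2234]: refused connect from 192.0.2.7
Mar 12 02:15:11 gw in.ftpd[2240]: connect from 198.51.100.20
Mar 12 02:20:44 gw su: BAD SU alice to root on /dev/ttyp0
Mar 12 02:21:02 gw su: BAD SU alice to root on /dev/ttyp0
Mar 12 02:21:30 gw su: BAD SU alice to root on /dev/ttyp0
Mar 12 02:22:07 gw su: alice to root on /dev/ttyp0
Mar 12 03:01:00 gw in.ftpd[2260]: connect from 198.51.100.20
"""

RULES = {
    # tcpd logs a refusal as "<service>[pid]: refused connect from <host>".
    "refused": re.compile(r"(?P<service>in\.\w+)\[\d+\]: refused connect from (?P<src>\S+)"),
    # BSD su logs a failure as "su: BAD SU <user> to <target> on <tty>".
    "su_fail": re.compile(r"su: BAD SU (?P<user>\S+) to (?P<target>\S+)"),
    # ...and a success as "su: <user> to <target> on <tty>".
    "su_ok": re.compile(r"su: (?P<user>\S+) to (?P<target>\S+) on"),
}


def analyze(log_text, refuse_threshold=3, su_fail_threshold=2):
    """Return a list of alert strings for the indicators found in log_text."""
    refused = Counter()                    # source host -> refusals
    refused_services = defaultdict(set)    # source host -> services probed
    su_failures = Counter()                # (user, target) -> failures so far
    alerts = []
    for line in log_text.splitlines():
        m = RULES["refused"].search(line)
        if m:
            refused[m["src"]] += 1
            refused_services[m["src"]].add(m["service"])
            continue
        m = RULES["su_fail"].search(line)
        if m:
            su_failures[(m["user"], m["target"])] += 1
            continue
        m = RULES["su_ok"].search(line)
        if m:
            key = (m["user"], m["target"])
            # Success after failures is the signature of a guessed password.
            if m["target"] == "root" and su_failures[key]:
                alerts.append(f"{m['user']} became root after "
                              f"{su_failures[key]} failed su attempts")
    for src, n in refused.items():
        if n >= refuse_threshold:
            services = ", ".join(sorted(refused_services[src]))
            alerts.append(f"{src} was refused by {n} wrapped services ({services}): probable probe")
    for (user, target), n in su_failures.items():
        if n >= su_fail_threshold:
            alerts.append(f"{n} failed su attempts by {user} to {target}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("ALERT:", alert)
```

     The same three rules can be expressed as SWATCH patterns; the value of
     a script like this is that it correlates the su failures with the
     later success instead of reporting each line on its own.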



- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDjXHXVP+x0t4w7BAQG0rQQAgbY4++xQmhGsINARdk84YeUsPGR+57CQ
VngUTNijRGS433RQOvkBTgClM2qHsMkIcIr3nt/V2cIzq+8TRDrAtUAfFGfnTWJp
R32y6VfUob9rRqjZi8UPFymEOPtwFu3veFWbqKCN6b+iVrhdF9PKUbES1dzkQkCM
wxbJ8iLgEwk=
=c78h
-----END PGP SIGNATURE-----