[lug] What do you do about hackers (in the current sense of uninvited obnoxious intruders)

Bear Giles bgiles at coyotesong.com
Fri Apr 12 22:21:12 MDT 2002 

> > Is there anything that can or shoud be done about folks trying to access
> > /etc/passwd?
> 
> This is normal for all kinds of authentication.

It's normal for all kinds of local authentication.  But anyone asking
for it via the network should be viewed with extreme suspicion.

> Stopping it prevents
> even valid logins. That is why shadow passwords exist. The non-shadowed
> versions still save passes in a one-way hash, but nowadays could be
> cracked with a good dictionary (assuming old crypt functions; crypt with
> sha-1 or md5 might be a *long* session, unless a set of high-probability
> words were used for a pass and the cracker tests those first).

You still need salt.  Let's assume a dictionary of a million passwords.
Hell, let's go for 10 million passwords.  SHA-1 is 20 bytes, plus another
12 bytes for the password itself.  That's only 320 MB, half a CD-R.  The
other half of the CD-R could contain the same dictionary hashed with MD-5.
If I use a B-tree index with a blocksize of 4k, that's a branching factor
of a bit over 100.  So we're looking at 4 seeks (100^4 > 10 million) to
look up any hash.

But with 12 bits of salt that 320 MB is bumped to 1.3 TB.  No longer
impossible, but not something the casual attacker will have access to.

> Do you
> have shadow on? If so, don't worry about someone reading it or even
> copying it.

Unless it's being returned by a server with root access.

BTW, it's usually not a good idea to encourage attackers but in this
case I wouldn't mind a little servlet that dutifully returned a response
to any "*/etc/passwd" file:

  root:x:0:0:root:/root/bin/bash
  a:x:1:1:a:/home/a/a:/bin/bash
  aa:x:2:2:aa:/home/a/aa:/bin/bash
  aaa:x:3:3:aa:/home/a/aaa:/bin/bash
  ...
  zzzzzzzz:x:3512479453921:3512479453921:/home/z/zzzzzzzz:/bin/bash

Think their system could handle an /etc/password file with approx.
3.5 trillion entries?  (what is the number of valid user names?)
The mere fact that a monster file containing a bogus password file
should cause alarm among most competent sysadmins.  (Insert obcomment
about MCSE here.)

> > 217.82.33.200 - - [12/Apr/2002:13:28:10 -0600] "GET
> > HTTP://www.microsoft.com/ HTTP/1.0" 200 5714

I think this was a request for your server to act as a proxy.  If it
succeeded, your server could be used to launch attacks on others... and
you would catch any flak.

Bear

More information about the LUG mailing list