[lug] What do you do about hackers (in the current sense of uninvited obnoxious intruders)

Bear Giles bgiles at coyotesong.com
Sat Apr 13 19:34:19 MDT 2002


> > It's normal for all kinds of local authentication.  But anyone asking
> > for it via the network should be viewed with extreme suspicion.
> 
> Depends. For NFS, quite a few PAM based auths, and I'm sure more that
> depend on either a system directory of users (I'm loosely including
> multiple means of doing this), all access it. 

But they access it locally, on behalf of a remote user.  Neither NFS nor
PAM asks a remote system for its copy of the /etc/passwd file.  The only
thing even remotely close is NIS, and even NIS should not be distributing
the ypasswd file to anyone other than the local subnet.

> Some distributed authentications will access this, but it
> will be via a system library function, not a read of the whole file.

With NSS setups, /etc/passwd may only contain the standard system
accounts with all user accounts maintained in an LDAP directory.

> > > Do you
> > > have shadow on? If so, don't worry about someone reading it or even
> > > copying it.
> > 
> > Unless it's being returned by a server with root access.
> 
> I don't know of any even semi-modern Linux distros that use root access
> (of course there is IIS on win that runs as administrator, and plays
> suid games to make it appear less vulnerable, but has just as many games
> available to get admin level back). 

I wasn't just referring to the web server.  It's harder to exploit a
buffer overflow, but it's not impossible.  That's why it's important
that all services eventually run as non-privileged users and/or in
sandboxes.
 
> Actually, a variation on this would be fun. Make it so that fake
> accounts have passwords that if a dictionary finds it, and someone tries
> to use it, a network sniffer triggers alarms and traces whatever it is
> trying to use that name with the unencrypted pass (honeypot?).

That's skirting "feeding the trolls" - how sure are you that you don't
have any potential exploits in your honeypot?

> I would be highly surprised if the original attacker wasn't themself a
> cracked machine.

I agree, but I also know that many sites refuse to believe that they've
been cracked until presented with indisputable proof.  Hence the comment
about filling a partition with a bogus /etc/passwd file - it would be
hard to ignore the fact that you've been cracked in this case.

In contrast, I'm still getting hit with MSTDs from about 10 other cable
modem users.  If I could somehow track down the owners, I'm sure every
one of them would insist that their system hasn't been compromised and
there's no reason for them to take any corrective action.

Bear
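The fake-account idea discussed above (bait accounts whose use should trip an alarm), as an added defender-side example that is not part of the original thread: a small Python scanner over constructed sshd log lines that flags any authentication attempt against canary account names. The canary names, the log lines and the alert format are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical canary accounts: entries that exist in /etc/passwd only as bait,
# so no legitimate user should ever try to log in with them.
CANARY_ACCOUNTS = {"backup2", "oracle", "test"}

# Matches the common sshd password-auth outcome lines in syslog format.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    ip: str
    result: str
    severity: str  # "critical" if the bait password actually worked, else "warning"

def scan_auth_log(lines, canaries=CANARY_ACCOUNTS):
    """Return one Alert per login attempt that names a canary account."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("user") not in canaries:
            continue
        # An Accepted login means the attacker obtained the bait password
        # (e.g. by cracking a copied passwd/shadow file), which is the strongest signal.
        severity = "critical" if m.group("result") == "Accepted" else "warning"
        alerts.append(Alert(m.group("ts"), m.group("user"), m.group("ip"),
                            m.group("result"), severity))
    return alerts

# Constructed sample log lines (not real traffic); only two name canary accounts.
SAMPLE_LOG = """\
Apr 13 19:01:02 host sshd[1234]: Accepted password for alice from 192.0.2.10 port 5000 ssh2
Apr 13 19:02:15 host sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Apr 13 19:03:44 host sshd[1251]: Accepted password for backup2 from 198.51.100.7 port 4031 ssh2
Apr 13 19:04:01 host sshd[1260]: Failed password for oracle from 203.0.113.5 port 4100 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in scan_auth_log(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.ts} canary '{alert.user}' {alert.result} from {alert.ip}")
```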
