Summary: Which of the hardening changes disabled the users "stored password" telnet login?

From: sunhux G <sunhux_at_gmail.com>
Date: Wed Sep 10 2008 - 09:51:39 EDT
Thanks Matthew & Anthony.

Just realized the problem lies with the TCP wrapper for Solaris 8 which
I got from sunfreeware.org:

Removing "/usr/local/bin/tcpd" for telnetd in inetd.conf solved
the problem.  This wrapper has also caused an "lp" printing problem when
used to 'wrap' the printer service in inetd.conf.

There's a suggestion that disabling "rlogin/rhost" in pam.conf could cause
this, but that's not the case.

Good point on why we're using "telnet" even though it's supposed to be a hardening
exercise: there are scripts/macros built into the terminal emulator software,
and this legacy, which has been in place for ages, will take a while to overcome.


Thanks
U

On Tue, Sep 9, 2008 at 6:33 PM, sunhux G <sunhux@gmail.com> wrote:

>
> Hi,
>
> After doing some hardening (for audit purposes), our users (ids land1 &
> enq1) were not able to do "telnet token login". They're using a sort of
> Reflection terminal emulator that allows them to store their Unix password
> in their PC's emulator software.
> In the past, after getting the "telnet" login prompt, a window would pop
> up which allowed them to select/click a userid, and the password would
> automatically be fed from the emulator software into Solaris, so they could
> log in (without having to key in the password).
> Which of the hardening steps I've taken below could have been the likely
> culprit?
>
>
> Negative: 1.2 tcp6-protocol service ftp in inetd.conf is not wrapped. - wrapped with tcpd
> Negative: 1.2 tcp6-protocol service telnet in inetd.conf is not wrapped. - wrapped with tcpd
> Negative: 1.2 tcp6-protocol service time in inetd.conf is not wrapped. - disabled in inetd.conf
> Negative: 1.2 udp6-protocol service time in inetd.conf is not wrapped. - disabled
> Negative: 1.2 tcp6-protocol service printer in inetd.conf is not wrapped. - wrapped with tcpd
> Negative: 1.2 udp-protocol service bootps in inetd.conf is not wrapped. - disabled
> Negative: 1.2 tcp-protocol service bgssd in inetd.conf is not wrapped. - disabled
> Negative: 1.2 tcp-protocol service omni in inetd.conf is not wrapped. - wrapped with tcpd
> Negative: 2.1 inetd listens on port time -- this port's line should be commented out or deleted in inetd.conf. - disabled
> Negative: 2.1 inetd listens on port ufsd/1 -- this port's line should be commented out or deleted in inetd.conf. - disabled
> Negative: 2.1 inetd listens on port 100235/1 -- this port's line should be commented out or deleted in inetd.conf. - disabled
> Negative: 2.2 telnet not deactivated. - needed so not deactivated
> Negative: 2.6 BSD-compatible printer server should be deactivated - needed, so wrapped using tcpd
> Negative: 2.8 CDE-related daemon rpc.ttdbserverd not deactivated in inetd.conf. - disabled
> Negative: 3.1 Serial login prompt not disabled. - disabled
> Negative: 3.3 inetd is still active. - needed so left alone
> Negative: 3.17 Graphical login-related script dtlogin not deactivated. - left alone
> Negative: 3.19 SNMP daemon should be deactivated. - needed so left alone
> Negative: 4.1 per-process coredumps are configured on, but not forced into a root-owned, 0700 directory with root-owned, non-group and world-writable parent directories. - done
> Negative: 4.3 NFS clients aren't restricted to privileged ports.
> Negative: 4.4 Source routing (ip_forward_src_routed) should be deactivated
> Negative: 4.4 ip6 source routing (ip6_forward_src_routed) should be deactivated
> Negative: 4.4 Forwarding of directed broadcasts (ip_forward_directed_broadcasts) isn't disabled.
> Negative: 4.4 tcp_conn_req_max_q0 should be at least 4096 to avoid TCP flood problems.
> Negative: 4.4 tcp_conn_req_max_q should be at least 1024 to avoid TCP flood problems.
> Negative: 4.4 ip_respond_to_timestamp isn't 0.
> Negative: 4.4 ip_respond_to_timestamp_broadcast should be 0.
> Negative: 4.4 ip_respond_to_echo_broadcast should be 0.
> Negative: 4.4 ip_ignore_redirect isn't set to 1.
> Negative: 4.4 ip6_ignore_redirect isn't set to 1.
> Negative: 4.4 Port 6112 is not included in tcp_extra_priv_ports.
> Negative: 4.4 ARP timer (arp_cleanup_interval) should be at most 60,000.
> Negative: 4.4 ARP timer (ip_ire_arp_interval) should be at most 60,000
> Negative: 4.5 ip_strict_dst_multihoming isn't activated.
> Negative: 4.5 ip6_strict_dst_multihoming isn't activated.
> Negative: 4.5 ip_send_redirects isn't set to 0.
> Negative: 4.6 TCP sequence numbers not strong enough.
> Negative: 5.1 inetd's connection logging is not active.
> Negative: 5.2 ftp is running out of inetd on port ftp, but does not do "-d" debug logging.
> Negative: 5.3 syslog does not permanently capture daemon.debug messages.
> Negative: 5.7 Couldn't find an active sadc line in /etc/rc2.d/S21perf to verify system acctg.
> Negative: 5.8 kernel-level auditing isn't enabled.
> Negative: 5.9 /var/adm/wtmpx should not be world or group writable.
> Negative: 6.1 logging option isn't set on root file system
> Negative: 6.8 Fix-modes has not been run here.
> Negative: 7.1 inetd.conf's sadmind line does not have a -S 2 argument.
> Negative: 7.3 /etc/pam.conf appears to support rhost auth.
> Negative: 7.4 User uucp is not present in /etc/ftpusers
> Negative: 7.5 System is running syslogd without the -t switch, accepting remote logging.
> Negative: 7.6 /etc/dt/config/Xconfig doesn't exist, thus permits xdmcp port listening.
> Negative: 7.8 /etc/dt/config/ doesn't exist, so GUI screenlocker can't be configured.
> Negative: 7.9 Non-root accounts are in cron.allow.
> Negative: 7.9 Couldn't open at.allow
> Negative: 7.10 The permissions on /var/spool/cron/crontabs/lp are not sufficiently restrictive.
> Negative: 8.8 User land1 has a world-executable homedir!
> Negative: 8.8 User land1 has a world-readable homedir!
> Negative: 8.8 User enq1 has a world-executable homedir!
> Negative: 8.8 User enq1 has a world-readable homedir!
> Negative: 8.11 Current umask setting in file /etc/.login is 000 -- it should be stronger to block world-read/write/execute. - changed to 022
> Negative: 8.11 Current umask setting in file /etc/.login is 000 -- it should be stronger to block group-read/write/execute. - changed to 022
> Negative: 8.11 Current umask setting in file /etc/profile is 022 -- it should be stronger to block world-read/write/execute.
> Negative: 8.11 Current umask setting in file /etc/profile is 022 -- it should be stronger to block group-read/write/execute.
> Negative: 8.11 Current umask setting in file /etc/default/login is 022 -- it should be stronger to block world-read/write/execute.
> Negative: 8.11 Current umask setting in file /etc/default/login is 022 -- it should be stronger to block group-read/write/execute.
> Negative: 8.13 /etc/profile should have mesg n to block talk/write commands and strengthen permissions on user tty.
> Negative: 8.13 /etc/.login should have mesg n to block talk/write commands and strengthen permissions on user tty.
> Negative: 9.1 /etc/issue doesn't have a authorized-use banner.
> Negative: 9.2 /etc/dt/config/ doesn't exist, so GUI welcome message couldn't have been changed.
> Negative: 9.3 Couldn't open /etc/default/telnetd to test for BANNER line - created /etc/default/telnetd with banner
> Negative: 9.4 Couldn't open /etc/default/ftpd to test for BANNER line - created ftpd with banner
>
> I could elaborate in more detail on the changes done, as there's too much to
> write here.
>
>
> Thanks
> U
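As an added check (not code from the thread): a small shell script that reads an inetd.conf and reports, per service, whether its line is disabled, wrapped with tcpd, or unwrapped, so the effect of the 1.2 and 2.1 items above on telnet, ftp, printer, time and the RPC entries can be verified before and after a change. The sample inetd.conf it writes is constructed, and the AWK variable is an assumption for portability.

```shell
#!/bin/sh
# Added example, not from the thread: classify each inetd.conf service as
# disabled (commented out), wrapped (server program is tcpd) or unwrapped.
# inetd.conf fields: service socket proto wait user server-program args...
# On Solaris 8 run with AWK=nawk; /usr/bin/awk there lacks sub() and regex split().
inetd_wrap_status() {
    ${AWK:-awk} '
        {
            line = $0
            disabled = 0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line ~ /^#/) {                    # commented-out entry
                sub(/^#+[ \t]*/, "", line)
                disabled = 1
            }
            n = split(line, f, /[ \t]+/)
            # A service line has a program path or "internal" in field 6;
            # ordinary comments and blank lines are skipped.
            if (n < 6 || (f[6] !~ /^\// && f[6] != "internal")) next
            if (disabled)               status = "disabled"
            else if (f[6] ~ /\/tcpd$/)  status = "wrapped"
            else                        status = "unwrapped"
            prog = (status == "wrapped" && n >= 7) ? f[7] : f[6]
            print f[1], status, prog
        }' "$1"
}

# Status of one service (e.g. telnet or 100235/1) from the given inetd.conf.
service_status() {
    inetd_wrap_status "$1" | ${AWK:-awk} -v s="$2" '$1 == s { print $2 }'
}

# Constructed sample in the style of a Solaris 8 inetd.conf after the
# hardening in the thread; written to the path given as $1.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Ftp and telnet are standard Internet services.
ftp     stream  tcp6    nowait  root    /usr/local/bin/tcpd     /usr/sbin/in.ftpd
telnet  stream  tcp6    nowait  root    /usr/local/bin/tcpd     /usr/sbin/in.telnetd
#time   stream  tcp6    nowait  root    internal
printer stream  tcp6    nowait  root    /usr/local/bin/tcpd     /usr/lib/print/in.lpd
#100235/1 tli   rpc/ticotsord wait root /usr/lib/fs/cachefs/cachefsd cachefsd
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
EOF
}

if [ "$1" = "--demo" ]; then
    write_sample_inetd_conf /tmp/inetd.conf.sample && inetd_wrap_status /tmp/inetd.conf.sample
fi
```

Run it with --demo to see the constructed sample classified, or point inetd_wrap_status at the real /etc/inetd.conf.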
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Sep 10 09:54:10 2008

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:12 EST