Acceptable Limits of Security Scan

Post by Wes Fel » Sun, 11 Aug 1996 04:00:00

Acceptable Limits for Security Scanning.

We are having some dialog on Security Scanning that is proposed for our
Internet site, and it would be helpful to get opinions from other
SysAdmins.

Here is our situation...we are a school district that has given out about
1400 shell accounts to teachers and employees over the last three years on
our own Server at no cost to the users.  Due to some very lame security
decisions in our early days, we have quite a number of hackers (Crackers)
who very easily moved into our system.  I've caught 22 of them in the last
year, usually when they did something obvious and dumb when I happened to
be looking.  (I have a "w" command set up to auto run on my logons).

For security reasons, we do NOT allow .rhosts files.  Our admin agrees to
not allow these but won't shut down the rlogin processes.  So, I set up a
crontab job to search for .rhosts files every night, to remove them if it
finds them, and to e-mail me the contents.  (Finding "+ +" is how we found
a number of the hackers.)

Some of us would like to expand this nightly "Security Scan" to do a
"find" on files like "WaReZ",  "[Cc]rack", "passwd", and other Cracker
file names.  Some people even would like to search for "playmate*" and
such files since the Server is school district property.

The question then is "Is this acceptable Security Scanning or an invasion
of the users' privacy?".  We exclude all of the e-mail files from the
scanning and we don't look inside any files.  Of course, smarter people
will just change the names of their Cracker files, but we hope to catch
them before they catch on.  If this Scanning is acceptable, how much
notification is necessary to the users?  

-Wes
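As an added illustration of the nightly job the post describes (this is not Wes's actual crontab script), the following sh script classifies every .rhosts file under a home-directory root, flags the "+ +" style wildcard entries, produces the contents-then-remove report for mailing, and does the name-only scan for the other file names mentioned without opening any file. It assumes (my assumptions, not the post's) that home directories sit under a single root passed as the first argument and that cron pipes the output to mail(1); the fixture directories and file names are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not the poster's cron job: a nightly .rhosts audit in the
# spirit of the one described above. Assumptions (mine, not the post's):
# home directories live under one root ($1 below), and cron pipes the
# report to mail(1), e.g.  0 2 * * * /usr/local/sbin/rhosts_audit | mail admin

# Classify every .rhosts file under the directory given as $1.
# Output: one "<path><TAB><risk>" line per file, where risk is
#   wildcard - a line whose host field is "+" (e.g. "+ +"), trusting any host
#   trusted  - only explicit host/user pairs
scan_rhosts() {
    find "$1" -type f -name .rhosts 2>/dev/null | sort | while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*\+([[:space:]]|$)' "$f"; then
            printf '%s\twildcard\n' "$f"
        else
            printf '%s\ttrusted\n' "$f"
        fi
    done
}

# Number of wildcard .rhosts files under $1 (what the "+ +" check catches).
count_wildcards() {
    n=$(scan_rhosts "$1" | grep -c 'wildcard$') || true
    echo "${n:-0}"
}

# The report the post describes: dump each file's contents, then remove it.
# Written to stdout so cron can pipe it to mail(1).
quarantine_rhosts() {
    tab=$(printf '\t')
    scan_rhosts "$1" | while IFS="$tab" read -r f risk; do
        printf '=== %s (%s) ===\n' "$f" "$risk"
        cat "$f"
        rm -f "$f"
    done
}

# Name-only scan for the other file names the post mentions. Each pattern is
# matched case-insensitively against the file name; only metadata is shown
# (ls -ld), the contents are never opened, matching the post's "we don't
# look inside any files".
scan_names() {
    root=$1; shift
    for pat in "$@"; do
        find "$root" -iname "$pat" 2>/dev/null
    done | sort -u | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Constructed fixture so the script runs offline: three home directories,
# one with a "+ +" .rhosts, one with an explicit entry, one with none.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/alice" "$t/bob" "$t/carol/stuff"
    printf '+ +\n' > "$t/alice/.rhosts"
    printf 'trusted.example.org bob\n' > "$t/bob/.rhosts"
    : > "$t/carol/stuff/WaReZ.tar"
    : > "$t/carol/Crack.c"
    echo "$t"
}

ROOT=$(make_fixture)
scan_rhosts "$ROOT"
echo "wildcard .rhosts files: $(count_wildcards "$ROOT")"
scan_names "$ROOT" 'warez*' '*crack*'
quarantine_rhosts "$ROOT"
echo ".rhosts files left: $(scan_rhosts "$ROOT" | wc -l | tr -d ' ')"
rm -rf "$ROOT"
```

The wildcard pattern matches any line whose host field is a bare "+", so it catches "+ +" as well as "+ username" (any host for one user); an explicit host/user pair is reported as "trusted" rather than silently passed, since the post's policy is that no .rhosts file is allowed at all.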

Acceptable Limits of Security Scan

Post by bill davids » Tue, 13 Aug 1996 04:00:00

| For security reasons, we do NOT allow .rhosts files.  Our admin agrees to
| not allow these but won't shut down the rlogin processes.  So, I set up a
| crontab job to search for .rhosts files every night, to remove them if it
| finds them, and to e-mail me the contents.  (Finding "+ +" is how we found
| a number of the hackers.)

Sounds like an administrative problem rather than a technical one.
Tell the admin to turn off rlogin and rsh on your system. There is
no reason to have rlogin/rsh if you don't allow .rhosts files. Just
comment out the entries in /etc/inetd.conf and the problem goes away
forever.

That problem, not the cracker problem.
|
| Some of us would like to expand this nightly "Security Scan" to do a
| "find" on files like "WaReZ",  "[Cc]rack", "passwd", and other Cracker
| file names.  Some people even would like to search for "playmate*" and
| such files since the Server is school district property.

I have doubts that it will do much good, but you can do it. I would
put all these users in a group not allowed to use the compilers, and
run them in a restricted shell.

| The question then is "Is this acceptable Security Scanning or an invasion
| of the users' privacy?".  We exclude all of the e-mail files from the
| scanning and we don't look inside any files.  Of course, smarter people
| will just change the names of their Cracker files, but we hope to catch
| them before they catch on.  If this Scanning is acceptable, how much
| notification is necessary to the users?  

I would not give any notice. You're giving people access to your
system, and they're abusing it. If you tell them what you're doing
they can get around it more easily.

On high risk systems I like to log errors to another machine with
high security. This prevents removal of log files. You can set
syslog.conf to remote log stuff, or even log it over a serial line
to a non-net machine (I do).
--

"As a software development model, Anarchy does not scale well."
                -Dave Welch

Acceptable Limits of Security Scan

Post by Sander Ves » Tue, 13 Aug 1996 04:00:00


: Acceptable Limits for Security Scanning.

: We are having some dialog on Security Scanning that is proposed for our
: Internet site, and it would be helpful to get opinions from other
: SysAdmins.

: Here is our situation...we are a school district that has given out about
: 1400 shell accounts to teachers and employees over the last three years on
: our own Server at no cost to the users.  Due to some very lame security
: decisions in our early days, we have quite a number of hackers (Crackers)
: who very easily moved into our system.  I've caught 22 of them in the last
: year, usually when they did something obvious and dumb when I happened to
: be looking.  (I have a "w" command set up to auto run on my logons).

: For security reasons, we do NOT allow .rhosts files.  Our admin agrees to
: not allow these but won't shut down the rlogin processes.  So, I set up a
: crontab job to search for .rhosts files every night, to remove them if it
: finds them, and to e-mail me the contents.  (Finding "+ +" is how we found
: a number of the hackers.)

: Some of us would like to expand this nightly "Security Scan" to do a
: "find" on files like "WaReZ",  "[Cc]rack", "passwd", and other Cracker
: file names.  Some people even would like to search for "playmate*" and
: such files since the Server is school district property.

I doubt anyone in his/her true mind will leave any files with these names
around. In any case, it may be illegal to look into such files, maybe just
remove them. But what if someone stores a useful file with such a name?
Can you later prove it was done so intentionally?

: The question then is "Is this acceptable Security Scanning or an invasion
: of the users' privacy?".  We exclude all of the e-mail files from the
: scanning and we don't look inside any files.  Of course, smarter people
: will just change the names of their Cracker files, but we hope to catch
: them before they catch on.  If this Scanning is acceptable, how much
: notification is necessary to the users?  

You should perhaps just have a vote among the legal users? Yes, 1400 is
much but after all, it will avoid a lot of later crumbling... Any kind
of watching and security scanning should be known to the people -
no surveillance without the court order.

        Sander

: -Wes

Acceptable Limits of Security Scan

Post by brian moo » Wed, 14 Aug 1996 04:00:00

>| For security reasons, we do NOT allow .rhosts files.  Our admin agrees to
>| not allow these but won't shut down the rlogin processes.  So, I set up a
>| crontab job to search for .rhosts files every night, to remove them if it
>| finds them, and to e-mail me the contents.  (Finding "+ +" is how we found
>| a number of the hackers.)

>Sounds like an administrative problem rather than a technical one.
>Tell the admin to turn off rlogin and rsh on your system. There is
>no reason to have rlogin/rsh if you don't allow .rhosts files. Just
>comment out the entries in /etc/inetd.conf and the problem goes away
>forever.

Um, I beg to differ on that.  rsh does insist on .rhosts or /etc/hosts.equiv,
but even on 'untrusted' hosts, I use rlogin, since the protocol is a lot more
transparent than telnet.  I'd grab tcpwrappers and the replacement logind
from Wietse Venema's site (ftp.win.tue.nl) and wrap everything and make
rlogin ignore .rhosts.  (There is an advantage to source.)

Depending on things like your backup program you may need to keep rsh, but
with source, you can make it only work for certain host/user pairs.

>| Some of us would like to expand this nightly "Security Scan" to do a
>| "find" on files like "WaReZ",  "[Cc]rack", "passwd", and other Cracker
>| file names.  Some people even would like to search for "playmate*" and
>| such files since the Server is school district property.

>I have doubts that it will do much good, but you can do it. I would
>put all these users in a group not allowed to use the compilers, and
>run them in a restricted shell.

But that won't stop them from ftp'ing or even uuencoding a binary compiled
elsewhere.  Denying tools to legit users is not a good thing and the
'bad guys' can easily get around it.

>On high risk systems I like to log errors to another machine with
>high security. This prevents removal of log files. You can set
>syslog.conf to remote log stuff, or even log it over a serial line
>to a non-net machine (I do).

Well, logging to a secure machine is a given.  I hope, anyway.

--
Brian Moore                      The opinions expressed above are my own, not
Sysadmin, C/Perl Hacker          necessarily my employers'.

Acceptable Limits of Security Scan

Post by John P. Jord » Wed, 14 Aug 1996 04:00:00

>Acceptable Limits for Security Scanning.

>We are having some dialog on Security Scanning that is proposed for our
>Internet site, and it would be helpful to get opinions from other
>SysAdmins.

>Here is our situation...we are a school district that has given out about
>1400 shell accounts to teachers and employees over the last three years on
>our own Server at no cost to the users.  Due to some very lame security
>decisions in our early days, we have quite a number of hackers (Crackers)
>who very easily moved into our system.  I've caught 22 of them in the last
>year, usually when they did something obvious and dumb when I happened to
>be looking.  (I have a "w" command set up to auto run on my logons).

>For security reasons, we do NOT allow .rhosts files.  Our admin agrees to
>not allow these but won't shut down the rlogin processes.  So, I set up a
>crontab job to search for .rhosts files every night, to remove them if it
>finds them, and to e-mail me the contents.  (Finding "+ +" is how we found
>a number of the hackers.)

>Some of us would like to expand this nightly "Security Scan" to do a
>"find" on files like "WaReZ",  "[Cc]rack", "passwd", and other Cracker
>file names.  Some people even would like to search for "playmate*" and
>such files since the Server is school district property.

>The question then is "Is this acceptable Security Scanning or an invasion
>of the users' privacy?".  We exclude all of the e-mail files from the
>scanning and we don't look inside any files.  Of course, smarter people
>will just change the names of their Cracker files, but we hope to catch
>them before they catch on.  If this Scanning is acceptable, how much
>notification is necessary to the users?  

>-Wes

You may want to check out a product called SeOS (Security for Open Systems)
from Memco Software (www.memco.com).  The product is able to prevent
unauthorized users from becoming *root* and doing the damage that only a root
user can do.

Acceptable Limits of Security Scan

Post by Robbie Honerka » Wed, 14 Aug 1996 04:00:00


: Here is our situation...we are a school district that has given out about
: 1400 shell accounts to teachers and employees over the last three years on
: our own Server at no cost to the users.  Due to some very lame security
: decisions in our early days, we have quite a number of hackers (Crackers)
: who very easily moved into our system.  I've caught 22 of them in the last
: year, usually when they did something obvious and dumb when I happened to
: be looking.  (I have a "w" command set up to auto run on my logons).

Well, if you've caught 22 of them, then you've probably got 5 or so
that you haven't found yet.

: For security reasons, we do NOT allow .rhosts files.  Our admin agrees to
: not allow these but won't shut down the rlogin processes.  So, I set up a
: crontab job to search for .rhosts files every night, to remove them if it
: finds them, and to e-mail me the contents.  (Finding "+ +" is how we found
: a number of the hackers.)

Hmm. Kill r* services. Kill r* services. Kill r* services. Sense a pattern
here? A few lines commented out in inetd.conf, and you don't have to worry
about scanning for .rhosts files.

If you absolutely must have r* style services, use ssh (secure shell).

: Some of us would like to expand this nightly "Security Scan" to do a
: "find" on files like "WaReZ",  "[Cc]rack", "passwd", and other Cracker
: file names.  Some people even would like to search for "playmate*" and
: such files since the Server is school district property.

Scanning for warez or dirty pics isn't a security scan....

: The question then is "Is this acceptable Security Scanning or an invasion
: of the users' privacy?".  We exclude all of the e-mail files from the
: scanning and we don't look inside any files.  Of course, smarter people
: will just change the names of their Cracker files, but we hope to catch
: them before they catch on.  If this Scanning is acceptable, how much
: notification is necessary to the users?  

You're only going to be catching the 13-year old AOL/alt.2600 morons with
this. You need to keep your machine tight.

Robbie

--
Robbie Honerkamp

http://www.shorty.com/~robbie/
 "It just goes to show you that ProDOS is too horrible to contemplate"
        -Imaginos, "Dead III"
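Bill's and Robbie's replies above both recommend commenting the r-service entries out of /etc/inetd.conf, and Brian's reply suggests wrapping whatever stays with Wietse Venema's tcpd. As an added example that is not any poster's own script, the sh below audits an inetd.conf for live shell/login/exec entries, reports whether each one runs through tcpd, and emits a copy with those entries commented out. The inetd.conf it runs against is a constructed sample in the classic "service socket proto wait user server args" layout; nothing is changed in place, and the SIGHUP to inetd is left to the administrator.

```shell
#!/bin/sh
# Added example, not from any poster: audit and switch off the r-services
# in an inetd.conf, the fix several replies above recommend, and flag which
# remaining entries run through Venema's tcpd wrapper. The inetd.conf
# below is a constructed sample using the classic field layout
# "service socket proto wait user server args".

# Print "<service> <server> <wrapped|unwrapped>" for every active
# (uncommented) shell, login or exec entry in the inetd.conf given as $1.
# "wrapped" means the server field is tcpd, so /etc/hosts.allow and
# /etc/hosts.deny are consulted before the daemon (field 7) is started.
audit_inetd() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        $1 == "shell" || $1 == "login" || $1 == "exec" {
            print $1, $6, ($6 ~ /\/tcpd$/ ? "wrapped" : "unwrapped")
        }'
}

# How many r-service entries are still live in $1.
count_active_rservices() {
    audit_inetd "$1" | wc -l | tr -d ' '
}

# Emit a copy of $1 with every shell/login/exec line commented out. The
# caller installs the result over /etc/inetd.conf and sends inetd a
# SIGHUP (kill -HUP) so it rereads the file; nothing is changed in place.
disable_rservices() {
    sed -E 's/^[[:space:]]*(shell|login|exec)[[:space:]]/#&/' "$1"
}

# Constructed sample: ftp/telnet wrapped, rsh unwrapped, rlogin wrapped,
# rexec already commented out.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd       in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd       in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd    in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd       in.rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/in.rexecd  in.rexecd
EOF
    echo "$f"
}

CONF=$(make_sample_conf)
echo "active r-services before:"
audit_inetd "$CONF"
disable_rservices "$CONF" > "$CONF.new"
echo "active r-services after: $(count_active_rservices "$CONF.new")"
rm -f "$CONF" "$CONF.new"
```

On the sample the audit lists rsh as unwrapped and rlogin as wrapped, which is the case Brian describes: if rsh has to stay for a backup program, at least it should go through tcpd so hosts.allow can restrict it to the hosts that need it. Once the r-services are gone, the .rhosts scan from the opening post becomes a check on hygiene rather than the only thing standing between a "+ +" file and a login.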
