IDENT security breach?

IDENT security breach?

Post by MH » Sat, 22 Jul 2000 04:00:00



I've come across a couple of posts discussing the relative security of
running identd but nothing that made it clear to me what the issues
were.  I've installed a firewall that leaves the IDENT port (113) open.
Is this something I should be concerned about?  Not?  Why?  What are the
issues with locking this service down?  If there is a good, succinct,
discussion of these issues posted somewhere, I'd appreciate a pointer.

TIA

 
 
 

IDENT security breach?

Post by Jessica Luedtk » Sun, 23 Jul 2000 04:00:00


: I've come across a couple of posts discussing the relative security of
: running identd but nothing that made it clear to me what the issues
: were.  I've installed a firewall that leaves the IDENT port (113) open.
: Is this something I should be concerned about?  Not?  Why?  What are the
: issues with locking this service down?  If there is a good, succinct,
: discussion of these issues posted somewhere, I'd appreciate a pointer.

The biggest danger about IDENT is that it allows an attacker to find out
information about your system. In particular, it can be used to find out
what user/group a particular service is running as and valid usernames,
though this behaviour can be changed by editing /etc/identd.conf (you can
have it return uids instead of usernames).

If you're running a multi-user system, especially one with untrusted
users, it might be a good idea to leave it on. That way, if one of your
users is screwing around elsewhere, you'll be able to identify them
more easily. If you're on a single-user system, there isn't too much point. The
only possible drawback to not running it would be that you'd have trouble
connecting to certain IRC servers. If that's the case, leave it on or find
a program to spoof it or something.

If you do choose to firewall it off, use REJECT instead of DENY. DENYing
can cause excessive waits and timeouts when attempting to connect to
servers that utilize ident.

jessica

 
 
 

IDENT security breach?

Post by elle.. » Sun, 23 Jul 2000 04:00:00



> I've come across a couple of posts discussing the relative security of
> running identd but nothing that made it clear to me what the issues
> were.  I've installed a firewall that leaves the IDENT port (113) open.
> Is this something I should be concerned about?  Not?  Why?  What are the
> issues with locking this service down?  If there is a good, succinct,
> discussion of these issues posted somewhere, I'd appreciate a pointer.

Ident is the single most misunderstood service ever. I used to have a
nice article on it someplace that I've since lost. That's the only
good, succinct discussion I've ever seen on the topic, though. They're
usually a long-running, useless argument with little real
information. ;)

Basically, running ident is only useful to _you_ and _not_ to anyone
else. It was never meant as a form of authentication, and places that
use it for that are abusing it horribly.

By default, it returns user names, which some people consider a
security risk. It can be a risk in certain circumstances. If you never
intend to use the information yourself, it's probably better to
disable it.

If you are going to run ident, it's worthwhile to minimize the amount
of information leaked. Most versions allow you to return a uid, rather
than a user name, which is much safer. Better versions will allow you to
encrypt the response, which is the best approach. Sending a block of
ciphertext prevents any information leakage, and allows you to find
out the user, date, time and other information for any results
returned.

--
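As an added example that is not part of this thread (it is neither any poster's code nor a real identd), here is a small Python model of the exchange both answers describe: an RFC 1413 responder with the username / uid / hidden choices Jessica and elle mention, plus an "opaque" token policy that stands in for the encrypted replies elle describes (a random token the admin can resolve locally, rather than actual encryption), and the lookup an IRC or mail server makes on port 113, which distinguishes the immediate "refused" a firewall REJECT produces from the timeout a silent DENY/DROP produces. The connection table, port numbers and user names are constructed for the example.

```python
"""Model of the ident protocol (RFC 1413): a responder (identd) with
selectable disclosure policies, and the lookup a querying IRC or mail
server performs. Added example for this thread, not any poster's code."""
import secrets
import socket
import threading
import time

# Constructed sample of the responder's own TCP connection table:
# (local_port, remote_port) -> (uid, login name). A real identd asks the kernel.
CONNECTIONS = {
    (6667, 40123): (1001, "alice"),   # a user's IRC client session
    (25, 40124): (0, "root"),         # the local mail daemon, running as root
}
# "opaque" policy: token -> (uid, name, time, ports); readable only by the admin.
TOKEN_LOG = {}


def ident_response(request: str, policy: str = "username") -> str:
    """One reply line for one "<port-on-this-host> , <port-on-peer>" request.

    policy: "username" (stock identd, leaks the login name), "uid" (number
    only), "opaque" (random token resolvable only through TOKEN_LOG, standing
    in for the encrypted replies elle mentions), "hidden" (HIDDEN-USER).
    Reply syntax and error codes follow RFC 1413 section 4.
    """
    try:
        left, right = request.strip().split(",")
        server_port, client_port = int(left), int(right)
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    ports = f"{server_port} , {client_port}"
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        return f"{ports} : ERROR : INVALID-PORT\r\n"
    owner = CONNECTIONS.get((server_port, client_port))
    if owner is None:
        return f"{ports} : ERROR : NO-USER\r\n"
    if policy == "hidden":
        return f"{ports} : ERROR : HIDDEN-USER\r\n"
    uid, name = owner
    if policy == "uid":
        ident = str(uid)
    elif policy == "opaque":
        ident = secrets.token_hex(8)
        TOKEN_LOG[ident] = (uid, name, time.time(), server_port, client_port)
    else:
        ident = name
    return f"{ports} : USERID : UNIX : {ident}\r\n"


def parse_ident_reply(reply: str):
    """Querying side: reduce a reply to ("USERID", ident) or ("ERROR", code)."""
    fields = [f.strip() for f in reply.strip().split(":")]
    if len(fields) == 4 and fields[1] == "USERID":
        return ("USERID", fields[3])
    if len(fields) == 3 and fields[1] == "ERROR":
        return ("ERROR", fields[2])
    return ("ERROR", "UNKNOWN-ERROR")


def ident_lookup(host, server_port, client_port, ident_port=113, timeout=3.0):
    """The query an IRC or mail server makes per inbound connection.

    Returns (outcome, seconds): the parsed reply; "refused" when port 113
    answers with RST / ICMP unreachable (firewall REJECT, immediate); or
    "timeout" when the SYN is silently dropped (firewall DENY/DROP, the
    caller waits the whole timeout, the delay Jessica warns about).
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode())
            data = s.recv(1024).decode(errors="replace")
            return parse_ident_reply(data), time.monotonic() - start
    except ConnectionRefusedError:
        return "refused", time.monotonic() - start
    except socket.timeout:
        return "timeout", time.monotonic() - start


def serve_one_request(policy="username"):
    """Single-shot identd on an ephemeral loopback port; returns that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            req = conn.recv(512).decode(errors="replace")
            conn.sendall(ident_response(req, policy).encode())

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_loopback_port():
    """A loopback port with no listener, to show the REJECT-style refusal."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

To see the exchange end to end, start `serve_one_request("uid")` and call `ident_lookup("127.0.0.1", 6667, 40123, ident_port=<that port>)`: the reply comes back as `("USERID", "1001")` instead of `alice`, which is exactly the information reduction both answers recommend. Calling `ident_lookup` against `closed_loopback_port()` returns `"refused"` almost instantly, the behaviour a REJECT rule gives the remote server; only a silent drop (which this offline example cannot produce) makes the same call sit for the full `timeout`.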

 
 
 

unusual acct record - possible security breach?

hi!
I noticed that the system accounting reported a line with an unknown
user-id (-1), just like this:

        LOGIN     CPU (MINS)     KCORE-MINS      CONNECT (MINS)  DISK    # OF    # OF    # DISK  FEE
UID     NAME      PRIME  NPRIME  PRIME   NPRIME  PRIME   NPRIME  BLOCKS  PROCS   SESS    SAMPLES
-1      someuser  0      0       0       0       4924    69      0       0       77      0       0

The system is running Solaris 7 sparc. Login name length is 9 symbols
(if it matters)... Host is nfs-server,
but user SOMEUSER has NO account on nfs-clients...
Also I have a correct accounting report about this user:

        LOGIN     CPU (MINS)     KCORE-MINS      CONNECT (MINS)  DISK    # OF    # OF    # DISK  FEE
UID     NAME      PRIME  NPRIME  PRIME   NPRIME  PRIME   NPRIME  BLOCKS  PROCS   SESS    SAMPLES
20104   someuser  0      0       203     0       0       0       0       1       0       0       0

Can anyone explain this strange situation?

---
    WBR, Eugene
