Ten Practical Security Steps
Dual Remote Login
7. Make it take two difficult passwords before administrative access
can be attained remotely (either over a network or via dial up access).
This may only be achievable on UNIX systems. Allow root or
administrative logons at the local system console only. Restrict
access to su or sudo (or any other program that allows a user to
change their status to an administrative user) to those users who are
authorized to use the administrative password, and be sure they use
strong passwords on their personal accounts.
It's often fairly simple to get some or even many user names for a
system. Finger still runs on some systems. If a web site lists staff
e-mail addresses or has a staff list, a reader can likely guess at
least some user accounts on the system. On nearly all systems with many
users, some will have bad passwords. If telnet is not needed and has
not been turned off or blocked by a firewall, getting on a system
could be as simple as telnetting in, entering the first part of an e-mail
address or simple variations on staff names and guessing at a few
passwords. Once this toehold has been gained, the usual setup will
let any user use su. Though the attempts will be logged, if an
intruder has already gotten this far by the methods described, no one
is looking at su logs. By entering all the common variations on
admin, variations on the company name and some of the more common
passwords, it's possible that root access could be gained. Simple
username and password guessing remains a common means by which systems
are compromised.
If the use of su, sudo and similar programs is restricted to
administrators in the wheel or security user groups, who are
authorized to use the root password, then the population is reduced
from perhaps dozens or even thousands on some systems to a few who are
responsible for the system and should be choosing strong passwords
for themselves. If just the IT-staff password step and this step
are followed, even with no firewall, telnet running and open to the
entire Internet and a huge user population all with horrible or even
blank passwords, no one is going to gain root access just by guessing
passwords. To do so would require getting two passwords that are
beyond the capabilities of password guessing programs.
The preceding statements are in no way intended to suggest the
two steps are sufficient, only that they will stop one common
avenue of attack. The open network described above almost guarantees
the system will be cracked by other means.
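The console-only root and restricted-su setup described above, as an added shell example that is not from the original article: a small audit that runs the same checks against a constructed "usual" configuration and a constructed hardened one. The file names pam_su, securetty, sshd_config and sudoers are assumed stand-ins for /etc/pam.d/su, /etc/securetty, /etc/ssh/sshd_config and /etc/sudoers; pam_wheel is the Linux PAM module that limits su to the wheel group.

```sh
#!/bin/sh
# Audit helpers for the "two passwords before root" setup. The sample files
# below are CONSTRUCTED and written to temp dirs; point the checks at the real
# /etc paths to audit a live host.

# su usable only by the wheel group: pam_wheel required in /etc/pam.d/su
check_su_wheel()     { grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; }
# root logins only on physical consoles: no pseudo-ttys listed in /etc/securetty
check_console_only() { ! grep -Eq '^(pts/|ttyp)' "$1"; }
# sshd refuses direct root logins (sshd_config)
check_sshd_root()    { grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"; }
# sudo granted to %wheel only and always asks for the caller's own password
check_sudoers()      { grep -Eq '^%wheel[[:space:]]' "$1" && ! grep -q 'NOPASSWD' "$1"; }

# Run all four checks on a directory of config files; prints each failure and
# returns the number of failing checks (0 means the host passed).
audit_dir() {
    fails=0
    check_su_wheel     "$1/pam_su"      || { echo "FAIL: su not limited to wheel";     fails=$((fails+1)); }
    check_console_only "$1/securetty"   || { echo "FAIL: root login allowed on a pty"; fails=$((fails+1)); }
    check_sshd_root    "$1/sshd_config" || { echo "FAIL: sshd permits root login";     fails=$((fails+1)); }
    check_sudoers      "$1/sudoers"     || { echo "FAIL: sudoers too broad/NOPASSWD";  fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample 1: the "usual setup" (anyone may su, root may log in anywhere).
WEAK_DIR=$(mktemp -d)
printf 'auth sufficient pam_rootok.so\nauth include system-auth\n' > "$WEAK_DIR/pam_su"
printf 'console\ntty1\npts/0\npts/1\n'                             > "$WEAK_DIR/securetty"
printf 'Port 22\nPermitRootLogin yes\n'                            > "$WEAK_DIR/sshd_config"
printf 'root ALL=(ALL) ALL\nALL ALL=(ALL) NOPASSWD: ALL\n'         > "$WEAK_DIR/sudoers"

# Constructed sample 2: the hardened setup recommended in the text.
HARD_DIR=$(mktemp -d)
printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\nauth include system-auth\n' > "$HARD_DIR/pam_su"
printf 'console\ntty1\ntty2\n'                                     > "$HARD_DIR/securetty"
printf 'Port 22\nPermitRootLogin no\n'                             > "$HARD_DIR/sshd_config"
printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n'               > "$HARD_DIR/sudoers"
trap 'rm -rf "$WEAK_DIR" "$HARD_DIR"' EXIT

# Audit both samples side by side.
run_demo() {
    echo "== usual setup ==";    audit_dir "$WEAK_DIR" || echo "$? failing check(s)"
    echo "== hardened setup =="; audit_dir "$HARD_DIR" && echo "all checks passed"
}
run_demo
```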
If passwords are transmitted in plain text over network segments that
may be sniffed, forcing root to use two passwords may not provide the
hoped-for level of security. Actually, if someone is actively
sniffing a segment between the administrator and the remotely
administered machines, plain text administrative passwords make it
highly likely your systems will be compromised. Firewalls may make it
harder with the right source restrictions. But because the sniffer sits
between your systems, has administrative access on their own machine
(needed to run a sniffer), will have your admin passwords and can use
network techniques such as session hijacking that are otherwise not
available, expect your systems to fall. If any remote administration of
your systems involves the use of plain text passwords (telnet), your
systems cannot be considered secure, regardless of all other measures
you may take.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.