08-29-2012, 05:59 PM
#1
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
Attn Sonatine Unix questions
I just deleted this insane /etc/services file and I swear it doesn't have any effect. But some /etc files I delete I'm staring at a zero-fill reinstall.
Is this supposed to be this ridiculous / in the /etc folder?
08-29-2012, 06:04 PM
#2
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
What's the deal with these creepy users?
http://www.semicomplete.com/articles/ssh-security/
SSH Security and You - /bin/false is *not* security
Posted Wed, 28 Dec 2005
Backstory
While at RIT around 2004 or 2005, I discovered that a few important machines at the datacenter allowed all students, faculty, and staff to authenticate against them via ssh. Everyone's shells appear to be set to /bin/false (or some derivative) on said machines, so the only thing you'll see after you authenticate is the login banner and your connection will close. I thought to myself, "Fine, no shell for me. I wonder if port forwarding works?"
Seems reasonable, right? Whatever sysadmin was tasked with securing these machines forgot something very important about ssh2: channels. I use them often for doing agent, x11, or port forwarding. You probably use them too, right? So what happens if we try to port forward without requesting a shell (ssh -N)? You might not have guessed that it allows you to do the requested port forward and keeps the connection alive. SSH stays connected because it never executes the shell, so it never gets told to die. Whoops!
ITS (RIT's "we make the network go" department) uses ssh.com's sshd on all (afaik) of their servers. I looked at the sshd_config manual for ssh.com's sshd. It clearly defines an option exactly the same as OpenSSH's sshd: AllowGroups. This allows you to restrict ssh-authenticatable users by group. What does that mean? It means you can put all the users who need to ssh to your machines into a single group and prevent unauthorized users from authenticating (getting a shell, port forwarding, etc). So what any intelligent sysadmin would do in this situation is use the AllowGroups option and fix this fairly major security issue.
RIT's ITS has fixed the issue on their own machines. Have you?
In summary: If you don't want me to have access to your machines, then don't allow me access to your machines. /bin/false is not security.
What is /bin/false?
Many times you will have a system where you need a user to exist in the account database (say, /etc/passwd) but don't want to give them shell access to your machine(s). A common solution to this is to set a user's shell to /bin/false. This has the effect of rejecting shell login attempts over ssh, telnet, or other shell-requesting protocols.
Simply using /bin/false as someone's shell does not keep them from using said account to authenticate over ssh and using non-shell tools such as port forwarding. A default configuration in sshd will often allow tunneling and other non-shell activity.
Hole #1: Potential Firewall Bypass
So, to make things more interesting, there are two obvious holes I can exploit here. The first, is firewall-bypass. ITS employs lots of ACLs limiting access to machines by IP ranges. This is a normal practice in the world. However, what if the machine I am port forwarding through is one of these trusted machines? You just gave me access to your supposedly locked-down network. Don't do that.
Hole #2: Anonymous traffic
I can make my traffic far more anonymous by using ssh's port-forward or SOCKS proxy feature. OpenSSH does not appear to log port-forward-only sessions, so chances are you can get away with using this half-secured server as a proxy.
Hole #3: Resource Starvation
The third one is less obvious, but quite easy. You set up a remote port forward (ssh -R) pointed at "itself" (the machine you're logging into) and then a local port forward (ssh -L) to the machine so you can just touch it with telnet and walk away. This creates a large problem on the end machine because you will eventually take up all the available file descriptors, and since unix lives on file descriptors, you just DoS'd the machine. So if some naughty person manages to guess a password of one of your 30000 users, he/she can happily perform resource starvation attacks till the end of the day despite your wishes that I stay off your machine. Like I said, /bin/false is not security.
He said it in 2005 though.
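The quoted article comes down to two sshd_config facts: without AllowGroups or AllowUsers every account in the passwd database may authenticate, and a /bin/false shell does nothing against channels requested with ssh -N. The script below is an added example, not code from the article, from RIT or from the poster. It audits an OpenSSH sshd_config for those directives using the first-value-wins rule from sshd_config(5) (Match blocks are skipped), then runs on two constructed sample configs: one open, one with the AllowGroups fix plus forwarding switched off. The group name sshusers and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the quoted article: audit an OpenSSH sshd_config
# for the gap the article describes, accounts whose shell is /bin/false that
# can still authenticate and open channels (ssh -N with -L/-R/-D, agent, X11).
# Assumes OpenSSH's "Keyword value" syntax, where the FIRST value seen for a
# keyword wins (sshd_config(5)); Match blocks are ignored for brevity.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# effective_value FILE KEYWORD DEFAULT
# Prints the first top-level value of KEYWORD (case-insensitive), else DEFAULT.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }                    # comments and blank lines
        tolower($1) == "match" { in_match = 1 }          # nothing after Match is global
        in_match { next }
        !found && tolower($1) == tolower(key) {
            found = 1; val = $2
            for (i = 3; i <= NF; i++) val = val " " $i  # multi-word values (AllowGroups a b)
        }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 1 when any account in the passwd database may authenticate (no
# AllowGroups/AllowUsers), 0 otherwise; forwarding left enabled is a warning.
audit_sshd_config() {
    f="$1"; status=0
    groups=$(effective_value "$f" AllowGroups "")
    users=$(effective_value "$f" AllowUsers "")
    tcp=$(effective_value "$f" AllowTcpForwarding yes)      # OpenSSH default: yes
    agent=$(effective_value "$f" AllowAgentForwarding yes)  # OpenSSH default: yes
    x11=$(effective_value "$f" X11Forwarding no)            # OpenSSH default: no

    if [ -z "$groups" ] && [ -z "$users" ]; then
        echo "FAIL: no AllowGroups/AllowUsers; /bin/false only blocks the shell, not the login"
        status=1
    else
        echo "ok:   logins limited to${groups:+ groups [$groups]}${users:+ users [$users]}"
    fi
    for pair in "AllowTcpForwarding=$tcp" "AllowAgentForwarding=$agent" "X11Forwarding=$x11"; do
        name=${pair%%=*}; value=${pair#*=}
        if [ "$(lc "$value")" = "no" ]; then
            echo "ok:   $name no"
        else
            echo "warn: $name $value; usable by anyone who can authenticate, with or without a shell"
        fi
    done
    return $status
}

# Constructed sample configs (not taken from any real host).
weak_config() {
cat <<'EOF'
# Shells set to /bin/false in passwd, but nothing here limits who may log in.
Port 22
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

hardened_config() {
cat <<'EOF'
Port 22
AllowGroups sshusers
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Demonstration on the two samples.
for sample in weak hardened; do
    tmp=$(mktemp)
    "${sample}_config" > "$tmp"
    echo "== $sample sshd_config"
    if audit_sshd_config "$tmp"; then
        echo "verdict: only listed accounts can authenticate"
    else
        echo "verdict: every guessed password is a foothold for port forwarding"
    fi
    rm -f "$tmp"
done
```

On a real host point audit_sshd_config at /etc/ssh/sshd_config (or at the output of `sshd -T`, which prints the fully resolved configuration one keyword per line and so needs none of the first-wins handling). The AllowGroups line is the fix the article asks for; turning the forwarding directives off is defence in depth for the accounts that are still allowed in.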
08-29-2012, 06:07 PM
#3
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
So I only found out today that you have to be logged in as a specific user to fiddle with their launchdctl / default jobs (ostensibly) - I certainly never came across any of these logged in as root.
But when I try to delete the domain using the OS X defaults command, nothing is deleted as you can see.
Nothing is deleted from my root domains either. It's almost as if I was booting from a remotely 'localised' filesystem.
08-29-2012, 06:09 PM
#4
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
What does Adobe Photoshop (which I have never used nor downloaded) got to do with a clean install of OS X?
08-29-2012, 06:16 PM
#5
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
Fuck I hate rpc from Microsoft Windows tilting. Why is it doing it to me again? Is RPC supposed to be for servers or clients or both? I hate that faggot binding shit. I hate named. I hate Berkeley. I hate MIT. I hate those fucking geeks.
But mostly I hate rpc.
And I hate servers. Why did Microsoft make Win 7 a server-client surreptitiously? No one gives me an answer. And just when Apple make Lion a server-client surreptitiously, without anyone but me noticing. What are the odds.
Oh I mean, if you wanted to make your MBA-server COMPATIBLE laptop into a Server system, back in the crazy old days you had to get a Server.app to download.
Now, and this is PROGRESS, to be a Server you have to get a Server.app to download. I know right? But that's looking at it from a glass-half-filled PoV. Up until you download that Server.app, you have a Server that's serving files and netstat'ing its way all over the place, but you just can't control any of that functionality.
No no it would be a mistake to imagine you could with the Server.app, either. I have...explored...that avenue.
aSHS;H
08-29-2012, 06:18 PM
#6
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
Sigh. I feel it is a valid question. sysctl -w returns "readonly variable" errors for all the important sysv's I want to....vary, from on to off.
08-29-2012, 06:19 PM
#7
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
Every window open is relevant to my WTF.
08-29-2012, 06:21 PM
#8
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
Really?
08-29-2012, 06:38 PM
#9
Things could be worse...
Join Date: Dec 2009
Mentioned: 19 Post(s)
Tagged: 22 Thread(s)
08-29-2012, 06:58 PM
#10
Lord Bathrobe
Join Date: Dec 2009
Mentioned: 17 Post(s)
Tagged: 39 Thread(s)
Originally Posted by SkyNigger
I just deleted this insane /etc/services file and I swear it doesn't have any effect. But some /etc files I delete I'm staring at a zero-fill reinstall.
Is this supposed to be this ridiculous / in the /etc folder?
/etc/services is simply a file to map ports to their corresponding services as defined here: http://tools.ietf.org/html/rfc6335
Example:
root@bt:~# grep smtp /etc/services
smtp 25/tcp mail
Field1: service name
Field2: port
Field3: description
Basically if you send packets to smtp, port 25, or mail, they will all go to the same place thanks to /etc/services.
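As an added example (not code from the post above or from any system), here is a small shell lookup over a file in the services(5) layout, run against a constructed excerpt rather than the host's /etc/services. It resolves a name or alias such as smtp or mail to its port/protocol, and a port/protocol back to its official name; the sample file, the temp paths and the service lines are all constructed. It also shows why deleting the file looks harmless: only lookups by name (getservbyname(3), `getent services`) consult it, so anything handed a numeric port never notices it is gone.

```shell
#!/bin/sh
# Added example, not from the post: resolve names through an /etc/services
# style file the way services(5) lays it out, one entry per line:
#   <official name>  <port>/<protocol>  [alias ...]   # comment
# Takes the file as $1 so it runs against the constructed sample below instead
# of the host's /etc/services.

# lookup_service FILE NAME [PROTO]
# Prints "port/proto" for each line whose official name or an alias equals
# NAME (optionally only for PROTO); exit status 1 if nothing matched.
lookup_service() {
    awk -v want="$2" -v proto="$3" '
        { sub(/#.*/, "") }                       # drop trailing comments
        NF < 2 { next }                          # blank or comment-only line
        {
            split($2, pp, "/")                   # pp[1] = port, pp[2] = protocol
            if (proto != "" && pp[2] != proto) next
            for (i = 1; i <= NF; i++)            # column 1 is the name, 3+ are aliases
                if (i != 2 && $i == want) { print $2; found = 1; break }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# port_owner FILE PORT/PROTO
# Prints the official name registered for PORT/PROTO (what a netstat-style tool
# would show in place of the number); exit status 1 if unknown.
port_owner() {
    awk -v want="$2" '
        { sub(/#.*/, "") }
        NF >= 2 && $2 == want { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed excerpt in the services(5) layout; not copied from any host.
sample_services() {
cat <<'EOF'
# service-name  port/protocol  [aliases ...]
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
smtp            25/udp          mail
domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver
http            80/tcp          www www-http    # WorldWideWeb HTTP
EOF
}

# Demonstration.
svc=$(mktemp)
sample_services > "$svc"
echo "mail    -> $(lookup_service "$svc" mail | tr '\n' ' ')"
echo "www/tcp -> $(lookup_service "$svc" www tcp)"
echo "53/udp  -> $(port_owner "$svc" 53/udp)"
lookup_service "$svc" finger || echo "finger: not in this file (a numeric port would still work)"
rm -f "$svc"
```

Run it against the real file with `lookup_service /etc/services mail`; on a glibc system `getent services mail` is the libc-backed equivalent and is the quickest check that a name resolves to the port you expect.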