Path: utzoo!attcan!utgpu!watmath!iuvax!mailrus!accuvax.nwu.edu!delta.eecs.nwu.edu!phil
From: phil@delta.eecs.nwu.edu (William LeFebvre)
Newsgroups: comp.unix.wizards
Subject: Re: Unix network security (was "CERT Internet Security Advisory")
Message-ID: <1064@accuvax.nwu.edu>
Date: 17 Aug 89 15:50:56 GMT
References: <3855@fy.sei.cmu.edu>
Reply-To: phil@delta.eecs.nwu.edu (William LeFebvre)
Organization: Northwestern U, Evanston IL, USA
Lines: 52

Now that the CERT has made the problem known, I can put forth an idea that might help prevent similar "breaches" in the future...

I have an idea for protecting Internet sites from break-ins such as the one that was at the root of the problem just described by CERT. I have had this idea for quite some time, and I really can't see anything seriously wrong with it.

When /bin/login knows it is processing a remote login, why can't it check the hostname against a list of "allowed" hosts? If the host is not in the list, make the login fail in the usual way (encrypt the password and fail the login) no matter *what* the password is. Each user can have his/her own list of "allowed" hosts, just like we do with ".rhosts". This file could contain not only host names, but also a limited form of wildcarding, such as "*.nwu.edu" (which would allow any host in the "nwu.edu" domain).

What this prevents: a random user from a random Internet site repeatedly trying different passwords to try to log into an account over the net. As I understand it, the person in this most recent rash of invasions would first find a username (very easy to do) and try obvious passwords for that name. Login's 60 second limit is pretty much unimportant on the Internet: just type "!!" and keep trying (my apologies to "sh" users). Since this is done by /bin/login, ALL forms of network access are limited, be they rlogin, telnet, or what have you.

How this interferes: as a legitimate user, you can't log in from just anywhere. But how often does that happen? How often do you sit down at a random Internet site and log in to your primary computer? If you know you are about to make a trip to some other location, then plan ahead and put that location's domain in the list of allowed hosts before you leave. But just in case there are some people who really need the current openness, there should probably be a way for an individual user to disable the checking for his/her account, such as adding the line "*" to the list of allowed hosts.

Let's face it: for 99% of the Internet hosts, you don't want a remote login from that host into your account to succeed. So why not have a mechanism in place for disallowing them? As a concerned sysadmin and user, I certainly want this kind of protection for my own account, and especially for my "root" account! And it's not like this is all that hard to do...

What think you all?

William LeFebvre
Department of Electrical Engineering and Computer Science
Northwestern University
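As an added illustration (not code from the post, nor from any /bin/login), here is what the per-user "allowed hosts" check described above could look like in C: one pattern per line, "*" disables the check, "*.dom" admits any host under a domain, and the password result only counts when the host passes. The file format, the function names, and the sample list are assumptions made for the example.

```c
/* Added example, not from the original post. Host names, list format and
 * function names are assumed for illustration. */
#include <stddef.h>
#include <string.h>

/* Constructed sample of a user's allowed-hosts list. */
const char sample_allowed[] =
    "# hosts allowed to log in to this account remotely\n"
    "*.nwu.edu\n"
    "gateway.example.org   # one specific host\n";

/* Case-insensitive compare of n bytes; DNS names are not case-sensitive. */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = a[i], y = b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return 0;
    }
    return 1;
}

/* "*" matches every host; "*.dom" matches any host with at least one label
 * under dom ("nwu.edu" itself does not match "*.nwu.edu", nor does
 * "evilnwu.edu"); anything else must equal the whole name. */
static int pattern_matches(const char *pat, size_t plen, const char *host)
{
    size_t hlen = strlen(host);
    if (plen == 1 && pat[0] == '*')
        return 1;
    if (plen > 2 && pat[0] == '*' && pat[1] == '.') {
        size_t slen = plen - 1;                      /* length of ".dom" */
        return hlen > slen && host[hlen - slen - 1] != '.' &&
               ci_equal(host + hlen - slen, pat + 1, slen);
    }
    return hlen == plen && ci_equal(host, pat, plen);
}

/* Walk the list text (one pattern per line, '#' starts a comment, blank
 * lines ignored). An empty list allows nobody, which is the safe default. */
int host_allowed(const char *list, const char *host)
{
    while (*list) {
        size_t len = strcspn(list, "\n"), n = 0;
        while (n < len && list[n] != '#' && list[n] != ' ' && list[n] != '\t')
            n++;
        if (n > 0 && pattern_matches(list, n, host))
            return 1;
        list += len + (list[len] == '\n');
    }
    return 0;
}

/* The caller has already run the usual password check (so a rejected host
 * sees the same failure as a wrong password); it only counts if host passes. */
int remote_login_ok(const char *list, const char *host, int password_ok)
{
    return password_ok && host_allowed(list, host);
}
```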