Great Circle Associates Firewalls
(September 1993)
 


Subject: Re: DNS w/NIS
From: btk @ matrix . cray . com (Bryan Koch)
Date: Tue, 28 Sep 93 13:17:39 CDT
To: Brad . Powell @ Corp . Sun . COM (Brad Powell)
Cc: Firewalls @ GreatCircle . COM, ccsis @ ss1 . bath . ac . uk
In-reply-to: <9309281728 . AA01342 @ olympics . corp . sun . com . corp . sun . com>; from "Brad Powell" at Sep 28, 93 10:28 am

> Watch out here. rcp is one of the best ways a cracker can transfer toolkits
> to your system without leaving any log. Scenario is that he/she/it logs in
> as a common user, then places a  "+ +" rhosts entry for the user, then uses 
> rcp to transfer over a toolkit. rcp isn't logged.

I've modified the Berkeley rshd (used by rsh and rcp) to log all connections
in wtmp, as login and ftpd already do.  Logs contain the initiating host,
the source login on that host, and the target login on the destination
system.  

This seems to be a reasonable compromise between running with released
(non-logging) versions of rshd, and removing the features which make
remote commands useful in the first place.

Bryan Koch
Data Security Leader      VOICE:  +1-612-683-3129 (1-800-284-2729 x33129)
Cray Research, Inc.       FAX:    +1-612-683-3099
Eagan, Minnesota, USA     EMAIL:  btk @ cray . com
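
Added example (not part of the original message, and not the modified rshd it describes): a shell audit that flags the wildcard "+ +" .rhosts entry from the quoted scenario, as a check to run alongside rshd logging. The function names and the sample files under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag wildcard trust entries in .rhosts-style files.
# Line format is "host [user]"; a bare "+" in either field matches anything,
# so "+ +" trusts any user from any host.

# Print "file:lineno:entry" for every line whose host or user field is "+".
rhosts_wildcards() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comment lines
        $1 == "+" || $2 == "+" { printf "%s:%d:%s\n", FILENAME, FNR, $0 }
    ' "$@"
}

# Count wildcard entries across the given files.
rhosts_wildcard_count() {
    rhosts_wildcards "$@" | wc -l | tr -d ' '
}

# Constructed sample data: one home directory with a "+ +" entry, one clean.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/alice" "$demo_dir/bob"
printf '%s\n' 'trusted.example.com alice' '+ +' > "$demo_dir/alice/.rhosts"
printf '%s\n' '# build host' 'build.example.com bob' > "$demo_dir/bob/.rhosts"

# Report every wildcard entry found in the sample home directories.
rhosts_wildcards "$demo_dir"/*/.rhosts
echo "wildcard entries: $(rhosts_wildcard_count "$demo_dir"/*/.rhosts)"
```

On a real system the same function can be pointed at each user's .rhosts and at /etc/hosts.equiv, which uses the same line format.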


