User information

By Kurt Seifried [email protected]

 

Overview

There are a variety of services that can provide information about local users to other local users, and other machines. These can be useful if you want to find out which user connected to a machine, or see when they last logged in. Of course these are great services for attackers since they can glean a lot of information from them.

Ident server software

The ident service is used to map users/processes to ports in use. For example most IRC servers attempt to find out who is connecting to them by doing an ident lookup, which basically consists of asking the ident server on the client computer what information it has about a port number, and the response can range from nothing (if no-one is using that particular port) to a username, groupname, process id, and other interesting information. The default setting in most distributions is that identd is on (it is polite to run it, irc servers and newer versions of sendmail check identd responses), and will only hand out the username. The primary use of identd is to allow remote systems some means of tracking down users that are connecting to their servers, irc, telnet, mail, or other, for authentication purposes (not a good idea since it is very easy to fake). The local university here in Edmonton requires you to run identd if you want to telnet into any of the main shell servers, primarily so they can track down compromised accounts quickly. 

Running identd on your machine will help other administrators when tracking down problems, as they can not only get the IP address and time of a problem, but using identd can look up the user name. In this way it is a two edged sword, while it gives out information useful for tracking down malicious users (definitely people you want to boot off of your servers) it can also be used to gain information about users on your system, leading to their accounts being compromised. Running identd on servers only makes sense if they are hosting shell accounts/etc.

Identd runs on port 113 using tcp, and typically you will only need if you want to IRC (many irc networks require an identd response), or be nice to systems running daemons (such as tcp_wrapped telnet, or sendmail) that do identd lookups on connections.

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 113
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 113
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 113

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 113
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 113
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 113

Identd

Identd supports quite a few features, and can be easily set to run as a non-root user. Depending on your security policies you may not want to give out very much information, or you might want to give out as much as possible. Simply tack the option on in inetd.conf, after in.identd (the defaults are -l -e -o).

-p port
-a address
Can be used to specify which port and address it binds to (in the case of a machine with IP’s aliased, or multiple interfaces), this is generally only useful if you want internal machines to connect, since external machines will probably not be able to figure out what port you changed it to.

-u uid
-g gid
Are used to set the user and group that identd will drop its privileges to after connecting to the port, this will result in it being far less susceptible to compromising system security. As for handling the amount of information it gives out:

-o
Specifies that identd will not return the operating system type, and simply say "UNKNOWN", a very good option.

-n
Will have identd return user numbers (i.e. UID) and not the username, which still gives them enough information to tell you and allow you to track the user down easily, without giving valuable hints to would be attackers.

-N
Allows users to make a ~/.noident file, which will force identd to return "HIDDEN-USER" instead of information. This allows users the option of having a degree of privacy, but a malicious user will use this to evade identification.

-F format
Enables you to specify far more information than is standard, everything from user name and number to the actual PID, command name, and command name and arguments that were given! This I would recommend only for internal use, as it is a lot of information that attackers would find useful.

In general I would advise running identd on servers with user shell accounts, and otherwise disabling it, primarily due to the number of denial of service attacks it is susceptible to. Running identd will make life a lot easier for other administrators when tracking down attacks originating from your site, which will ultimately make your life easier. 

Other Identd daemons

There are also other versions of identd available, some with security enhancements (I do not endorse these as I have yet to test them):

http://www.tildeslash.org/nullidentd.html - null identd
http://www.ajk.tele.fi/~too/sw/ - fake identd
http://p8ur.op.het.net/midentd/ - midentd

 

Finger server software

Finger is one of those things most admins just disable and ignore. It is a useful tool on occasion, but if you want to allow other admins to figure out which of your users is currently trying to crack their machines, use identd. Finger lets out way to much info, and is a favorite tool for initial probes and data gathering on targets. There have also been several nasty DOS attacks released, basically consisting of sending hundreds of finger requests and in certain configurations just watching the server croak. Please don't run finger. Many distributions ship with it enabled, but to quote inetd.conf from Red Hat:

# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable 
# some or all of these services to improve security.

If you still have the urge that you absolutely must run it use -u to deny finger @host requests that are only ever used to gather information for future attacks. Disable finger, really. Fingerd has also been the cause of a few recent and very bad denial of service attacks, especially if you run NIS with large maps, DO NOT, repeat NOT run fingerd. Finger runs on port 79, and cfingerd runs on port 2003, both use tcp.

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 79
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 79
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 79

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 79
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 79
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 79

 

PFinger

PFinger is similar to Cfingerd in that it is a secure replacement for the stock fingerd. You can get PFinger from: http://www.xelia.ch/unix/pfinger/.

 

Back

Last updated on 1/9/2001

Copyright Kurt Seifried 2001 [email protected]