Unix network security (was "CERT Internet Security Advisory")

William LeFebvre phil at delta.eecs.nwu.edu
Fri Aug 18 01:50:56 AEST 1989


Now that the CERT has made the problem known, I can put forth an idea
that might help prevent similar "breaches" in the future....

I have an idea for protecting Internet sites from breakins such as the
one that was at the root of the problem just described by CERT.  I
have had this idea for quite some time, and I really can't see
anything seriously wrong with it.

When /bin/login knows it is processing a remote login, why can't it
check the hostname against a list of "allowed" hosts?  If the host is
not in the list, make the login fail in the usual way (encrypt the
password and fail the login) no matter *what* the password is.  Each
user can have his/her own list of "allowed" hosts, just like we do
with ".rhosts".  This file could contain not only host names, but also
a limited form of wildcarding, such as "*.nwu.edu" (which would allow
any host in the "nwu.edu" domain).

What this prevents: random user from random Internet site repeatedly
trying different passwords to try to log into an account over the net.
As I understand it, the person in this most recent rash of invasions
would first find a username (very easy to do) and try obvious
passwords for that name.  Login's 60 second limit is pretty much
unimportant on the Internet:  just type "!!" and keep trying (my
apologies to "sh" users).  Since this is done by /bin/login, ALL forms
of network access are limited, be they rlogin, telnet, or whathaveyou.

How this interferes: as a legitimate user, you can't log in from just
anywhere.  But how often does that happen?  How often do you sit down
at a random Internet site and log in to your primary computer?  If you
know you are about to make a trip to some other location, then plan
ahead and put that location's domain in the list of allowed hosts
before you leave.  But just in case there are some people who really
need the current openness, there should probably be a way for an
individual user to disable the checking for his/her account, such as
adding the line "*" to the list of allowed hosts.

Let's face it: for 99% of the Internet hosts, you don't want a remote
login from that host into your account to succeed.  So why not have a
mechanism in place for disallowing them?  As a concerned sysadmin and
user, I certainly want this kind of protection for my own account, and
especially for my "root" account!

And it's not like this is all that hard to do......

What think you all?



		William LeFebvre
		Department of Electrical Engineering and Computer Science
		Northwestern University
		<phil at eecs.nwu.edu>
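The allowed-hosts check described in the post, written out as an added example in C (not code from the original message or from any /bin/login implementation). It assumes a per-user list in the .rhosts-like format the post sketches: one entry per line, an exact host name, a domain wildcard such as "*.nwu.edu", or "*" alone to disable the check; `host_allowed` and the fail-closed treatment of an empty list are my own choices.

```c
#include <ctype.h>
#include <string.h>

/* Added example (not from the original post): per-user "allowed hosts"
 * check for /bin/login.  Assumed list format, one entry per line as in
 * .rhosts: exact host name, domain wildcard "*.nwu.edu", or "*" alone
 * to disable the check for that account.  Lines starting '#' are ignored. */
/* DNS names are case-insensitive, so compare without regard to case. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does one list entry match the remote host name? */
static int entry_matches(const char *entry, const char *host)
{
    if (strcmp(entry, "*") == 0)                 /* user opted out */
        return 1;
    if (entry[0] == '*' && entry[1] == '.') {    /* "*.nwu.edu" */
        size_t elen = strlen(entry + 1), hlen = strlen(host);
        /* suffix must include the dot: "nwu.edu" and "evilnwu.edu" don't match */
        return hlen > elen && name_eq(host + hlen - elen, entry + 1);
    }
    return name_eq(entry, host);
}

/* 1 if `host` is allowed by `list`, else 0.  An empty list allows nothing,
 * so the check fails closed; the caller still runs the normal password
 * path on failure, as the post proposes, so the outcome looks identical. */
int host_allowed(const char *list, const char *host)
{
    char entry[256];
    while (*list) {
        size_t n = strcspn(list, "\n");
        if (n > 0 && n < sizeof entry && list[0] != '#') {
            memcpy(entry, list, n);
            entry[n] = '\0';
            while (n > 0 && isspace((unsigned char)entry[n - 1]))
                entry[--n] = '\0';               /* trim trailing CR/space */
            if (n > 0 && entry_matches(entry, host))
                return 1;
        }
        list += n + (list[n] == '\n');
    }
    return 0;
}
```

Because the check decides only whether to proceed to the usual password step, a rejected host sees exactly the same failure as a wrong password, which is the point of the proposal.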
