Thread: Audit: anonymous ftp and /etc/shadow - is this a risk?

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    Audit: anonymous ftp and /etc/shadow - is this a risk?

    Hello all-

    My brain is misfiring and I need to ask for some advice. We are conducting an audit on some HP-UX 11.i servers and found one server, deemed a public ftp server, to have anonymous ftp. But we also found that the admins have enabled shadowed passwords. Now my first thought is that they need to disable ftp post-haste, but am I wrong on this? Can /etc/shadow be compromised and lead to the compromise of /etc/passwd? I think so, but again my brain is misfiring right now.

    Also - as stated before, I believe they should have ftp turned off, even if they have imposed disk quota limits, and move to ssh. The reason I ask this is because... they do not have ssh deployed everywhere and I have preached 'til I was hoarse - so I was looking for some advice there as well.

    Thanks in advance.

    genXer.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    I can only tell you that you must have a compelling business case and critical functional need to have an anonymous FTP server running. You must also have gone through a strict, lockstep configuration of the site. Even then, you are running a huge risk to activate an open FTP service. There are other, more secure solutions to the file transfer problem.

    You are correct, genXer.

  3. #3
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Thanks rapier57. I have been searching, though, and wanted to inform management, one way or another, that even with /etc/shadow enabled, having anon ftp could still lead to a compromise - though I am not sure how without causing some VanDamage, so without stating how, am I correct that /etc/shadow could be compromised leading to the compromise of /etc/passwd via anon ftp - or have I been huffing the wrong paint again?

    Thanks again.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am a little confused here...

    I think the relevant question would be:
    What permissions are the child processes of ftpd (or in.ftpd) running under?
    What is the current permission on /etc/shadow ?
    Does the ftpd run in a chroot environment ?

    If you answered: < root (ftp), 500 root:root, and yes, you should be ok, at least from the perspective of a direct accessing of /etc/shadow. That doesn't mean that there couldn't be other potential ways to cause problems, but the way I understand your question is that you are most concerned with the person using FTP to obtain the hashes in the shadow and then cracking them to access the system...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
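An added audit check in shell for the questions above, written for this thread and not code posted by anyone in it; it covers the first two questions (what ftpd children run as, and the mode and owner of /etc/shadow), since the chroot question depends on the ftpd configuration. It assumes "ps -ef" and "ls -l" output in their usual columns and that the daemon shows up as ftpd in the command column; the sample evidence lines are constructed.

```shell
#!/bin/sh
# Audit helper added for this thread; it is not code posted by anyone in it.
# It checks two of the questions nebulus200 raises about an anonymous-FTP host:
#   1. is /etc/shadow owned by root with no group/other permission bits?
#   2. how many ftpd (or in.ftpd) processes are running as root?
# Both checks parse "ls -l" / "ps -ef" text, so they can be run on evidence
# saved from the HP-UX box or live on it (pass --live).

# shadow_mode_ok LS_LINE -> exit 0 if owner is root and mode is like -r--------
shadow_mode_ok() {
    set -- $1                        # split fields: $1=mode, $3=owner
    case "$1" in
        -???------*) [ "$3" = "root" ] ;;   # group and other bits all '-'
        *) return 1 ;;
    esac
}

# ftpd_root_count PS_TEXT -> prints how many ftpd lines have UID root.
# Matches any command containing "ftpd" (in.ftpd, vsftpd, proftpd too).
# A root ftpd that has not yet authenticated a client is normal; root ftpd
# processes that persist after an anonymous login are a finding to chase.
ftpd_root_count() {
    printf '%s\n' "$1" |
        awk '$1 == "root" && $0 ~ /ftpd/ { n++ } END { print n + 0 }'
}

# report LS_LINE PS_TEXT -> one line per check, exit status 1 on a finding
report() {
    rc=0
    if shadow_mode_ok "$1"; then echo "OK   /etc/shadow: $1"
    else echo "FIND /etc/shadow readable beyond root: $1"; rc=1; fi
    echo "INFO ftpd processes running as root: $(ftpd_root_count "$2")"
    return $rc
}

# Constructed sample evidence (not from a real host) used when run without --live.
SAMPLE_LS='-r--------   1 root   sys    2048 Jan  2 10:00 /etc/shadow'
SAMPLE_PS='UID   PID  PPID C STIME TTY TIME     CMD
root     1     0 0 Jan02 ?   00:00:01 /sbin/init
root  4321   812 0 10:02 ?   00:00:00 ftpd: anonymous session
ftp   4322   812 0 10:03 ?   00:00:00 ftpd: anonymous session'

if [ "${1:-}" = "--live" ]; then
    report "$(ls -l /etc/shadow)" "$(ps -ef)"
else
    report "$SAMPLE_LS" "$SAMPLE_PS"
fi
```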

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Why not bypass all this and simply use SCP??? If the FTP service is there strictly for the use of admins, then there is no reason why they can't use SCP or SFTP.

    Anonymous FTP servers are a no-no here. Anything that negotiates connections in cleartext ain't gonna fly. There is also the obvious issue with FTP servers becoming warehouses for undesired apps and such.

    Neb brings up many good points. If you are auditing the box, you need to consider everything that it's doing from a high level all the way down to the permission structure. However, you first have to do a complete risk assessment before you can run around deciding what a tolerable level of risk is defined as.

    Anyway, my 2 cents.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    If you answered: < root (ftp), 500 root:root, and yes, you should be ok, at least from the perspective of a direct accessing of /etc/shadow. That doesn't mean that there couldn't be other potential ways to cause problems, but the way I understand your question is that you are most concerned with the person using FTP to obtain the hashes in the shadow and then cracking them to access the system...
    Yes - I would answer how you did on your questions - I am just trying to understand the risk - what is the risk, and yes, to state another way, "but the way I understand your question is that you are most concerned with the person using FTP to obtain the hashes in the shadow and then cracking them to access the system..." I want to confirm or disconfirm the belief I have that anon ftp should be disabled and we should move to scp, as TH13 suggests:

    Why not bypass all this and simply use SCP??? If the FTP service is there strictly for the use of admins, then there is no reason why they can't use SCP or SFTP.
    TH13 - Risk assessments - yep, I know that - believe it or not, we have to work to convince certain IT AND Audit managers that risk assessments are needed to understand the level of acceptable risk for the organization at all levels - even down to the permissions of files/directories and what services should be enabled or not. Your and nebulus200's statements confirm exactly what we have been preaching. For this audit I am unfortunately having to go with a general risk assessment; however, I do have our policies and standards, which we use normally anyway, that I am also utilizing to audit this entity.

    Thanks to you both for your advice - I appreciate the feedback.

  7. #7

  8. #8
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Have you tried vsftpd
    http://vsftpd.beasts.org/
    Not before, but I just did - looks interesting; we will check it out and see if they could use it or scp.

    Thanks!