Re: duplicates

Michael H. Warfield (
Sun, 13 Jul 1997 13:32:56 -0400 (EDT)


Disclaimer: Before I start and someone flames me for "plugging a
product" in the next paragraph, I'm the Senior Engineer for Internet Security
Systems, Inc. I'm also, specifically, the project leader for the Internet
Scanner, which runs on Linux. My intent here is not to plug the product
but rather to raise some non-obvious security issues. I want to make that
clear before someone accuses me of hiding behind my personal accounts and
addresses in order to sneak product promotions into the mailing list. I'm
mentioning the scanner below just as an example.

David S. Miller enscribed thusly:

> (one thing which makes a "brute force" search for these things
> imposible today is the new fad of disallowing EXPAND operations on
> port 25 on so many sites, how the heck am I supposed to check to see
> if some subscriber has a messed up .forward file?)

This is not exactly a "fad" as security scanners such as Internet
Security System's "Internet Scanner" (amoungst others) flag these as a "low
risk vulnerability". Many security concious sites are disabling that feature.

Some may ask what is the security issue involved here. It's simply
an issue of allowing possible intruders to aquire information from your
system that you probably do not want them to have. This could be simply
spammers looking to expand their real address databases or a serious system
intruder looking to lists of real account names to try and bruteforce.
Bruteforcing an alias is a waste of his time. Just being able to use EXPN
and VRFY to determine if an address is real or an alias (or maybe has a
crackable program in a .forward) is of immense benefit to someone looking
to break into your system.

It IS a pain the the *ss when you have legitimate need to use
something like this and someone has disabled it to prevent abuse, but
that's nothing new at all. When the choice boils down to not providing
information to people intent on doing you evil and providing a convenience
to some legitimate outsiders, guess what takes priority?

Lots of mailing lists are disabling the ability to list subscribers
and other lists on the system for the same reasons... There are creeps out
there crusing around and attempting to take advantage of those "features"
for purposes we don't want them to have.

The same arguements apply to totally disabling finger on a system.
Personally, I strongly recommend disabling EXPN and VRFY on sendmail and
totally disabling finger on systems unless you have an overriding NEED for
them. Those are just a few among many "services" that many system have and
most systems don't need. They should not be enabled just by default.

Side note to Eric Raymond: (I know he lurks on this list from time
to time. He and I had some fun discussing the merits / demerits of
the hacker / cracker / intruder terminology debate at the Atlanta Linux
Showcase a month ago.) See Eric - I didn't use either the term hacker OR
cracker (the term "cracker" really sucks - especially here down South).
:-) :-)

Regards to all!

 Michael H. Warfield    |  (770) 985-6132   |
  (The Mad Wizard)      |  (770) 925-8248   |
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!