CERT® Coordination Center
Protecting Yourself from Password File Attacks
Introduction
- Protect your password file
- Ensure that the passwords being used on accounts cannot
easily be guessed or cracked by intruders
- Ensure that you are up-to-date with security patches and
workarounds
- Watch for unusual activity
The CERT/CC has had incident reports in which
intruders obtain password files from sites and then try to compromise
accounts by cracking passwords. Once intruders gain access to a user
account, they attempt to gain root access through a cracked root
password or by exploiting another vulnerability.
These incidents point to the need for system administrators to adequately
defend their systems from this type of attack. We urge you to do the
following.
- Protect your password file so that an intruder cannot obtain a copy of
it.
- Ensure that good passwords are selected so that they cannot easily be
cracked, or use a technology in which passwords are not located in the
password file.
- Ensure that you are up-to-date with security patches and workarounds.
- Watch for unusual activity.
More specifically, here are steps you can take to minimize the possibility
that your password file (with passwords in it) can fall into the hands of an
intruder.
- Protect your password file
- Use a shadow password file. Under a shadow password system, the
/etc/passwd file does not carry the encrypted (one-way hashed)
passwords in its password field; that field holds only a placeholder
such as "x" or "*". The encrypted passwords are held instead in a
shadow file that is readable only by root (or by a dedicated group),
so an ordinary user, or any process that can read /etc/passwd, cannot
copy the hashes for offline cracking. Consult your system manuals to
determine whether or not a shadow password capability is available
on your system and to get information on how to set up and manage
such a facility.
- Use a technology, such as one-time passwords or Kerberos, that
does not rely on having passwords in the password file.
For more information on one-time passwords, see Appendix B in
-
http://www.cert.org/advisories/CA-1994-01.html
- Ensure that you are up-to-date with sendmail and are using
smrsh. Some sendmail vulnerabilities can be exploited by
intruders to obtain a copy of a password file.
Information on known sendmail vulnerabilities can be obtained
from:
The smrsh program can be obtained from
-
ftp://info.cert.org/pub/tools/smrsh/
smrsh is also included in the sendmail 8.7.5 distribution.
- If you are using NCSA httpd 1.5a-export or Apache httpd 1.0.3 (or
any earlier version of either), ensure that you have followed the
advice in the advisory listed below.
-
http://www.cert.org/advisories/CA-1996-06.html
- To help defend your site from NIS-based attacks, you may wish
to install a portmapper/rpcbind replacement that has access
control built in. Note that an attacker may still be able to
find the port number of the NIS server by scanning all
privileged ports of the target machine and then talk to the
server directly, bypassing the portmapper. While the portmapper
replacement won't defend you from this attack, effective packet
filtering can, and effective logging will alert you to any
attack in progress. To deny outside access to the NIS server
you have to block all privileged port numbers (all port numbers
less than 1024) on your router except those "well known"
services you need and that are on fixed port numbers (like
telnet and ftp). A replacement for portmapper/rpcbind that has
access control and logging is available from
- Ensure that your anonymous ftp area is configured correctly.
Intruders frequently exploit an ftp area that is not correctly
configured to obtain the password file of the ftp server. For
more information on configuring your ftp server, see the
document "Anonymous FTP Configuration Guidelines" available at
-
http://www.cert.org/tech_tips/anonymous_ftp_config.html
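As an added example (not part of the original CERT tech tip), the
following Python script checks the two conditions the items above
describe: that no account in a passwd-format file still carries its
encrypted password in the second field, and that the shadow file
itself is owned by root and is neither readable nor writable by
others. The same passwd check applies to the copy of passwd kept
under an anonymous ftp area (commonly ~ftp/etc/passwd), which must
contain placeholders rather than real hashes. The sample passwd
content is constructed for the example, and the default paths and the
set of placeholder values are assumptions.

```python
"""Check for password hashes that should live only in a shadow file.

Added example: not CERT's code. Assumes the conventional 7-field
passwd layout and that a shadow file is root-owned and unreadable by
'other' (group-readable is tolerated because some systems use a
dedicated shadow group).
"""
import os
import stat

# Constructed sample passwd content. 'alice' and 'bob' still carry real
# hashes in field 2; 'root' is shadowed ('x') and 'ftp' is locked ('*').
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:$1$abcdefgh$Q7Xk9ZsQ3o8sDqXfL1oXa/:1001:1001:Alice:/home/alice:/bin/sh
bob:Fx3kqG7mN1vYk:1002:1002:Bob:/home/bob:/bin/sh
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
"""

# Values that mean "look in the shadow file" or "no valid password" rather
# than a hash (assumed set). Anything else, including a locked '!hash',
# is still a hash an intruder can run Crack against.
PLACEHOLDERS = {"x", "*", "", "!", "!!", "*LK*", "NP"}


def unshadowed_accounts(passwd_text):
    """Return the usernames whose password field holds a real hash."""
    exposed = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d"
                             % (lineno, len(fields)))
        user, pw = fields[0], fields[1]
        if pw not in PLACEHOLDERS:
            exposed.append(user)
    return exposed


def shadow_mode_problems(mode, uid):
    """Describe what is wrong with a shadow file's st_mode/st_uid.

    An empty list means the file is root-owned and hidden from 'other'.
    """
    problems = []
    if uid != 0:
        problems.append("owner uid %d is not root" % uid)
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def check_shadow_file(path="/etc/shadow"):
    """Stat a real shadow file and return its problems (empty if none)."""
    st = os.stat(path)
    return shadow_mode_problems(st.st_mode, st.st_uid)


def audit(passwd_path="/etc/passwd", shadow_path="/etc/shadow",
          ftp_passwd_path=None):
    """Run both checks on real files; ftp_passwd_path is the copy of
    passwd under the anonymous ftp area, if there is one."""
    report = {}
    with open(passwd_path) as f:
        report["unshadowed"] = unshadowed_accounts(f.read())
    report["shadow"] = check_shadow_file(shadow_path)
    if ftp_passwd_path:
        with open(ftp_passwd_path) as f:
            report["ftp_unshadowed"] = unshadowed_accounts(f.read())
    return report


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than the live system.
    print("hashes still in passwd:", unshadowed_accounts(SAMPLE_PASSWD))
    print("0600 root:", shadow_mode_problems(0o100600, 0))
    print("0644 root:", shadow_mode_problems(0o100644, 0))
```

On a live system run audit() as root, passing the ftp area's passwd
copy as ftp_passwd_path; any name returned under "unshadowed" or
"ftp_unshadowed" is a hash an intruder can collect without privilege.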
- Ensure that the passwords being used on accounts cannot easily be
guessed or cracked by intruders.
You may wish to verify that good passwords are being selected at your
site (in accordance with your organization's policies and procedures).
Crack is a tool you can use to do this. It is a freely available
program that recovers standard UNIX DES-encrypted passwords which are
words in widely available dictionaries, or simple variations of them,
using the guessing techniques outlined in the Crack documentation. Any
password Crack recovers is one an intruder holding a copy of your
password file can recover as well.
Crack is available by anonymous FTP from
-
ftp://info.cert.org/pub/tools/crack
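To show what the "standard guessing techniques" amount to in practice,
here is an added example in Python (not from the original tech tip and
not Crack's own code) of the core of a Crack-style dictionary run:
each dictionary word is expanded with a handful of mangling rules
(case variants, reversal, an appended digit or "!", letter-for-symbol
substitutions), every candidate is hashed once per distinct salt, and
the results are compared with the stored entries. Python's binding
for crypt(3) is deprecated and has been removed from recent releases,
so a salted SHA-256 stand-in with the same salt$hash storage layout
takes the place of the DES scheme; the user entries, salts and word
list are constructed for the demonstration.

```python
"""Crack-style dictionary run against password entries.

Added example: not CERT's and not Crack's code. The hash is a stand-in
(see demo_hash); the entries and word list are constructed.
"""
import hashlib


def demo_hash(salt, password):
    """Stand-in for crypt(3). The real scheme is DES-based and Python's
    'crypt' module is deprecated/removed in recent releases, so salted
    SHA-256 is used with the same salt$hash storage layout."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + "$" + digest


def candidates(word):
    """Expand one dictionary word with a subset of Crack's mangling
    rules: case variants, reversal, an appended digit or '!', and the
    usual letter-for-symbol substitutions. Order is kept, duplicates
    dropped."""
    out = []

    def add(w):
        if w and w not in out:
            out.append(w)

    for w in (word, word.lower(), word.upper(), word.capitalize(), word[::-1]):
        add(w)
    for w in list(out):
        for suffix in "0123456789!":
            add(w + suffix)
    add(word.lower().translate(str.maketrans("aeios", "4310$")))
    return out


def crack(entries, wordlist):
    """Return {user: password} for every entry matching a mangled word.

    Entries are grouped by salt so each candidate is hashed once per
    distinct salt rather than once per user; that is what makes a run
    over a large password file affordable, and Crack does the same."""
    by_salt = {}
    for user, entry in entries.items():
        by_salt.setdefault(entry.split("$", 1)[0], []).append((user, entry))
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            for salt, members in by_salt.items():
                h = demo_hash(salt, cand)
                for user, entry in members:
                    if user not in found and h == entry:
                        found[user] = cand
    return found


# Constructed entries: three weak choices and one that is not a mangled
# dictionary word. In practice these come from the shadow file.
CONSTRUCTED_ENTRIES = {
    "alice": demo_hash("ab", "Password1"),   # capitalised word + digit
    "bob":   demo_hash("cd", "terces"),      # reversed word
    "carol": demo_hash("ab", "p4$$w0rd"),    # letter substitutions
    "dave":  demo_hash("ef", "xK7#qLm2Zp"),  # not derivable from the list
}
WORDLIST = ["password", "secret", "admin"]


if __name__ == "__main__":
    for user, pw in crack(CONSTRUCTED_ENTRIES, WORDLIST).items():
        print("%s: %s" % (user, pw))
```

Three of the four constructed accounts fall to a three-word list, which
is the lesson: a password that is any mangled form of a dictionary word
offers no protection once the hash is in an intruder's hands, whatever
the hash function.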
- Ensure that you are up-to-date with patches and workarounds on your
machines.
Keeping up-to-date can help minimize the likelihood that you will be
root compromised if user accounts are compromised. For information
about the latest patches and workarounds, contact your vendor. You can
also find information in
-
ftp://info.cert.org/pub/latest_sw_versions
- Watch for unusual activity.
Use all of the logging facilities available, including wtmp, syslog,
and process accounting. Use tcp wrappers and log all connection
attempts for all services made available via inetd. Examine these logs
looking for suspicious activity. One tool that is available to analyze
syslog files is SWATCH. It is available at
-
http://www.stanford.edu/group/itss-ccs/security.test/sectools.html
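As an added example (not part of the original tech tip and not SWATCH's
own code), the following Python script performs two of the checks an
administrator would want a log watcher to make over syslog: it flags
any source address with three or more failed logins inside a
sixty-second window, and it lists every connection that tcp wrappers
refused. The log lines are constructed for the example and follow the
common syslog layout (month, day, time, host, program[pid]: message);
the exact wording of the login and tcpd messages varies between
systems and is an assumption here, and syslog timestamps carry no
year, so only intervals between lines are meaningful.

```python
"""Scan syslog text for failed-login bursts and refused connections.

Added example: not CERT's or SWATCH's code. Message formats are
assumed; the sample log is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one burst of failures from 192.0.2.10, two isolated
# failures from 203.0.113.5 thirty-five minutes apart, one refusal by tcpd.
SAMPLE_LOG = """\
Mar  3 02:14:05 gw login[2143]: FAILED LOGIN 1 FROM 192.0.2.10 FOR root, Authentication failure
Mar  3 02:14:07 gw login[2143]: FAILED LOGIN 2 FROM 192.0.2.10 FOR root, Authentication failure
Mar  3 02:14:09 gw login[2143]: FAILED LOGIN 3 FROM 192.0.2.10 FOR root, Authentication failure
Mar  3 02:14:12 gw login[2150]: FAILED LOGIN 1 FROM 192.0.2.10 FOR alice, Authentication failure
Mar  3 02:16:30 gw in.telnetd[2201]: refused connect from 198.51.100.7
Mar  3 02:20:00 gw in.ftpd[2250]: connect from 203.0.113.5
Mar  3 03:05:00 gw login[2310]: FAILED LOGIN 1 FROM 203.0.113.5 FOR bob, Authentication failure
Mar  3 03:40:00 gw login[2390]: FAILED LOGIN 1 FROM 203.0.113.5 FOR bob, Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Assumed message wordings (login(1) and tcpd respectively).
FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,]+)")
REFUSED_RE = re.compile(r"refused connect from (?P<src>\S+)")


def parse(line):
    """Split one syslog line into timestamp, program and message, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog has no year; strptime defaults to 1900, fine for intervals.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "msg": m["msg"]}


def failed_login_bursts(text, threshold=3, window_seconds=60):
    """Return {source: count} for every source with at least `threshold`
    failed logins inside some window of `window_seconds` (sliding
    window per source; count is the largest such window)."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            events[m["src"]].append(rec["ts"])
    bursts = {}
    for src, times in events.items():
        times.sort()
        best = 0
        j = 0
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def refused_connections(text):
    """Return [(service, source)] for every tcp wrappers refusal."""
    out = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        m = REFUSED_RE.search(rec["msg"])
        if m:
            out.append((rec["prog"], m["src"]))
    return out


if __name__ == "__main__":
    print("bursts:", failed_login_bursts(SAMPLE_LOG))
    print("refused:", refused_connections(SAMPLE_LOG))
```

The window matters: with the defaults only 192.0.2.10 is reported, while
widening the window to an hour and lowering the threshold to two also
catches the slow pair of failures from 203.0.113.5, the kind of
low-rate guessing that a per-minute rule misses.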
This document is available from:
http://www.cert.org/tech_tips/passwd_file_protection.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
-
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001, 2002 Carnegie Mellon University