SANS Top-20 Internet Security Attack Targets: UNIX Configuration Weaknesses (1/2)  
Author: Max : 2006/11/20
UNIX Configuration Weaknesses 
U1.1 Description

Most Unix/Linux systems include a number of standard services in their default installation. These services, even if fully patched, can be the cause of unintended compromises. Security savvy administrators harden systems by turning off unnecessary services and/or firewalling them from the Internet.

For example, a default installation of Red Hat Enterprise Linux will have services such as cups (Common Unix Printing System), portmap (RPC support), sendmail (Mail Transport Agent), and sshd (OpenSSH server), which should be disabled if they are not required.

Of particular interest are brute-force attacks against command-line access services such as SSH, FTP, and telnet. These services are often targeted because they are so widely used for remote access. Over the last couple of years, attackers have made a concerted effort to brute-force the passwords used by these applications, and worms and bots increasingly have brute-force password engines built into them. Systems with weak passwords for user accounts are actively compromised; often privilege escalations are used to gain root access, and rootkits are installed to hide the compromise. It is important to remember that brute-forcing passwords can be used as a technique to compromise even a fully patched system.

Security-conscious administrators use SSH as their method of interactive remote access. If the version of SSH is current and fully patched, the service is generally assumed to be safe. However, regardless of whether it is up to date and patched, it can still be compromised via brute-force password-guessing attacks. For SSH, it is recommended to use the public key authentication mechanism to thwart such attacks. For the other interactive services, audit passwords to ensure they are of sufficient complexity to resist a brute-force attack.
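The public-key recommendation above can be checked against a server's configuration. This added example (not part of the original article) reads sshd_config text and reports settings that still allow password-style logins; the function names, the sample config and the key-only policy it enforces are assumptions, and the defaults are those of current OpenSSH.

```shell
# Added example: audit the global section of an sshd_config for password-guessing exposure.

# effective_value KEYS DEFAULT  (config on stdin; KEYS is lower-case "a|b").
# sshd uses the FIRST occurrence of a keyword and matches keywords
# case-insensitively. Parsing stops at the first Match block (global only).
effective_value() {
    awk -v want="$1" -v dflt="$2" '
        /^[ \t]*(#|$)/ { next }                    # comments, blank lines
        { sub(/=/, " "); key = tolower($1) }       # accept "Key=value" too
        key == "match" { exit }
        NF >= 2 && key ~ ("^(" want ")$") {
            val = tolower($2); gsub(/"/, "", val); found = 1; exit
        }
        END { print (found ? val : dflt) }
    '
}

# check LABEL KEYS DEFAULT SAFE: report when the effective value is not SAFE.
check() {
    v=$(printf '%s\n' "$cfg" | effective_value "$2" "$3")
    [ "$v" = "$4" ] && return 0
    echo "WEAK $1=$v (want $4)"; findings=1
}

# audit_sshd (config on stdin): prints findings, returns 1 if any were found.
# Defaults below are those of current OpenSSH; confirm in sshd_config(5).
audit_sshd() {
    cfg=$(cat); findings=0
    check PasswordAuthentication passwordauthentication yes no
    check PermitEmptyPasswords permitemptypasswords no no
    check PubkeyAuthentication pubkeyauthentication yes yes
    # Keyboard-interactive (often PAM) can still prompt for a password.
    check KbdInteractiveAuthentication \
        'kbdinteractiveauthentication|challengeresponseauthentication' yes no
    return "$findings"
}

# Constructed sample config, not taken from a real host.
sample_config() {
    cat <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}
sample_config | audit_sshd || echo "password-style logins still accepted"
```

To audit a real host, run `audit_sshd < /etc/ssh/sshd_config`. Settings inside Match blocks and files pulled in by Include are not evaluated.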

U1.2 Affected Versions

All versions of UNIX/Linux are potentially at risk from improper and default configurations. All UNIX/Linux versions may be affected by accounts having weak or dictionary-based passwords for authentication.

U1.3 How to determine if you are vulnerable

Default installations (either from the manufacturer or by an administrator) of operating systems or network applications may introduce a wide range of unneeded and unused services. In many cases, uncertainty about operating system or application needs leads manufacturers or administrators to install all of the software in case it is needed in the future. This simplifies the installation process significantly but also introduces a wide range of unneeded services and accounts that have default, weak, or known passwords.

The use of an updated vulnerability scanner or a port mapper can be highly effective in diagnosing any potential vulnerabilities left by default installations, such as unneeded and/or outdated services/applications. Also, a password cracker can help find weak passwords so that they can be replaced with ones that are more difficult to guess in a brute-force attack on remote services.

Please note: Never run a password cracker/vulnerability scanner, even on systems for which you have root-like access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so.