IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.21 Secure use of telnet, ftp, tftp and rexec
Initiation responsibility: IT Security Management, Administrators
Implementation responsibility: Administrators
With the telnet hostname command it is possible to log into the hostname
computer after entry of a user name and associated password. With ftp,
sizeable quantities of data can be copied, and rexec allows execution of a
command on another computer without previously logging on. For all of these
three programs, the entered user names and passwords are transmitted
unencrypted over the network; so they should only be used when one can be
certain that the network cannot be intercepted (cf. T 5.7). All calls to telnet, ftp
and rexec must be logged. Particular attention must be paid to unsuccessful
connection attempts by external IT systems.
When using the ftpd daemon, it must be borne in mind that, as in the case of
sendmail (cf. S 5.19 Use of the sendmail security mechanisms), new, serious
security flaws are constantly coming to light which may make it possible to
gain Administrator privileges without a password (on this point, see CERT
notice CA-94-08. 14 April 1994). ftp versions that are older than those
described there should not be used.
In addition, all user names for which ftp access is not to be permitted should
be entered in the /etc/ftpusers file. These include, for example, root, uucp and
bin. When configuring new users, care should be taken to ensure that these are
entered in /etc/ftpusers if their profile does not permit them any ftp access (see
also S 2.30 Provisions governing the configuration of users and user groups).
With .netrc-files, automatic FTP accesses to remote IT systems are permitted
as .netrc files contain the necessary passwords. Steps must therefore be taken
to ensure that there are no .netrc-files in the user directories or else that they
are empty and the user is unable to access them.
Use of the tftpd, rexd and rexecd daemons must be prevented (e.g. by deleting
the corresponding entry in /etc/inetd.conf) or, as a minimum, steps must be
taken to ensure that, when using tftp, users only have restricted access to files
from the log-in directory (see also S 2.32 Establishment of a restricted user
environment). This can be verified by making the following entries:
tftp hostname
tftp>get /etc/passwd /tmp/txt
If the tftp daemon does not respond with an error message, its use must be
prevented.
If notwithstanding tftp is still used for the start-up process of active network
components or X terminals, it is essential that this is documented and the
underlying rationale is explained. Again, if tftp is used, steps must be taken to
ensure that the tftp daemon is started with the option –s directory. The
directory entered here must be the only directory which is visible to the
daemon.
Secure Shell (ssh) can be used as a substitute for telnet and rexec. It makes use
of extensive functions designed to ensure secure authentication and to
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Passwords in plain text
Security weaknesses in
ftpd
Restrict ftp access
Restricted file access
with tftp
Use Secure Shell as a
substitute