4.1 A General Setting
In this section we will try to give a general guideline for setting up a host in a very general way. If you are never going to connect to anywhere except your own machine, that is, a machine standing alone, then there is no need to worry about security and securing your machine. Ok, let's begin:
inetd (Internet Daemon):
As the name suggests, it is the "internet super server". It listens for connections on certain sockets and when a connection request is received the corresponding program is executed to service the request. The configuration file is generally located at /etc/inetd.conf, but another location can also be given on the command line. It is generally invoked at boot time by the /etc/rc script, but it must first be enabled in the /etc/rc.conf file. So, if you want to give your users rlogin, telnet, ftp etc. services you should enable inetd in the /etc/rc.conf file as:
inetd_enable="YES"
inetd_flags=""    # only necessary if you want to pass some option
If you are not sure whether your inetd is already running or not, just do:
maple@junan:/home/junan{1002}% ps waux | grep inetd
338 5.5 3.7 244 512 p1 S+ 9:37PM 0:00.10 grep inetd
127 0.0 0.0 208 0 ?? IWs - 0:00.00 (inetd)
maple@junan:/home/junan{1003}%
Yes, it's running. Ok, let's edit the configuration file /etc/inetd.conf. Most probably you already have a pre-configured file and it will work quite nicely. Here's the one you will most probably get by default:
---------------------- Start of inetd.conf -----------------
# $Id: inetd.conf,v 1.23.2.6 1998/09/03 22:14:37 brian Exp $
# Internet server configuration database
# @(#)inetd.conf 5.4 (Berkeley) 6/30/90
ftp stream tcp nowait root /usr/local/libexec/ftpd ftpd -l
#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
shell stream tcp nowait root /usr/libexec/rshd rshd
login stream tcp nowait root /usr/libexec/rlogind rlogind
finger stream tcp nowait nobody /usr/libexec/fingerd fingerd -s
#exec stream tcp nowait root /usr/libexec/rexecd rexecd
#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
#nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd
comsat dgram udp wait root /usr/libexec/comsat comsat
ntalk dgram udp wait root /usr/libexec/ntalkd ntalkd
#tftp dgram udp wait nobody /usr/libexec/tftpd tftpd /tftpboot
#bootps dgram udp wait root /usr/libexec/bootpd bootpd
# "Small servers" -- used to be standard on, but we're more conservative
# about things due to Internet security concerns. Only turn on what you
# need.
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#time stream tcp nowait root internal
#time dgram udp wait root internal
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
# Kerberos authenticated services
#klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k
#eklogin stream tcp nowait root /usr/libexec/rlogind rlogind -k -x
#kshell stream tcp nowait root /usr/libexec/rshd rshd -k
#rkinit stream tcp nowait root /usr/libexec/rkinitd rkinitd
# Services run ONLY on the Kerberos server
#krbupdate stream tcp nowait root /usr/libexec/registerd registerd
#kpasswd stream tcp nowait root /usr/libexec/kpasswdd kpasswdd
# RPC based services (you MUST have portmapper running to use these)
#rstatd/1-3 dgram rpc/udp wait root /usr/libexec/rpc.rstatd rpc.rstatd
#rusersd/1-2 dgram rpc/udp wait root /usr/libexec/rpc.rusersd rpc.rusersd
#walld/1 dgram rpc/udp wait root /usr/libexec/rpc.rwalld rpc.rwalld
#pcnfsd/1-2 dgram rpc/udp wait root /usr/libexec/rpc.pcnfsd rpc.pcnfsd
#rquotad/1 dgram rpc/udp wait root /usr/libexec/rpc.rquotad rpc.rquotad
#sprayd/1 dgram rpc/udp wait root /usr/libexec/rpc.sprayd rpc.sprayd
# example entry for the optional pop3 server
pop3 stream tcp nowait root /usr/local/libexec/popper popper
# example entry for the optional imap4 server
#imap4 stream tcp nowait root /usr/local/libexec/imapd imapd
# example entry for the optional ident server
#ident stream tcp wait root /usr/local/sbin/identd identd -w -t120
# example entry for the optional qmail MTA
#smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env var/qmail/bin/qmail-smtpd
# Enable the following two entries to enable samba startup from inetd
# (from the Samba documentation).
#netbios-ssn stream tcp nowait root /usr/local/sbin/smbd smbd
#netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd
---------------------- End of inetd.conf -----------------
From this sample file, let's think about the line
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
When an ftp request is received, ftpd (the ftp daemon) located at /usr/libexec/ftpd is executed, and control is passed over to it. ftpd is invoked with the option flag -l, which enables logging via syslog (that means you should have an entry in the /etc/syslog.conf file like:
ftp.*	/var/log/ftpd
--- the space should be created by the tab key ---
And if you do this now, make sure to run:
When you try to look at your /var/log/ftpd file you might get something like this:
maple# tail /var/log/ftpd
Feb 4 18:17:50 maple ftpd[3009]: FTP LOGIN FROM mercury-gw.st.yatsushiro-nct.ac.jp [202.251.36.3], junan
maple#
ftpd started with -l -l (yes, twice) will log every command tried in an ftp session. So, if your server is accessed frequently for the ftp service while ftpd was invoked with two -l options, then your /var/log/ftpd can get quite big. Before enabling two -l, take a moment and think. Other available nice options are:
-a            When -D is specified, accept connections only on the specified address.
-A            Allow only anonymous ftp access.
-t timeout    The inactivity timeout period is set to timeout seconds (the default is 15 minutes).
Let's think about what we can do with the second line:
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
Sure, this line is the same as for ftpd, but here no option is given. Let's look at the manual page to see whether useful options are available:
-h    Disable the printing of host-specific information before login has been completed.
Let's try to log in to our own machine:
maple@junan:/home/junan{1011}% telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
FreeBSD (maple) (ttyp3)
login:
Yes, you can see the host-specific information (that this host is running FreeBSD, its name is maple, the terminal is ttyp3) without logging in to the host. Some people turn it off by invoking telnetd with the -h option, in which case you will see something like:
maple@junan:/home/junan{1013}% !telnet
telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login:
But most of the time I prefer not to use the -h option because I don't mind showing the information available. If you are very much worried that some 'bad guy' will see your operating system and try some exploits on the specific OS, then you should use this option, but the chances are high that those guys will try even if they don't get this information. Anyhow, it's up to you.
-u len    This option is used to specify the size of the field in the utmp structure that holds the remote host name. If the resolved host name is longer than len, the dotted decimal value will be used instead. This allows hosts with very long host names that overflow this field to still be uniquely identified. Specifying -u0 indicates that only dotted decimal addresses should be put into the utmp file.
So, if you are interested in putting the dotted addresses in the utmp file you should use the -u0 option. Let's try, but at first the usual way:
maple# telnet localhost
......
login: junan
passwd:
maple@/home/junan{1001}% last | grep junan | more
junan ttyp3 localhost Thu Feb 4 23:15 still logged in
But if you use -u0 option you will get something like:
junan ttyp3 127.0.0.1 Thu Feb 4 24:17 still logged in
We like this option because there are a lot of machines inside this school with a lot of peculiar names, and they are not available from the name server by name (available by address). It's a nice tool for trying to figure out from where your users usually log in, hoping that they are sending good dotted addresses.
-U    This option causes telnetd to refuse connections from addresses that cannot be mapped back into a symbolic name via the gethostbyaddr(3) routine.
As the option suggests, it uses gethostbyaddr(3) to map back the address. Unfortunately the different school hosts available do not give a proper hostname to map them back (just the short name), thus using the -U option makes maple a host on which users won't be able to log on even though they come from valid hosts. Security-concerned people can use this option and ask the users to use properly configured hosts. ntalk and comsat can be commented out without much concern; during this one-year stay on this server we never used these two services. The finger daemon is up to one's choice. We keep it open, though security-concerned people are not interested in giving the requested information to outside users (who are not in any way related to the local server). From the point of view of security it should be disabled. Nowadays nobody runs a fingerd server anymore.
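Deciding which of these entries to keep is easier when you can see at a glance what the file actually enables and which of those services inetd will start with root privileges. The following script is an added example, not part of the original text; the function names enabled_services, root_services and enabled_count are its own, and it relies only on the inetd.conf column order shown above (service, socket type, protocol, wait/nowait, user, program, arguments).

```shell
#!/bin/sh
# Added example (not from the original text): list what an inetd.conf
# actually enables, and which of those services inetd starts as root.
# enabled_services/root_services/enabled_count are this example's own names.
# inetd.conf columns: service socket proto wait/nowait user program [args]

# Print "service user program" for every uncommented entry in the file $1.
enabled_services() {
    awk '$1 ~ /^#/ || NF < 6 { next }   # skip comments and short/blank lines
         { print $1, $5, $6 }' "$1"
}

# Print only the enabled services whose user column is root.
root_services() {
    enabled_services "$1" | awk '$2 == "root" { print $1 }'
}

# Count the enabled entries, for a one-line summary.
enabled_count() {
    enabled_services "$1" | wc -l | tr -d ' '
}

# When run directly, audit the system file (or the file named as $1).
conf=${1:-/etc/inetd.conf}
if [ -f "$conf" ]; then
    echo "$(enabled_count "$conf") service(s) enabled in $conf"
    echo "running as root:"
    root_services "$conf"
fi
```

Run it as `sh audit-inetd.sh /etc/inetd.conf` and compare the root list against what you really need; the entries marked "internal" count as enabled too, since inetd serves them itself.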
If you want to disable inetd, just add the following line to the /etc/rc.conf file:
inetd_enable="NO"
And you can forget about logging in from remote machines to your own host. It's history!
4.2.1 COPS
Now that we have become a little bit familiar with a few things, we feel like testing a few things a little. Here we will describe how to set up COPS for an average user on our system from a tar file. This file was supplied with the book Unix System Administration Handbook. At first we have to mount the CD-ROM somewhere. From that mount point we have to copy the file to our system. The file name is cops.tar.
maple@junan:/home/junan/COPS{1067}% ls -l cops.tar
-rw-r--r-- 1 junan wheel 491520 Feb 19 23:43 cops.tar
maple@junan:/home/junan/COPS{1068}%
maple@junan:/home/junan/COPS{1069}% tar -xvf cops.tar
cops/
cops/1.04+/
cops/1.04+/p4+.shar.18.Z
..omitted
cops/1.04+/p4+.shar.03.Z
cops/1.04+/p4+.shar.02.Z
cops/1.04+/p4+.shar.01.Z
cops/README
maple@junan:/home/junan/COPS{1070}% cd cops
maple@junan:/home/junan/COPS/cops{1074}%
The README file in this directory doesn't contain anything; you can skip this file. Let's go to the directory:
maple@junan:/home/junan/COPS/cops{1074}% cd 1.04+
maple@junan:/home/junan/COPS/cops/1.04+{1075}% ls -al
total 468
drwxr-xr-x 2 junan wheel 512 Sep 22 1997 .
drwxr-xr-x 3 junan wheel 512 Sep 22 1997 ..
-rw-r--r-- 1 junan wheel 25289 May 28 1993 p4+.shar.01.Z
-rw-r--r-- 1 junan wheel 25164 May 28 1993 p4+.shar.02.Z
-rw-r--r-- 1 junan wheel 27056 May 28 1993 p4+.shar.03.Z
-rw-r--r-- 1 junan wheel 25920 May 28 1993 p4+.shar.17.Z
-rw-r--r-- 1 junan wheel 23439 May 28 1993 p4+.shar.18.Z
maple@junan:/home/junan/COPS/cops/1.04+{1076}%
The *.Z extension indicates a compressed file. Let's gunzip them.
maple@junan:/home/junan/COPS/cops/1.04+{1076}% gunzip *
maple@junan:/home/junan/COPS/cops/1.04+{1077}% ls -al
total 987
drwxr-xr-x 2 junan wheel 512 Feb 19 23:59 .
drwxr-xr-x 3 junan wheel 512 Sep 22 1997 ..
-rw-r--r-- 1 junan wheel 55823 May 28 1993 p4+.shar.01
-rw-r--r-- 1 junan wheel 56210 May 28 1993 p4+.shar.02
-rw-r--r-- 1 junan wheel 55876 May 28 1993 p4+.shar.03
.omitted
-rw-r--r-- 1 junan wheel 55802 May 28 1993 p4+.shar.17
-rw-r--r-- 1 junan wheel 50637 May 28 1993 p4+.shar.18
maple@junan:/home/junan/COPS/cops/1.04+{1078}%
We don't know anything about these files. Let's try to see what's inside them:
maple@junan:/home/junan/COPS/cops/1.04+{1078}% more p4+.shar.01
#!/bin/sh
# This is a shell archive (produced by shar 3.49)
# To extract the files from this archive, save it to a file, remove
# everything above the "!/bin/sh" line above, and type "sh file_name".
# made 03/08/1993 17:19 UTC by zen@death
# Source directory /big/zen/COPS
..omitted
So, these are shell scripts! Let's try a single script.
maple@junan:/home/junan/COPS/cops/1.04+{1083}% sh p4+.shar.01
x - creating directory cops_104+
x - extracting cops_104+/MANIFEST (Text)
x - extracting cops_104+/README.1 (Text)
x - extracting cops_104+/README.2.pl (Text)
x - extracting cops_104+/README.2.sh (Text)
x - extracting cops_104+/README.3 (Text)
End of part 1
File cops_104+/README.3 is continued in part 2
maple@junan:/home/junan/COPS/cops/1.04+{1084}%
So these are files that continue one into the next. But there are 18 files in all. Though it's not very laborious to type this command 18 times, let's create a simple script which will do all of it:
--------------- Start of my.sh script ---------------
#!/bin/sh
# Walk the part numbers 1..18 and build each archive's file name
i=1
while [ "$i" -le 18 ]; do
    if [ "$i" -le 9 ]; then
        FILENAME="p4+.shar.0$i"    # single-digit parts carry a leading zero
        echo $FILENAME
    else
        FILENAME="p4+.shar.$i"
        echo $FILENAME
    fi
    i=`expr $i + 1`
done
--------------- End of the my.sh script ---------------
So, let's see what kind of result we get from this script:
maple@junan:/home/junan/COPS/cops/1.04+{1104}% sh my.sh
p4+.shar.00
p4+.shar.01
p4+.shar.02
p4+.shar.03
p4+.shar.04
omitted
p4+.shar.09
p4+.shar.10
.omitted
p4+.shar.17
p4+.shar.18
maple@junan:/home/junan/COPS/cops/1.04+{1105}%
It seems that we get proper names! So, let's put the line
sh $FILENAME
in the script immediately before the line i=`expr $i + 1`.
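For reference, here is the finished form of that procedure as an added example, not the original my.sh: the "sh $FILENAME" line is in place, the part name is built with printf instead of the two-branch if, a missing part is skipped with a message rather than aborting the loop, and the function reports how many parts it ran. The names shar_name and extract_all and the "run" argument are this example's own; the shar output is sent to stderr so the function's only stdout is the count.

```shell
#!/bin/sh
# Added example (not the original my.sh): unpack all parts of a
# multi-part shar set such as p4+.shar.01 .. p4+.shar.18.
# shar_name/extract_all and the "run" argument are this example's own choices.

# Build the n-th part name with a two-digit suffix: shar_name p4+.shar 1 -> p4+.shar.01
shar_name() {
    prefix=$1
    n=$2
    printf '%s.%02d\n' "$prefix" "$n"
}

# Run parts 1..$2 of prefix $1 through sh, skipping parts that are not
# present; progress goes to stderr, the number of parts run to stdout.
extract_all() {
    prefix=$1
    count=$2
    i=1
    done_count=0
    while [ "$i" -le "$count" ]; do
        FILENAME=$(shar_name "$prefix" "$i")
        if [ -f "$FILENAME" ]; then
            echo "extracting $FILENAME" >&2
            sh "$FILENAME" >&2
            done_count=$((done_count + 1))
        else
            echo "skipping $FILENAME (not found)" >&2
        fi
        i=$((i + 1))
    done
    echo "$done_count"
}

# Only extract when invoked as "sh my.sh run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
    n=$(extract_all p4+.shar 18)
    echo "$n part(s) extracted"
fi
```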
Now let's run all the shell scripts:
maple@junan:/home/junan/COPS/cops/1.04+{1105}% sh my.sh
This should put all the necessary sources in nice places:
maple@junan:/home/junan/COPS/cops/1.04+{1106}% cd cops_104+
maple@junan:/home/junan/COPS/cops/1.04+/cops_104+{1106}%
In this directory you will find a lot of useful instructions in the README files. Please refer to them if you are interested in the details of the setup. But the following process does quite well:
maple@junan:/home/junan/COPS/cops/1.04+/cops_104+{1110}% ./reconfig
maple@junan:/home/junan/COPS/cops/1.04+/cops_104+{1111}% make
At this point you should get all the binaries necessary to run cops. The only problem can arise when the makefile can't locate the crypt() routine. But before running ./cops let's edit the cops script as necessary. There are a lot of places you might want to edit. At first, the two most necessary lines, without which it will complain:
SECURE=/home/junan/COPS/cops/1.04+/cops_104+
SECURE_USERS="junan"
There are a few other options we would like to strip off, but let's cut it short here:
maple@junan:/home/junan/COPS/cops/1.04+/cops_104+{1112}% ./cops
You should get a report in the maple directory. Let's look at the report:
maple@junan:/home/junan/COPS/cops/1.04+/cops_104+/maple{1055}% more *Feb*
ATTENTION:
Security Report for Sat Feb 20 00:35:53 JST 1999
from host maple
Warning! Root does not own the following file(s):
/bin
Warning! NFS file system /usr exported with no restrictions!
Warning! NFS file system /cdrom exported with no restrictions!
Warning! /etc/security is _World_ readable!
Warning! User uucp's home directory /var/spool/uucppublic is mode 0777!
Warning! Password file, line 2, user toor has uid = 0 and is not root
toor:*:0:0:Bourne-again Superuser:/root:
ftp-Warning! /usr/ftp/etc/passwd and /etc/passwd are the same!
ftp-Warning! /usr/ftp/etc/group and /etc/group are the same!
ftp-Warning! File /usr/ftp/etc/group is missing (anon-ftp setup)!
ftp-Warning! /usr/ftp/etc/group should be owned by root or root!
ftp-Warning! File /usr/ftp/etc/passwd is missing (anon-ftp setup)!
ftp-Warning! /usr/ftp/etc/passwd should be owned by root or root!
ftp-Warning! /usr/ftp/bin/ls should be owned by root or root!
ftp-Warning! /usr/ftp/bin should be owned by root or root!
ftp-Warning! /usr/ftp should be owned by root or root!
ftp-Warning! /usr/ftp should be mode 555!
ftp-Warning! Incorrect permissions on "ls" in /usr/ftp/bin!
ftp-Warning! Incorrect permissions on "passwd" in /usr/ftp/etc!
This is a nice report. But unfortunately not all the messages are quite right. For example the /usr/ftp/etc/passwd file does not exist, but we can see that it warns us as if the /usr/ftp/etc/passwd file did exist! So, something should be done about ftp.chk. Unfortunately we are short of space and time to discuss it here, but it shouldn't be hard work to find out what ftp.chk does.
Why the warnings about the /usr/ftp directory, the files /usr/ftp/bin/ls etc.? Because users logged on as anonymous are actually logged in as the user ftp. So, if user ftp can modify the existing files in his directory, he has the possibility of putting files there as he wishes, which can be a security concern. Since overwriting is disabled, this possibility is reduced. Anyhow, you can always go and check those files.
So, this is all you will need to do to make COPS run for you.
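If you want to check those anonymous-ftp directories yourself, the two conditions behind the ftp-Warning lines (owned by root, mode 555) are easy to test with find(1). The script below is an added example and not part of COPS or of the original text; check_ftp_dir is its own name, and the list of directories in the "run" branch is taken from the warnings above.

```shell
#!/bin/sh
# Added example (not COPS code and not from the original text): check that
# an anonymous-ftp directory is owned by the expected user and is mode 555,
# the two things the ftp-Warning lines above complain about.
# check_ftp_dir and the "run" argument are this example's own choices.

# check_ftp_dir DIR OWNER: print one Warning! line per problem, return 1 if any.
# find -prune looks only at DIR itself; -user and -perm 555 match exactly.
check_ftp_dir() {
    dir=$1
    owner=$2
    status=0
    if [ ! -d "$dir" ]; then
        echo "Warning! $dir does not exist!"
        return 1
    fi
    if [ -z "$(find "$dir" -prune -user "$owner")" ]; then
        echo "Warning! $dir should be owned by $owner!"
        status=1
    fi
    if [ -z "$(find "$dir" -prune -perm 555)" ]; then
        echo "Warning! $dir should be mode 555!"
        status=1
    fi
    return $status
}

# When invoked as "sh ftpcheck.sh run", look at the directories COPS reported on.
if [ "${1:-}" = "run" ]; then
    rc=0
    for d in /usr/ftp /usr/ftp/bin /usr/ftp/etc; do
        check_ftp_dir "$d" root || rc=1
    done
    [ "$rc" -eq 0 ] && echo "anonymous-ftp directories look fine"
fi
```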
4.2.2 john
john is a password cracker. As you might wonder why such kinds of tools exist (if you are used to this kind of tool you won't wonder, though), we would like to give a little explanation here. But before going into more detail let's get it down from the net. At first we visit www.freebsd.org. We search for the word crack (since john didn't produce any useful results) and we get what we want, three addresses:
http://www.false.com/security/john/john-1.6.tar.gz
ftp://ftp.false.com/pub/security/john/john-1.6.tar.gz
ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/john-1.6.tar.gz
Unfortunately the 1st and 3rd addresses don't have the source files anymore (we double-checked it with a browser and by ftping to those places with anonymous login). The 2nd place has the source files. We download it. Now the process of compiling it:
maple@junan:/home/junan/JOHN{1051}% ls -al john-1.6.tar.gz
-rw-r--r-- 1 junan wheel 497341 Feb 20 01:05 john-1.6.tar.gz
maple@junan:/home/junan/JOHN{1052}%
If for some reason you don't have such an extension (*.tar.gz), please use the
command to make those extensions, otherwise you might end up without being able to unzip them.
maple@junan:/home/junan/JOHN{1054}% cat john-1.6.tar.gz | gunzip | tar xfv -
maple@junan:/home/junan/JOHN{1055}% cd john-1.6
maple@junan:/home/junan/JOHN/john-1.6{1056}% make
Since no architecture type is specified, make shows you the supported types; you can select one of them:
maple@junan:/home/junan/JOHN/john-1.6/src{1065}% make freebsd-x86-any-a.out
It will give you the necessary binary files. Let's check the tool we got here. But before that let's make a password program ourselves so that it accepts easily guessed passwords. It would take quite a long time to explain the program here, but you can find it as ~junan/public_html/maple/passwd.c. Please refer to it. Let's make a few easily guessed passwords and save the results in a file named testpass:
maple@junan:/home/junan/JOHN/john-1.6/src{1066}% cat testpass
junan:689fh0wbC4I4c:1001:0:Junan Chakma:/home/junan:/bin/csh
junan:4AzcE1F7G.yT.:1001:0:Junan Chakma:/home/junan:/bin/csh
The password should be cracked in less than 1 second! Let's start the john program and see what happens:
maple@junan:/home/junan/JOHN/john-1.6/run{1094}% ./john -single testpass
maple@junan:/home/junan/JOHN/john-1.6/run{1094}% ./john -show testpass
junan:junancha:1001:0:Junan Chakma:/home/junan:/bin/csh
1 password cracked, 1 left
maple@junan:/home/junan/JOHN/john-1.6/run{1095}%
Please take a look at password.lst. There are 2290 of the most commonly used passwords (as thought out and researched by the writer), such as:
12345
abc123
stupid
falcon
Nirvana
shannon
iloveyou
If you have such passwords, they should be guessed by john within 1 second! Now, why are these kinds of tools used? Because these kinds of tools are provided for system administrators so that they can find out the weak passwords before other guys do! The easiest way to make such a program fail is combination. If you put a few wild-card signs in your password, like sha-n$*2x3, then john will go through millions of combinations before finding out your password (it will take a few months before a 486 can guess this combination, and by that time you may have changed your password already).
Since these kinds of tools are freely available or can easily be written by people (though not easily ones like john or crack), you should always make the encrypted passwords unavailable to anyone except you (shadow system!).
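The testpass file above is exactly the situation to avoid on a real system: a hash sitting in a world-readable passwd file. As an added example, not part of the original text or of john, the script below walks a passwd-format file and reports every account whose second field still holds a hash (which is what a shadow system moves out of reach) or is empty. passwd_findings and findings_count are its own names; it treats "x" and "*" as "hash held elsewhere or locked", and a field starting with "!" as a locked account.

```shell
#!/bin/sh
# Added example (not from the original text or from john): report
# passwd-format entries whose password field carries a hash that anyone who
# can read the file can copy, or is empty. passwd_findings/findings_count
# are this example's own names. "x" and "*" mean the hash lives in a shadow
# file (or the account is locked), so those lines are not reported.

# Print "user:reason" for each worrying line of the passwd file $1.
passwd_findings() {
    awk -F: '
        /^#/ || NF < 7         { next }                              # comments, junk
        $2 == ""               { print $1 ":empty-password"; next }
        $2 == "x" || $2 == "*" { next }                              # shadowed / locked
        $2 ~ /^!/              { next }                              # locked account
                               { print $1 ":hash-in-passwd" }
    ' "$1"
}

# Count the findings, for a quick yes/no.
findings_count() {
    passwd_findings "$1" | wc -l | tr -d ' '
}

# When run directly, look at the system file (or the file named as $1).
f=${1:-/etc/passwd}
if [ -r "$f" ]; then
    echo "$(findings_count "$f") entry(ies) in $f expose a hash or have no password"
    passwd_findings "$f"
fi
```

On a FreeBSD host with a shadow system every line of /etc/passwd carries "*" in the second field and the script prints nothing; any other output names a line that belongs in master.passwd instead.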