Top Document: comp.security.unix and comp.security.misc frequently asked questions
Previous Document: Can anyone here tell me how to exploit the [whatever] bug? or Can anyone here tell me how to break in to my ISP?
Next Document: I just noticed that [something]. Has my machine been compromised?

Discarding the timestamp and hostname, the lines look something like this:

    identd[10362]: from: 205.238.143.33 ( mail.dejanews.com ) for: 20546, 25
    identd[10362]: Successful lookup: 20546 , 25 : flaps.users

This states that the machine 205.238.143.33 asked your machine who was connecting from port 20546 on your machine to port 25 on 205.238.143.33, and that your machine answered that the user was "flaps". (The group "users" appears in your own log only; the RFC 1413 reply that goes over the wire carries just the user identifier.) 10362 is the process id of this particular invocation of identd; if two identd requests happened at about the same time and their lines were interleaved in the log, the pid lets you pair each "from:" line with its "Successful lookup:" line.

Theoretically, this is a security-sensitive data exposure: it tells the remote end of every outgoing connection which local account made it. In practice the effect is arguably nil, and it can be very helpful to the admin of a machine which often has more than a few simultaneous users. When one of your users does something untoward, identd allows the remote machine to log the username, so the remote sysadmin's complaint to you will contain information you can act on. A Linux machine at home connected to the internet via PPP and with only one user should not be running identd, because on such a machine it contributes nothing to this process. Very few things on the net REQUIRE the sender to be running identd, because many machines don't have it and because many people turn it off. Your identd program probably has various options to configure what information it discloses; see the man page.
You might want to run it with options to minimize data OTHER than the above: in the common implementation, pidentd, -o reports the operating-system field as OTHER instead of UNIX, and -e returns UNKNOWN-ERROR for every failed lookup instead of distinguishing NO-USER from other causes. You might also run it with the option to report numeric uids rather than lognames (-n), which is just as useful for tracking down offenders from your point of view. On the other hand, if you report numeric uids, then in some cases the remote people will be able to gain logname<->uid translation info (e.g. when the outgoing connection is a mail message bearing 'From' information), so it's hard to say which discloses less data. If you feel that this data is sensitive but still want to run identd, there are some identd servers which report the data encrypted, so that all the target sysadmins can do with the information they get is send the token back to you for your own use. This facility might be available as -C. You specify these options on the identd command line, wherever it appears, which is usually in /etc/inetd.conf.

The identd protocol is documented in RFC 1413 (the "Identification Protocol"). It is the same thing as the "auth" service on TCP port 113 in /etc/services. The query specifies the two port numbers only; the two IP addresses implied are the sender and target of the identd query. Thus you cannot query about IP connections to other machines, although you can query about connections which don't concern you, as long as they are between the machine you are asking and a machine you have an account on.

RFC 1413 states, "If you wouldn't run a 'finger' server due to privacy considerations you may not want to run this protocol." I agree with this but suggest that it might not apply to a cryptographic identd (e.g. -C).
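The exchange and the log lines described above, as an added worked example that is not part of this FAQ and not pidentd's own code: a minimal RFC 1413 responder in Python. The connection table, the uids, the second host 198.51.100.7 and the error-case log line format are constructed for the example; only the flaps/users entry and the identd[10362] lines reproduce what the page shows. The option flags model pidentd's -n, -o and -e as described above.

```python
"""Minimal RFC 1413 (ident / "auth") responder, an added example.

Models the lookup behind the page's log lines: 205.238.143.33 asks which
local user owns the TCP connection local:20546 -> remote:25.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed connection table standing in for the kernel's TCP table:
# (local_port, remote_addr, remote_port) -> (uid, logname, group).
# The first entry reproduces the connection in the page's log lines;
# the uids and the second entry are invented for the example.
CONNECTIONS = {
    (20546, "205.238.143.33", 25): (1001, "flaps", "users"),
    (34001, "192.0.2.10", 6667): (1002, "alice", "staff"),
}


@dataclass(frozen=True)
class Options:
    numeric_uid: bool = False    # like pidentd -n: report uid instead of logname
    hide_os: bool = False        # like pidentd -o: report OTHER instead of UNIX
    generic_error: bool = False  # like pidentd -e: every failure is UNKNOWN-ERROR


@dataclass(frozen=True)
class Lookup:
    pair: str                    # "<sport> , <cport>" as echoed in the reply
    error: Optional[str] = None  # RFC 1413 error token, or None on success
    uid: int = 0
    logname: str = ""
    group: str = ""


def lookup(request: str, querier: str) -> Lookup:
    """Resolve one request: "<port-on-this-host> , <port-on-querier>".

    Only connections between this host and `querier` are visible: the two
    addresses are implied by the TCP connection carrying the query, so a
    querier cannot ask about connections to third parties.
    """
    m = re.fullmatch(r"\s*(\d+)\s*,\s*(\d+)\s*", request.rstrip("\r\n"))
    if not m:
        # Unparseable request: echo a dummy pair (a choice made for this example).
        return Lookup(pair="0 , 0", error="INVALID-PORT")
    sport, cport = int(m.group(1)), int(m.group(2))
    pair = f"{sport} , {cport}"
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return Lookup(pair=pair, error="INVALID-PORT")
    entry = CONNECTIONS.get((sport, querier, cport))
    if entry is None:
        return Lookup(pair=pair, error="NO-USER")
    uid, logname, group = entry
    return Lookup(pair=pair, uid=uid, logname=logname, group=group)


def respond(result: Lookup, opts: Options = Options()) -> str:
    """Format the wire reply. The group is never sent; only the user identifier is."""
    if result.error is not None:
        code = "UNKNOWN-ERROR" if opts.generic_error else result.error
        return f"{result.pair} : ERROR : {code}\r\n"
    os_type = "OTHER" if opts.hide_os else "UNIX"
    ident = str(result.uid) if opts.numeric_uid else result.logname
    return f"{result.pair} : USERID : {os_type} : {ident}\r\n"


def log_lines(pid: int, querier: str, querier_name: str,
              request: str, result: Lookup) -> list:
    """Render the two syslog lines in the pidentd style shown on this page.

    Both carry identd[<pid>] so lines from overlapping requests can still be
    paired when they interleave. The error-case second line is an assumed
    format; the page only shows the successful case.
    """
    first = f"identd[{pid}]: from: {querier} ( {querier_name} ) for: {request.strip()}"
    if result.error is not None:
        second = f"identd[{pid}]: Returned error to {querier}: {result.pair} : {result.error}"
    else:
        second = (f"identd[{pid}]: Successful lookup: {result.pair} : "
                  f"{result.logname}.{result.group}")
    return [first, second]


if __name__ == "__main__":
    req = "20546, 25"
    res = lookup(req, "205.238.143.33")
    print(respond(res), end="")                                   # default reply
    print(respond(res, Options(numeric_uid=True, hide_os=True)), end="")  # -n -o
    for line in log_lines(10362, "205.238.143.33", "mail.dejanews.com", req, res):
        print(line)
    # Same port pair asked by a different host: bound to its own TCP peer, so NO-USER.
    print(respond(lookup(req, "198.51.100.7"), Options(generic_error=True)), end="")
```

Running it prints the reply for the page's query, the same reply under -n and -o, the two pidentd-style log lines, and the reply a third host gets for the same port pair (NO-USER, or UNKNOWN-ERROR under -e). Note what is and is not on the wire: the reply carries the user identifier only; the group appears only in your own log.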
Send corrections/additions to the FAQ Maintainer: flaps@dgp.toronto.edu (Alan J Rosenthal)
Last Update March 27 2014 @ 02:11 PM