RE: Mac X-Server Security Questions...

From: Brad Berson (brad.berson_at_bytebrothers.org)
Date: 04/08/05

    Date: Fri, 8 Apr 2005 16:46:05 -0400
    To: "John Jasen" <jjasen@realityfailure.org>
    
    

    > How? What did the logs say? What service?

    Ahh, let's fish back for the emails... (replacing admin level account
    name with zzzzz and other accounts with zzzzN to protect the innocent)

    First disturbing event was just after midnight, since nobody legit is
    hitting that box at that hour...

    00:14:26 RSAPUBLIC: ok
    00:14:26 GETPOLICY: user {0x00000000000000000000000000000001, zzzzzz},
    policies: isDisabled=0 isAdminUser=1 newPasswordRequired=0
    usingHistory=0
    canModifyPasswordforSelf=1 usingExpirationDate=0
    usingHardExpirationDate=0
    requiresAlpha=0 requiresNumeric=0 expirationDateGMT=4294967295
    hardExpireDateGMT=4294967295 maxMinutesUntilChangePassword=0
    maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0
    minChars=0
    maxChars=0 passwordCannotBeName=0 isSessionKeyAgent=0
    00:14:26 QUIT: {no user} has disconnected.
    00:14:26 RSAPUBLIC: ok
    00:14:26 GETPOLICY: user {0x4229e957188225070000000300000003,
    zzzzz1}, policies: isDisabled=0 isAdminUser=0 newPasswordRequired=0
    usingHistory=0
    canModifyPasswordforSelf=1 usingExpirationDate=0
    usingHardExpirationDate=0
    requiresAlpha=0 requiresNumeric=0 expirationDateGMT=0
    hardExpireDateGMT=0
    maxMinutesUntilChangePassword=129600 maxMinutesUntilDisabled=0
    maxMinutesOfNonUse=0
    maxFailedLoginAttempts=5 minChars=6 maxChars=0 passwordCannotBeName=0
    isSessionKeyAgent=0
    [etc...]

    This whole thing goes on for the entire collection of accounts. Happens
    a few more times through the evening.

    A few hours later, some ssh-host keys (key and key.pub / dsa_key and
    dsa_key.pub / rsa_key and rsa_key.pub) are changed. Why? Certainly
    nothing WE did!

    BTW #1: Please don't lecture me on the terrible policy in place here -
    I didn't do it.

    BTW #2: ipfw is a joke and Apple doesn't support it. Thanks for nada!

    I can't find the ipfw logs for that particular night right now. I'll
    dig around.

    -Brad
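
An added example, not part of the original message: a small parser for password-server log entries in the format quoted above. It flags bursts of GETPOLICY lookups across many accounts and admin accounts whose policy shows no lockout or minimum length. The sample log, the thresholds, and the reading of 0 as "not enforced" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the message (placeholder names/IDs).
SAMPLE_LOG = """\
00:14:26 RSAPUBLIC: ok
00:14:26 GETPOLICY: user {0x00000000000000000000000000000001, zzzzz},
policies: isDisabled=0 isAdminUser=1 maxFailedLoginAttempts=0
minChars=0
00:14:26 QUIT: {no user} has disconnected.
00:14:26 GETPOLICY: user {0x000000000000000000000000000000a3,
zzzzz1}, policies: isAdminUser=0 maxFailedLoginAttempts=5 minChars=6
00:14:27 GETPOLICY: user {0x000000000000000000000000000000a4, zzzzz2}, policies: isAdminUser=0 maxFailedLoginAttempts=5 minChars=6
14:02:10 GETPOLICY: user {0x000000000000000000000000000000a4, zzzzz2}, policies: isAdminUser=0 maxFailedLoginAttempts=5 minChars=6
"""

TS = re.compile(r"^(\d\d):(\d\d):(\d\d) (\w+): ?(.*)$")
USER = re.compile(r"user \{(0x[0-9a-fA-F]+),\s*([^}]+)\}, policies: (.*)")

def records(text):
    """Re-join mail-wrapped continuation lines into one record per timestamped entry."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS.match(line):
            out.append(line)
        elif out:
            out[-1] += " " + line
    return out

def parse_getpolicy(text):
    """Return (seconds_since_midnight, account, policy_dict) for each GETPOLICY entry."""
    events = []
    for rec in records(text):
        h, m, s, verb, rest = TS.match(rec).groups()
        hit = USER.search(rest) if verb == "GETPOLICY" else None
        if hit:
            policy = dict(kv.split("=", 1) for kv in hit.group(3).split() if "=" in kv)
            events.append((int(h) * 3600 + int(m) * 60 + int(s), hit.group(2).strip(), policy))
    return events

def enumeration_bursts(events, window=60, min_accounts=3):
    """Fixed windows in which GETPOLICY touched >= min_accounts distinct accounts."""
    buckets = defaultdict(set)
    for t, user, _ in events:
        buckets[t // window].add(user)
    return {b * window: sorted(u) for b, u in buckets.items() if len(u) >= min_accounts}

def weak_admins(events):
    """Admin accounts with lockout and minimum length both 0 (assumed: 0 = not enforced)."""
    return sorted({u for _, u, p in events if p.get("isAdminUser") == "1"
                   and p.get("maxFailedLoginAttempts") == "0" and p.get("minChars") == "0"})

if __name__ == "__main__":
    ev = parse_getpolicy(SAMPLE_LOG)
    print(enumeration_bursts(ev), weak_admins(ev))
```

The burst keys are the window start in seconds since midnight; fixed windows can split a burst that straddles a boundary, so a sliding window is the stricter variant.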
