RE: Mac X-Server Security Questions...

From: Brad Berson (brad.berson_at_bytebrothers.org)
Date: 04/08/05

  • Next message: Kelly Martin: "SF new column announcement: Absolute Security is a Myth"
    Date: Fri, 8 Apr 2005 16:46:05 -0400
    To: "John Jasen" <jjasen@realityfailure.org>
    
    

    > How? What did the logs say? What service?

    Ahh, let's fish back for the emails... (replacing admin level account
    name with zzzzz and other accounts with zzzzN to protect the innocent)

    First disturbing event was just after midnight, since nobody legit is
    hitting that box at that hour...

    00:14:26 RSAPUBLIC: ok
    00:14:26 GETPOLICY: user {0x00000000000000000000000000000001, zzzzzz},
    policies: isDisabled=0 isAdminUser=1 newPasswordRequired=0
    usingHistory=0
    canModifyPasswordforSelf=1 usingExpirationDate=0
    usingHardExpirationDate=0
    requiresAlpha=0 requiresNumeric=0 expirationDateGMT=4294967295
    hardExpireDateGMT=4294967295 maxMinutesUntilChangePassword=0
    maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0
    minChars=0
    maxChars=0 passwordCannotBeName=0 isSessionKeyAgent=0
    00:14:26 QUIT: {no user} has disconnected.
    00:14:26 RSAPUBLIC: ok
    00:14:26 GETPOLICY: user {0x4229e957188225070000000300000003,
    zzzzz1}, policies: isDisabled=0 isAdminUser=0 newPasswordRequired=0
    usingHistory=0
    canModifyPasswordforSelf=1 usingExpirationDate=0
    usingHardExpirationDate=0
    requiresAlpha=0 requiresNumeric=0 expirationDateGMT=0
    hardExpireDateGMT=0
    maxMinutesUntilChangePassword=129600 maxMinutesUntilDisabled=0
    maxMinutesOfNonUse=0
    maxFailedLoginAttempts=5 minChars=6 maxChars=0 passwordCannotBeName=0
    isSessionKeyAgent=0
    [etc...]

    This whole thing goes on for the entire collection of accounts. Happens
    a few more times through the evening.

    A few hours later, some ssh-host keys (key and key.pub / dsa_key and
    dsa_key.pub / rsa_key and rsa_key.pub) are changed. Why? Certainly
    nothing WE did!

    BTW #1: Please don't lecture me on the terrible policy in place here -
    I didn't do it.

    BTW #2: ipfw is a joke and Apple doesn't support it. Thanks for nada!

    I can't find the ipfw logs for that particular night right now. I'll
    dig around.

    -Brad
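An added detection example, not part of the original post: it rejoins the mail-wrapped password-server lines quoted above, parses each GETPOLICY record, and flags short windows in which the policies of many distinct accounts were read, as in the after-midnight run described. The sample log is constructed in the quoted format, and the function names, the 60-second window and the three-account threshold are assumptions.

```python
import re
STAMP = re.compile(r"^(\d\d):(\d\d):(\d\d) (\w+): ?(.*)$")
USER = re.compile(r"user \{0x[0-9a-fA-F]+,\s*([^}]+)\}")

# Constructed sample in the log format quoted in the post, wrapped the same way.
SAMPLE_LOG = """\
00:14:26 GETPOLICY: user {0x00000000000000000000000000000001, zzzzz},
policies: isDisabled=0 isAdminUser=1 maxFailedLoginAttempts=0
00:14:26 QUIT: {no user} has disconnected.
00:14:26 GETPOLICY: user {0x4229e957188225070000000300000003,
zzzzz1}, policies: isDisabled=0 isAdminUser=0 maxFailedLoginAttempts=5
00:14:27 GETPOLICY: user {0x4229e957188225070000000300000004, zzzzz2},
policies: isDisabled=0 isAdminUser=0 maxFailedLoginAttempts=5
09:30:02 GETPOLICY: user {0x4229e957188225070000000300000003, zzzzz1}, policies: isDisabled=0
"""

def records(text):
    """Rejoin wrapped lines: a new record starts at an HH:MM:SS stamp."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line):
            out.append(line)
        elif out:
            out[-1] += " " + line
    return out

def getpolicy_events(text):
    """Return (seconds_since_midnight, account, policy_dict) per GETPOLICY."""
    events = []
    for rec in records(text):
        h, m, s, cmd, rest = STAMP.match(rec).groups()
        user = USER.search(rest)
        if cmd == "GETPOLICY" and user:
            policy = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rest)}
            events.append((int(h) * 3600 + int(m) * 60 + int(s), user.group(1), policy))
    return events

def policy_sweeps(events, window=60, min_accounts=3):
    """Flag windows where policies of many distinct accounts were read."""
    events, hits, i = sorted(events, key=lambda e: e[0]), [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        accounts = sorted({e[1] for e in events[i:j]})
        admins = sorted({e[1] for e in events[i:j] if e[2].get("isAdminUser")})
        if len(accounts) >= min_accounts:
            hits.append((events[i][0], accounts, admins))
        i = j
    return hits
```

Each hit is a tuple of window start (seconds since midnight), the accounts whose policies were read, and which of those are admin accounts.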
