Slide 10 of 21
Notes:
We realised that we had been remiss in not following the CERT advisories closely enough. There are relatively few, and it shouldn't be too onerous for someone to review the new ones and assess their relevance to one's own situation. However, catching up with a backlog when under pressure is not a good idea, as we can report from experience.
The initial key to this attack was the statd vulnerability. However, it was made much worse by the power of the .rhosts file to allow execution of arbitrary R-series commands. It would be better if the effect of the "+ +" wildcard entry (trust any user from any host) could be disabled, or indeed R-series commands disabled entirely.
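The "+ +" wildcard is simple to audit for. The following is an added example, not part of the original talk: it parses .rhosts or /etc/hosts.equiv content (both use the "host [user]" format) and flags entries that widen r-command trust, run here over constructed sample input.

```python
# Added example: audit .rhosts / hosts.equiv text for over-broad trust.
# Format is "host [user]"; '+' matches any host or any user, '+@name' and
# '-@name' name NIS netgroups, and a leading '-' denies rather than grants.
from typing import List, Tuple

def parse_rhosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, host, user) per entry; user '' means 'same name as the
    local account'. Blank and '#' lines are skipped; extra fields are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1] if len(fields) > 1 else ""))
    return entries

def audit_rhosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, severity, reason) for each entry that widens trust."""
    findings = []
    for lineno, host, user in parse_rhosts(text):
        if host.startswith("-") or user.startswith("-"):
            continue  # deny entries narrow trust rather than widening it
        if host == "+" and user == "+":
            findings.append((lineno, "critical", "'+ +': any user on any host may run r-commands as this account"))
        elif host == "+":
            findings.append((lineno, "high", f"any host trusted for user {user or '<same name>'}"))
        elif user == "+":
            findings.append((lineno, "high", f"any user on {host} may act as this account"))
        elif host.startswith("+@") or user.startswith("+@"):
            findings.append((lineno, "medium", "trust delegated to an NIS netgroup; review its membership"))
    return findings

# Constructed sample content, not taken from any real host.
SAMPLE_RHOSTS = """\
build01.example.test
+ +
+ backup
files.example.test +
+@labhosts
-badhost.example.test
"""

if __name__ == "__main__":
    for lineno, severity, reason in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {lineno}: [{severity}] {reason}")
```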
It's also noted that unix systems tend to install with a baroque collection of IP services activated, many of which aren't really needed. It's not unheard of for naïve unix sysadmins to discover that one of their services is a trojan horse with an innocent-looking name.
Think hard about whether you really need finger, especially its long-form response, which tells hackers far too much about your users.
Security is of course a compromise: if you block everything then you might as well not have an Internet connection, but everything that you enable has some potential to cause harm. The main thing is to have defences that are no weaker than your neighbours'.
And it should not be forgotten that insecure hosts inside a domain can compromise the security of others. If you have a mixed cluster of closely coupled hosts, then your security is limited by the weakest of them.