Post Mortem
Read and act on CERT alerts - this is not optional! Key to this attack was the statd vulnerability.
R-series commands are a serious exposure!
Unix systems tend to activate many services that may not really be needed - review them!
Various techniques are available, some of which will be mentioned. It’s a compromise: you have to keep your house better defended than your neighbours.
Insecure hosts inside a domain can compromise the security of others.
Notes:
We realised that we had been remiss in not following the CERT advisories closely enough. There are relatively few, and it shouldn’t be too onerous for someone to review the new ones and assess their relevance to one’s own situation. However, catching up with a backlog when under pressure is not a good idea, as we can report from experience.
The initial key to this attack was the statd vulnerability. However, it was made much worse by the power of the .rhosts file to allow execution of arbitrary R-series commands. It would be better if the effect of “+ +” could be disabled, or indeed R-series commands disabled entirely.
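As an added illustration (not part of the original post-mortem), the audit below checks .rhosts and hosts.equiv entries for the trust wildcards discussed above. It assumes the usual entry format of a hostname optionally followed by a username, where "+" matches anything, a leading "-" denies, and "+@name" refers to a netgroup; the sample file content is constructed.

```python
"""Audit .rhosts / hosts.equiv entries for trust wildcards such as '+ +'."""
from pathlib import Path

# Constructed sample .rhosts content; not taken from any real host.
SAMPLE_RHOSTS = """\
buildhost.example.com alice
+ +
-badhost.example.com
+@admins
devbox.example.com +
"""

def classify_entry(line):
    """Return (severity, reason) for one entry, or None if it grants no wildcard trust."""
    fields = line.split()
    if not fields:
        return None                      # blank line
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    if host.startswith("-"):
        return None                      # explicit deny entry, not a grant
    if host == "+" and user == "+":
        return ("critical", "any user on any host may log in without a password")
    if host == "+":
        return ("high", "any host is trusted for user %s" % (user or "(same name)"))
    if user == "+":
        return ("high", "any user on %s is trusted" % host)
    if host.startswith("+@") or (user or "").startswith("+@"):
        return ("medium", "netgroup wildcard '%s'; confirm netgroup membership" % line.strip())
    return None

def audit_rhosts_text(text):
    """Return [(lineno, severity, reason, raw_line)] for every risky entry in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_entry(line)
        if result:
            findings.append((lineno, result[0], result[1], line.strip()))
    return findings

def audit_home_dirs(root="/home"):
    """Audit the .rhosts file of every home directory under root; {path: findings}."""
    report = {}
    base = Path(root)
    for home in (base.iterdir() if base.is_dir() else []):
        rhosts = home / ".rhosts"
        if rhosts.is_file():
            report[str(rhosts)] = audit_rhosts_text(rhosts.read_text(errors="replace"))
    return report

if __name__ == "__main__":
    for lineno, severity, reason, raw in audit_rhosts_text(SAMPLE_RHOSTS):
        print("line %d [%s] %s: %r" % (lineno, severity, reason, raw))
```

Run it against /etc/hosts.equiv as well, since a "+" there trusts every host for every account on the machine.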
It’s also noted that Unix systems tend to install with a baroque collection of IP services activated, many of which aren’t really needed. It’s not unheard of for naïve Unix sysadmins to discover that one of their services is a trojan horse with an innocent-looking name.
Think hard whether you really need “finger”, especially its long form response, that tells hackers far too much about your users.
Security is of course a compromise: if you block everything then you might as well not have an Internet connection, but everything that you enable has some potential to cause harm. The main thing is to have defences that are no weaker than your neighbours’.
And it should not be forgotten that insecure hosts inside a domain can compromise the security of others. If you have a mixed cluster of hosts that are closely coupled, then your security is limited by the weakest.