S 5.21 Secure use of the telnet, ftp, tftp, and rexec
Initiation responsibility: IT Security Officer, Administrator
Implementation responsibility: Administrator
With the command telnet hostname it is possible to log into the hostname computer after entering a user name and associated password. With ftp, larger quantities of data can be copied and rexec allows the execution of commands on another computer without previously logging on. For all of these three programs, the entered user names and passwords are transmitted unencrypted over the network, and so they should only be used when it is ensured that the network cannot be tapped (see T 5.7 Line tapping). All calls to telnet, ftp and rexec must be logged. Particular attention must be paid to unsuccessful connection attempts by external IT systems.
When using the ftpd daemon, it must be borne in mind that, as in the case of sendmail (see S 5.19 Use of the sendmail security mechanisms), new, serious security gaps are constantly coming into light which may make it possible to gain administrator rights without a password (on this point, see CERT notice CA-94-08, 14 April 1994). ftp versions that are older than those described there should not be used.
In addition, all user names for which ftp access is not to be permitted should be entered in the /etc/ftpusers file. These include, for example, root, uucp and bin. When configuring new users, care should be taken to ensure that these are entered in /etc/ftpusers if their rights profile does not permit them any ftp access (see also S 2.30 Provisions governing the configuration of users and user groups).
With .netrc files, automatic FTP accesses to remote IT systems are permitted. To ensure that this is possible, .netrc files contain the necessary passwords. Steps must therefore be taken to ensure that there are no .netrc files in the user directories or else that they are empty and that the user does not have any access rights.
Use of the tftpd, rexd and rexecd daemons must be prevented (e.g. by deleting the corresponding entry in the /etc/inetd.conf file) or, as a minimum, steps must be taken to ensure that, when using tftp, users only have restricted access to files from the log-in directory (see also S 2.32 Establishment of a restricted user environment). This can be verified by making the following entries:
tftp hostname
tftp get /etc/passwd /tmp/txt
If the tftp daemon does not respond with an error message, its use must be prevented.
If tftp is nevertheless still used for the start-up process of active network components or X terminals, it is essential that this is documented and that the underlying rationale is explained. In addition, if tftp is used, it must be ensured that the tftp daemon is started with the -s directory option. The directory entered here must be the only directory which is visible to the daemon.
Secure Shell (ssh) can be used as substitute for telnet and rexec. It makes use of extensive functions designed to ensure secure authentication and to maintain confidentiality and integrity (see also S 5.64 Secure Shell). It is also possible using tunnelling to operate ftp with secure encryption. If ssh is used, then, if possible, these services should be disabled to ensure that the security safeguards cannot be circumvented. However, this requires that all communication partners have suitable implementations of ssh.
Review questions:
- Is the use of TELNET, FTP and REXEC programs avoided and/or are they only used when it is ensured that the network cannot be tapped?
- Use of FTP: Is FTP access prevented for all unauthorised users (for example, in the /etc/ftpusers file)?
- Is the use of relevant files (e.g. .netrc) and daemons (e.g. TFTP, rexd and REXEC) consistently prevented?