This is a discussion on the security risk of having a long list of services in inetd, within the Debian Linux Users forum, part of the Debian Linux category.
> From: Paul Dufresne <dufresnep@gmail.com>
>> For myself, rkhunter gives a warning about inetd.
>> Looking at /etc/services, I found that Debian seems to like to have a
>> very big file with all known services rather than just adding the
>> services needed. I don't even know if other distributions just
>> add the needed services.
>
> That file is just a mapping of service names and ports, it has no relation
> to services that are actually running.

Yes, I know. But as I see it, each mapping is like a *possible* door to the Internet. When there are so many, it becomes too hard to look at each door to see if there is a program behind it, and if it does what it should.

Moreover I now see that /etc/hosts.allow and /etc/hosts.deny are empty (well, just comments), which means that it is open to everybody.

Taken from http://en.wikipedia.org/wiki/Inetd :
"the long list of services that inetd traditionally provided gave computer security experts pause. The possibility of a service having an exploitable flaw, or the service just being abused, had to be considered. Unnecessary services were disabled and off by default became the mantra. It is not uncommon to find an /etc/inetd.conf with almost all the services commented out in a modern Unix distribution."

This begins to look like a discussion for the developer list, however.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Paul Dufresne <dufresnep@gmail.com> wrote:
>> From: Paul Dufresne <dufresnep@gmail.com>
>>> Looking at /etc/services, I found that Debian seems to like to have a
>>> very big file with all known services rather than just adding the
>>> services needed. I don't even know if other distributions just
>>> add the needed services.
>>
>> That file is just a mapping of service names and ports, it has no relation
>> to services that are actually running.
>
> Yes, I know. But as I see it, each mapping is like a *possible* door
> to the Internet.

No, each *port* is like a possible door to the internet. /etc/services is just a way to give ports names, regardless of whether those ports are used or not.

> When there are so many, it becomes too hard to look at each door to see
> if there is a program behind it, and if it does what it should.

"netstat -plunt" will show you exactly which programs are listening on which port.

Thomas Weinbrenner
--
Freiheit statt Angst 2008 -- large demonstration in Berlin! Saturday, 11 October 2008 at 2 pm at Alexanderplatz
http://www.freiheitstattangst.de
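The distinction Thomas draws (a port is a door, /etc/services only names it) is what "netstat -plunt" and "ss -tlnp" implement underneath: they read the kernel's socket table from /proc/net/tcp, keep the rows in LISTEN state, and decorate the port numbers with names from /etc/services. The following is an added example, not code from the thread or from Debian, that does the same thing over a constructed /proc/net/tcp snapshot and a constructed /etc/services excerpt, so it runs offline. It assumes a little-endian host (x86), which is how the hex addresses in the sample are written, and the PID/inode columns in the sample are invented.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp, the kernel socket table that
# netstat -plunt and ss -tlnp read. Inode and timer columns are made up.
# Row 0: 127.0.0.1:631 LISTEN, row 1: 0.0.0.0:22 LISTEN, row 2: 0.0.0.0:25 LISTEN,
# row 3: an ESTABLISHED connection, i.e. not a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17331 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15202 1 0000000000000000 100 0 0 10 0
   2: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 16001 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A0F2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 20112 1 0000000000000000 20 4 30 10 -1
"""

# Constructed excerpt of /etc/services: nothing but a name <-> port/proto table.
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
ipp             631/tcp
"""

TCP_LISTEN = 0x0A   # socket state code used in /proc/net/tcp


def parse_services(text):
    """Map (port, proto) -> service name, the way getservbyport(3) would."""
    names = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        names[(int(port), proto)] = fields[0]
    return names


def decode_endpoint(hexaddr):
    """Turn '0100007F:0277' into ('127.0.0.1', 631).

    /proc/net/tcp prints the IPv4 address as a 32-bit number in host byte
    order; this assumes a little-endian host (x86), which is how the sample
    above was written.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text, services):
    """Return the LISTEN rows, annotated with the /etc/services name."""
    listeners = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        listeners.append({
            "ip": ip,
            "port": port,
            "name": services.get((port, "tcp"), "unknown"),
            # 0.0.0.0 means every interface; 127.x is loopback only
            "loopback_only": ip.startswith("127."),
        })
    return listeners


def exposed_ports(listeners):
    """Ports reachable from other hosts, i.e. not bound to loopback."""
    return sorted(l["port"] for l in listeners if not l["loopback_only"])


def names_without_listener(services, listeners):
    """/etc/services entries with nothing listening: just names, no door."""
    open_ports = {l["port"] for l in listeners}
    return sorted(name for (port, proto), name in services.items()
                  if proto == "tcp" and port not in open_ports)


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    found = listening_sockets(SAMPLE_PROC_NET_TCP, svc)
    for entry in found:
        print(entry)
    print("exposed to the network:", exposed_ports(found))
    print("named but not listening:", names_without_listener(svc, found))
```

On the sample, 631/ipp is bound to 127.0.0.1 and is not reachable from other hosts, 22/ssh and 25/smtp are bound to 0.0.0.0 and are, and telnet appears in /etc/services without any listener behind it, which is exactly why a long /etc/services is not by itself a long list of open doors.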
Paul Dufresne wrote:
> Yes, I know. But as I see it, each mapping is like a *possible* door
> to the Internet.
> When there are so many, it becomes too hard to look at each door to see
> if there is a program behind it,
> and if it does what it should.
>
> Taken from http://en.wikipedia.org/wiki/Inetd :
> "the long list of services that inetd traditionally provided gave
> computer security experts pause. The possibility of a service having
> an exploitable flaw, or the service just being abused, had to be
> considered. Unnecessary services were disabled and off by default
> became the mantra. It is not uncommon to find an /etc/inetd.conf with
> almost all the services commented out in a modern Unix distribution."

I think you're mixing up /etc/inetd.conf (or whatever its actual location is in Debian) with /etc/services. The latter file is just a mapping of common port numbers to service names, so that iptables can, for example, display service names instead of ports, or you can type "telnet HOST smtp" instead of "telnet HOST 25". Its presence or contents have no effect on the ability to have a program listening on a port. It's actually easier to bind a socket to a port number than to first look up the port number corresponding to the service "foo" and later bind to that number. Telnet might go the long way to make things easier for the user, but some kind of backdoor will simply start listening on some predefined port, without bothering about /etc/services.

/etc/inetd.conf, however, lists ports that are listened to and programs to run when a connection is made to that port. That file should be as empty as possible (unless necessary for some service you need, you shouldn't even be running inetd or some equivalent), and if it's not in a default install, I'd consider it a bug.

> Moreover I now see that /etc/hosts.allow and /etc/hosts.deny are empty
> (well, just comments), which means that it is open to everybody.

The problem with that is that the installer cannot know the requirements of each system; it's not possible to supply files denying everything, because some hosts will need to have access to the daemon (otherwise, there is no need to run it, or at least, bind it only to the loopback interface if it's only for other programs in the same machine).

--
Q: What is printed on the bottom of beer bottles in Minnesota?
A: Open other end.

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br
http://move.to/hpkb
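Eduardo's post names the two files that actually decide something: /etc/inetd.conf (which ports inetd listens on and which program answers) and hosts.allow/hosts.deny (which clients tcpd lets through). The following is an added example, not code from the thread or from the Debian packages, that audits a constructed /etc/inetd.conf against a constructed /etc/services excerpt and then evaluates the hosts_access(5) decision order over two constructed hosts.allow/hosts.deny pairs: the empty default and a default-deny policy. The pattern matcher covers only a subset of hosts_access(5) syntax (ALL, a trailing-dot network prefix, CIDR, an exact address, and EXCEPT); everything else about the rule order is as documented for tcpd.

```python
import ipaddress

# Constructed /etc/inetd.conf in the classic format:
#   service socket_type proto wait/nowait user program [args]
# Lines starting with '#' are disabled; Debian's update-inetd marks entries it
# turned off with '#<off>#'.
INETD_CONF = """\
# /etc/inetd.conf: constructed sample for this example
#telnet  stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ident    stream tcp nowait identd  /usr/sbin/identd identd
#<off># finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
ftp      stream tcp nowait root    /usr/sbin/tcpd /usr/sbin/in.ftpd
"""

# Constructed /etc/services excerpt used to resolve the names above.
SERVICES = """\
ftp     21/tcp
telnet  23/tcp
finger  79/tcp
ident   113/tcp  auth
"""

# Two hosts.allow / hosts.deny pairs: the default (comments only) and a
# default-deny policy that admits ftp from one network and ssh from a /24.
ALLOW_DEFAULT = "# /etc/hosts.allow: see hosts_access(5)\n"
DENY_DEFAULT = "# /etc/hosts.deny: see hosts_access(5)\n"
ALLOW_STRICT = "in.ftpd : 192.168.1.\nsshd : 10.0.0.0/24 EXCEPT 10.0.0.99\n"
DENY_STRICT = "ALL : ALL\n"


def service_ports(text):
    """Map service name -> port number from /etc/services text."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            ports[fields[0]] = int(fields[1].split("/")[0])
    return ports


def enabled_services(inetd_text, services_text):
    """Entries inetd would actually listen on, with their port numbers."""
    ports = service_ports(services_text)
    result = []
    for line in inetd_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue                      # commented out: no listener at all
        f = s.split()
        result.append({
            "service": f[0],
            "port": ports[f[0]],
            "program": f[5],
            # only entries run through tcpd consult hosts.allow/hosts.deny
            "wrapped": f[5].endswith("/tcpd"),
        })
    return result


def _parse_rules(text):
    """'daemon_list : client_list' lines -> [(daemons, clients), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        daemons, clients = [p.replace(",", " ").split()
                            for p in line.split(":")[:2]]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    # Subset of hosts_access(5) client patterns.
    if pattern == "ALL":
        return True
    if pattern.endswith("."):             # "192.168.1." matches 192.168.1.*
        return ip.startswith(pattern)
    if "/" in pattern:                    # CIDR notation
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def _list_matches(tokens, match):
    # "a b EXCEPT c d" matches a or b unless it also matches c or d.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _list_matches(tokens[:i], match) and not _list_matches(tokens[i + 1:], match)
    return any(match(t) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, client_ip):
    """tcpd's decision: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise access is granted. Empty files admit everyone."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in _parse_rules(text):
            if _list_matches(daemons, lambda d: d == "ALL" or d == daemon) and \
               _list_matches(clients, lambda c: _client_matches(c, client_ip)):
                return verdict
    return True


if __name__ == "__main__":
    for entry in enabled_services(INETD_CONF, SERVICES):
        print(entry)
    print(hosts_access(ALLOW_DEFAULT, DENY_DEFAULT, "in.ftpd", "203.0.113.9"))   # True
    print(hosts_access(ALLOW_STRICT, DENY_STRICT, "in.ftpd", "203.0.113.9"))     # False
```

Two caveats the output makes visible: the daemon name tcpd matches is the process name of the server it runs (in.ftpd), not the inetd service name (ftp), and the ident entry in the sample is started directly rather than through tcpd, so no hosts.allow or hosts.deny rule applies to it at all. A program has to be run via tcpd or linked against libwrap for those files to mean anything to it.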
2008/8/30 Thomas Weinbrenner <thomas@thomas-weinbrenner.de>:
> Paul Dufresne <dufresnep@gmail.com> wrote:
>>> From: Paul Dufresne <dufresnep@gmail.com>
>>>> Looking at /etc/services, I found that Debian seems to like to have a
>>>> very big file with all known services rather than just adding the
>>>> services needed. I don't even know if other distributions just
>>>> add the needed services.
>>>
>>> That file is just a mapping of service names and ports, it has no relation
>>> to services that are actually running.
>>
>> Yes, I know. But as I see it, each mapping is like a *possible* door
>> to the Internet.
>
> No, each *port* is like a possible door to the internet. /etc/services
> is just a way to give ports names, regardless of whether those ports are
> used or not.

Well, it is more than just a name. man inetd says:
"inetd should be run at boot time by /etc/rc (see rc(8)). It then listens for connections on certain internet sockets. When a connection is found on one of its sockets, it decides what service the socket corresponds to, and invokes a program to service the request. After the program is finished, it continues to listen on the socket (except in some cases which will be described below). Essentially, inetd allows running one daemon to invoke several others, reducing load on the system."

>> When there are so many, it becomes too hard to look at each door to see
>> if there is a program behind it, and if it does what it should.
>
> "netstat -plunt" will show you exactly which programs are listening on
> which port.

Thanks, I tend to use 'lsof -i4' but I believe your command is better for that.

If I were to exploit a security vulnerability (never did, nor want to) and become root on your computer, I would prefer to abuse one of the services in /etc/services rather than have a program sitting there listening to the Internet. That way, you would have to run the 'netstat -plunt' command while I am sending commands to your computer in order to discover me.
Hi,

2008/8/30 Paul Dufresne <dufresnep@gmail.com>:
> 2008/8/30 Thomas Weinbrenner <thomas@thomas-weinbrenner.de>:
> Well, it is more than just a name. man inetd says:

It's simply the information that says:
smtp is on port 25
ssh is on port ...
....
nothing more, nothing less. It depends on inetd (and only inetd) whether to use this information and how to use this information.

There are, btw, different inetd servers available; I'm too lazy right now to check, but at least openbsd-inetd and xinetd should be there. I vaguely remember some inetd that insisted on only accepting services being configured if they were listed in /etc/services - the chance of my brain lying to me right now isn't that unrealistic, so you might want to check that.

If you insist on making your /etc/services file say that "ssh is on port 2022", that is totally up to you, but I wouldn't recommend it; afaik the listings in there are standardized port numbers.

hth
martin
--
http://www.xing.com/profile/Martin_Marcher
You are not free to read this message, by doing so, you have violated my licence and are required to urinate publicly. Thank you.
Forgot to add, if it wasn't clear enough: man inetd doesn't necessarily have _anything_ to do with /etc/services; it totally depends on which inetd you use and whether your inetd even cares about the information in /etc/services (netstat can use this information, as someone else already told you).

/martin

On Sat, Aug 30, 2008 at 10:31 PM, Martin <martin@marcher.name> wrote:
> Hi,
>
> 2008/8/30 Paul Dufresne <dufresnep@gmail.com>:
>> 2008/8/30 Thomas Weinbrenner <thomas@thomas-weinbrenner.de>:
>> Well, it is more than just a name. man inetd says:
>
> It's simply the information that says:
Paul Dufresne wrote:
> 2008/8/30 Thomas Weinbrenner <thomas@thomas-weinbrenner.de>:
> Well, it is more than just a name. man inetd says:
> "inetd should be run at boot time by /etc/rc (see rc(8)). It then listens
> for connections on certain internet sockets. When a connection is found
> on one of its sockets, it decides what service the socket corresponds to,
> and invokes a program to service the request. After the program is finished,
> it continues to listen on the socket (except in some cases which
> will be described below). Essentially, inetd allows running one daemon
> to invoke several others, reducing load on the system."

The man page also says:
"Upon execution, inetd reads its configuration information from a configuration file which, by default, is /etc/inetd.conf"

As pointed out by martin, /etc/services is just an information file, used by all sorts of programs (netstat, tcpdump etc.) so that they know that, e.g., the string 'ssh' means TCP port 22.

/etc/inetd.conf is the file you should be looking at, as this is inetd's config file and controls which ports it will listen on. The default in Debian, and most other distros, nowadays is for it not to listen on any ports - you have to configure what services you want.

>>> When there are so many, it becomes too hard to look at each door to see
>>> if there is a program behind it, and if it does what it should.
>> "netstat -plunt" will show you exactly which programs are listening on
>> which port.
> Thanks, I tend to use 'lsof -i4' but I believe your command is better for that.
> If I were to exploit a security vulnerability (never did, nor want to)
> and become root on your computer, I would prefer to abuse one of the
> services in /etc/services rather than have a program sitting there to
> listen to the Internet. That way, you would have to run the 'netstat
> -plunt' command while I am sending commands to your computer in order to
> discover me.

But if there's no program sitting there listening on the port there's nothing to connect to and nothing to abuse. You'll simply get a 'port unreachable' (or something similar) ICMP message back from the kernel. Unless the kernel itself has a security hole of course, which is why running apt-get upgrade regularly is a good idea.
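The point of the last reply, that a port with no listener is nothing to abuse, can be observed directly: a TCP connect to a port nobody is bound to is answered by the kernel with a RST (the ICMP port-unreachable message is what a UDP probe gets), and the client sees it as a refused connection. The following is an added example, not code from the thread, that binds a throwaway listener on the loopback interface (Eduardo's suggested binding for services that only local programs need), probes the port while it is open and again after the listener is gone, and classifies the result the way a port scanner does. It only needs loopback networking and assumes no firewall rule drops local traffic.

```python
import socket


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an ephemeral port; return (socket, port).

    host="127.0.0.1" is the loopback-only binding; "0.0.0.0" would expose
    the port on every interface and make it a door from the network.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=2.0):
    """Classify a TCP port the way a connect() scan does.

    'open'     - the handshake completed, so a program is listening
    'refused'  - the kernel answered with RST: no listener, nothing to abuse
    'filtered' - no answer at all, typically a firewall dropping packets
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def demo():
    """Probe the same port with and then without a listener behind it."""
    srv, port = start_listener()
    try:
        with_listener = probe("127.0.0.1", port)
    finally:
        srv.close()                # the door goes away with the process
    without_listener = probe("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo())   # ('open', 'refused')
```

Whether a name for that port exists in /etc/services changes nothing about the outcome; only the presence of a bound socket does. Unlike the first probe, the second one never reaches any program, which is the state a default Debian inetd.conf leaves every inetd service in.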