03 What do the "identd" lines in my syslog mean? Is this a security exposure? Can I turn off identd?

Description

This article is from the comp.security.unix and comp.security.misc FAQ, by Alan J Rosenthal flaps@dgp.toronto.edu with numerous contributions by others.

Discarding the timestamp and hostname, the lines look something like this:

identd[10362]: from: 205.238.143.33 ( mail.dejanews.com ) for: 20546, 25
identd[10362]: Successful lookup: 20546 , 25 : flaps.users

This states that the machine 205.238.143.33 asked your machine who was
connecting from port 20546 on your machine to port 25 on 205.238.143.33.
And your machine responded that the user was "flaps", and that flaps's group
is "users". (10362 is the process id number of this particular invocation of
identd; for example, if two identd requests happened at about the same time
and the two lines were interleaved, it would help you sort them out.)

Theoretically, this is a security-sensitive data exposure, although the
practical effect of this is arguably nil. And it can be very helpful to the
admin of a machine which often has more than a few simultaneous users. When
one of your users does something untoward, this allows the remote machine to
log the username, and then the remote sysadmin's complaint to you will
contain information useful to you. A Linux machine at home, connected to the
internet via PPP and with only one user, should not be running identd, because
it adds nothing to this process. Very few things on the net REQUIRE the
sender to be running identd, because many machines don't have it and because
many people turn it off.

Your identd program probably has various options to configure what
information it discloses; see the man page. You might want to run it with
options to minimize data OTHER than the above (-o and -e in the common
implementation), and/or perhaps run it with the option to report numeric uids
rather than lognames (-n), which is just as useful for tracking down
offenders from your point of view. On the other hand, if you report numeric
uids, then in some cases the remote people will be able to gain logname<->uid
translation info (e.g. the outgoing connection is a mail message bearing
'from' information), so it's hard to say which discloses less data.

If you feel that this data is sensitive but still want to run identd, there
are some identd servers out there which report the data encrypted, so that
all the target sysadmins can do with the information they get is to send the
token back to you for your own use. This facility might be available as -C.

You specify these options on the identd command-line, wherever it appears,
which is usually in /etc/inetd.conf.

The identd protocol is documented in RFC 1413. It is the same as "auth".
The query specifies the port numbers only; the two IP addresses implied
are the sender and target of the identd query. Thus you cannot query about
IP connections to other machines, although you can query about connections
which don't concern you but are to a machine you have an account on.
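As an added illustration of the two syslog lines quoted above and of the RFC 1413 query/response format, here is a small Python example (not part of the FAQ) that pairs the "from:" and "Successful lookup:" lines by identd pid and port pair, and builds the reply an identd server would send for that query, including the error forms RFC 1413 defines for hidden or unknown users. The sample log text is constructed from the FAQ's own example; the field names are the example's own.

```python
import re

# Constructed sample, modelled on the two syslog lines quoted in the FAQ
# (timestamp and hostname already discarded).
SAMPLE_LOG = """\
identd[10362]: from: 205.238.143.33 ( mail.dejanews.com ) for: 20546, 25
identd[10362]: Successful lookup: 20546 , 25 : flaps.users
"""

# "from:" line: querier address, its reverse name, local port, remote port.
FROM_RE = re.compile(
    r"identd\[(\d+)\]: from: (\S+) \( (\S+) \) for: (\d+), (\d+)")
# "Successful lookup:" line: same ports, then logname.group.
LOOKUP_RE = re.compile(
    r"identd\[(\d+)\]: Successful lookup: (\d+) , (\d+) : ([^.\s]+)\.(\S+)")


def parse_identd_log(text):
    """Join each 'from:' line with its 'Successful lookup:' line.

    Lines are matched on (pid, local port, remote port), which is what lets
    interleaved requests from two identd invocations be told apart.
    """
    pending, results = {}, []
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if m:
            pid, ip, host, lport, rport = m.groups()
            pending[(pid, lport, rport)] = {
                "pid": int(pid), "querier_ip": ip, "querier_host": host,
                "local_port": int(lport), "remote_port": int(rport)}
            continue
        m = LOOKUP_RE.search(line)
        if m:
            pid, lport, rport, user, group = m.groups()
            rec = pending.pop((pid, lport, rport), None)
            if rec is not None:
                rec.update(user=user, group=group)
                results.append(rec)
    return results


def rfc1413_reply(local_port, remote_port, user=None, hidden=False):
    """Reply line for the query '<local_port> , <remote_port>' (RFC 1413 s.3).

    local_port is the port on the identd host; remote_port is on the querier.
    With -n the server would put the numeric uid where the logname goes.
    """
    if hidden:  # user asked not to be identified
        return f"{local_port} , {remote_port} : ERROR : HIDDEN-USER"
    if user is None:  # no process owns that connection
        return f"{local_port} , {remote_port} : ERROR : NO-USER"
    return f"{local_port} , {remote_port} : USERID : UNIX : {user}"
```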

RFC 1413 states, "If you wouldn't run a 'finger' server due to privacy
considerations you may not want to run this protocol." I agree with this but
suggest that it might not apply to a cryptographic identd (e.g. -C).
