Close Some Network Security Holes

As shipped, the SGI is fairly permissive in its networking. Their philosophy appears to be that novices should be able to use their systems and networks immediately, and if you're smart enough to be concerned with network security, you're smart enough to close the holes in the network. I don't necessarily agree with this approach, but I'm sure it cuts down on the number of novice helpdesk calls they get.

XDM

XDM is the X Window System Display Manager. It presents a login window (with user-icons, in the SGI case), accepts username and password, and starts the session. It is configurable via files specifying resources, other configuration files, and scripts. As shipped, it has a number of holes...

xhosts +

SGI ships with XDM allowing all hosts access to your X server because it runs xhost + in the XDM session files. This means that anyone on the net can attach to your server and display on, take over, or -- more importantly -- monitor your session (e.g. login keystrokes). You should negate this with xhost -.

Edit your system's xdm startup files to comment out the xhost + stuff. Here are the files from Irix 5.3:

cshenton@wirehead> cd /usr/lib/X11/xdm/
cshenton@wirehead> grep -n xhost *
Xsession:80:/usr/bin/X11/xhost +
Xsession-remote:44:/usr/bin/X11/xhost +
Xsession.dt:159:/usr/bin/X11/xhost +

I change these to say:

/usr/bin/X11/xhost -

It would be smart to then verify this. Log out of the console to restart xdm, then log in again. Telnet to some host for which you have not authorized X11 access to your console. Then launch an xclock or something back to the SGI and make sure that the connection gets rejected. For example, after logging in at the console of host `apollo':

cshenton@apollo% telnet notmyfriend.hq.nasa.gov
Username: chris
Password:

chris@notmyfriend% xclock -display apollo.hq.nasa.gov:0
Error: Can't open display: apollo.hq.nasa.gov:0

Warning: don't do the following!

I found, to my cost, that something in the following X11-oriented recommendations hoses the X server badly: you can't log in -- the X server just restarts. Unfortunately, I haven't had time to determine which one yet. If you do, please send me mail. Sorry...

Do continue tightening security by installing tcp_wrappers and a modern version of sendmail, as described at the end of this document.


xdm-config: authorize

According to the relevant section of the xdm man page, the authorize resource should be on to enforce access authorization to the server. Although this is said to be the default, it is set to off in the /usr/lib/X11/xdm/xdm-config file. You should change this, like:
DisplayManager*authorize:		on

xdm-config: terminateServer

Although not really a security hole, you might as well fix this while you're in the xdm-config file. According to the appropriate part of the xdm man page, this defaults to false. But the server tends to grow without bounds, consuming system memory resources. You should set it to true so that the server restarts, rather than resets, upon logout:
DisplayManager._0.terminateServer:	True
DisplayManager._1.terminateServer:	True
DisplayManager._2.terminateServer:	True
DisplayManager._3.terminateServer:	True

X server shm bug

As the xdm man page mentions, authorization can be bypassed because of a bug. Work around it with the following fix to /usr/lib/X11/xdm/Xservers: add the option -shmnumclients 0 to the invocation of the X server:
:0 secure /usr/bin/X11/X -bs -nobitscale -c -pseudomap 4sight \
-solidroot sgilightblue -cursorFG red -cursorBG white \
-shmnumclients 0
(Note: the line above has been split with backslashes for readability.)

Deny root login from the network

Most systems these days deny logins by root if they're coming from the network. The idea is that if you want to log in as root, you should do it from the console. Otherwise, you can log in over the net as yourself, then use su to become root.

SGI, by default, allows root logins from the net; here's how to fix that. The file /etc/default/login defines lots of login parameters. Here's the relevant part you want to use:

# If defined, only allows root logins on the device specified.
# MUST NOT be defined as either "/dev/syscon" or "/dev/systty"!
CONSOLE=/dev/console
Originally, that CONSOLE variable was commented out. You might also want to change the following variable, whose default is NO for some strange reason:
# Like PASSREQ, but locks out user if they have no password.
MANDPASS=YES

There are other interesting variables there which you may want to play with including ones to log failures, lockout accounts after a certain number of failures, etc.
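Since several files have now been touched, it helps to have one check that confirms none of the settings above has quietly reverted (a vendor patch or a fresh install can put the old files back). The script below is an added example, not part of the original page; it assumes the Irix 5.3 file locations used above and takes a directory prefix so it can also be run against a copied tree.

```sh
#!/bin/sh
# Hypothetical audit of the settings discussed above (added example,
# not from the original page). Usage: audit_irix_conf ROOT, where ROOT
# is "" for the live system or a prefix such as /mnt/backup.
# Prints one line per weak setting found; the return value is the
# number of findings, so 0 means everything checked out.
audit_irix_conf() {
    root=$1; n=0

    # 1. xdm session files must not run "xhost +" (commented lines are ignored)
    for f in Xsession Xsession-remote Xsession.dt; do
        p="$root/usr/lib/X11/xdm/$f"
        [ -f "$p" ] || continue
        if grep -v '^[[:space:]]*#' "$p" | grep -q 'xhost[[:space:]]*+'; then
            echo "$p: runs 'xhost +' (change it to 'xhost -')"; n=$((n+1))
        fi
    done

    # 2. xdm-config: authorize must not be off ("!" starts a resource comment)
    p="$root/usr/lib/X11/xdm/xdm-config"
    if [ -f "$p" ] && grep -v '^[[:space:]]*!' "$p" | grep -qi 'authorize:[[:space:]]*off'; then
        echo "$p: DisplayManager*authorize is off (set it to on)"; n=$((n+1))
    fi

    # 3. Xservers: the X server line needs -shmnumclients 0 for the shm bug
    p="$root/usr/lib/X11/xdm/Xservers"
    if [ -f "$p" ] && ! grep -v '^[[:space:]]*#' "$p" | grep -q -- '-shmnumclients 0'; then
        echo "$p: X server started without -shmnumclients 0"; n=$((n+1))
    fi

    # 4. /etc/default/login: root only on the console, and no empty passwords
    p="$root/etc/default/login"
    if [ -f "$p" ]; then
        grep -q '^CONSOLE=/dev/console' "$p" ||
            { echo "$p: CONSOLE not set to /dev/console (root can log in from the net)"; n=$((n+1)); }
        grep -q '^MANDPASS=YES' "$p" ||
            { echo "$p: MANDPASS is not YES"; n=$((n+1)); }
    fi
    return $n
}

# Run against the prefix given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_irix_conf "$1"; fi
```

Run it once right after making the changes and again after every vendor patch; a nonzero exit status means something to look at.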

Sendmail

I like to replace my vendors' sendmail with the UCB Sendmail. Its code has been scrutinized and fixes are made quickly.

TCP wrappers

I install tcp_wrappers on my systems to restrict Internet access to my machines' network services. It's fairly easy to install and I think it stops most of the bad guys at the front door.
Chris Shenton
$Id: close-security-holes.html,v 1.7 1996/06/11 15:28:58 cshenton Exp $