Security Basics mailing list archives

RE: Mac X-Server Security Questions...


From: "Brad Berson" <brad.berson () bytebrothers org>
Date: Fri, 8 Apr 2005 16:46:05 -0400

How? What did the logs say? What service?

Ahh, let's fish back for the emails... (replacing admin level account
name with zzzzz and other accounts with zzzzN to protect the innocent)

First disturbing event was just after midnight, since nobody legit is
hitting that box at that hour...

00:14:26 RSAPUBLIC: ok
00:14:26 GETPOLICY: user {0x00000000000000000000000000000001, zzzzzz},
policies: isDisabled=0 isAdminUser=1 newPasswordRequired=0
usingHistory=0
canModifyPasswordforSelf=1 usingExpirationDate=0
usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=4294967295
hardExpireDateGMT=4294967295 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0
minChars=0
maxChars=0 passwordCannotBeName=0 isSessionKeyAgent=0
00:14:26 QUIT: {no user} has disconnected.
00:14:26 RSAPUBLIC: ok
00:14:26 GETPOLICY: user {0x4229e957188225070000000300000003,
zzzzz1}, policies: isDisabled=0 isAdminUser=0 newPasswordRequired=0
usingHistory=0
canModifyPasswordforSelf=1 usingExpirationDate=0
usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=0
hardExpireDateGMT=0
maxMinutesUntilChangePassword=129600 maxMinutesUntilDisabled=0
maxMinutesOfNonUse=0
maxFailedLoginAttempts=5 minChars=6 maxChars=0 passwordCannotBeName=0
isSessionKeyAgent=0
[etc...]

This whole thing goes on for the entire collection of accounts.  Happens
a few more times through the evening.

A few hours later, some ssh-host keys (key and key.pub / dsa_key and 
dsa_key.pub / rsa_key and rsa_key.pub) are changed.  Why?  Certainly
nothing WE did!

BTW #1:  Please don't lecture me on the terrible policy in place here -
I didn't do it.

BTW #2:  ipfw is a joke and Apple doesn't support it.  Thanks for nada!

I can't find the ipfw logs for that particular night right now.  I'll
dig around.


-Brad
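
Added example, not part of the original post: a Python sketch that rejoins the mail-wrapped password server log lines quoted above, then flags bursts of GETPOLICY lookups across accounts in the small hours and admin accounts with no failed-login limit. The sample log is constructed from the quoted format; the thresholds (`burst`, `quiet_hours`) and the reading of `maxFailedLoginAttempts=0` as "no limit" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted above, wrapped the way the mail wrapped it.
SAMPLE = """\
00:14:26 GETPOLICY: user {0x00000000000000000000000000000001, zzzzzz},
policies: isDisabled=0 isAdminUser=1 newPasswordRequired=0
maxFailedLoginAttempts=0 minChars=0
00:14:26 QUIT: {no user} has disconnected.
00:14:26 GETPOLICY: user {0x4229e957188225070000000300000003,
zzzzz1}, policies: isDisabled=0 isAdminUser=0
maxFailedLoginAttempts=5 minChars=6
"""

STAMP = re.compile(r"^(\d\d:\d\d:\d\d) (\w+): ?(.*)$")

def records(text):
    """Rejoin wrapped lines: a record starts only at a timestamp."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out.append(list(m.groups()))
        elif out and line.strip():
            out[-1][2] += " " + line.strip()
    return out

def policy_lookups(text):
    """Return (time, account, policy dict) for each GETPOLICY record."""
    found = []
    for ts, cmd, body in records(text):
        user = re.search(r"\{0x[0-9a-f]+,\s*([^}]+)\}", body)
        if cmd == "GETPOLICY" and user:
            pol = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", body)}
            found.append((ts, user.group(1).strip(), pol))
    return found

def findings(text, burst=2, quiet_hours=range(0, 6)):
    """burst and quiet_hours are assumed thresholds; 0 is assumed to mean 'no limit'."""
    hits, per_minute = [], defaultdict(set)
    for ts, user, pol in policy_lookups(text):
        per_minute[ts[:5]].add(user)
        if pol.get("isAdminUser") and pol.get("maxFailedLoginAttempts") == 0:
            hits.append(f"{user}: admin account without failed-login lockout")
    for minute, users in sorted(per_minute.items()):
        if int(minute[:2]) in quiet_hours and len(users) >= burst:
            hits.append(f"{minute}: policy lookups for {len(users)} accounts")
    return hits

if __name__ == "__main__": print(*findings(SAMPLE), sep="\n")
```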
