Top Ten Internet Security Threats (fwd)

Dave Dittrich dittrich at cac.washington.edu
Fri Jun 2 17:31:13 PDT 2000


================================================================
How To Eliminate The Ten Most Critical Internet Security Threats
The Experts' Consensus
Version 1.10  June 1, 2000
Copyright, 2000, The SANS Institute

Stop the Break-Ins! 
 
The majority of successful attacks on computer systems via the 
Internet can be traced to exploitation of one of a small number of 
security flaws. Most of the systems compromised in the Solar Sunrise 
Pentagon hacking incident were attacked through a single 
vulnerability.  A related flaw was exploited to break into many of the 
computers later used in massive distributed denial of service attacks. 
Recent compromises of Windows NT-based web servers are typically 
traced to entry via a well-known vulnerability. Another vulnerability 
is widely thought to be the means used to compromise more than 30,000 
Linux systems.

A few software vulnerabilities account for the majority of successful 
attacks because attackers are opportunistic - taking the easiest and 
most convenient route. They exploit the best-known flaws with the most 
effective and widely available attack tools. They count on 
organizations not fixing the problems, and they often attack 
indiscriminately, by scanning the Internet for vulnerable systems.
 
System administrators report that they have not corrected these flaws 
because they simply do not know which of over 500 potential problems 
are the ones that are most dangerous, and they are too busy to correct 
them all.

The information security community is meeting this problem head on by 
identifying the most critical Internet security problem areas - the 
clusters of vulnerabilities that system administrators need to 
eliminate immediately.  This consensus Top Ten list represents an 
unprecedented example of active cooperation among industry, 
government, and academia. The participants came together from the most 
security-conscious federal agencies, from the leading security 
software vendors and consulting firms, from the top university-based 
security programs, and from CERT/CC and the SANS Institute.  A 
complete list of participants may be found at the end of this article.


Here is the experts' list of the Ten Most Often Exploited Internet 
Security Flaws along with the actions needed to rid your systems of 
these vulnerabilities. 

Three Notes For Readers:
Note 1. This is a living document.  It includes initial, step-by-step 
instructions and pointers for correcting the flaws. We will update 
these instructions as more current or convenient methods are 
identified and we welcome your input. This is a community consensus 
document - your experience in eliminating the vulnerabilities can help 
others who come after you. To make suggestions e-mail <info at 
sans.org> with the subject Top Ten Comments.  To get the latest 
version of the guidelines, e-mail <info at sans.org> with the subject 
Top Ten Fixes.

Note 2. You'll find references to CVE numbers - the Common 
Vulnerabilities and Exposures reference numbers that correspond 
with vulnerabilities.  CAN numbers are candidates for CVE 
entries that are not yet fully verified.  For more data on the 
award-winning CVE project, see http://cve.mitre.org. 

Note 3. At the end of the list, you'll find an extra section 
offering a list of the ports used by commonly probed and 
attacked services. By blocking traffic to those ports at the 
firewall or other network perimeter protection device, you add 
an extra layer of defense that helps protect you from 
configuration mistakes. 

=========================================================


Contents
1. BIND weaknesses: nxt, qinv and in.named allow immediate root
compromise.
2. Vulnerable CGI programs and application extensions (e.g.,
ColdFusion) installed on web servers.
3. Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk),
rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root
compromise
4. RDS security hole in the Microsoft Internet Information Server (IIS).
5. Sendmail buffer overflow weaknesses, pipe attacks and MIMEbo, that
allow immediate root compromise.
6. sadmind and mountd
7. Global file sharing and inappropriate information sharing via NFS and
Windows NT ports 135->139 (445 in Windows2000) or UNIX NFS exports on port
2049. Also Appletalk over IP with Macintosh file sharing enabled.
8. User IDs, especially root/administrator with no passwords or weak
passwords.
9. IMAP and POP buffer overflow vulnerabilities or incorrect
configuration.
10. Default SNMP community strings set to 'public' and 'private.'

Plus: A High Priority Bonus Item for Windows Users and Administrators
Various Scripting Holes in Internet Explorer and Office2000

Perimeter Protection For An Added Layer of Defense In Depth

List of Participants

===========================================================


1. BIND weaknesses: nxt, qinv and in.named allow immediate root 
compromise.

The Berkeley Internet Name Domain (BIND) package is the most widely 
used implementation of Domain Name Service (DNS) -- the critical means 
by which we all locate systems on the Internet by name (e.g., 
www.sans.org) without having to know specific IP addresses -- and this 
makes it a favorite target for attack. Sadly, according to a mid-1999 
survey, about 50% of all DNS servers connected to the Internet are 
running vulnerable versions of BIND. In a typical example of a BIND 
attack, intruders erased the system logs, and installed tools to gain 
administrative access. They then compiled and installed IRC utilities 
and network scanning tools, which they used to scan more than a dozen 
class-B networks in search of additional systems running vulnerable 
versions of BIND. In a matter of minutes, they had used the 
compromised system to attack hundreds of remote systems abroad, 
resulting in many additional successful compromises. This illustrates 
the chaos that can result from a single vulnerability in the software 
for ubiquitous Internet services such as DNS. 

Systems Affected: 
Multiple UNIX and Linux systems
As of May 22, 2000, any version earlier than BIND v.8.2.2 patch level 
5 is vulnerable. 
 

CVE Entries: 
nxt CVE-1999-0833
qinv CVE-1999-0009

Other related entries CVE-1999-0835, CVE-1999-0848, CVE-1999-0849, 
CVE-1999-0851

Advice on correcting the problem:
A. Disable the BIND name daemon (named) on all systems that are not 
authorized to be DNS servers.   Some experts recommend you also remove 
the DNS software.

B. On machines that are authorized DNS servers, update to the latest 
version and patch level (as of May 22, 2000, latest version was 8.2.2 
patch level 5)
Use the guidance contained in the following advisories:
For the NXT vulnerability: 
 -- http://www.cert.org/advisories/CA-99-14-bind.html
For the QINV (Inverse Query) and NAMED vulnerabilities:
 -- http://www.cert.org/advisories/CA-98.05.bind_problems.html
 -- http://www.cert.org/summaries/CS-98.04.html

C. Run BIND as a non-privileged user for protection in the event of 
future remote-compromise attacks.  (However, only processes running as 
root can be configured to use ports below 1024 - a requirement for 
DNS.  Therefore you must configure BIND to change the user-id after 
binding to the port.)

D. Run BIND in a chroot()ed directory structure for protection in the 
event of future remote-compromise attacks. 


2. Vulnerable CGI programs and application extensions (e.g., 
ColdFusion) installed on web servers.

Most web servers support Common Gateway Interface (CGI) programs to 
provide interactivity in web pages, such as data collection and 
verification. Many web servers come with sample CGI programs installed 
by default. Unfortunately, many CGI programmers fail to consider ways 
in which their programs may be misused or subverted to execute 
malicious commands. Vulnerable CGI programs present a particularly 
attractive target to intruders because they are relatively easy to 
locate, and they operate with the privileges and power of the web 
server software itself. Intruders are known to have exploited 
vulnerable CGI programs to vandalize web pages, steal credit card 
information, and set up back doors to enable future intrusions, even 
if the CGI programs are secured. When Janet Reno's picture was 
replaced by that of Adolph Hitler at the Department of Justice web 
site, an in-depth assessment concluded that a CGI hole was the most 
probable avenue of compromise.  Allaire's ColdFusion is a web server 
application package which includes vulnerable sample programs when 
installed. As a general rule, sample programs should always be removed 
from production systems.  
 
Systems Affected: 
All web servers. 

CVE Entries: 

Sample CGI programs
CAN-1999-0736
CVE-1999-0067
CVE-1999-0068
CVE-1999-0270
CVE-1999-0346
CVE-2000-0207

Most important CGI Vulnerabilities not including sample programs
CAN-1999-0467
CAN-1999-0509
CVE-1999-0021
CVE-1999-0039
CVE-1999-0058
CVE-1999-0147
CVE-1999-0148
CVE-1999-0149
CVE-1999-0174
CVE-1999-0177
CVE-1999-0178
CVE-1999-0237
CVE-1999-0262
CVE-1999-0279
CVE-1999-0771
CVE-1999-0951
CVE-2000-0012
CVE-2000-0039
CVE-2000-0208


ColdFusion Sample Program Vulnerabilities
CAN-1999-0455
CAN-1999-0922
CAN-1999-0923

ColdFusion Other Vulnerability
CAN-1999-0760
CVE-2000-0057

Advice on correcting the problem:
A. Do not run web servers as root 

B. Get rid of CGI script interpreters in bin directories: 
http://www.cert.org/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html

C. Remove unsafe CGI scripts
http://www.cert.org/advisories/CA-97.07.nph-test-cgi_script.html
http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
http://www.cert.org/advisories/CA-97.12.webdist.html

D. Write safer CGI programs:
http://www-4.ibm.com/software/developer/library/secure-cgi/
http://www.cert.org/tech_tips/cgi_metacharacters.html
http://www.cert.org/advisories/CA-97.24.Count_cgi.html

E.  Don't configure CGI support on Web servers that don't need it.

F.  Run your Web server in a chroot()ed environment to protect the 
machine against yet to be discovered exploits
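The "write safer CGI programs" advice above comes down to one rule: user-supplied text must never reach a shell. The Python example below is added here for illustration; it is not part of the SANS document or of the CERT tech tips it cites. The CGI handler, its "host" query parameter, the lookup command it builds and the helper names are constructed for the example. It shows the flawed pattern (interpolating the parameter into a command string) beside a hardened handler that validates the value against a strict host-name grammar and builds an argument vector, so no shell is invoked at all.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Constructed example: a CGI program that looks up the host name given in
# the "host" query parameter. Parameter name, command and helper names are
# this example's own assumptions, not from the SANS document.

# Strict host-name grammar: labels of 1-63 letters, digits or hyphens that
# start and end with a letter or digit, joined by dots. Everything the
# shell treats specially (; | & ` $ ( ) < > quotes, spaces, newlines) is
# excluded simply because it is not a legal host-name character.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def unsafe_command(hostname):
    """FLAWED pattern: the user's value is pasted into a command string
    that the original program hands to a shell (os.system / popen), so
    any metacharacters in the value are interpreted by that shell."""
    return "host " + hostname


def validate_hostname(value):
    """Accept only values matching the host-name grammar above.

    A leading hyphen is impossible under this grammar, so the value can
    never be read as a command-line option by the program receiving it."""
    if len(value) > 253 or not HOSTNAME_RE.match(value):
        raise ValueError("rejected: not a valid host name")
    return value


def safe_command(hostname):
    """Hardened form: a validated value placed in an argument vector.

    With an argv list and shell=False there is no shell in the path, so
    metacharacters have nothing to influence even if validation were
    ever loosened."""
    return ["host", validate_hostname(hostname)]


def handle_request(query_string):
    """Parse QUERY_STRING as the CGI would and return the argv to run, or
    None when the request must be refused (missing, repeated or malformed
    parameter)."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("host", [])
    if len(values) != 1:
        return None
    try:
        return safe_command(values[0])
    except ValueError:
        return None


def run_lookup(query_string, timeout=10):
    """Execute the validated command (needs the 'host' utility installed)."""
    argv = handle_request(query_string)
    if argv is None:
        return "400 Bad Request"
    result = subprocess.run(argv, capture_output=True, text=True,
                            timeout=timeout, shell=False, check=False)
    return result.stdout


if __name__ == "__main__":
    for q in ("host=www.sans.org", "host=www.sans.org%3Bls", "host=-v"):
        print(q, "->", handle_request(q))
```

The validator is deliberately a whitelist of what a host name may contain rather than a blacklist of metacharacters; the CERT tech tip cited above explains why blacklists of shell metacharacters tend to be incomplete.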


3. Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd 
(ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow 
immediate root compromise

Remote procedure calls (RPC) allow programs on one computer to execute 
programs on a second computer.  They are widely used to access network 
services such as shared files in NFS.  Multiple vulnerabilities caused 
by flaws in RPC are being actively exploited.  There is compelling 
evidence that the vast majority of the distributed denial of service 
attacks launched during 1999 and early 2000 were executed by systems 
that had been victimized because they had the RPC vulnerabilities.  
The broadly successful attack on U.S. military systems during the 
Solar Sunrise incident also exploited an RPC flaw found on hundreds of 
Department of Defense systems.

Systems Affected: 
Multiple UNIX and Linux systems

CVE Entries: 
rpc.ttdbserverd - CVE-1999-0687, CVE-1999-0003, CVE-1999-0693 (-0687 
is newer than -0003, but both allow root from remote attackers and 
it's likely that -0003 is still around a LOT; -0693 is only locally 
exploitable, but does give root)

rpc.cmsd - CVE-1999-0696

rpc.statd - CVE-1999-0018, CVE-1999-0019.

Advice on correcting the problem:

A. Wherever possible, turn off and/or remove these services on 
machines directly accessible from the Internet.

B. Where you must run them, install the latest patches:
For Solaris Software Patches:
 -- http://sunsolve.sun.com
For IBM AIX Software:
 -- http://techsupport.services.ibm.com/support/rs6000.support/downloads
 -- http://techsupport.services.ibm.com/rs6k/fixes.html
For SGI Software Patches:
 -- http://www.sgi.com/support/path_intro.html
For Compaq (Digital Unix) Patches:
 -- http://www.compaq.com/support

Search the vendor patch database for tooltalk patches and install them 
right away.

A summary document pointing to specific guidance about each of three 
principal RPC vulnerabilities may be found at:
http://www.cert.org/incident_notes/IN-99-04.html

For statd: 
 - http://www.cert.org/advisories/CA-99-05-statd-automountd.html 
For ToolTalk: 
 - http://www.cert.org/advisories/CA-98.11.tooltalk.html
For Calendar Manager: 
 - http://www.cert.org/advisories/CA-99-08-cmsd.html

 
4. RDS security hole in the Microsoft Internet Information Server 
(IIS).

Microsoft's Internet Information Server (IIS) is the web server 
software found on most web sites deployed on Microsoft Windows NT and 
Windows 2000 servers.  Programming flaws in IIS's Remote Data Services 
(RDS) are being employed by malicious users to run remote commands 
with administrator privileges.  Some participants who developed the 
"Top Ten" list believe that exploits of other IIS flaws, such as .HTR 
files, are at least as common as exploits of RDS. Prudence dictates 
that organizations using IIS install patches or upgrades to correct 
all known IIS security flaws when they install patches or upgrades to 
fix the RDS flaw. 

Systems Affected: 
Microsoft Windows NT systems using Internet Information Server

CVE Entries: 
CVE-1999-1011

Advice on correcting the problem:

A. Implement custom handlers AND delete the references to VBBusObj at 
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W3SVC/Parameters/
ADCLaunch/VbBusObj.VbBusObjCls

B. Use the information posted by Microsoft to disable the service or 
correct the RDS vulnerability and all other security flaws in IIS. 
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp

5. Sendmail buffer overflow weaknesses, pipe attacks and MIMEbo, that 
allow immediate root compromise.

Sendmail is the program that sends, receives, and forwards most 
electronic mail processed on UNIX and Linux computers.  Sendmail's 
widespread use on the Internet makes it a prime target of attackers.  
Several flaws have been found over the years.  The very first advisory 
issued by CERT/CC in 1988 made reference to an exploitable weakness in 
sendmail.  In one of the most common exploits, the attacker sends a 
crafted mail message to the machine running Sendmail, and Sendmail 
reads the message as instructions requiring the victim machine to send 
its password file to the attacker's machine (or to another victim) 
where the passwords can be cracked.

Systems Affected: 
Multiple UNIX and Linux systems

CVE Entries: 
CVE-1999-0047, CVE-1999-0130, CVE-1999-0131, CVE-1999-0203, 
CVE-1999-0204, CVE-1999-0206. 
CVE-1999-0130 is locally exploitable only.

Advice on correcting the problem:

A. Implement patches for sendmail. See
http://www.cert.org/advisories/CA-97.05.sendmail.html

B. Do not run Sendmail in daemon mode (turn off the -bd switch) on 
machines that are neither mail servers nor mail relays.

C. Consider running an alternate Mail Transfer Agent such as Postfix, 
QMail, or Exim. More information may be found at www.postfix.org, 
www.qmail.org, www.exim.org. (Note, however, that these programs are 
not transparent replacements, and may have weaknesses of their own 
that have yet to be discovered.)

6. sadmind and mountd

Sadmind allows remote administration access to Solaris systems, 
providing graphical access to system administration functions.  Mountd 
controls and arbitrates access to NFS mounts on UNIX hosts.  Buffer 
overflows in these applications can be exploited allowing attackers to 
gain control with root access.

Systems Affected: 
Multiple UNIX and Linux systems
Sadmind: Solaris machines only

CVE Entries: 
sadmind - CVE-1999-0977

mountd - CVE-1999-0002.

Advice on correcting the problem:

A. Wherever possible, turn off and/or remove these services on 
machines directly accessible from the Internet. 

B. Install the latest patches:
For Solaris Software Patches:
 -- http://sunsolve.sun.com
For IBM AIX Software:
 -- http://techsupport.services.ibm.com/support/rs6000.support/downloads
 -- http://techsupport.services.ibm.com/rs6k/fixes.html
For SGI Software Patches:
 -- http://www.sgi.com/support/path_intro.html
For Compaq (Digital Unix) Patches:
 -- http://www.compaq.com/support
C. More guidance at:
http://www.cert.org/advisories/CA-99-16-sadmind.html 
http://www.cert.org/advisories/CA-98.12.mountd.html 


7. Global file sharing and inappropriate information sharing via NFS 
and Windows NT ports 135->139 (445 in Windows2000) or UNIX NFS exports 
on port 2049. Also Appletalk over IP with Macintosh file sharing 
enabled.

These services allow file sharing over networks.  When improperly 
configured, they can expose critical system files or give full file 
system access to any hostile party connected to the network.  Many 
computer owners and administrators use these services to make their 
file systems readable and writeable in an effort to improve the 
convenience of data access.  Administrators of a government computer 
site used for software development for mission planning made their 
files world readable so people at a different government facility 
could get easy access. Within two days, other people had discovered 
the open file shares and stolen the mission planning software.

When file sharing is enabled on Windows machines, they become 
vulnerable to both information theft and certain types of quick-moving 
viruses. A recently released virus called the 911 Worm uses file 
shares on Windows 95 and 98 systems to propagate and causes the 
victim's computer to dial 911 on its modem.  Macintosh computers are 
also vulnerable to file sharing exploits.

The same NetBIOS mechanisms that permit Windows File Sharing may also 
be used to enumerate sensitive system information from NT systems.  
User and Group information (usernames, last logon dates, password 
policy, RAS information), system information, and certain Registry 
keys may be accessed via a "null session" connection to the NetBIOS 
Session Service.  This information is typically used to mount a 
password guessing or brute force password attack against the NT 
target.

Systems Affected: 
UNIX, Windows, and Macintosh systems.

CVE Entries: 
SMB shares with poor access control - CAN-1999-0520
NFS exports to the world - CAN-1999-0554
These candidate entries are likely to change significantly before 
being accepted as full CVE entries.

Advice on correcting the problem:

A. When sharing mounted drives, ensure only required directories are 
shared.

B. For added security, allow sharing only to specific IP addresses 
because DNS names can be spoofed. 

C. For Windows systems, ensure all shares are protected with strong 
passwords.

D. For Windows NT systems, prevent anonymous enumeration of users, 
groups, system configuration and registry keys via the "null session" 
connection.  
Block inbound connections to the NetBIOS Session Service (tcp 139) at 
the router or the NT host.
Consider implementing the RestrictAnonymous registry key for 
Internet-connected hosts in standalone or non-trusted domain 
environments:
NT4: http://support.microsoft.com/support/kb/articles/Q143/4/74.asp
Win2000: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

E. For Macintosh systems, disable file sharing and web sharing 
extensions unless absolutely required. If file sharing must be 
enabled, ensure strong passwords for access, and stop file sharing 
during periods in which it is not required.
http://www.cert.org/incident_notes/IN-2000-02.html
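Items A and B above (share only the directories that are required; restrict sharing to specific IP addresses rather than DNS names) can be checked mechanically on a UNIX NFS server. The Python example below is added here and is not from the SANS document: it parses lines in exports(5) syntax from a constructed sample and reports exports that go to the world or that are restricted only by host name. The paths, host names and addresses in the sample are invented for the example.

```python
import ipaddress

# Constructed sample in exports(5) syntax: "<directory> [client][(options)] ...".
# Paths, hosts and addresses are invented for this example.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/export/home    *(rw)
/export/tools   10.1.2.0/24(ro,root_squash)
/export/build   buildhost.example.com(rw)
/export/public
/export/src     10.1.2.7(rw,no_root_squash) 10.1.2.8(ro)
"""


def parse_exports(text):
    """Return [(directory, [(client, [option, ...]), ...]), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        directory, specs = fields[0], fields[1:]
        clients = []
        for spec in specs:
            client, _, rest = spec.partition("(")
            options = [o for o in rest.rstrip(")").split(",") if o] if rest else []
            clients.append((client, options))
        entries.append((directory, clients))
    return entries


def classify_client(client):
    """Classify a client field as world, netgroup, ip or name."""
    if client in ("", "*"):          # "(rw)" with no host at all, or an explicit *
        return "world"
    if client.startswith("@"):
        return "netgroup"
    try:
        # Accepts 10.1.2.7, 10.1.2.0/24 and address/netmask forms.
        ipaddress.ip_network(client, strict=False)
        return "ip"
    except ValueError:
        return "name"                # host name or wildcard such as *.example.com


def audit_exports(text):
    """Return (directory, client, finding) triples for exports that break
    either rule: no world exports, and IP-based rather than name-based
    client lists."""
    findings = []
    for directory, clients in parse_exports(text):
        if not clients:
            # No client list at all is read here as a world export, the
            # conservative interpretation (and what older NFS servers did).
            findings.append((directory, "", "exported to the world (no client list)"))
            continue
        for client, options in clients:
            access = "rw" if "rw" in options else "ro"
            kind = classify_client(client)
            if kind == "world":
                findings.append((directory, client, f"exported to the world ({access})"))
            elif kind == "name":
                findings.append((directory, client,
                                 f"name-based export ({access}); DNS names can be "
                                 "spoofed, restrict by IP address"))
    return findings


if __name__ == "__main__":
    for directory, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{directory:<16} {client or '<none>':<24} {finding}")
```

Run against the real /etc/exports (or the output of showmount -e for a remote host) the same function gives an inventory of what the server actually offers, which is the list item A asks you to reconcile against what is required.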

 

8. User IDs, especially root/administrator with no passwords or weak 
passwords.

Some systems come with "demo" or "guest" accounts with no passwords or 
with widely known default passwords.  Service workers often leave 
maintenance accounts with no passwords, and some database management 
systems install administration accounts with default passwords. In 
addition, busy system administrators often select system passwords 
that are easily guessable ("love," "money," "wizard" are common) or 
just use a blank password.  Default passwords provide effortless 
access for attackers.  Many attackers try default passwords and then 
try to guess passwords before resorting to more sophisticated methods.  
Compromised user accounts get the attackers inside the firewall and 
inside the target machine. Once inside, most attackers can use 
widely accessible exploits to gain root or administrator access. 
 

Systems Affected: 
All systems.

CVE Entries: 
Unix guessable (weak) password - CAN-1999-0501
Unix default or blank password - CAN-1999-0502
NT guessable (weak) password - CAN-1999-0503
NT default or blank password - CAN-1999-0504
These candidate entries are likely to change significantly before 
being accepted as full CVE entries.

Advice on correcting the problem:
A. Create an acceptable password policy including assigned 
responsibility and frequency for verifying password quality.  Ensure 
senior executives are not exempted.  Also include in the policy a 
requirement to change all default passwords before attaching computers 
to the Internet, with substantial penalties for non-compliance.

B1. VERY IMPORTANT! Obtain written authority to test passwords.

B2. Test passwords with password cracking programs:
For Windows NT: L0phtCrack, http://www.l0pht.com
For UNIX: Crack, http://www.users.dircon.co.uk/~crypto

C. Implement utilities that check passwords when created.
For UNIX: Npasswd,  
http://www.utexas.edu/cc/unix/software/npasswd
For Windows NT: 
http://support.microsoft.com/support/kb/articles/Q161/9/90.asp

D. Force passwords to expire periodically (at a frequency established 
in your security policy).

E. Maintain password histories so users cannot recycle old passwords.

Additional information may be found at:
http://www.cert.org/tech_tips/passwd_file_protection.html
http://www.cert.org/incident_notes/IN-98.03.html
http://www.cert.org/incident_notes/IN-98.01.irix.html

9. IMAP and POP buffer overflow vulnerabilities or incorrect 
configuration.

IMAP and POP are popular remote access mail protocols, allowing users 
to access their e-mail accounts from internal and external networks.  
The "open access" nature of these services makes them especially 
vulnerable to exploitation because openings are frequently left in 
firewalls to allow for external e-mail access.  Attackers who exploit 
flaws in IMAP or POP often gain instant root-level control.

Systems Affected: 
Multiple UNIX and Linux systems

CVE Entries: 
CVE-1999-0005, CVE-1999-0006, CVE-1999-0042, CVE-1999-0920, 
CVE-2000-0091

Advice on correcting the problem:

A. Disable these services on machines that are not e-mail servers.

B. Use the latest patches and versions.
Additional information may be found at:
http://www.cert.org/advisories/CA-98.09.imapd.html
http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
http://www.cert.org/advisories/CA-97.09.imap_pop.html

C. Some of the experts also recommend controlling access to these 
services using TCP wrappers and encrypted channels such as SSH and SSL 
to protect passwords.

10. Default SNMP community strings set to 'public' and 'private.'

The Simple Network Management Protocol (SNMP) is widely used by 
network administrators to monitor and administer all types of 
network-connected devices ranging from routers to printers to 
computers.  SNMP uses an unencrypted "community string" as its only 
authentication mechanism.  Lack of encryption is bad enough, but the 
default community string used by the vast majority of SNMP devices is 
"public", with a few "clever" network equipment vendors changing the 
string to "private".  Attackers can use this vulnerability in SNMP to 
reconfigure or shut down devices remotely.  Sniffed SNMP traffic can 
reveal a great deal about the structure of your network, as well as 
the systems and devices attached to it. Intruders use such information 
to pick targets and plan attacks.

Systems Affected: 
All systems and network devices.

CVE Entries: 
default or blank SNMP community name (public) - CAN-1999-0517
guessable SNMP community name - CAN-1999-0516
hidden SNMP community strings - CAN-1999-0254, CAN-1999-0186
These candidate entries are likely to change significantly before 
being accepted as full CVE entries.


Advice on correcting the problem:

A. If you do not absolutely require SNMP, disable it.

B. If you are using SNMP, use the same policy for community names as 
used for passwords described in Vulnerability Cluster Number 8 above.

C. Validate and check community names using snmpwalk.

D. Where possible make MIBs read only.

Additional information:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm#xtocid210315
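Item 8 C calls for utilities that check passwords when they are created, and item 10 B above says to hold SNMP community names to the same policy. The Python example below is added here and is not from the SANS document, npasswd or Crack; it encodes one such policy (non-blank, minimum length, not a default or guessable word, several character classes, no reuse against a history, periodic expiry) and applies it to both kinds of secret. The word list consists of the examples the document itself names ("love", "money", "wizard", "public", "private") plus a few obvious additions, and the length and class thresholds are this example's own choices.

```python
import hashlib
from datetime import date, timedelta

# Guessable words named in the document plus a few obvious additions
# (an assumption of this example). A production checker would use a full
# dictionary, as Crack and npasswd do.
WEAK_WORDS = {"love", "money", "wizard", "public", "private",
              "password", "guest", "demo", "admin"}


def fingerprint(secret):
    """Opaque value kept in the history instead of the secret itself.
    (Unsalted SHA-256 for brevity; a real history stores the system's
    own password hashes.)"""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def check_secret(candidate, history=(), min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means accepted.

    The same rules apply to an account password (item 8) and to an SNMP
    community string (item 10 B)."""
    if candidate == "":
        return ["blank"]                       # nothing else worth reporting
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = candidate.lower()
    # "public1" or "Wizard99" is still the dictionary word with digits added.
    if lowered in WEAK_WORDS or lowered.rstrip("0123456789") in WEAK_WORDS:
        problems.append("default or dictionary word")
    classes = sum((any(c.islower() for c in candidate),
                   any(c.isupper() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate)))
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if fingerprint(candidate) in history:      # item 8 E: no recycling
        problems.append("reused from history")
    return problems


def is_expired(last_changed, today, max_age_days=90):
    """Item 8 D: force a change at the frequency the policy sets.
    Dates are ISO strings such as "2000-06-01"."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    history = {fingerprint("Q7v!mDx2pL")}
    # The first three are typical account passwords and community strings
    # that should be refused; the last two are acceptable new values.
    for value in ("", "public", "private1", "Q7v!mDx2pL", "Rk4#wPz9tn"):
        print(repr(value), check_secret(value, history) or "ok")
    print("expired:", is_expired("2000-01-01", "2000-06-01"))
```

The same check_secret() call fits behind a password-change hook on UNIX or NT and in the change procedure for device community strings, so one policy really is enforced in both places as item 10 B intends.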

A High Priority Bonus Item for Windows Users and Administrators
Various Scripting Holes in Internet Explorer and Office2000

Recent virus attacks have illustrated how macro and script code can 
spread easily through e-mail attachments, and people were admonished 
to avoid opening potentially dangerous attachments. However, Windows 
users can also spread malicious viruses without opening attachments. 
Microsoft Outlook and Outlook Express will execute HTML and script 
code in an e-mail in their default installations. In addition, several 
so-called ActiveX components are incorrectly executable from an e-mail 
containing HTML and script code. Some of the vulnerable controls 
include Scriptlet.typelib (ships with IE 4.x and 5.x) and the UA 
control (Office 2000). Another vulnerability arising from the use of 
Active Scripting is that an e-mail could be used to install new 
software on a user's computer.

A relatively benign virus known as the kak worm is already spreading 
through these mechanisms.  A malicious version of kak can be 
anticipated at any time. We recommend that all users and 
administrators set Outlook and Outlook Express to read e-mail in the 
"Restricted Sites Zone" and then further disable all Active Scripting 
and ActiveX related settings in that zone. This is done in the Options 
dialog's Security tab, but can be automated using System Policies. 
Microsoft has made patches available for the individual problems and 
is readying a patch which will set the security settings in Outlook, 
but apparently has no plans on fixing Outlook Express.

Systems Affected:

All Windows systems with Internet Explorer 4.x and 5.x (even if it is 
not used) or Office 2000. Windows 2000 is not affected by some of the 
IE issues.

CVE Entries:
CVE-1999-0668
CAN-2000-0329

Advice on correcting the problem:
http://www.microsoft.com/security/bulletins/ms99-032.asp
http://www.microsoft.com/security/bulletins/MS99-048.asp
http://www.microsoft.com/technet/security/bulletin/MS00-034.asp

The fixes for the particular vulnerabilities discussed here are 
available from:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm
http://officeupdate.microsoft.com/info/ocx.htm

Set your Security Zone to restricted sites and then disable all active 
content in that zone.
Apply the patch to Outlook as soon as it becomes available at:
http://www.officeupdate.com/2000/articles/out2ksecarticle.htm

Updating your virus detection software, while important, is not a 
complete solution for this problem. You must also correct the flaws in 
Microsoft's software.


Perimeter Protection For An Added Layer of Defense In Depth

In this section, we list ports that are commonly probed and attacked.  
Blocking these ports is a minimum requirement for perimeter security, 
not a comprehensive firewall specification list.  A far better rule is 
to block all unused ports.  And even if you believe these ports are 
blocked, you should still actively monitor them to detect intrusion 
attempts. A warning is also in order. Blocking some of the ports in 
the following list may disable needed services.  Please consider the 
potential effects of these recommendations before implementing them.
 
1) Block "spoofed" addresses-- packets coming from outside your 
company sourced from internal addresses or private (RFC1918 and 
network 127) addresses.  Also block source routed packets.

2) Login services-- telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), 
NetBIOS (139/tcp), rlogin et al (512/tcp through 514/tcp)

3) RPC and NFS-- Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp 
and 2049/udp), lockd (4045/tcp and 4045/udp)

4) NetBIOS in Windows NT --  135 (tcp and udp), 137 (udp), 138 (udp), 
139 (tcp).  Windows 2000 - earlier ports plus 445(tcp and udp)

5) X Windows -- 6000/tcp through 6255/tcp

6) Naming services-- DNS (53/udp) to all machines that are not DNS 
servers, DNS zone transfers (53/tcp) except from external secondaries, 
LDAP (389/tcp and 389/udp)

7) Mail-- SMTP (25/tcp) to all machines that are not external mail 
relays, POP (109/tcp and 110/tcp), IMAP (143/tcp)

8) Web-- HTTP (80/tcp) and SSL (443/tcp) except to external Web 
servers, may also want to block common high-order HTTP port choices 
(8000/tcp, 8080/tcp, 8888/tcp, etc.)

9) "Small Services"-- ports below 20/tcp and 20/udp, time (37/tcp and 
37/udp)

10) Miscellaneous-- TFTP (69/udp), finger (79/tcp), NNTP (119/tcp), 
NTP (123/tcp), LPD (515/tcp), syslog (514/udp), SNMP (161/tcp and 
161/udp, 162/tcp and 162/udp), BGP (179/tcp), SOCKS (1080/tcp)

11) ICMP-- block incoming echo request (ping and Windows traceroute), 
block outgoing echo replies, time exceeded, and unreachable messages
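The TCP and UDP items of the list above can be written down as a checkable policy, which is also the form the "actively monitor them" advice needs: a script that classifies observed inbound flows the way the perimeter is supposed to. The Python example below is added here and is not from the SANS document. It transcribes items 1 through 10 as port ranges, models the stated exceptions (DNS servers, external secondaries, external mail relays, external web servers) with constructed addresses from the documentation ranges, and runs the policy over a few constructed flow records; item 11 (ICMP) is not modelled.

```python
import ipaddress

# (proto, low port, high port, label) transcribed from items 2-10 above.
# "ports below 20" is taken as 0-19.
INBOUND_BLOCK = [
    ("tcp", 23, 23, "telnet"), ("tcp", 22, 22, "SSH"), ("tcp", 21, 21, "FTP"),
    ("tcp", 139, 139, "NetBIOS session"), ("tcp", 512, 514, "rlogin et al"),
    ("tcp", 111, 111, "portmap"), ("udp", 111, 111, "portmap"),
    ("tcp", 2049, 2049, "NFS"), ("udp", 2049, 2049, "NFS"),
    ("tcp", 4045, 4045, "lockd"), ("udp", 4045, 4045, "lockd"),
    ("tcp", 135, 135, "NetBIOS/RPC"), ("udp", 135, 135, "NetBIOS/RPC"),
    ("udp", 137, 138, "NetBIOS name/datagram"),
    ("tcp", 445, 445, "SMB (Windows 2000)"), ("udp", 445, 445, "SMB (Windows 2000)"),
    ("tcp", 6000, 6255, "X Windows"),
    ("udp", 53, 53, "DNS"), ("tcp", 53, 53, "DNS zone transfer"),
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("tcp", 25, 25, "SMTP"), ("tcp", 109, 110, "POP"), ("tcp", 143, 143, "IMAP"),
    ("tcp", 80, 80, "HTTP"), ("tcp", 443, 443, "SSL"),
    ("tcp", 8000, 8000, "alt HTTP"), ("tcp", 8080, 8080, "alt HTTP"), ("tcp", 8888, 8888, "alt HTTP"),
    ("tcp", 0, 19, "small services"), ("udp", 0, 19, "small services"),
    ("tcp", 37, 37, "time"), ("udp", 37, 37, "time"),
    ("udp", 69, 69, "TFTP"), ("tcp", 79, 79, "finger"), ("tcp", 119, 119, "NNTP"),
    ("tcp", 123, 123, "NTP"), ("tcp", 515, 515, "LPD"), ("udp", 514, 514, "syslog"),
    ("tcp", 161, 162, "SNMP"), ("udp", 161, 162, "SNMP"),
    ("tcp", 179, 179, "BGP"), ("tcp", 1080, 1080, "SOCKS"),
]

# Item 1: a packet arriving from outside with one of these sources is spoofed.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")          # constructed site prefix
NEVER_EXTERNAL = [INTERNAL_NET] + [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed hosts standing in for the exceptions the list names.
DNS_SERVERS = {ipaddress.ip_address("192.0.2.53")}
ZONE_SECONDARIES = {ipaddress.ip_address("198.51.100.53")}   # external secondaries
MAIL_RELAYS = {ipaddress.ip_address("192.0.2.25")}
WEB_SERVERS = {ipaddress.ip_address("192.0.2.80")}


def block_label(proto, port):
    """Label of the list entry covering (proto, port), or None."""
    for p, lo, hi, label in INBOUND_BLOCK:
        if p == proto and lo <= port <= hi:
            return label
    return None


def evaluate(src, dst, proto, dport, source_routed=False):
    """Verdict for one inbound flow: ("drop" | "pass", reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(src in net for net in NEVER_EXTERNAL):
        return ("drop", "spoofed source address")
    if source_routed:
        return ("drop", "source routed packet")
    key = (proto, dport)
    if key == ("udp", 53) and dst in DNS_SERVERS:
        return ("pass", "DNS to an authorized DNS server")
    if key == ("tcp", 53) and dst in DNS_SERVERS and src in ZONE_SECONDARIES:
        return ("pass", "zone transfer from an external secondary")
    if key == ("tcp", 25) and dst in MAIL_RELAYS:
        return ("pass", "SMTP to an external mail relay")
    if key in (("tcp", 80), ("tcp", 443)) and dst in WEB_SERVERS:
        return ("pass", "web traffic to an external web server")
    label = block_label(proto, dport)
    if label:
        return ("drop", f"{label} ({dport}/{proto})")
    return ("pass", "not in the block list")


# Constructed flow records, one flow per line, key=value fields.
SAMPLE_FLOWS = [
    "src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=139",
    "src=10.0.0.9 dst=192.0.2.10 proto=tcp dport=80",
    "src=203.0.113.5 dst=192.0.2.53 proto=udp dport=53",
    "src=198.51.100.53 dst=192.0.2.53 proto=tcp dport=53",
    "src=203.0.113.5 dst=192.0.2.53 proto=tcp dport=53",
    "src=203.0.113.5 dst=192.0.2.80 proto=tcp dport=443",
    "src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=6010",
    "src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22 srr=1",
]


def parse_flow(line):
    f = dict(kv.split("=", 1) for kv in line.split())
    return dict(src=f["src"], dst=f["dst"], proto=f["proto"],
                dport=int(f["dport"]), source_routed=f.get("srr") == "1")


def evaluate_flows(lines):
    return [evaluate(**parse_flow(line)) for line in lines]


if __name__ == "__main__":
    for line, (verdict, reason) in zip(SAMPLE_FLOWS, evaluate_flows(SAMPLE_FLOWS)):
        print(f"{verdict:4} {reason:45} {line}")
```

Feeding the perimeter device's own logs through evaluate_flows() and alerting on any flow that the device passed but the policy says should have been dropped is the monitoring check the paragraph above asks for, and it catches exactly the configuration mistakes this list is meant to back-stop.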

Signatories:
Randy Marchany, Virginia Tech
Scott Conti, University of Massachusetts
Matt Bishop, University of California, Davis
Lance Spitzner, Sun Microsystems GESS Security Team
Alan Paller, SANS Institute
Stephen Northcutt, SANS Institute
Eric Cole, SANS Institute
Gene Spafford, Purdue University CERIAS
Jim Ransome, Pilot Network Services
Frank Swift, Pilot Network Services
Jim Magdych, Network Associates, Inc.
Jimmy Kuo, Network Associates, Inc.
Igor Gashinsky, NetSec, Inc.
Greg Shipley, Neohapsis
Tony Sager, National Security Agency 
Larry Merritt, National Security Agency
Bill Hill, MITRE
Steve Christey, MITRE
Viriya Upatising, Loxley Information Services Co.
Marcus Sachs, JTF-CND, US Department of Defense
Billy Austin, Intrusion.com
Christopher W. Klaus, Internet Security Systems
Wayne Stenson, Honeywell
Martin Roesch, Hiverworld, Inc.
Jeff Stutzman, Healthcare ISAC
Ed Skoudis, Global Integrity
Gene Schultz, Global Integrity
Kelly Cooper, Genuity
Eric Schultze, Foundstone
Bill Hancock, Exodus Communications
Ron Nguyen, Ernst & Young
Lee Brotzman, DoJCERT, Allied Technology Group, Inc.
Scott Lawler, DoD Cert
Hal Pomeranz, Deer Run Associates
Bruce Schneier, Counterpane Internet Security, Inc.
Shawn Hernan, CERT Coordination Center
Kathy Fithen, CERT Coordination Center
Derek Simmel, Carnegie Mellon University
Jesper Johansson, Boston University
Dave Mann, BindView
Rob Clyde, Axent
David Nolan, Arch Paging
Mudge, @stake




