SLIP and PPP Security Information


Introduction

My experience for writing this document is based upon private internets, like the one at SGI. Some of it isn't terribly useful for servers directly to the Internet, although I have added sections as people have brought them to my attention (eg: the section on plugging the FTP security hole).

Many people need access to a private internet but do not or cannot have a permanent connection. By design, there is minimal security within a private internet but a strong wall around the outside of the network (think of a classic medieval castle). Remote access is like doors or tunnels through the wall, and they need to be protected. Some types of access can compromise the security of a private internet unless special care is taken. This document is aimed primarily at those types of remote access, where special precautions need to be taken.

This is primarily aimed at desktop machines with answering modems, but the principles apply to all SGI machines with modems.

There must be no un-passworded accounts on any dialin machines. Many of the standard accounts are not intended to be logged into, especially accounts on a server. These accounts must be disabled by placing an "*" in the second field of /etc/passwd file. Accounts in this category include: sysadm, diag, daemon, bin, uucp, sys, adm, lp, man, nobody, nuucp, tutor, demos and 4Dgifts (add rfindd, dbadmin, auditor, cmwlogin, sgiweb, EZsetup, OutOfBox, and noaccess in various later releases). Active accounts that need good passwords include: root, guest, and all user accounts.

Guest Accounts

A "good" password is one that is difficult to guess, especially by an external "cracker". The guest account can still be open to the private internet and yet secure from dialup (and reasonably secure from hackery) by creating a .rhosts file, as follows:
   % su
   # echo "+ +" >~guest/.rhosts
   # chown root.sys ~guest ~guest/.rhosts
   # chmod 444 ~guest/.rhosts
   # chmod a+w,+t ~guest
   # exit
   %
Note: NIS accounts (aka YP, ones that start with a "+") are at least as important to check as the local ones. In addition, these accounts may be harder to secure.

.rhosts Files

If there is a /.rhosts file, it is mandatory that it be minimal and secure. Minimize the number of entries! Refer to this example:
   % su
   # chown root.sys /.rhosts
   # chmod 400 /.rhosts
   # exit
   %

Preventing FTP access as root

Because the SLIP and PPP programs must run as root, anybody with a SLIP or PPP account can login as root via FTP. This is a BIG security hole on your server.

To eliminate this, create a file /etc/ftpusers and put in all the accounts that you don't want to have FTP access, one userid per line. This includes all SLIP and PPP accounts, and may include root itself.

Adding Passwords

Passwords may be added to accounts either using the System Manager, or from a shell as follows:
   % su
   # passwd nuucp
   Changing password for nuucp on host.
   New password:
   Re-enter new password:
   # exit
   %

Creating /etc/dialups and /etc/d_passwd Files

To prevent unauthorized access to the private internet by outsiders, the dialup password facility should be enabled. This is done by creating the two files /etc/dialups and /etc/d_passwd. The following example allows SLIP and PPP connections but not UUCP or interactive dialups via modems attached to ports 1 and 2.

Create an /etc/dialups file with the following entries:

   /dev/ttyd1
   /dev/ttym1
   /dev/ttyf1
   /dev/ttyd2
   /dev/ttym2
   /dev/ttyf2

Create an /etc/d_passwd file with the following entries:

   /bin/csh:*:
   /bin/tcsh:*:
   /bin/sh:*:
   /bin/ksh:*:
   /bin/bash:*:
   /usr/lib/uucp/uucico:*:
   /usr/etc/remoteslip::
   /usr/etc/ppp::
   /usr/etc/dbslip::
   /usr/etc/ppp/Login::
The preceding configuration allows PPP and SLIP accounts to login via modems on ports 1 and 2, but disallows all shell accounts. Putting an encrypted password (same format as in /etc/passwd) in place of the the :*: or :: will use that as a dialup password, which is prompted for by the system after the normal user password.

Where To Go From Here


Scott Henry <scotth@sgi.com>
Last modified: Sun Feb 1 14:29:59 1998