 |  |
20.7. Information Lookup Services
The finger and whois services are very specialized sorts of directory services; they look up information about users and sites on the Internet and provide it in a human-readable format. They are relatively little used these days.20.7.1. finger
The finger service looks up information about users. This information may include the person's real name, username, and information about when they most recently logged in and where they logged in from. finger can also be used to show the list of all users currently logged into a host. finger is designed to allow people to find each other, but it gives out more information than you probably want to make available. Intruders find it invaluable; it will tell them what the valid usernames on the host are, which of them are not in use, and when people are logged in who are likely to notice their activity.We recommend that you limit incoming finger requests to a bastion host and that you run a replacement finger server on that host. Chapter 11, "Unix and Linux Bastion Hosts", discusses how to construct and install a replacement finger server.
Outgoing finger requests are also mildly problematic. The finger protocol has no command channel to the client, so command channel attacks are nonexistent, but data-driven attacks are possible. Many finger clients do no filtering on the data they receive from the server (although the standards strongly suggest that clients should allow only printable ASCII characters). The attacks possible through this data channel are mostly annoyances; the nasty finger server sends back immense amounts of data or makes your terminal beep 400 times and start displaying black letters on a black background. Some of them are more serious. Some terminals are programmable with control characters, so that a finger server can send back data that reprograms the "e" key so that it executes the command "rm -rf/*" or a command that mails your password file. Such terminals are not particularly widespread these days (the most popular terminal emulators don't support this kind of thing), but they still exist, and so do terminal emulators that are overly faithful and reproduce these behaviors. If you are using intelligent terminals, or terminal emulators set up to emulate mainframe terminals with programmable function keys, you may be vulnerable.
In general, data-driven attacks on finger are not a major concern, but if your users frequently use finger to external sites -- particularly universities, which have lots of people who still think making your terminal beep 400 times is amusing -- you may want to run a replacement finger client that filters out control characters and limits the amount of returned data it will accept.[128]
[128]This will prevent you from appreciating the cleverness of people who have managed to put animations in their .plan files using only VT100 control sequences, but that's not a major loss.A modified finger with an extended protocol is available from the GNU Project. This version of finger supports some useful features for large sites (for example, it lets one machine keep track of the most recent login times for an entire network so that users are not constantly complaining that they're incorrect), but it does not include any security enhancements on either the server or the client ends. Several pieces of information it makes available are clearly undesirable to provide to attackers (for example, it will provide a list of machines that are idle and/or have no users logged in). The security implications of the extended protocol it uses are unclear.
20.7.1.1. Packet filtering characteristics of finger
finger is a TCP-based service. Servers use port 79. Clients use ports above 1023.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| In | Ext | Int | TCP | >1023 | 79 |
[129]
|
Query, external client to internal server |
| Out | Int | Ext | TCP | 79 | >1023 | Yes | Response, internal server to external client |
| Out | Int | Ext | TCP | >1023 | 79 | [129] | Query, internal client to external server |
| In | Ext | Int | TCP | 79 | >1023 | Yes | Response, external server to internal client |
[129]ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
20.7.1.2. Proxying characteristics of finger
SOCKS provides a modified finger client for Unix, and finger clients on other platforms should be easy to modify to use SOCKS. Some finger servers support the notation finger user@host@proxying-host, which sends the request to the proxying host and from there to the destination host. If this form of proxying is available, however, it will work equally for external and internal users. External users will be able to use it to reach your internal hosts, which you may find undesirable.
20.7.1.3. Network address translation characteristics of finger
finger does not use embedded IP addresses and can be used with network address translation without problems.
20.7.2. whois
whois is another information-lookup protocol, much like finger. It is commonly used to obtain public information about hosts, networks, domains, and the people who manage them from various Network Information Centers (NICs), such as whois.internic.net. Sites generally don't provide their own whois server; they merely access the whois servers at the NICs. People don't expect other sites to run whois servers. whois clients are available for almost every platform and are sometimes embedded into other tools.The data that is available via whois is not necessarily of much interest to normal users. It is really useful only as a way of tracking down what IP addresses belong to what organizations, and it's no longer easy to use even for that purpose, because many addresses have been allocated to service providers that then distribute them to their clients. In addition, there used to be only one NIC, which held all the information for the Internet. Now there are multiple NICs, and it may be necessary to query multiple ones before you find the one that holds the information of interest. Older whois clients do not do this automatically. At most sites, the only people who have any use for whois are system and network administrators. Many NICs also make the same data available via other methods, such as the World Wide Web.
On the other hand, there have been no known security problems with whois clients, and any that occurred would have to be data-driven. (All that a whois server can do to a client is to return data.) Because whois is almost never used with arbitrary servers, in order to do any real damage, somebody who manages to find a data-driven bug in a whois client would have to compromise, subvert, or forge packets from the most frequently used and most secure machines on the Internet. Furthermore, while finger shows data that was entered by random users, whois pulls its information from a central database. Therefore, if your users want to use whois clients, there's no reason to prevent them. If they don't have any particular desire to use whois, there's no reason to make it available.
20.7.2.1. Packet filtering characteristics of whois
whois is TCP-based. Servers use port 43. Clients use ports above 1023.| Direction | SourceAddr. | Dest.Addr. | Protocol | SourcePort | Dest.Port | ACKSet | Notes |
|---|---|---|---|---|---|---|---|
| Out | Int | Ext | TCP | >1023 | 43 |
[130]
|
Query, internal client to external server |
| In | Ext | Int | TCP | 43 | >1023 | Yes | Response, external server to internal client |
[130]ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
20.7.2.2. Proxying characteristics of whois
SOCKS does not provide a modified whois client, but such clients are available. Because whois is a straightforward single-connection protocol with plenty of user-specified data, it is trivial to modify whois clients for SOCKS, and relatively simple to write a modified-procedure proxy server for it.
20.7.2.3. Network address translation characteristics of whois
whois does not use embedded IP addresses and will function with network address translation without problems.
20.7.2.4. Summary of recommendations for whois
- You don't need to run an externally visible whois server.
- Don't allow incoming whois queries unless you put a server up.
- If you have whois clients available, allow outgoing whois queries from the machines your system and network administrators are likely to use. Otherwise, use web services to look up this data.
|  | |
| 20.6. Active Directory |  | 21. Authentication and Auditing Services |
