My question:
> Open Systems Today, in its February 21 issue, advises removing support for
> /dev/nit in SunOS 4.1.x by reconfiguring the kernel, to disallow promiscuous
> mode and stave off eavesdroppers. Any tips on how to do this? If it matters,
> the machine is a SUN 4/330.
Many respondents were kind enough to pass on to me the CERT advisory from
February 3 on "Ongoing Network Monitoring Attacks". Others pointed me to the
relevant section of the kernel config file. The advisory contains specifics
on the problems as well as what to do about them. To disable /dev/nit, you
comment out the following lines in your kernel configuration file
(/usr/kvm/sys/sun{4,4c}/conf/MYKERNEL, if your kernel is named MYKERNEL):
pseudo-device snit # streams NIT
pseudo-device pf # packet filter
pseudo-device nbuf # NIT buffering module
Then:
# config MYKERNEL
# cd ../MYKERNEL
# make
# mv /vmunix /vmunix.old
# cp vmunix /vmunix
and reboot. Other comments mentioned that an intruder clever enough to have
gained root access to the system (which you need to set the interface in
promiscuous mode) can configure back the system for /dev/nit and reboot it;
that seems to me like a hard one to pull off without people noticing, at
least if the machine is an NFS server. I suppose you could have a cron job
periodically check for the existence of /dev/nit (or check if the interface
is in promiscuous mode).
Thanks to:
Casper Dik <casper@fwi.uva.nl>
Dave Fetrow <fetrow@biostat.washington.edu>
Gary Blumenstein <garyb@gcm.com>
Gustavo Vegas <titan!gustavo@enuucp.eas.asu.edu>
John T Wilson <wilsonj@awcdb1.eglin.af.mil>
Kelvin Hui <kelvinh@sa-htn.valmet.com>
Kevin Cosgrove <qiclab!solomon!kevinc>
Michael Myers <mmyers@willamette.edu>
Rich Schultz <rich@ccrwest.org>
Steve Elliott <se@computing.lancaster.ac.uk>
Steve Simmons <scs@lokkur.dexter.mi.us>
adamfox@super.org (Adam Fox)
checkedg@eee.bham.ac.uk (Dr. Dave Checketts)
cj%mssls3.mssl.ucl.ac.uk@ucl.ac.uk (Colin Johnson)
cogan@mso.anu.edu.au (Bruce Cogan)
fmrco!ocean!tom@uunet.UU.NET (Tom Yen)
glenn@uniq.com.au (Glenn Satchell - Uniq Professional Services)
julian@syd.dwt.csiro.au (Julian Dryden)
leroy@norland.rabbit.net (Todd LeRoy)
markz@markz.acs.ucalgary.ca (Mark Zawalykut)
pbh@cfsmo.honeywell.com (Paul B. Henninger)
root@rjrt.COM (0000-Admin(0000))
stern@sunrise.East.Sun.COM (Hal Stern - NE Area Systems Engineer)
tkevans@eplrx7.es.duPont.com (Tim Evans)
wade@kegs.saic.com (Jeff Wade 552-5117)
walt@adaclabs.com (Walt Klingenberg)
zinnato@NADC.NADC.NAVY.MIL
Rob
------------------------------------------------------------------
| Rob Weltman robw@microguild.com |
| Microguild, Inc. (415)-428-3693 |
| 888 Villa Street, suite 500 fax (415)-428-3696 |
| Mountain View, CA 94041 |
------------------------------------------------------------------
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:57 CDT