SUMMARY:Finger Security

From: Hisham Al Saad (ahisham@batelco.com.bh)
Date: Wed Aug 09 2000 - 06:47:49 CDT


Thanks to all who replied.

My original message ,
> Is enabling finger service on UNIX machines considered as a security
> hole? and if so how to correct it?
> I would appreciate any information about this.

Here are the replies :-

Brett Lymn:
If you have fingerd running then it will give out details about user
logins to anyone that asks. If this makes you nervous then shut it
down.
edit /etc/inetd.conf and comment out the in.fingerd entry save the
file and then kill -HUP the inetd.
===========================
Andrew Brennan:
It's not a security hole in the sense that there are bugs in the finger
daemon code (though that is certainly a possibility). Finger is a hole
in the sense that it provides an outside user with more details that he
can then use in social engineering, or brute force attacks, etc.

Finger'ng a system, getting a list of usernames ... then calling a help
desk and asking them to change your "forgotten" password. Or scripting
password attacks against those usernames via POP, etc.

Finger gives that information away ... and if the ideal goal is to keep
people out of your systems, you don't want to *give* anything away.
============================
Jason Ziemlak:
Yes, leaving the finger port open is considered a security risk. You must
close it in your /etc/inetd.conf ... Edit that, and comment out the line
for the finger daemon, and then HUP the inetd process.

============================
Bruce M. Simpson:
The vendor-supplied in.fingerd in many Solaris versions was prone to
a Denial of Service attack of the form:

hostile% finger @.@.@.@.@.@.@.@.@.@.@.@sunhost

This would cause 'sunhost' to fork off many processes to respond to
the nested/forwarded finger requests from 'hostile'.

In general, enabling finger service is problematic, because it allows
a remote intruder to make guesses about user accounts and form a picture
of user activity.

If you really wish to install finger, consider an alternative such as GNU
fingerd which allows the administrator to fine-tune certain aspects of
fingerd behavior.

S
U BEFORE POSTING please READ the FAQ located at
N ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/faq
. and the list POLICY statement located at
M ftp://ftp.cs.toronto.edu/pub/jdd/sun-managers/policy
A To submit questions/summaries to this list send your email message to:
N sun-managers@ececs.uc.edu
A To unsubscribe from this list please send an email message to:
G majordomo@sunmanagers.ececs.uc.edu
E and in the BODY type:
R unsubscribe sun-managers
S Or
. unsubscribe sun-managers original@subscription.address
L To view an archive of this list please visit:
I http://www.latech.edu/sunman.html
S
T



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:14 CDT