4.12 The ident Service

[Danger level icon: graphics/fourdangerlevel.gif]

The ident service is provided by the identd program, which can run either as a standalone daemon or be started from inetd. When someone on your system uses a client program, such as Netscape, telnet, or FTP, to connect to a server on a remote system, that remote system learns only your system's IP address and the port number from which the connection originated. The remote system has no way of knowing which user on your system made the connection, or even whether your IP address has been spoofed. If one of your users causes mischief, the remote system cannot identify which user did it and report that user to you. The ident service answers these questions by telling the remote system which of your users owns the connection from that port number. The identd server can also be configured to log these queries for later analysis.

The ident service does give information about your system to any process on any system that asks. If it is allowed to give out user names, an attacker might use them to guess passwords or e-mail addresses. Recall that a login guess reveals nothing unless both a valid user name and that user's password are supplied; handing out user names removes half of that uncertainty. It is suggested that the -n flag be given when identd is invoked so that a numeric UID is returned instead of a user name, because a UID is of no use for these purposes. It is also suggested that the -u user and -g group flags be used to make identd switch to a harmless user and group, such as ident. Thus, if a cracker finds a vulnerability in it, the cracker will not gain root access.

You might want to modify identd to return the same response (the same fake user name) every time it is queried. This prevents crackers from finding out who is logged on, and prevents both crackers and spammers from harvesting user names for nefarious purposes. You can download such a fake version from

www.ajk.tele.fi/~too/sw/


Additionally, DoS attacks are possible, because identd is a resource that an attacker can use up. It is suggested that if it is run at all, it be run only on systems that have "real users" with shell accounts. (Other systems have no use for it.) The -o option, which is on by default, causes identd to report the operating system type as OTHER instead of UNIX. Although some people advocate this as "security by obscurity," I do not find the technique particularly valuable, though I do not believe in revealing version numbers, because that information would accurately indicate which vulnerabilities are present.

The -l option will cause identd to log requests via syslogd. It is on by default.
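The following worked example is added here and is not code from the book or from any identd implementation. It shows the RFC 1413 exchange that the discussion above describes: the querying system sends "server-port , client-port", and identd answers with either "USERID : opsys : id" or an ERROR line. The `numeric_uid`, `os_other` and `fake_user` parameters are assumptions that mirror the -n and -o flags and the fixed-answer patch mentioned above, so you can see what a querier actually receives under each setting. The connection table is constructed; a real daemon reads the kernel's list of established TCP connections instead.

```python
import re

# Request line: "<port-on-server> , <port-on-client>" (RFC 1413). The first
# port is on the machine running identd, the second on the machine asking.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

# Constructed stand-in for the kernel's table of established TCP connections:
# (local port, remote port) -> (user name, numeric UID). A real identd obtains
# this from the kernel (e.g. /proc/net/tcp on Linux); these rows are invented.
CONNECTION_TABLE = {
    (6191, 23): ("alice", 1001),   # alice has a telnet session open
    (6192, 21): ("bob", 1002),     # bob has an FTP session open
}


def build_response(request, table=CONNECTION_TABLE, numeric_uid=False,
                   os_other=False, fake_user=None):
    """Return the RFC 1413 reply line for one request line.

    numeric_uid mirrors identd's -n flag (answer with the UID, not the name),
    os_other mirrors -o (report OTHER rather than UNIX), and fake_user mirrors
    the patched daemon that returns the same made-up name for every query.
    """
    m = REQUEST_RE.match(request)
    if not m:
        # Unparsable request: there are no ports to echo back.
        return "0, 0 : ERROR : INVALID-PORT"
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    prefix = f"{local_port}, {remote_port} : "
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return prefix + "ERROR : INVALID-PORT"
    if fake_user is not None:
        # Fixed answer regardless of who (if anyone) owns the connection, so a
        # querier learns nothing about real accounts or who is logged in.
        return prefix + f"USERID : OTHER : {fake_user}"
    entry = table.get((local_port, remote_port))
    if entry is None:
        return prefix + "ERROR : NO-USER"
    name, uid = entry
    opsys = "OTHER" if os_other else "UNIX"
    ident = str(uid) if numeric_uid else name
    return prefix + f"USERID : {opsys} : {ident}"


RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*([^:]+?)\s*(?::\s*(.*?)\s*)?$"
)


def parse_response(line):
    """Parse a reply the way the querying side (or a log analyser) would."""
    m = RESPONSE_RE.match(line)
    if not m:
        return None
    local_port, remote_port, kind, field3, field4 = m.groups()
    result = {"local_port": int(local_port),
              "remote_port": int(remote_port),
              "kind": kind}
    if kind == "USERID":
        result["opsys"] = field3
        result["userid"] = field4
    else:
        result["error"] = field3
    return result


if __name__ == "__main__":
    request = "6191, 23\r\n"   # constructed query for alice's telnet session
    print(build_response(request))                                  # default identd
    print(build_response(request, numeric_uid=True, os_other=True)) # -n -o
    print(build_response(request, fake_user="nobody"))              # fixed-answer patch
    print(build_response("6191, 80"))                               # no such connection
    print(parse_response(build_response(request, numeric_uid=True)))
```

With the defaults the reply names the account ("alice"); with `numeric_uid` and `os_other` the querier sees only "OTHER : 1001", and with `fake_user` every query, including ones for ports that are not connected at all, gets the same invented name, which is what denies a harvester any signal about real accounts or current logins.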

Any decent cracker can determine your system's operating system by observing how it responds to certain error conditions in packet handling. The nmap program is particularly skillful at this. Even that is unnecessary if you reveal the information yourself through a telnet or FTP banner or by offering other services characteristic of Linux and UNIX. If in doubt, do not offer ident.

Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages.