The programs running on your computer can give away information about
your identity. Particularly those involved in file transfer and logging
in to other computers.
Contents
1 ident lookups
2 ftp logins
3 Telnet
4 ssh keys
5 Terminal Services/rdesktop
6 SMB/NMBD
7 mDNSResponder (Bonjour/Rendezvous/ZeroConf)
8 UPNP
ident lookups
ident is the TCP identification service. It allows a remote host to determine the local username associated with any TCP connection involving that remote host. Naturally this is a concern, especially if your username reveals your true identity. So when do ident lookups happen? Technically your machine's ident server will answer any request for a (server, client) port pair for which the destination IP is the same as the ident request source IP. However, normally it is only used with FTP, SMTP and IRC traffic, if that. Some web and ssh servers also have it enabled. The best thing to do here is to kill your ident server, or add a firewall entry for port 113. Even better, you may wish to create an obfuscated or common username for regular use. Something like bob, jane, Acidburn, or ZeroCool, perhaps. ;)
[root@machine ~/dir]# iptables -A INPUT -p tcp --dport ident -j DROP
ftp logins
Be aware that your FTP client may also transmit your username or email address as the anonymous password independent of your ident response. So far I've tested Firefox, links, and ncftp, and none of them report your username OR hostname in the login. So that's good.
Telnet
It is possible for a telnet server to query any arbitrary environment variables from your telnet client. These include USER, HOSTNAME, DISPLAY, etc. However, the default behavior of Linux telnet is to only send DISPLAY and PRINTER. Note that in some cases, DISPLAY may contain your hostname.
ssh keys
The major threat with ssh keys for Mac OS and Linux users is your ssh host key. This can be used to fingerprint you by connecting to port 22 of your IP to verify that you are using the same machine as some other previous IP, either at your ISP or over VPN.
On both operating systems, you should be able to regenerate new ssh host keys with the commands:
[root@machine ~/dir]# ssh-keygen -t rsa1 -f ssh_host_key -N ''
[root@machine ~/dir]# ssh-keygen -t rsa -f ssh_host_rsa_key -N ''
[root@machine ~/dir]# ssh-keygen -t dsa -f ssh_host_dsa_key -N ''
On Mac OS, these commands should be issued while you are in the /etc directory, and you should use a sudo before them. On Linux, run them as root in the /etc/ssh directory. Note that -f names the private key file; ssh-keygen writes the matching .pub file itself. The -N '' leaves the passphrase empty, which host keys need since sshd must load them unattended. Answer yes when asked to overwrite the old keys, and expect clients that connected to this machine before to warn that the host key has changed.
ssh login attempts reveal information about your machine only if you have created ssh private keys and the ssh client attempts to use them to log in to the remote host. Password-based login leaks no information about the client other than the IP address.
Realistically, even the scenarios for proving a client's identity via an ssh key exchange are very unlikely. In the case of unsuccessful private key attempts, the only way it could be done is if the attacker's ssh exchange were logged, and then the attacker's private key was seized and demonstrated to provide the same signature as given to the remote host. To do this would require an obscene amount of data collection at the remote host end, just waiting for the attacker to connect. However, if an attacker logged in successfully via an ssh key, all that would need to be shown is that the ssh key existed on your machine to prove you were the attacker. Your local username is never sent as part of the ssh key exchange, even if it is a part of the public key.
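As an added self-audit for the ident and ssh host key points above (this is example code, not part of the original page): it parses /proc/net/tcp for a listener on tcp/113, checks whether an ident reply discloses a username, and computes the SHA256 fingerprint a remote observer would record for each host key. File paths assume Linux; the /proc/net/tcp rows and the ssh-ed25519 key line are constructed samples.

```python
import base64, glob, hashlib, struct

def listening_ports(proc_net_tcp_text):
    # /proc/net/tcp rows: "sl local_address rem_address st ..."; st 0A is LISTEN, port is hex
    ports = set()
    for fields in (line.split() for line in proc_net_tcp_text.splitlines()[1:]):
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def ident_reply_user(reply):
    # RFC 1413 reply "<ports> : USERID : <os> : <user>" discloses a user; ERROR replies do not
    parts = [p.strip() for p in reply.split(":", 3)]
    return parts[3] if len(parts) == 4 and parts[1].upper() == "USERID" else None

def host_key_fingerprint(pubkey_line):
    # SHA256 fingerprint of an OpenSSH public-key line, as ssh-keygen -l prints it
    keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def constructed_ed25519_pubkey(label):
    # Syntactically valid but constructed (not real) ssh-ed25519 key line; label seeds the 32 key bytes
    raw = hashlib.sha256(label.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

# Constructed /proc/net/tcp sample: ident (0x71 = 113) and sshd (0x16 = 22) listening; row 2 is ESTABLISHED (01)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0 100 0 0 10 0
   2: 0A000002:C3A8 5E4D1A2B:0016 01 00000000:00000000 00:00000000 00000000  1000        0 3 1 0 20 4 30 10 -1
"""

def audit_local_machine(proc_net_tcp="/proc/net/tcp", key_glob="/etc/ssh/ssh_host_*_key.pub"):
    # Report the two leak vectors from the page that can be checked from files on a Linux host
    findings = []
    try:
        with open(proc_net_tcp) as f:
            if 113 in listening_ports(f.read()):
                findings.append("ident server listening on tcp/113: remote hosts can map connections to your username")
    except OSError:
        pass                                   # not Linux, or /proc unavailable
    for path in glob.glob(key_glob):
        with open(path) as f:
            keytype, fp = host_key_fingerprint(f.read())
        findings.append(f"{path}: {keytype} {fp} (this fingerprint follows you across IP addresses)")
    return findings
```

Run audit_local_machine() after regenerating the host keys and the reported fingerprints should differ from the ones printed before.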
Terminal Services/rdesktop
By default, both rdesktop (for Linux) and Microsoft's Terminal Services Client (mstsc.exe) will send your hostname and username to the machine you connect to. In rdesktop, you can override the username with the -u switch, and the hostname with the -n switch. In the MS Terminal Services Client, you can change your username in the "Options" button, but it's not clear that there is any way to avoid transmitting your machine name. Again, in Windows you can change your hostname via either NewSid or via the registry.
SMB/NMBD
Machines running Windows file serving broadcast their computer name and description in SMB Master Browser Elections. You probably don't want this traffic spewing across your network connection if you wish to be anonymous. This is how you turn it off in Windows.
In general, it's a good idea not to name your machine something like "Bob Fnord's Evil Hacking Box of Doom", or "JoeSmithsLinuxBox".
Under Mac OS, these services can be turned off under the "Sharing" icon in System Preferences. I would turn just about all of those off if I were you.
Under Linux, you can either remove smbd and nmbd from /etc/rcN.d/ or you can run chkconfig smbd off and chkconfig nmbd off. Note that this just prevents the services from starting. To shut them off, run /etc/init.d/smbd stop (and again for nmbd).
FIXME_WIN32: Server and TCP/IP netbios helper? Is netbios EPM?.. Also check snmp.
mDNSResponder (Bonjour/Rendezvous/ZeroConf)
mDNSResponder is Apple's implementation of ZeroConf, which is used to configure your computer on a network automatically. It also can be used to announce information about your iTunes, iPhoto, and iChat profiles. Obviously this may be undesirable. To turn it off:
[user@machine ~/dir]$ sudo /System/Library/StartupItems/mDNSResponder/mDNSResponder stop
And to re-enable it:
[user@machine ~/dir]$ sudo /System/Library/StartupItems/mDNSResponder/mDNSResponder start
To permanently disable it, you can erase or move the mDNSResponder directory from the StartupItems folder.
It should be noted there is also an mDNSResponder installed by default on some Linux systems. You probably want to remove it from /etc/rcN.d, or run chkconfig mDNSResponder off. Don't forget you also have to stop it with /etc/init.d/mDNSResponder stop, since chkconfig only removes it from bootup.
An mdnsresponder.exe is also installed with the Windows version of iTunes. You probably want to remove it/rename it so it is not started. You can check with Task Manager or Process Explorer to see if you have a copy running.
UPNP
UPNP is Microsoft's half-assed attempt at a ZeroConf protocol. It basically does the same thing ZeroConf does, and probably should be disabled. Here is a utility to turn it off. Note that you don't need their utility to turn it off. You can go into Control Panel->Administrative Tools->Services and first STOP and then DISABLE the "Universal Plug and Play Device Host" service. Do the same with "SSDP Directory Services".