The finger and whois services look up information about users and sites on the Internet. They are the closest thing we have to real services for finding out information about people on the Internet at large.
The finger service looks up information about users. This information may include the person's real name, username, and information about when they most recently logged in and where they logged in from. finger can also be used to show the list of all users currently logged into a host. finger is designed to allow people to find each other, but it gives out more information than you probably want to make available. Intruders find it invaluable; it will tell them what the valid usernames on the host are, which of them are not in use, and when people are logged in who are likely to notice their activity.
We recommend that you limit incoming finger requests to a bastion host, and that you run a replacement finger server on that host. Chapter 5 discusses how to construct and install a replacement finger server.
Outgoing finger requests are also mildly problematic. The finger protocol has no command channel to the client, so command channel attacks are nonexistent, but data-driven attacks are possible. Most common finger clients do no filtering on the data they receive from the server. The attacks possible through this data channel are mostly annoyances; the nasty finger server sends back immense amounts of data or makes your terminal beep 400 times and start displaying black letters on a black background. Some of them are more serious. There are terminals that are programmable with control characters, so that a finger server can send back data that reprograms the "e" key so that it executes the command "rm -rf/*" or a command that mails your password file off. Such terminals are not particularly widespread these days (the most popular terminal emulators don't support this kind of thing), but they still exist, and so do terminal emulators that are overly faithful and reproduce these behaviors. If you are using intelligent terminals, or terminal emulators set up to emulate mainframe terminals with programmable function keys, you may be vulnerable.
In general, data-driven attacks on finger are not a major concern, but if your users frequently use finger to external sites - particularly universities, which have lots of people who still think making your terminal beep 400 times is amusing - you may want to run a replacement finger client that filters out control characters and limits the amount of returned data it will accept. [27]
[27] This will prevent you from appreciating the cleverness of people who have managed to put animations in their .plan files using only VT100 control sequences, but that's not a major loss.
A modified finger with an extended protocol is available from the GNU Project. This version of finger supports some useful features for large sites (for example, it lets one machine keep track of the most recent login times for an entire network, so that users are not constantly complaining that they're incorrect), but it does not include any security enhancements on either the server or the client ends. Several pieces of information it makes available are clearly undesirable to provide to attackers (for example, it will provide a list of machines that are idle and/or have no users logged in). The security implications of the extended protocol it uses are unclear.
finger is a TCP-based service. Servers use port 79. Clients use ports above 1023.
Direc- | Source | Dest. | Pro- | Source | Dest. | ACK | |
---|---|---|---|---|---|---|---|
tion | Addr. | Addr. | tocol | Port | Port | Set | Notes |
In | Ext | Int | TCP | >1023 | 79 | [28] | Incoming query, client to server |
Out | Int | Ext | TCP | 79 | >1023 | Yes | Outgoing response, server to client |
Out | Int | Ext | TCP | >1023 | 79 | [28] | Outgoing query, client to server |
In | Ext | Int | TCP | 79 | >1023 | Yes | Incoming response, server to client |
[28] ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
SOCKS provides a modified finger client for UNIX, and finger clients on other platforms should be easy to modify to use SOCKS. Some finger servers support the notation finger user@host@proxying-host, which sends the request to the proxying host and from there to the destination host. If this form of proxying is available, however, it will work equally for external and internal users. External users will be able to use it to reach your internal hosts, which you may find undesirable.
Limit incoming finger requests to a bastion host.
Run a replacement finger service on the bastion host.
Permit outgoing finger requests, but consider running a replacement finger client.
whois is another information-lookup protocol, much like finger. It is commonly used to obtain public information about hosts, networks, domains, and the people who manage them from various Network Information Centers (NICs, such as rs.internic.net). Sites generally don't provide their own whois server; they merely access the whois servers at the NICs. People don't expect other sites to run whois servers (in fact, the user doesn't ordinarily specify a server when he runs whois; instead, the program uses a server that was specified when it was compiled).
The data that is available via whois is not necessarily of much interest to normal users. Although long-time Internet users may believe otherwise, whois provides data about only a fraction of the people on the Internet. Unless you're looking for information about somebody who runs a site, whois probably isn't going to tell you anything useful, and what it does tell you may not be up to date. At most sites, the only people who have any use for it are system and network administrators. Many NICs also make much of this data available via other methods, such as the World Wide Web.
On the other hand, there have been no known security problems with whois clients and any that occurred would have to be data-driven. (All that a whois server can do to a client is to return data.) Because whois is almost never used with arbitrary servers, in order to do any real damage somebody who manages to find a data-driven bug in a whois client would have to compromise, subvert, or forge packets from the most frequently used and most secure machines on the Internet. Furthermore, while finger shows data that was entered by random users, whois pulls its information from a central database. Therefore, if your users want to use whois clients, there's no reason to prevent them. If they don't have any particular desire to use whois, there's no reason to make it available.
whois is TCP-based. Servers use port 43. Clients use random ports above 1023.
Direc- | Source | Dest. | Pro- | Source | Dest. | ACK | |
---|---|---|---|---|---|---|---|
tion | Addr. | Addr. | tocol | Port | Port | Set | Notes |
Out | Int | Ext | TCP | >1023 | 43 | [29] | Outgoing query, client to server |
In | Ext | Int | TCP | 43 | >1023 | Yes | Incoming response, server to client |
[29] ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
SOCKS does not provide a modified whois client, and TIS FWTK does not provide a whois proxy server. Because whois is a straightforward single-connection protocol with plenty of user-specified data, it would be trivial to modify whois clients for SOCKS, and relatively simple to write a modified-procedure proxy server for it. Because most whois connections are to a single host (rs.internic.net), you could use the TIS FWTK plug-gw program on your bastion host to relay all connections to the whois port on the bastion host on to rs.internic.net.
You don't need to run an externally visible whois server.
Don't allow incoming whois queries unless you put a server up.
Allow outgoing whois queries, at least from the machines your system and network administrators are likely to use.