Secure the .rhosts and hosts.equiv Files to Avoid Linux Hacks
Linux — and all the flavors of UNIX — are file-based operating systems. Practically everything that’s done on the system involves the manipulation of files, which is why so many attacks against Linux happen at the file level. Securing the .rhosts and hosts.equiv files will help you protect against hackers.
Hacks that use the .rhosts and hosts.equiv files
If hackers can capture a user ID and password by using a network analyzer or can crash an application and gain root access via a buffer overflow, one thing they look for is what users are trusted by the local system. That’s why it’s critical to assess these files yourself. The /etc/hosts.equiv and .rhosts files list this information.
The $HOME/.rhosts files in Linux specify which remote users can run the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) against the local system without a password. This file lives in a specific user’s (including root’s) home directory, such as /home/jsmith. Each line names a remote host and, optionally, a user on that host. A .rhosts file may look like this:
tribe scott
tribe eddie
This file allows users Scott and Eddie on the remote system tribe to log in to the local host with the same privileges as the local user. If a plus sign (+) is entered in the remote-host and user fields, any user from any host can log in to the local system. The hacker can add entries to this file by using either of these tricks:
Manually manipulating the file
Running a script that exploits an unsecured Common Gateway Interface (CGI) script on a web-server application that’s running on the system
This configuration file is a prime target for a malicious attack. On most Linux systems, these files aren’t enabled by default. However, a user can create one in his or her home directory on the system — intentionally or accidentally — which can create a major security hole on the system.
The /etc/hosts.equiv file won’t give away root access information, but it does specify which accounts on the system can access services on the local host. For example, if tribe were listed in this file, all users on the tribe system would be allowed access.
As with the .rhosts file, external hackers can read this file and then spoof their IP address and hostname to gain unauthorized access to the local system. Hackers can also use the names located in the .rhosts and hosts.equiv files to look for names of other computers to attack.
Countermeasures against .rhosts and hosts.equiv file attacks
Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.
A good way to prevent abuse of these files is to disable the BSD r-commands. This can be done in two ways:
Comment out the lines starting with shell, login, and exec in inetd.conf.
Edit the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor and change disable=no to disable=yes.
In Red Hat Enterprise Linux, you can disable the BSD r-commands with the setup program:
Enter setup at a command prompt.
Choose System Services from the menu.
Remove the asterisks next to each of the r-services.
A couple of countermeasures can block rogue access of the .rhosts and hosts.equiv files:
Block spoofed addresses at the firewall.
Set read and write permission on each file for its owner only (mode 600), so that other users can neither read the trusted-host list nor add entries to it.
.rhosts: Enter this command in each user’s home directory:
chmod 600 .rhosts
hosts.equiv: Enter this command in the /etc directory:
chmod 600 hosts.equiv
You can also use Tripwire to monitor these files and alert you when access is obtained or changes are made.
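The checks above (no wildcard entries, mode 600 on each file) can be scripted. The following audit script is an added example, not part of the original article; it creates a constructed sample home-directory tree under a temporary directory so it runs stand-alone, and the sample hostnames and users are made up.

```shell
#!/bin/sh
# Audit .rhosts / hosts.equiv files for wildcard "+" entries and for
# permissions looser than mode 600. Added example, not from the article.

# audit_trust_file FILE: print one finding per line; return 0 if clean, 1 otherwise.
audit_trust_file() {
    f="$1"; rc=0
    [ -f "$f" ] || return 0                      # no file, nothing to audit
    # GNU stat first, BSD/macOS stat as fallback, both yield octal mode like "600".
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode (expected 600)"; rc=1 ;;
    esac
    # Each entry is "host [user]"; a "+" in either field trusts everyone.
    while read -r host user rest; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        if [ "$host" = "+" ] || [ "$user" = "+" ]; then
            echo "$f: wildcard entry: $host $user"; rc=1
        fi
    done < "$f"
    return $rc
}

# audit_home_dirs BASE: audit BASE/*/.rhosts (e.g. BASE=/home); return 1 if any finding.
audit_home_dirs() {
    any=0
    for h in "$1"/*/; do
        audit_trust_file "${h}.rhosts" || any=1
    done
    return $any
}

# make_sample_dir: build a constructed fixture (hypothetical users and hosts) and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/jsmith" "$d/bob"
    printf 'tribe scott\ntribe eddie\n' > "$d/jsmith/.rhosts"   # explicit hosts and users: clean
    printf '+ +\n' > "$d/bob/.rhosts"                           # trusts everyone: finding
    printf 'tribe\n+\n' > "$d/hosts.equiv"                      # wildcard host, left world-readable
    chmod 600 "$d/jsmith/.rhosts" "$d/bob/.rhosts"
    chmod 644 "$d/hosts.equiv"
    echo "$d"
}
```

On a real system you would run audit_home_dirs /home and audit_trust_file /etc/hosts.equiv as root and treat any non-zero exit as something to investigate.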