Anonymizing VOS


We have gotten a number of requests for information on how to change the login and FTP banners so that they do not identify the type of system and the specific release. It appears that this identification is now a check box on at least some system auditing lists. The idea is that once the OS and release are known, the universe of possible exploits, default user names and passwords, and vulnerabilities is also known, so providing this information to anyone who connects to the system without first authenticating is not a good idea.

There are, however, other applications that also provide this information to unauthenticated users. I think the auditors just haven't realized this yet.

This document provides information on how to change STCP Simple Network Management Protocol (SNMP), EMANATE (SNMP) for VOS, Network Time Protocol, and Apache Web Server. I also include the VOS login banner, and TCP_OS and STCP FTP banners just for completeness.

You could argue that the STCP SNMP and EMANATE for VOS connections are not unauthenticated since the requests must include the SNMP community string. However, the default community string "public" is well known and since it is not encrypted in the packet anyone with a network analyzer will be able to see what it is; so I've included them.

VOS login banner:

This process was originally described in >system>doc>cac_newsletter_0012 (search for "Please login") but it is now slightly out of date. The new process is:

1) copy >system>error>error_codes.tin to >system>error>error_codes.tin.backup (just in case)

2) edit the >system>error>error_codes.tin file to null out the m$login_banner message, changing:

/    =num   3488
     =name  m$login_banner
     =text  '&a1&, &a2&, Module &a3&'
     =category os_message_codes
to:
/    =num   3488
     =name  m$login_banner
     =text  ''
     =category os_message_codes

3) execute the command update_codes.cm (this will take a while)

4) rename >system>error_codes.text to >system>error_codes.text.old

5) Move the newly created error_codes.text file to >system as error_codes.text.

6) logging in now gives

Please login  09:58:33
Instead of
System/32, VOS Release 14.2.3ab, Module %phx_cac_j14#m14
Please login  09:57:44

TCP_OS FTP banner:

Note that when you do this it will not be possible for FTP clients to recognize that they are connected to a VOS system. This will prevent the "type sequential" command from working when the FTP client is another VOS system and may prevent certain Windows based GUI clients from working correctly. Removing the host name may also prevent applications running on the module from working correctly; this depends on how the application is written. If it causes a problem, restoring the host name creates less of a security issue than the FTP banner itself (assuming that the host name doesn't identify the type of system).

1) Use the command get_external_variable to check the value of the version string in ftpd.pm

get_external_variable version -in >system>tcp_os>command_library>ftpd.pm -type char
OS TCP/IP`00
2) Use the set_external_variable command to overwrite the first word of the string with the integer 0. This writes four null bytes over "OS T", and since the string is null terminated it now reads as empty. Note that you cannot do this while ftpd.pm is executing.
set_external_variable version -in >system>tcp_os>command_library>ftpd.pm -to 0 -type integer
3) Double check by doing another get_external_variable
get_external_variable version -in >system>tcp_os>command_library>ftpd.pm -type char
`00`00`00`00CP/IP`00
4) Now set the host name to NULL with the sethost command
sethost -hostname ' '

Current hostname is
Current hostid is 0
5) Connecting to the module via FTP now returns a 220 banner that looks like:
220 FTP server () ready.
Instead of
220 athena FTP server (OS TCP/IP) ready.

STCP FTP banner:

Note that when you do this it will not be possible for FTP clients to recognize that they are connected to a VOS system. This will prevent the "type sequential" command from working when the FTP client is another VOS system and may prevent certain Windows based GUI clients from working correctly. Removing the host name may also prevent applications running on the module from working correctly; this depends on how the application is written. If it causes a problem, restoring the host name creates less of a security issue than the FTP banner itself (assuming that the host name doesn't identify the type of system).

1) Use the command get_external_variable to check the value of the version string in ftpd_ch.pm

get_external_variable version -in >system>stcp>command_library>ftpd_ch.pm -type char
FTP 1.0 for Stratus STCP`00`00
2) Use the set_external_variable command to overwrite the first word of the string with the integer 0. This writes four null bytes over "FTP ", and since the string is null terminated it now reads as empty. Note that you cannot do this while ftpd_ch.pm is executing.
set_external_variable version -in >system>stcp>command_library>ftpd_ch.pm -to 0 -type integer
3) Double check by doing another get_external_variable
get_external_variable version -in >system>stcp>command_library>ftpd_ch.pm -type char
`00`00`00`001.0 for Stratus STCP`00`00
4) Use the command get_external_variable to check the value of the compat_vers string in ftpd_ch.pm
get_external_variable compat_vers -in >system>stcp>command_library>ftpd_ch.pm -type char
OS TCP/IP`00
5) Use the set_external_variable command to overwrite the first word of compat_vers with 0 in the same way. Note that you cannot do this while ftpd_ch.pm is executing.
set_external_variable compat_vers -in >system>stcp>command_library>ftpd_ch.pm -to 0 -type integer
6) Double check by doing another get_external_variable
get_external_variable compat_vers -in >system>stcp>command_library>ftpd_ch.pm -type char
`00`00`00`00CP/IP`00
7) Set the host name to null with the hostname command.
hostname ' '

ready  13:37:07
8) Connecting to the module via FTP now returns a 220 banner that looks like:
 220 FTP server () ready. (Compatible with )
Instead of
 220 Athena_S FTP server (FTP 1.0 for Stratus STCP) ready. (Compatible with OS 
 +TCP/IP)
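
As an added example (not from the page or from Stratus), here is a small Python audit of what the 220 greeting gives away, using the four greetings shown above for the TCP_OS and STCP servers as constructed sample input. The grab_greeting helper, the host name it is given and the KNOWN_VOS_PRODUCTS list are assumptions of the example, not VOS identifiers.

```python
"""FTP greeting audit: read the 220 line a module sends before any login and
report what it reveals.  Added example for this page, not Stratus code; the
greetings in SAMPLE_GREETINGS are copied from the text, host names are constructed."""
import re
import socket

# Product strings the page shows the two VOS FTP servers placing in the 220 line.
KNOWN_VOS_PRODUCTS = ("OS TCP/IP", "FTP 1.0 for Stratus STCP")

# 220 [host] FTP server (product) ready. [(Compatible with product)]
GREETING_RE = re.compile(
    r"^220[\s-](?P<host>\S*)\s*FTP server \((?P<product>[^)]*)\) ready\."
    r"(?:\s*\(Compatible with (?P<compat>[^)]*)\))?"
)

SAMPLE_GREETINGS = [  # from the page, before and after the changes
    "220 athena FTP server (OS TCP/IP) ready.",
    "220 FTP server () ready.",
    "220 Athena_S FTP server (FTP 1.0 for Stratus STCP) ready. (Compatible with OS TCP/IP)",
    "220 FTP server () ready. (Compatible with )",
]


def parse_greeting(line: str) -> dict:
    """Return host/product/compat from a VOS-style 220 line, or {} if it does not match."""
    m = GREETING_RE.match(line.strip())
    if not m:
        return {}
    return {k: (v or "").strip() for k, v in m.groupdict().items()}


def disclosures(line: str) -> list:
    """What an unauthenticated client learns from this greeting (empty list = nothing)."""
    fields = parse_greeting(line)
    if not fields:
        # Unknown format: report the whole line so a reviewer can look at it.
        return ["unparsed greeting: " + line.strip()] if line.strip() else []
    found = []
    if fields["host"]:
        found.append("hostname: " + fields["host"])
    for key in ("product", "compat"):
        if fields[key]:
            label = "VOS product" if fields[key] in KNOWN_VOS_PRODUCTS else "product"
            found.append(f"{label}: {fields[key]}")
    return found


def grab_greeting(host: str, port: int = 21, timeout: float = 5.0) -> str:
    """Read the greeting from a live server (needs network access; host is yours to supply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="latin-1")
        line = reader.readline()
        while line.startswith("220-"):   # multi-line greeting: skip to the final "220 " line
            line = reader.readline()
        return line.rstrip("\r\n")


if __name__ == "__main__":
    for greeting in SAMPLE_GREETINGS:
        print(greeting)
        print("   ->", disclosures(greeting) or "nothing identifying")
```

Run it against a module with disclosures(grab_greeting("your-module")) before and after the set_external_variable and hostname steps; an empty list is the goal, and an "unparsed greeting" entry means the server is not answering in the VOS format at all and should be looked at by hand.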

STCP Simple Network Management Protocol

The SNMP variable sysDescr is currently coded to default to the string "Streams-based TCP/IP (STCP) for VOS". Starting in release 17 the default will change to the release string from the kernel. Anyone who knows the SNMP community string, aka password, can query the SNMP agent for this variable. The default community string is "public" (this is a well known default and should be changed).

Currently the sysDescr variable is NOT documented in the Streams TCP/IP Administrators Guide (R419). A request to document it has been made in bug doc-3835. However, you can change it by adding a line in the >system>stcp>snmpconf file and then restarting the snmpd process. The line should look something like:

sysDescr = No description available
Querying the SNMP agent for the sysDescr value will now return
    "No description available"
Instead of
    "Streams-based TCP/IP (STCP) for VOS"

EMANATE (Simple Network Management Protocol) for VOS:

The SNMP variable SysDescr is defined in the >system>vsnmpmgr>conf>snmpd.cnf file to return a string indicating the VOS operating system and the release name.
# Entry type: sysDescr
# Entry format: octetString
sysDescr  "VOS release:VOS Release 16.1.0aa version:Tue Sep 19 17:18:58 UTC 2006 machine:i786"
To remove this information comment out the existing line with the # character and add another line defining sysDescr to whatever is appropriate.
# Entry type: sysDescr
# Entry format: octetString
# sysDescr  "VOS release:VOS Release 16.1.0aa version:Tue Sep 19 17:18:58 UTC 2006 machine:i786"
sysDescr  "No description available"
Querying the SNMP agent for the sysDescr value will now return
    "No description available"
Instead of
    "VOS release:VOS Release 16.1.0aa version:Tue Sep 19 17:18:58 UTC 2006 machine:i786"

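Both SNMP agents hand sysDescr to anyone who knows the community string, and with SNMPv1 that string crosses the network in clear text. As an added example (not from the page, from Stratus or from any SNMP library), the following Python builds the SNMPv1 GetRequest for sysDescr.0 with a hand-rolled BER encoder, decodes the agent's GetResponse, and shows the community sitting in the request bytes. The agent address, the community and the sample reply are constructed here; the reply text is the STCP default quoted above.

```python
"""SNMPv1 sysDescr query with a hand-rolled BER encoder/decoder.  Added example
for this page, not Stratus code; the community string, agent address and the
sample response are constructed here (the response text is the page's default)."""
import socket
import struct

SYSDESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # SNMPv2-MIB::sysDescr.0


# --- BER encoding (only the pieces an SNMPv1 GET needs) -----------------------
def _length(n: int) -> bytes:
    return bytes([n]) if n < 128 else b"\x82" + struct.pack(">H", n)


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _integer(v: int) -> bytes:
    # shortest big-endian two's complement for a non-negative value
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def _oid(arcs) -> bytes:
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def build_get_request(community: bytes, request_id: int, oid=SYSDESCR_OID) -> bytes:
    """GetRequest-PDU (tag 0xA0) for one OID, wrapped in an SNMPv1 (version 0) message."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))       # {OID, NULL}
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + varbinds)
    return _tlv(0x30, _integer(0) + _tlv(0x04, community) + pdu)


def build_get_response(community: bytes, request_id: int, value: bytes, oid=SYSDESCR_OID) -> bytes:
    """The agent's GetResponse-PDU (tag 0xA2); used here to exercise the decoder offline."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + _tlv(0x04, value)))
    pdu = _tlv(0xA2, _integer(request_id) + _integer(0) + _integer(0) + varbinds)
    return _tlv(0x30, _integer(0) + _tlv(0x04, community) + pdu)


# --- BER decoding --------------------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long form: low bits give the number of length bytes
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln


def parse_get_response(packet: bytes) -> dict:
    """Decode an SNMPv1 GetResponse and return the first varbind's value."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)                  # error-index
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, first_vb, _ = _read_tlv(varbinds, 0)
    _, _, pos = _read_tlv(first_vb, 0)               # the OID echoed back
    vtag, value, _ = _read_tlv(first_vb, pos)
    return {
        "version": int.from_bytes(version, "big"),
        "community": community.decode("latin-1"),    # travels in clear text
        "request_id": int.from_bytes(rid, "big"),
        "error_status": int.from_bytes(err, "big"),
        "value": value.decode("latin-1") if vtag == 0x04 else value,
    }


def query_sysdescr(host: str, community: bytes = b"public", timeout: float = 3.0):
    """Send the GET to UDP/161 and decode the reply; None on timeout (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, 1), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data)


if __name__ == "__main__":
    req = build_get_request(b"public", 1)
    print("request bytes on the wire:", req.hex())
    print("community visible in clear text:", b"public" in req)
    # constructed reply carrying the page's default sysDescr
    reply = build_get_response(b"public", 1, b"Streams-based TCP/IP (STCP) for VOS")
    print("sysDescr:", parse_get_response(reply)["value"])
```

The request hex the script prints is exactly what a network analyzer shows on the wire, with "public" readable in the middle of it; that is the whole argument for treating the SNMP queries as unauthenticated. Running query_sysdescr against a module after the snmpconf or snmpd.cnf change should return the replacement description, and a None result means the agent is filtering or not answering, which is worth distinguishing from an empty string.
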
Network Time Protocol

In response to a READVAR control request (what the rv command in ntpq sends), the network time protocol daemon returns information about the time server, including the name and release of the operating system it is running under. This request can be made from any system with the ntpq command installed.

To prevent this, add two restrict commands to the end of the >system>ntp>ntp.conf file and then stop and restart ntpd. A restrict command limits the server's response to the identified hosts according to the flags that follow the IP address and optional netmask; the word default in place of an address refers to all hosts.

For Example

# server directives indicate where to get time from.
server 10.1.77.248
server 172.16.77.249

# Home for the logfile.  Pick a good relative path - VOS absolute
# pathnames can't be parsed correctly.
logfile >system>ntp>ntp.logfile

# Home for the driftfile.
driftfile >system>ntp>ntp.drift

restrict default noquery
restrict 127.0.0.1

The first restrict command prevents the server from responding to any host with anything other than time: the noquery flag refuses the mode 6 and mode 7 control queries that ntpq and ntpdc use but leaves ordinary time requests alone. The second restrict command, because it has no flags, allows any type of query but only from the local host. ntpd applies the most specific matching restrict entry, so this entry overrides the default restriction for 127.0.0.1.

The result is that a query will not return anything

ntpq -n 192.168.77.34
ntpq> rv
192.168.77.34: timed out, nothing received
***Request timed out
ntpq>
Instead of returning
ntpq -n 192.168.77.34
ntpq> rv
status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,
version="ntpd 4.2.0@1.1161-r Wed Oct  4 15:12:50 edt 2006 (1)",
processor="i786", system="VOS/VOS Release 15.3.0az", leap=00, stratum=5,
precision=-22, rootdelay=94.558, rootdispersion=222.904, peer=2972,
refid=10.1.77.248,
reftime=cd35ce1d.c2f65372  Thu, Feb  5 2009 13:44:13.761, poll=7,
clock=cd35ce7d.f5788f20  Thu, Feb  5 2009 13:45:49.958, state=4,
offset=8.693, frequency=3.348, jitter=30.311, stability=0.053
ntpq>
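
What ntpq actually sends for rv is a 12-byte mode 6 control packet with opcode READVAR, and the reply carries the variables above as a comma-separated text list. As an added example (not from the page, from ntpd or from ntpq), the following Python builds that request, decodes a reply, and returns None on the timeout that restrict default noquery produces. The sample reply is constructed from the variables quoted above; the version number placed in the packet header and any host you pass are assumptions of the example.

```python
"""NTP mode-6 READVAR: the control request `ntpq -c rv` sends, and a decoder for
the reply.  Added example for this page, not ntpd/ntpq code; the address, version
number and the sample reply (built from the variables the page shows) are constructed."""
import socket
import struct

CTL_VERSION = 2        # version number placed in the control packet (assumption of this example)
OP_READVAR = 2         # control opcode: read variables
HEADER = "!BBHHHHH"    # LI/VN/mode, R/E/M/opcode, sequence, status, assoc id, offset, count

SAMPLE_VARS = (b'version="ntpd 4.2.0@1.1161-r Wed Oct  4 15:12:50 edt 2006 (1)", '
               b'processor="i786", system="VOS/VOS Release 15.3.0az", leap=00, stratum=5')


def build_readvar_request(seq: int = 1, assoc_id: int = 0) -> bytes:
    """12-byte READVAR request; association 0 asks for the system variables."""
    first = (CTL_VERSION << 3) | 6                  # LI=0, version, mode 6 = control
    return struct.pack(HEADER, first, OP_READVAR, seq, 0, assoc_id, 0, 0)


def build_readvar_response(seq: int, data: bytes, status: int = 0x0644) -> bytes:
    """What a server answers (R bit set); used to exercise the decoder offline."""
    first = (CTL_VERSION << 3) | 6
    padded = data + b"\x00" * (-len(data) % 4)      # payload is padded to a 32-bit boundary
    return struct.pack(HEADER, first, 0x80 | OP_READVAR, seq, status, 0, 0, len(data)) + padded


def _split_vars(text: str) -> dict:
    """Turn 'a=1, b="x, y"' into {'a': '1', 'b': 'x, y'}, honouring double quotes."""
    out, cur, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted                     # quotes delimit, they are not part of the value
        elif ch == "," and not quoted:
            item = "".join(cur).strip()
            if item:
                key, _, value = item.partition("=")
                out[key.strip()] = value.strip()
            cur = []
        else:
            cur.append(ch)
    return out


def parse_control_response(pkt: bytes) -> dict:
    """Decode a mode-6 reply (first fragment only) into header fields plus its variables."""
    if len(pkt) < 12:
        raise ValueError("short control packet")
    first, op, seq, status, assoc, offset, count = struct.unpack(HEADER, pkt[:12])
    if first & 0x07 != 6:
        raise ValueError("not an NTP control packet")
    return {
        "response": bool(op & 0x80), "error": bool(op & 0x40), "more": bool(op & 0x20),
        "opcode": op & 0x1F, "seq": seq, "status": status, "assoc": assoc, "offset": offset,
        "vars": _split_vars(pkt[12:12 + count].decode("ascii", "replace")),
    }


def platform_leak(reply: dict) -> dict:
    """The variables that identify the host: the ones the restrict lines above hide."""
    return {k: reply["vars"].get(k) for k in ("system", "version", "processor")}


def readvar(host: str, timeout: float = 3.0):
    """Send READVAR to host:123; None on timeout, which is what restrict default noquery yields."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_readvar_request(), (host, 123))
        pkt, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_control_response(pkt)


if __name__ == "__main__":
    print("request:", build_readvar_request().hex())
    reply = parse_control_response(build_readvar_response(1, SAMPLE_VARS))
    print("leaked:", platform_leak(reply))
```

Long variable lists are split across several fragments with the M (more) bit set; this decoder only reads the first one, which is where system and version arrive, so it is enough for the check the page is making. A real reply with the E bit set is an error response and its data is a short message rather than a variable list.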

Apache Web Server:

The default server string that is returned in response to most requests includes the version of the Apache server as well as the OpenSSL version and an indication that the operating system is VOS. This is controlled by the ServerTokens directive in the >system>apache2>conf>httpd.conf file:
# ServerTokens
ServerTokens Full
The minimum information that can be returned is just the string "Apache". To configure Apache to return only this, comment out the existing line and add a new ServerTokens line setting the directive to Prod (short for ProductOnly). The same string is also used in the footer that Apache appends to server-generated pages such as error pages when ServerSignature is On; set ServerSignature Off as well if that footer should not reveal anything.
# ServerTokens
# ServerTokens Full
ServerTokens Prod
The result is that the server string will be
	Apache
Instead of
	Apache/2.0.55 (VOS) mod_ssl/2.0.55 OpenSSL/0.9.7e
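
As an added example (not from the page or from Apache), the following Python reads the Server header out of a response and splits it into product, version and comment, so the Full and Prod results above can be compared mechanically rather than by eye. The sample response bytes and the host passed to fetch_server_header are constructed for the example.

```python
"""Server header audit: what an HTTP client sees under ServerTokens Full vs Prod.
Added example for this page, not Apache code; the host and the sample response
bytes are constructed (the header values are the two the page shows)."""
import re
import socket

PRODUCT_RE = re.compile(r"[^\s/(]+(?:/\S+)?")    # product[/version]

SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Server: Apache/2.0.55 (VOS) mod_ssl/2.0.55 OpenSSL/0.9.7e\r\n"
                   b"Content-Type: text/html\r\n\r\n")


def server_header(raw: bytes):
    """Pull the Server header out of a raw HTTP response head; None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # [0] is the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def parse_server_header(value: str) -> list:
    """Split a Server header into (product, version, comment) triples; a parenthesised
    comment (possibly nested) attaches to the product token before it."""
    items, pos = [], 0
    while pos < len(value):
        ch = value[pos]
        if ch.isspace():
            pos += 1
        elif ch == "(":
            depth, start, pos = 1, pos + 1, pos + 1
            while pos < len(value) and depth:
                depth += {"(": 1, ")": -1}.get(value[pos], 0)
                pos += 1
            end = pos - 1 if depth == 0 else pos      # tolerate an unclosed comment
            comment = value[start:end].strip()
            if items:
                product, version, old = items[-1]
                items[-1] = (product, version, comment if old is None else old + " " + comment)
        else:
            m = PRODUCT_RE.match(value, pos)
            if not m:                                 # stray "/" etc.: skip it
                pos += 1
                continue
            product, _, version = m.group(0).partition("/")
            items.append((product, version or None, None))
            pos = m.end()
    return items


def disclosed(value: str) -> list:
    """Version numbers and OS comments an unauthenticated client can read off the header."""
    out = []
    for product, version, comment in parse_server_header(value):
        if version:
            out.append(f"{product}/{version}")
        if comment:
            out.append(f"({comment})")
    return out


def fetch_server_header(host: str, port: int = 80, timeout: float = 5.0):
    """HEAD / against a live server and return its Server header (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return server_header(raw)


if __name__ == "__main__":
    full = server_header(SAMPLE_RESPONSE)
    print("ServerTokens Full ->", full, "discloses", disclosed(full))
    print("ServerTokens Prod -> Apache discloses", disclosed("Apache"))
```

With ServerTokens Prod, disclosed() comes back empty for the header; run fetch_server_header against a module's port 80 (and 443 through an SSL wrapper, which this example does not include) to confirm the directive took effect after the restart.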


This page was last modified on 09-02-06
Send comments and suggestions to noah.davids@stratus.com