Basic DOS security for BBS operators - Roy Wilson 1:107/201@fidonet

After going over Scott Raymond's excellent TGSEC10 security package for Telegard, I saw the need to explain some basic DOS functions and tricks that do much the same thing. As I'm a registered user of 4DOS, and it will no longer run under my current configuration, the package by Scott is rather useless to me.

                    !!!!! BEFORE YOU BEGIN !!!!!
                    ----------------------------

    CREATE A BOOTABLE FLOPPY AND COPY YOUR AUTOEXEC.BAT,
    CONFIG.SYS, AND COMMAND.COM TO IT !!!!

    You may find that you've locked yourself out of some program, such as Telegard, and you will need to restore your old drive letters for a few moments in order to reconfigure another program.

    The ONLY program you MAY damage by using these hints is COMMAND.COM, and you can only damage that if you improperly save it from a hex editor. Editing your COMMAND.COM is ->NOT<- necessary, but it is a very good idea....... (hint, hint)

DOS 5.00.333 USERS:

    You may have noticed that a LOT of the commands that 4DOS entertains are now available to you, such as sorted directory listings. I've also found that Control-T from a DOS prompt gives you a listing that looks a hell of a lot like an alias table.... and of course it isn't documented.... if anyone finds out how to enter aliases, please let me know, and I'll be sure to incorporate it into the package.

    You may also wish to edit COMMAND.COM and change the calling name of the TRUENAME function. TRUENAME is also NOT documented, but its function is to return the TRUENAME of a drive/directory that has been MAPped, SUBSTituted, ASSIGNed, or JOINed. While a user would actually have to get to the DOS level of your machine to use the function, why take chances.

SECTOR EDITING FILES

    I use NU.EXE for sector editing; there are several other good editors out there.

    You don't _have_ to sector edit any file, but your system security will increase drastically if you do.

    MODERATE SECURITY

    First, edit COMMAND.COM, and change all instances of AUTOEXEC to something else - I used EXECAUTO here as an example.

    MAXIMUM SECURITY

    Next, for maximum security, search COMMAND.COM for the string that looks like this: .COM.EXE.BAT (it's at the end) and change the .BAT to something else - I kept it as .BAT for this example file.

        IF YOU DO THIS YOU MUST RENAME ALL .BAT FILES ON YOUR SYSTEM !

    You will also have to edit Telegard's BBS.* files, and all instances of .BAT to the new extension.

Notice that the LASTDRIVE command is set to Z in the CONFIG.SYS file. This is for the SUBST commands in the EXECAUTO.BAT file. DOS will not allow you to FORMAT or RECOVER a SUBSTituted device. Neat trick, eh? This prevents most of your basic formatters from accessing your drives. I set all the Telegard defaults to Z:\BBS, which makes it that much harder for an intruder to find things.

I'm leaving the command as SUBST here in the file for clarity. It's an external DOS command, usually SUBST.EXE. I renamed it on my system to a name that nobody would manage to puzzle out, and I suggest you do the same once you are comfortable with it. At the end of this document is a section on restoring SUBSTituted drives back to their true names.

If you reconfigure Telegard to the SUBST drive letters, even if a user manages to get to DOS and undo the substitutions, Telegard will lock up and drop carrier on them -- and as soon as your system reboots, the substitutions will be re-enabled!

You'll notice that I write complex batch files. Don't worry about it, they work (usually.....grin). I'm going to explain what each step (label) in the files does at the end of each file.
I'm including here edited samples of my:

    CONFIG.SYS   - Sets up the system parameters
    EXECAUTO.BAT - Autoexec file - see above about the name
    RUNDB.BAT    - Starts up the mailer

Needless to say, I actually use different drive letters and paths on my own system, and I've edited out all my FidoNet Hub batch sections - after all, it's pretty dumb to write a 'How to Protect Your System' file and give people a detailed 'How to Kill' map of my own system........

********************************
The CONFIG.SYS file:
********************************

FCBS=100,30

    FCBS, or File Control Blocks, is an old CP/M compatibility kludge which still remains in DOS. It controls the available number of open file handles. I've found that it helps considerably for programmers, or anyone else who may have a LOT of files open at any given moment.

FILES=50
BUFFERS=50

    Set these according to what works best on your system.

BREAK=ON

    This allows DOS to read a Ctrl-C or Ctrl-Break more often than it normally checks for it.

LASTDRIVE=Z

    Sets the highest drive letter allowed to 'Z:'. See the EXECAUTO.BAT label 'SAFETY' for _why_ this should be set to 'Z'.

DEVICE=Z:\DRIVERS\x00.sys 1 E B,1,19200

    Turns on the FOSSIL communications driver, and locks the serial port.

DEVICE=Z:\DRIVERS\gateway2.sys -f -2

    GATEWAY2 is my remote DOS redirection device. You may use doorway, doormaster, or some other such device. I've found this one to work the best on my system.

DEVICE=Z:\DRIVERS\zansiega.sys

    ZANSIEGA.SYS is a version of ZANSI that has been optimized for EGA / VGA displays. It's file requestable from 1:107/323, Fabian Gordon, the person who made the modifications. It's very fast.

********************************
The 'EXECAUTO.BAT' file:
********************************

:TOP
PROMPT EXECAUTO$G

    This sets the system prompt to EXECAUTO>, so I know where I broke out of the batch in local mode.

Verify off

    Since the DOS VERIFY command doesn't really verify, I suggest you turn this off.
    You may notice a slight speed increase in floppy drive writes.

:SAFETY
SUBST X: C:\PROTOCOLS
SUBST W: C:\ARCHIVERS
SUBST Z: C:\
SUBST Y: D:\
SUBST C: Z:\IDIOTS
SUBST D: Z:\IDIOTS
SUBST E: Z:\IDIOTS
SUBST F: Z:\IDIOTS
SUBST G: Z:\IDIOTS
SUBST H: Z:\IDIOTS
SUBST I: Z:\IDIOTS
SUBST J: Z:\IDIOTS
SUBST K: Z:\IDIOTS
SUBST L: Z:\IDIOTS
SUBST M: Z:\IDIOTS
SUBST N: Z:\IDIOTS
SUBST O: Z:\IDIOTS
SUBST P: Z:\IDIOTS
SUBST Q: Z:\IDIOTS
SUBST R: Z:\IDIOTS
SUBST S: Z:\IDIOTS
SUBST T: Z:\IDIOTS
SUBST U: Z:\IDIOTS
SUBST V: Z:\IDIOTS

    Build a directory structure off one of your drives that looks like this:

        C:\IDIOTS
           |
           +-- BBS

    In the IDIOTS directory, put a garbage AUTOEXEC.BAT, CONFIG.SYS, and COMMAND.COM. I renamed a GIF file COMMAND.COM for mine; I'd love to see someone pipe THAT! Fill the BBS directory with garbage named STATUS.DAT, USERS.LST, BBS.EXE, etc.

    The DOS SUBSTitute command allows you to exchange paths for virtual drive letters. You also can NOT either FORMAT or RECOVER a SUBSTituted device. Also, I'd recommend you delete RECOVER.COM from your hard disks. You'll probably never need it, and it's dangerous. Renaming your FORMAT command is a good idea as well.

    By setting all the SUBSTitutes above, a user uploading to or changing to any of the above drive letters always ends up in \IDIOTS. I had a user trying so hard to crash me, I turned DSZ's RESTRICT command off, just to see what he was trying to upload. He kept on trying to run his little trojan (DEATH.ZIP), all to no avail!

COMSPEC=Z:\COMMAND.COM /E:2048 /P

    This sets the COMSPEC, which tells DOS where to find COMMAND.COM whenever it needs it. The /E:2048 tells it to use 2k of memory for environment space, to store all the settings I make in my EXECAUTO.BAT, and for the massive prompt string I use. The /P means 'Make this PERMANENT', or, 'IGNORE ANY OTHER COMMAND.COM'.
    Notice that the Permanent copy is on virtual drive 'Z:', which doesn't really exist. It's really a substitution of 'C:', which you'll see in the 'SAFETY' section. By doing this, anyone attempting to either pipe (|) or redirect (><) command.com from C: will end up attempting to run the renamed .GIF file in the \IDIOTS directory.

:SET ENVIRONMENT
PATH=Z:\;Z:\DOS;Z:\UTILS;Z:\BELFRY;Z:\QEDIT;Z:\BBS;..;

    This is my PATH setting, to tell DOS where to find things. I left \BBS named here so you can see that it should be PATHed. Rename your BBS directory! The ..; on the end tells DOS that if it can't find a command anywhere else, it should look back one directory from where you currently are. This is an EXTREMELY useful feature, and I suggest that everyone use it.

SET ZIPCOMNT=Z:\logo.asc

    This sets the file LOGO.ASC as the default comment for all the ZIP files that are on my system.

SET DSZLOG=Z:\DB\LOGS\xfer.log

    This is REQUIRED for DSZ to run properly. You can set it to any path you like, but it must be SET.

:VACCINE
CALL Vshield

    VSHIELD is a memory-resident virus scanner which McAfee Associates distributes. It's caught several attempts by people attempting to infect my system. I highly recommend it.

:SET_FOSSIL
XU LOCK:1:19200

    This tells my FOSSIL driver (x00.sys) to lock COM2 at 19,200 baud. Use this with high-speed modems.

XU PORT:1:ON

    Tells x00 to enable FIDO on COM2.

:START_MAILER
@PROMPT $e[s$e[2;0f$e[K$e[1;0f$e[1;32;40m$e[K $d$e[1;65f$e[31m$t$e[1;30f$e[33m$p$e[u$e[36m$g

    This is a really neat prompt string (it is all one line). It only works on color monitors, and only if ANSI.SYS is enabled. Give it a try.

Z:\BELFRY\RUNDB.BAT

    This exits EXECAUTO.BAT, and calls the batch file which actually starts up the mailer (D'Bridge, in my case). I keep all my BAT's in the \BELFRY....
    grin

*************************************
The 'RUNDB.BAT' file
*************************************

:PROTECT
ATTRIB +R Z:\execauto.bat
ATTRIB +R Z:\config.sys
ATTRIB +R Z:\BBS\bbs.exe
ATTRIB +R Z:\BBS\bbs.ovr
ATTRIB +R Z:\BBS\logoff.bat
ATTRIB +R Z:\BBS\logon.bat

    This sets all the above files to READ ONLY. If you don't currently have a LOGOFF.BAT and/or a LOGON.BAT file, create them. I'd suggest just putting something like 'CLS' or 'DIR' in them. By setting the files to READ ONLY, you prevent anyone from overwriting them with something nasty.

:NODELIST
IF NOT EXIST Z:\DB\FILES\NODELIST.* GOTO NODEDIFF
COPY Z:\DB\FILES\NODELIST.* Z:\DB\NODE\NODELIST.*
DEL Z:\DB\FILES\NODELIST.*
:NODEDIFF
IF NOT EXIST Z:\DB\FILES\NODEDIFF.* GOTO RUN_D'BRIDGE
IF EXIST Z:\DB\DIFFS\NODEDIFF.* DEL Z:\DB\DIFFS\NODEDIFF.*
COPY Z:\DB\FILES\NODEDIFF.* Z:\DB\NODE\NODEDIFF.*
DEL Z:\DB\FILES\NODEDIFF.*

    The above two sections check to see if this week's nodelist or update came in, move it to the correct directory if it did, and skip to the next label if it didn't.

:RUN_D'BRIDGE
Z:
CD Z:\DB
db.exe
CLS
ECHO.

    This is what actually starts up the mailer software.

*************************************
Configuration......
*************************************

Now that you've changed all your drive letters, nothing will run properly..... Here are some basic things that you need to change:

1) Go into the Telegard 'P' configuration screen and change all the drive letters.
2) Go into the Telegard File Base Editor, and change all the drive letters.
3) Go into your BLUEWAVE directory, and delete *.CTL.
4) In your BLUEWAVE directory, type BWUTILS UPDATE.
5) Find all the .BAT files on your drives, and change the drive letters/pathnames that you are calling in them.
6) If you called any DOORS in Telegard, you will need to change the drive letters for them in your menu editor.
7) Any programs you may use which have configuration files, i.e. .CFG, .DAT, .CTL, etc., should be reconfigured.
If you still have problems (and you probably will for a few days) don't worry - it's just that you missed changing a drive letter in one of your programs.

*************************************
UN - SUBSTituting
*************************************

1) Just type SUBST at a DOS prompt. It will display a list of SUBSTituted drives.
2) Locate the drive / directory you wish to un-substitute.
3) Type SUBST (subst drive letter) /d
4) The drive you specified is now unSUBSTituted.

*************************************
Stuff......
*************************************

1) Transfer Protocols

    You may have noticed that I substituted X: for my \PROTOCOLS directory, and that it is NOT in the DOS path. There is a very good reason for this: If I call your system, upload the file DSZ.BAT, which is a trojan, and then attempt to DOWNLOAD from the same directory, it will run the trojan. This is prevented very simply by adding the Drive:\Path to each of the entries in the Protocol Editor. By reassigning the \PROTOCOLS path to X:, I only need add X:\ to each protocol:

        X:\dsz.exe p%P s19200 rb @F

    This makes sure that the only DSZ that runs is the one _I_ want to run.

2) Archivers

    As in the protocols section above, don't PATH your archivers. By substituting W: for \ARCHIVERS, you just add:

        W:\pkzip.exe

    to your Telegard Archive Configuration, and this will prevent any 'new' versions from being uploaded and run on your system.
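Why the full X:\ and W:\ paths matter, as an added model of COMMAND.COM's search order (my code, not from Roy's package; the directory layout, PATH entries and file names are constructed). A bare name is looked up in the current directory first, trying .COM, .EXE and .BAT in that order, and only then along PATH, with the relative '..;' entry resolved against the current directory; the exts parameter models the .BAT rename from the MAXIMUM SECURITY section.

```python
# Model of COMMAND.COM's command search (added example, not from the page).
# Extensions tried, in order, in every directory searched.  Passing a shorter
# tuple models the MAXIMUM SECURITY hex-edit that renames .BAT inside
# COMMAND.COM: an uploaded .BAT simply stops being executable.
DEFAULT_EXTS = (".COM", ".EXE", ".BAT")

def norm(d):
    """Upper-case a directory name and give it exactly one trailing backslash."""
    return d.upper().rstrip("\\") + "\\"

def parent_dir(d):
    """Z:\\BBS\\UPLOADS\\ -> Z:\\BBS\\ ; the root Z:\\ is its own parent."""
    head = d.rstrip("\\").rpartition("\\")[0]
    return norm(head) if head else d

def resolve(command, cwd, path, fs, exts=DEFAULT_EXTS):
    """Return the file DOS would run for `command`, or None.

    fs maps a norm()ed directory to the set of upper-case names in it.  A
    qualified command is looked up only where it points; a bare name is
    searched in the current directory first, then each PATH entry, with a
    relative entry such as '..' resolved against the current directory.
    """
    command = command.upper()
    if "\\" in command or ":" in command:
        d, _, name = command.rpartition("\\")
        d = norm(d)
        names = [name] if "." in name else [name + e for e in exts]
        return next((d + n for n in names if n in fs.get(d, ())), None)
    search = [norm(cwd)]
    for entry in path.upper().split(";"):
        if entry == "..":
            search.append(parent_dir(norm(cwd)))
        elif entry:
            search.append(norm(entry))
    for d in search:
        for ext in exts:
            if command + ext in fs.get(d, ()):
                return d + command + ext
    return None

# Constructed layout: the real DSZ lives only on X: (deliberately not on PATH)
# and a caller has uploaded DSZ.BAT into the directory transfers run from.
FS = {
    "X:\\": {"DSZ.EXE"},
    "Z:\\DOS\\": {"FORMAT.COM", "SUBST.EXE"},
    "Z:\\DB\\": {"DB.EXE"},
    "Z:\\BBS\\UPLOADS\\": {"DSZ.BAT", "DEATH.ZIP"},
}
PATH = "Z:\\;Z:\\DOS;Z:\\UTILS;Z:\\BELFRY;Z:\\QEDIT;Z:\\BBS;..;"
```

resolve("dsz", "Z:\\BBS\\UPLOADS", PATH, FS) picks the uploaded DSZ.BAT, while resolve("X:\\dsz.exe", ...) can only ever return the sysop's copy.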
    Replace the 'ZIP INTEGRITY CHECK' command line with a batch file in this format:

        Z:\BELFRY\ZIPPER.BAT

    The batch file should contain something like this:

        @echo off
        W:\pkzip.exe -d %1 pkzip.*
        W:\pkzip.exe -d %1 pkunzip.*
        W:\pkzip.exe -d %1 arc.*
        W:\pkzip.exe -d %1 lharc.*
        W:\pkzip.exe -d %1 dsz.*
        W:\pkzip.exe -d %1 command.*
        W:\pkzip.exe -d %1 user.*
        W:\pkzip.exe -d %1 status.*
        W:\pkzip.exe -d %1 bbs.*
        W:\pkzip.exe -d %1 runme.*
        W:\pkzip.exe -d %1 autoexec.*
        W:\pkzip.exe -d %1 config.sys
        W:\pkzip.exe -d %1 logoff.bat
        W:\pkzip.exe -d %1 logon.bat
        W:\pkzip.exe -d %1 ^.bat
        W:\pkzip.exe -t %1
        exit

    This is just a listing of files that you definitely DON'T want in a .ZIP file on your system. Add as many as you know of, and I'd appreciate a copy of your listing to add to mine. The '-d' option deletes the file out of the zip without decompressing the file.

-----------------*****><*****---------------
-----------------*****><*****---------------

I really hope that you've found these hints useful, and, if you aren't already a user on my system, please feel free to call in and become a member. I've got a special file section up that contains nothing but batch files I've written, including a 3000 line file that checks just about any program for returned ERRORLEVELS - it's what I used to find the 'errorlevel 11' code in MPSITES.

Roy Wilson
MORDOR BBS
(516) 957-1465
FidoNet 1:107/201
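The same blacklist-and-test step as ZIPPER.BAT, as an added example in Python (my code, not from Roy's package) run against an in-memory archive so it works offline. The archive contents are constructed, the pattern list is the batch file's list, and '*.bat' is my reading of its last '-d' line.

```python
import fnmatch
import io
import zipfile

# Names ZIPPER.BAT strips from every uploaded archive, as fnmatch patterns;
# "*.bat" is my reading of its last "-d" line (constructed list).
BLACKLIST = ["pkzip.*", "pkunzip.*", "arc.*", "lharc.*", "dsz.*", "command.*",
             "user.*", "status.*", "bbs.*", "runme.*", "autoexec.*",
             "config.sys", "logoff.bat", "logon.bat", "*.bat"]

def is_blacklisted(member, patterns=BLACKLIST):
    """True if the member's base name matches any pattern, case-insensitively."""
    # Only the base name counts, so a stored path like docs/COMMAND.COM is caught.
    base = member.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, p.lower()) for p in patterns)

def scrub_upload(data, patterns=BLACKLIST):
    """Return (clean_zip_bytes, removed_names); (None, None) if the archive is bad.

    Mirrors ZIPPER.BAT: drop blacklisted members without extracting anything,
    and reject the upload if any member fails its CRC (the 'pkzip -t' step).
    """
    removed, out = [], io.BytesIO()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as src:
            if src.testzip() is not None:       # name of the first corrupt member
                return None, None
            with zipfile.ZipFile(out, "w") as dst:
                for info in src.infolist():
                    if is_blacklisted(info.filename, patterns):
                        removed.append(info.filename)
                    else:
                        dst.writestr(info.filename, src.read(info), zipfile.ZIP_DEFLATED)
    except zipfile.BadZipFile:
        return None, None
    return out.getvalue(), removed

def member_names(data):
    """List the members of a zip given as bytes (used to check the result)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def sample_upload():
    """Constructed upload: one legitimate file plus the kinds of names the list targets."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("README.TXT", "DSZ.BAT", "docs/COMMAND.COM", "INSTALL.BAT"):
            zf.writestr(name, "constructed content for " + name)
    return buf.getvalue()
```

Matching on names only stops the lazy case; a renamed copy of DSZ.EXE passes, which is why the page pairs this check with VSHIELD and with full X:\ and W:\ paths in the protocol and archiver entries.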