
Chapter 8: Local Network Services
For instance, even after you have disabled Tom Adelstein’s password, he can get on
another computer somewhere and run a command such as:
$ ssh -f -N -L8000:intranet.yourcompany.com:80 my.domain.com
This forwards traffic from port 8000 on his computer, by way of my.domain.com, to
port 80 (the port on which a web server usually listens) on your internal server.
Obviously, if your system offers SSH, you should remove authorized keys from the
appropriate directories (e.g., ~tadelste/.ssh or ~tadelste/.ssh2) in order to stop the
user from regaining access to his account this way:
$ cd .ssh
:~/.ssh$ ls
authorized_keys known_hosts
:~/.ssh$ rm authorized_keys
:~/.ssh$ ls
known_hosts
:~/.ssh$
Likewise, look for .shosts and .rhosts files in the user’s home directory (for example,
~tadelste/.shosts and ~tadelste/.rhosts).
Also, check to see if the user still has any processes running on the system. Such
processes might act as a backdoor to allow the user into your network. The following
command will tell you if a user currently has any running processes:
# ps aux |grep -i ^tadelste
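The checks described so far (authorized keys, .shosts and .rhosts files, and running processes) can be collected into one repeatable audit. This is an added example, not code from the book; the function name audit_departed_user and the KEYS/REVIEW/TRUST/PROCS output labels are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list what can still let a disabled account back in.
# Usage: audit_departed_user USER [HOME]   (HOME defaults to the passwd entry)
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_departed_user() {
    user=$1
    home=${2:-}
    if [ -z "$home" ]; then
        home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    fi
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "ERROR no home directory for $user" >&2
        return 2
    fi
    found=0
    # Public keys keep working after the password is disabled.
    keyfile=$home/.ssh/authorized_keys
    if [ -f "$keyfile" ]; then
        # Count real entries only: skip blank lines and comments.
        nkeys=$(grep -Ev '^[[:space:]]*(#|$)' "$keyfile" | wc -l | tr -d ' ')
        if [ "$nkeys" -gt 0 ]; then
            echo "KEYS $keyfile $nkeys"
            found=1
        fi
    fi
    # The text also names ~/.ssh2; report the directory for manual review.
    if [ -d "$home/.ssh2" ]; then
        echo "REVIEW $home/.ssh2"
        found=1
    fi
    # Host-based trust files in the home directory.
    for f in .shosts .rhosts; do
        if [ -e "$home/$f" ]; then
            echo "TRUST $home/$f"
            found=1
        fi
    done
    # Processes still owned by the account (tunnels, listeners, shells).
    nprocs=$(ps -u "$user" -o pid= 2>/dev/null | wc -l | tr -d ' ')
    if [ "$nprocs" -gt 0 ]; then
        echo "PROCS $user $nprocs"
        found=1
    fi
    return "$found"
}
# Run directly as: sh audit.sh tadelste
if [ "$#" -gt 0 ]; then audit_departed_user "$@"; fi
```

Run it as root so that other users' home directories are readable; a nonzero exit status makes it easy to use as a gate in an offboarding script.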
Some other questions a system administrator might ask about a personal user who
has left the company include:
• Could the user execute CGI scripts from his home directory or on one of the
company’s web servers?
• Do any email forwarding files such as ~tadelste/.forward exist? Users can use
forwarders to send mail to their accounts and cause programs ...