Header Ads

Securing the hosts file.


Once upon a time, when the internet was still very young and just composed of a few hundred computers, DNS did not yet exist and name resolution was just peachy. The original TCP/IP specification implemented name resolution using a special file called “hosts” which was stored on every computer system on the internet. The hosts file contained a list of every computer on the internet matched to their corresponding system names. This was possible because as we have noted the internet was very small, furthermore there weren’t any rules yet about how to compose system/domain names. Then, anyone could name his computer anything as long as the name wasn’t already in use. A typical hosts file back then would have looked something like this:

201.52.6.65             mike
192.168.57.3           pc1
157.85.69.2             server
87.45.25.1               jons supermarket computer

Suppose your system wanted to access the system called mike, it looked up the name mike in the hosts file and then used the corresponding IP to contact mike. Every hosts file on every system on the Internet was updated every morning at 2 A.M. This worked fine until the internet grew and this method had to give way to DNS and Fully Qualified Domain Names (FQDN). But the hosts file didn’t go away, it is still present in every PC. To navigate to the hosts file in a windows PC go to \Windows\System32\Drivers\Etc while in Linux and OS X you can find it in the /etc folder. Below is a screen shot of my hosts file.



Even though the hosts file is rarely used, every operating system always looks first in the hosts file before anything else when attempting to resolve a name. This can lead to a potential security risk called Pharming. This is when Windows hosts file gets infected with malware, and its contents are changed by inserting redirects, so that when the user types the legitimate URL, the browser may then redirect to a malicious web site. The best way to mitigate this is by preventing hosts file modification using the following steps:

  1. Navigate to \Windows\System32\Drivers\Etc
  2. Right-click the hosts file, select Properties, and select the Read-only attribute; finally click OK (see Figure below).




No comments

Powered by Blogger.