From owner-freebsd-questions Thu Feb 22 2:26: 6 2001
From: "Ted Mittelstaedt"
To:
Cc: "Doug Young", "Macrolosa"
Subject: RE: login-MODEM
Date: Thu, 22 Feb 2001 02:25:30 -0800
Message-ID: <005e01c09cb9$c8493e60$1401a8c0@tedm.placo.com>
In-Reply-To: <20010222013718.G89396@rfx-216-196-73-168.users.reflex>
Sender: owner-freebsd-questions@FreeBSD.ORG

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
> Sent: Thursday, February 22, 2001 1:37 AM
> To: Ted Mittelstaedt
> Cc: Doug Young; Macrolosa; freebsd-questions@FreeBSD.ORG
> Subject: Re: login-MODEM
>
>
> On Thu, Feb 22, 2001 at 12:59:10AM -0800, Ted Mittelstaedt wrote:
>
> [snip]
>
> > There's nothing to running a shell server as long as you take a
> > few simple precautions.
>
> *boggle*
>
> It is pretty much assumed that if a user can get local, he can get
> root. For recent FreeBSD examples, take the /proc holes (and there are
> probably more) used to get the webserver. OpenBSD had some chpass and

We don't run a webserver on the shell server.

> others publicized back in October. And this is my favorite, pretty
> much EVERY SINGLE Solaris BOX IN THE WORLD has a particular local root
> exploit that has no reasonable work around or vendor patch.
>
> > You're way overstating the security risks here.

What risks?!

> > There's nothing that a user can do on a shell server that they can't
> > do already by setting up a UNIX system and dialing into us, except for
> > screwing other users on that server,
>
> And every time some kiddie nukes the server and uses your bandwidth to
> scan half the Internet for portmap, you have to fix it and get all of
> the hate mail.
>

Ah - how are they going to do that when the server is behind a firewall, as
I stated before was one of the requirements? The firewall isn't there to
protect the shell server from the bad outside - it's there to protect the
outside (and our net) from the shell server.

It's also simple enough to limit bandwidth use off the shell server through
the same firewall. In our case we use a router port off a Cisco and do it
in there, but you could easily put in a FreeBSD system and use dummynet.

Besides that, not a lot of kiddies have credit cards, which is another
requirement before getting an account on the shell server. As I mentioned,
there's no webserver on it nor ftp server - if they want to get files on it
they can use an FTP client.

All this gets into what is the point of a shell server. Well, many people
feel the shell is a more pleasant environment to read news with rn, or mail
with Pine, and play Rogue if they so choose to do. You supply those
applications, and if someone wants something added it's easy enough for them
to e-mail root and ask that it be added to the system.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com
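The "FreeBSD system with dummynet" setup Ted describes, as an added example that is not part of the original thread and not Ted's own configuration: an ipfw rule set for a FreeBSD box sitting between the shell server and the outside, written so the firewall contains the shell server rather than protecting it. The shell server address 10.0.1.2, the outside interface fxp0 and the bandwidth figures are hypothetical placeholders; the rules that log and drop outbound portmap (port 111) traffic are an illustration of Crist's scanning scenario, not something the post specifies. The kernel needs dummynet support (options DUMMYNET, or the dummynet module on newer releases). By default the script only prints the rules; set IPFW_CMD=/sbin/ipfw to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw + dummynet rules on a
# FreeBSD firewall in front of a shell server. Dry run unless IPFW_CMD is set.

SHELL_SRV="${SHELL_SRV:-10.0.1.2}"     # hypothetical shell server address
EXT_IF="${EXT_IF:-fxp0}"               # hypothetical outside interface
OUT_BW="${OUT_BW:-128Kbit/s}"          # cap on shell server -> world
IN_BW="${IN_BW:-512Kbit/s}"            # cap on world -> shell server

fw() {
    # Apply with the real ipfw when IPFW_CMD is set, otherwise echo the rule.
    if [ -n "$IPFW_CMD" ]; then
        "$IPFW_CMD" "$@"
    else
        echo "ipfw $*"
    fi
}

shell_server_rules() {
    fw -f flush

    # Two dummynet pipes: one per direction, each with its own bandwidth cap.
    fw pipe 1 config bw "$OUT_BW"
    fw pipe 2 config bw "$IN_BW"

    # Inbound: only the service the shell server is meant to offer (ssh here,
    # an assumption) may open a connection from outside; everything else is
    # logged and dropped. Telnet/dial-in users come from the inside.
    fw add 100 allow tcp from any to "$SHELL_SRV" 22 in via "$EXT_IF" setup
    fw add 110 deny log tcp from any to "$SHELL_SRV" in via "$EXT_IF" setup

    # Outbound: the shell server is what is being contained. Log and drop
    # portmap probes (illustrative) so a compromised box cannot sweep for it.
    fw add 200 deny log tcp from "$SHELL_SRV" to any 111 out via "$EXT_IF"
    fw add 210 deny log udp from "$SHELL_SRV" to any 111 out via "$EXT_IF"

    # Everything else from the shell server leaves through pipe 1 and replies
    # come back through pipe 2, so the server cannot eat the whole uplink.
    fw add 300 pipe 1 ip from "$SHELL_SRV" to any out via "$EXT_IF"
    fw add 310 pipe 2 ip from any to "$SHELL_SRV" in via "$EXT_IF"

    # Traffic that does not involve the shell server is not this box's concern.
    fw add 65000 allow ip from any to any
}

shell_server_rules
```

Run it once without IPFW_CMD to review the generated rules, then `IPFW_CMD=/sbin/ipfw sh shellfw.sh` on the firewall. The pipe rules are deliberately placed after the deny rules: a packet that is dropped never reaches dummynet, so the bandwidth cap applies only to traffic you actually let out.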