Date: Thu, 8 Nov 2001 09:01:54 +0100
From: "Anthony Atkielski" <anthony@atkielski.com>
To: "Giorgos Keramidas" <charon@labs.gr>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Message-ID: <002501c1682b$a542b7a0$0a00000a@atkielski.com>
References: <15330.6606.417524.41024@guru.mired.org> <002b01c1635f$5a5f4300$0a00000a@atkielski.com> <20011108022328.F79276@hades.hell.gr>

Currently I have telnetd turned off, and only sshd is running. I also have all incoming telnet and ssh traffic blocked at the router, and I only log in from my tiny LAN. So I should be safe logging in directly as root, although I might reconsider if I ever need to log into the system from a remote location.

----- Original Message -----
From: "Giorgos Keramidas" <charon@labs.gr>
To: "Anthony Atkielski" <anthony@atkielski.com>
Cc: <freebsd-questions@FreeBSD.ORG>
Sent: Thursday, November 08, 2001 01:23
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD

> On Fri, Nov 02, 2001 at 06:29:27AM +0100, Anthony Atkielski wrote:
> > > And note that "massively inadequate" is *not* the same
> > > thing as "massively insecure".
> >
> > Point taken. In practice, however, administrators tend to drift towards
> > "massively insecure" as they try to overcome "massively inadequate."
> >
> > For example, one change I made to my system was to allow root logins
> > from remote terminals. I'd prefer to limit remote logins to root to
> > my other machine, which is on the LAN, but I'm not aware of an
> > option to force that, so I had to open root logins to the world.
> > Thus, in order to obtain needed functionality, I had to compromise
> > security far more than I would have liked.
>
> Don't do what `most administrators tend to do'. Disable root logins
> over the network again :)
>
> Use only su(1) to become root, as shown below:
>
>     % su -
>     Password: ********
>     #
>
> This has the extra feature of having the fact that someone became
> root written at your logs:
>
>     Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1
>
> Then use SSH to connect to your FreeBSD box, instead of Telnet.
> It does not let passwords and other sensitive data travel unencrypted
> over the wire, and the entire SSH session is encrypted too.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
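
The su(1) log entry quoted above can be audited mechanically. The following is an added example, not part of either message: it parses su entries in that format and flags root escalations by users outside an allow-list as well as repeated failed attempts. The `BAD SU` failure prefix is an assumption about how failed attempts are logged; the allow-list, the threshold and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Matches syslog lines written by su(1), e.g.
#   Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1
# Assumption: failed attempts carry a "BAD SU " prefix before the user name.
SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<bad>BAD SU )?(?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)$"
)

def parse_su_events(lines):
    """Return one dict per su(1) log line; all other lines are skipped."""
    events = []
    for line in lines:
        m = SU_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ok"] = ev.pop("bad") is None  # True when the su succeeded
            events.append(ev)
    return events

def audit_root_su(events, allowed, max_failures=3):
    """Flag root escalations by unexpected users and repeated failures."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev["dst"] != "root":
            continue
        if not ev["ok"]:
            failures[ev["src"]] += 1
        elif ev["src"] not in allowed:
            findings.append(("unexpected-root", ev["src"], ev["ts"]))
    for user, n in sorted(failures.items()):
        if n >= max_failures:
            findings.append(("repeated-failure", user, n))
    return findings

# Constructed sample log; only the first line is taken from the message.
SAMPLE_LOG = """\
Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1
Nov 8 02:21:03 hades sshd[412]: Accepted password for guest from 10.0.0.11 port 1022
Nov 8 02:25:11 hades su: BAD SU guest to root on /dev/ttyp2
Nov 8 02:25:19 hades su: BAD SU guest to root on /dev/ttyp2
Nov 8 02:25:30 hades su: BAD SU guest to root on /dev/ttyp2
Nov 8 03:02:57 hades su: operator to root on /dev/ttyp0
""".splitlines()

if __name__ == "__main__":
    for finding in audit_root_su(parse_su_events(SAMPLE_LOG), allowed={"someuser"}):
        print(finding)
```
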