Date: Thu, 17 Jan 2002 14:07:02 -0500 (EST)
From: Mike Dresser
To: Jim Flowers
Cc: Andrew Houghton
Subject: Re: How to secure telnet?
In-Reply-To: <200201171849.g0HInAV01755@lily.ezo.net>
Sender: owner-freebsd-isp@FreeBSD.ORG

On Thu, 17 Jan 2002, Jim Flowers wrote:

> set up a sacrificial host and allow only telnet through your firewall to it.
> Allow only ssh -2 from it to your server that has the shell accounts and
> firewall out access from it to any of your other machines. Optionally
> include a portsentry scanner and keep an eye on the logs.

One problem is if you're using telnet and then ssh, and type your passphrase
or password in, if someone is sniffing the line at this point they now have
access to the shell server using your account.

Additionally, I haven't seen anyone touch on the fact the machine the user
connects from may be compromised already, giving an attacker your
passwords/passphrases/email to your loved ones from a keylogger or similar.

Mike