Date: Wed, 1 Aug 2001 08:40:09 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Mike Meyer" <mwm@mired.org>
Cc: <questions@FreeBSD.ORG>
Subject: RE: URGENT - Seems like i've been hacked... what to do now?
Message-ID: <005601c11aa0$3edc5080$1401a8c0@tedm.placo.com>
In-Reply-To: <15206.42047.35149.695150@guru.mired.org>
>-----Original Message-----
>From: Mike Meyer [mailto:mwm@mired.org]
>Sent: Tuesday, July 31, 2001 5:28 AM
>
>That's certainly true - I'm much more lax about security behind a
>firewall I trust. I thought we were talking about machines that were
>being accessed from the internet - which I consider to be a hostile
>network.
>

We were - that's just an example though. I'd consider a college dorm net much more hostile than the Internet, though.

SSH does a great job of protecting against sniffing - but just because you have an sshd daemon running on a system doesn't increase the security on that system. It just blocks people from eavesdropping on traffic to and from it. If you want to extend this to say that it protects the system then that's fine, but it really isn't doing that, it's protecting the channels to the system, and the fact that this enhances system security is a byproduct.

On the Internet, there's really not that much chance that a hacker is going to gain access to a specific datastream. Oh sure, they might be able to crack into a router here or there, but due to the way that BGP handles routing on the Internet, a connection that they are sniffing that's passing through a router they have cracked might suddenly shift due to a route change and no longer be passing through the compromised router. That's why I said that the stories of people "sniffing" connections on the Internet are silly. If they are sniffing they are doing it on shared networks that are CONNECTED to the Internet, but are located within campuses or other organizations. They aren't doing it on the high-speed circuits that are really what the Internet is.

Where the Internet is hostile is that it provides a channel for people to crack your machines. But those attacks are mostly centered on the machines themselves, not the streams of data to and from the machine. SSH doesn't protect against those kinds of attacks.

>Well, I can understand the argument, but I don't agree with
>it. Opening up a machine to people who don't have physical access to
>it just because there's no physical security is foolish. Did you
>actually go through with this and not bother with setting a root
>password on the machines?
>

Yes and no. No, because I always set a password. Yes, because in some cases I set the root's password to the word "password" which I consider to be equivalent to no password. These are cases where the system is an internal router that has multiple NIC's in it and is just serving as a network router. The idea here is that if I get crunched in a car wreck and 5 years later when I've been long forgotten and someone needs to log into that router, they can guess the password.

This kind of thing is regularly done on network devices. For example take those LinkSys routers that are selling hand-over-fist. Most people do not change the default password on them. Since they can only be accessed from the "inside" interface this is a minimal security risk. But I see lots of small companies with 20 or so people using them on DSL lines.

>> To do the security thing right it's either an all or nothing proposition.
>
>Now you're contradicting yourself. Earlier, you said:
>
> Security is all about weighing risks.
>
>which I agree with. You weigh the risks, and decide whether or not the
>worst risks outweigh the costs of eliminating them.
>

I should have clarified that. Basically, while I feel that most people are "doing security" wrong, by not taking care of everything, that's not to say that a system with security done wrong has absolutely no security value. It does - but I feel that what benefits there are, are totally outweighed by the false sense of security that the wrongly done benefits provide.

>> Either you lock the entire thing down, disable Telnet and only run SSH,
>> physically secure it and control access to it and to the network,
>
>That's not "all". That's what I consider "minimal security for a
>machine exposed to a hostile network." "All" means you put the machine
>in a faraday cage, and don't allow anyone in the cage without a
>security clearance and a physical search.

That's what I was talking about.

>If you've got to expose a
>machine to the network, you use ssh to encrypt the challenge-response
>from a system that uses a physical tool to generate the response, so
>that breaking in over the network involves having the users password
>*and* their response generator.
>
>> or you just consider the system already compromised and make sure
>> that there's nothing of value on it. Doing a half-assed job like
>> you're advocating to where you secure some things and not others just
>> leaves gaping holes and a false sense of security.
>
>The same thing could be said about the half-assed job that you're
>advocating. Both statements have equal validity - none. The
>problem is that you're not weighing the risks, you're simply assuming
>that all risks have an equal weight. This is an invalid assumption, so
>the conclusion isn't valid.
>

No, actually what I'm assuming is that the system is only as strong as the weakest link.

>> >You wouldn't set
>> >the machines to not have a root password just because they have poor
>> >physical security.
>> This is just another example of what I'm talking about. A FreeBSD system
>> with an unaged root password that has poor physical security is IDENTICAL to a
>> FreeBSD system that has no root password. Without physical security anyone
>> can come by and reboot the system into single user mode and reset the root
>> password to their own password in just a few minutes.
>
>This is only true if physical access to the machine is as cheap for
>the attacker as a telnet connection to the machine. That's not true
>even if the machine is sitting on blocks on the front lawn. The cost
>of physically getting to the machine is higher than the cost of a
>telnet connection. Putting it behind a locked door - even if a simple
>physical B&E will get you to the machine - raises the stakes
>considerably.
>

It depends on who the attacker is. A locked door is no barrier to a member of the cleaning staff - or someone dressed up to look like a member of the cleaning staff who has a lockpick.

>While I can't evaluate the case you described, the cost of installing
>ssh and disabling telnet, or at least blocking internet access to
>telnet, is nearly the same as setting a root password. Since a
>security system is only as good as the weakest element, it may be that
>the physical security at the site was the weakest link even if
>everyone used telnet to access the machines from the internet. That
>doesn't seem very likely, though.
>

Most of the security argument revolves around whether the data is valuable or not. While you may consider security measures to be basic things like setting passwords on accounts, I don't really regard basic stuff like that as any real security, it's just administrative tasks. For example, I've seen some sites where everyone has the same password on their accounts. Steps such as this are equivalent to locking your door during the day while you run up to the store - it prevents the casual thief who's just walking by from shaking the doorknob and walking off with your TV - but to anyone who seriously wants to get in, it's no barrier as they will just kick in the door or go through the window.

It's the same for machines. A system without the cage and the logged access and all that is simply insecure, whether you make yourself feel good by running ssh on it or not. Anyone really determined to get in can do so.

As such, I don't see that SSH benefits you in this instance unless you have a specific problem you're using it to solve - such as you regularly access it from a network that's regularly sniffed for passwords (like a dormitory network). Otherwise, just taking the regular administrative steps such as putting passwords on the accounts (which may be unguessable to a stranger, but well-known and unchanged internal to the organization) is not real security.

Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
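An added example, not part of this thread and not FreeBSD's own tooling: a small POSIX shell audit for the three host settings the exchange above turns on. It checks whether telnetd is still enabled in inetd.conf, whether sshd is turned on in rc.conf, and whether the console in /etc/ttys is marked insecure, which makes a single-user boot ask for the root password instead of handing a root shell to whoever can reboot the box. The file paths are overridable and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a FreeBSD host for the three
# settings the exchange above argues over. Each check takes an optional
# path so it can run against a sample instead of the live file.

# 0 if inetd.conf still has an uncommented telnet service line.
telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "${1:-/etc/inetd.conf}"
}

# 0 if rc.conf turns sshd on (sshd_enable="YES", any case, quotes optional).
sshd_enabled() {
    grep -Eiq '^[[:space:]]*sshd_enable=["'"'"']?yes' "${1:-/etc/rc.conf}"
}

# 0 if the console line in ttys carries the "insecure" flag (field 5), so a
# single-user boot prompts for the root password instead of handing a root
# shell to whoever can reach the reset button.
console_insecure() {
    awk '$1 == "console" && $5 == "insecure" { found = 1 }
         END { exit !found }' "${1:-/etc/ttys}"
}

# Run all three checks against the given files; return the number of findings.
audit() {
    n=0
    if telnet_enabled "$1"; then echo "FAIL: telnetd enabled in $1"; n=$((n + 1)); fi
    if ! sshd_enabled "$2"; then echo "FAIL: sshd not enabled in $2"; n=$((n + 1)); fi
    if ! console_insecure "$3"; then echo "FAIL: console not insecure in $3"; n=$((n + 1)); fi
    return "$n"
}

# Constructed sample configs (not from any real host) for a stand-alone run;
# this box fails all three checks, so demo returns 3.
demo() {
    d=$(mktemp -d)
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n' > "$d/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n' >> "$d/inetd.conf"
    printf 'hostname="router.example"\nsshd_enable="NO"\n' > "$d/rc.conf"
    printf 'console\tnone\tunknown\toff\tsecure\n' > "$d/ttys"
    rc=0
    audit "$d/inetd.conf" "$d/rc.conf" "$d/ttys" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "audit reported $? finding(s)"
```

Run it as root against the live files by calling audit with no arguments' defaults, i.e. `audit /etc/inetd.conf /etc/rc.conf /etc/ttys`; a non-zero return is the count of settings still in the state the thread warns about.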