Date: Thu, 8 Nov 2001 02:23:28 +0200
From: Giorgos Keramidas <charon@labs.gr>
To: Anthony Atkielski <anthony@atkielski.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Message-ID: <20011108022328.F79276@hades.hell.gr>
In-Reply-To: <002b01c1635f$5a5f4300$0a00000a@atkielski.com>
References: <15330.6606.417524.41024@guru.mired.org> <002b01c1635f$5a5f4300$0a00000a@atkielski.com>

On Fri, Nov 02, 2001 at 06:29:27AM +0100, Anthony Atkielski wrote:
> > And note that "massively inadequate" is *not* the same
> > thing as "massively insecure".
>
> Point taken. In practice, however, administrators tend to drift towards
> "massively insecure" as they try to overcome "massively inadequate."
>
> For example, one change I made to my system was to allow root logins
> from remote terminals. I'd prefer to limit remote logins to root to
> my other machine, which is on the LAN, but I'm not aware of an
> option to force that, so I had to open root logins to the world.
> Thus, in order to obtain needed functionality, I had to compromise
> security far more than I would have liked.

Don't do what `most administrators tend to do'. Disable root logins
over the network again :)

Use only su(1) to become root, as shown below:

	% su -
	Password: ********
	#

This has the extra feature of having the fact that someone became root
written to your logs:

	Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1

Then use SSH to connect to your FreeBSD box, instead of Telnet. It does
not let passwords and other sensitive data travel unencrypted over the
wire, and the entire SSH session is encrypted too.
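An added example, not part of the original message: a small sh/awk audit that reads syslog lines in the su(1) format quoted above and counts, per user, how often they became root. The function names, the `BAD SU` prefix assumed for failed attempts, and every sample line except the first are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Audit su(1) activity from syslog lines shaped like the one in the message:
#   Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1
# Assumption: failed attempts carry a "BAD SU" prefix before the user name.

# su_root_audit [FILE...]  (reads stdin when no file is given)
# Prints one line per user: "<user> ok=<successes> bad=<failures>", sorted.
su_root_audit() {
    awk '
    # Field 5 is the program tag in "Mon D HH:MM:SS host tag: message".
    $5 ~ /^su(\[[0-9]+\])?:$/ {
        i = 6
        bad = 0
        if ($i == "BAD" && $(i + 1) == "SU") { bad = 1; i += 2 }
        # Only transitions to root are of interest: "<user> to root ..."
        if ($(i + 1) != "to" || $(i + 2) != "root") next
        user = $i
        seen[user] = 1
        if (bad) nbad[user]++; else nok[user]++
    }
    END {
        for (u in seen) printf "%s ok=%d bad=%d\n", u, nok[u], nbad[u]
    }' "$@" | sort
}

# Constructed sample input; only the first line comes from the message.
sample_log() {
    cat <<'EOF'
Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1
Nov 8 02:31:02 hades su: BAD SU guest to root on /dev/ttyp2
Nov 8 02:31:09 hades su: BAD SU guest to root on /dev/ttyp2
Nov 8 03:05:11 hades su: someuser to root on /dev/ttyp1
Nov 8 03:10:00 hades cron[412]: (constructed) unrelated line
Nov 8 03:12:45 hades su: someuser to operator on /dev/ttyp1
EOF
}

sample_log | su_root_audit
```

A user with `bad` attempts and no `ok` entries, such as `guest` here, is the pattern worth reviewing first.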