Date: Thu, 8 Nov 2001 02:23:28 +0200
From: Giorgos Keramidas
To: Anthony Atkielski
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD

On Fri, Nov 02, 2001 at 06:29:27AM +0100, Anthony Atkielski wrote:
> > And note that "massively inadequate" is *not* the same
> > thing as "massively insecure".
>
> Point taken. In practice, however, administrators tend to drift towards
> "massively insecure" as they try to overcome "massively inadequate."
>
> For example, one change I made to my system was to allow root logins
> from remote terminals. I'd prefer to limit remote logins to root to
> my other machine, which is on the LAN, but I'm not aware of an
> option to force that, so I had to open root logins to the world.
> Thus, in order to obtain needed functionality, I had to compromise
> security far more than I would have liked.

Don't do what `most administrators tend to do'. Disable root logins
over the network again :) Use only su(1) to become root, as shown below:

    % su -
    Password: ********
    #

This has the extra feature of having the fact that someone became root
written to your logs:

    Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1

Then use SSH to connect to your FreeBSD box, instead of Telnet. It does
not let passwords and other sensitive data travel unencrypted over the
wire, and the entire SSH session is encrypted too.
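
The su(1) log line quoted in the message can be audited mechanically. The following is an added example, not part of the original post: it parses su entries and reports who became root and who failed to. The sample log, the allowed-user list and the "BAD SU" failure format are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines. The first reproduces the format quoted in the
# message; the "BAD SU" form for failed attempts is an assumption about
# how the local su(1) logs failures.
SAMPLE_LOG = """\
Nov  8 02:19:40 hades su: someuser to root on /dev/ttyp1
Nov  8 02:25:02 hades su: BAD SU guest to root on /dev/ttyp2
Nov  8 02:25:09 hades su: BAD SU guest to root on /dev/ttyp2
Nov  8 02:31:17 hades sshd[412]: Accepted password for someuser from 10.0.0.10 port 1022
Nov  8 03:02:44 hades su: otheruser to root on /dev/ttyp3
"""

SU_LINE = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+su(?:\[\d+\])?:\s+"
    r"(?P<bad>BAD SU\s+)?(?P<src>\S+) to (?P<dst>\S+)(?: on (?P<tty>\S+))?\s*$"
)

def parse_su_events(text):
    """Return one dict per su(1) log line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SU_LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ok"] = ev.pop("bad") is None
            events.append(ev)
    return events

def audit_root_su(text, allowed=("someuser",)):
    """Flag successful su-to-root by users outside `allowed`; count failures."""
    unexpected, failures = [], Counter()
    for ev in parse_su_events(text):
        if ev["dst"] != "root":
            continue
        if not ev["ok"]:
            failures[ev["src"]] += 1
        elif ev["src"] not in allowed:
            unexpected.append((ev["when"], ev["src"], ev["tty"]))
    return unexpected, dict(failures)

if __name__ == "__main__":
    unexpected, failures = audit_root_su(SAMPLE_LOG)
    print("unexpected root su:", unexpected)
    print("failed attempts:", failures)
```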