From: Hugo Silva
Date: Sun, 11 Mar 2007 16:31:43 +0000
To: freebsd-questions@freebsd.org
Cc: Sergio Lenzi
Subject: Re: root login with telnetd
Message-ID: <45F42EEF.9070002@barafranca.com>
In-Reply-To: <1173622192.1208.21.camel@localhost>

Sergio Lenzi wrote:
> Hello...
>
> I see your issues about telnet...
>
> I have been using inetd+telnet for more than 20 years, using BSD
> with RSA, and obviously with a good password.
>
> I have never been cracked down...
> and I have 10 of my /etc/ttys entries set to "secure":
>
> ttyp0 none network off secure
> ttyp1 none network off secure
> ttyp2 none network off secure
> ttyp3 none network off secure
> ttyp4 none network off secure
> ttyp5 none network off secure
> ttyp6 none network off secure
> ttyp7 none network off secure
> ttyp8 none network off secure
> ttyp9 none network off secure
> ttypa none network off secure
> ttypb none network off secure
> ttypc none network off secure
>
> in my /etc/master.passwd.....
> root:*:0:0::0:0:Charlie &:/root:/bin/csh
>
> a "kill -1 1" would allow root to dial in
>
> I block the root account in /etc/master.passwd by putting a "*" as the md5 hash
> and set up a "super" account.....

You could have just changed its name, and the end result is exactly the same. If you have other services running on this server, there are various ways to figure out who has uid 0. Changing root's account name or adding another uid 0 account won't make it any harder.

> pw adduser xxxxxxxxx -d /root -s /usr/local/bin/bash -u 0 -g 0 -h 0
>
> Then it is done...
>
> All the cracking I have seen is from someone that is INSIDE the machine
> (http using php, pop, imap, ssh, ...), that is, you have already allowed him to
> come in: you gave them the password (in the case of ssh), or in http...
>
> A "normal" FreeBSD 6.2 or an OpenBSD is incredibly solid...

Indeed, that's exactly why it comes with sshd instead of telnetd, and they both DO NOT allow root logins by default.

> You must know the "superuser" login AND the password....

With sshd and root logins off, you need to know your username's password/passphrase for DSA/RSA, you need to be in the right group so you can even attempt to become root, and you need the root password too. On top of all that, everything's encrypted. Please do not even TRY to compare.

> choose a password with letters and numbers, or something in
> portuguese (only 7 countries speak that): biruta22, pezinho12,
> 45pinheiiros, tovazioagora, batatinha744, 45canastra96.....

Spoken in: Angola, Brazil, Mozambique, Portugal, and several other CPLP countries
Total speakers: Native: 210 million, Total: 230 million

Brilliant.

> I tested it in a security system and it says it has good security...
> (pgp)...

I won't comment on this.

> Besides.. using brute force on a word like "itacolomi" with a 1 second
> delay would result in "forever"
> Besides, BSD has the ability to force a new password once it is too
> old... a new password every 3 months is a good choice.... and you must still
> pass through RSA.
>
> Thanks for sharing the experience... now I know I am not the only one that
> uses "telnet"
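As an added example that is not part of either poster's message: a small POSIX sh audit of the two files argued over above. It lists every uid-0 account in a master.passwd-style file (so a renamed root or a second uid-0 "super" account still shows up) and every network pseudo-tty in a ttys-style file that carries the "secure" flag. The sample file contents, account names and placeholder hashes are constructed for this example.

```shell
#!/bin/sh
# Audit helpers for /etc/master.passwd (which accounts hold uid 0) and
# /etc/ttys (which network pseudo-ttys carry "secure", the flag that lets
# root log in directly over telnet). The sample files are constructed for
# this example; on a real host point the functions at the live files.

# master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
# Print every account whose uid is 0; renaming root does not hide it here.
uid0_accounts() {
    awk -F: '$1 !~ /^#/ && NF >= 3 && $3 == 0 { print $1 }' "$1"
}

# ttys fields: name getty type status [secure]
# Print every pseudo-tty of type "network" that carries the "secure" flag.
secure_network_ttys() {
    awk '$1 !~ /^#/ && $3 == "network" {
             for (i = 4; i <= NF; i++) if ($i == "secure") print $1 }' "$1"
}

# Succeed only when root is the sole uid-0 account and no network tty is secure.
audit_host() {
    extra=$(uid0_accounts "$1" | grep -vx root || true)
    sec=$(secure_network_ttys "$2")
    [ -z "$extra" ] && [ -z "$sec" ]
}

SAMPLE_PASSWD=$(mktemp); SAMPLE_TTYS=$(mktemp); CLEAN_TTYS=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_TTYS" "$CLEAN_TTYS"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
# constructed sample; the hashes are placeholders, not real ones
root:*:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
superacct:$1$PLACEHOLDER$HASH:0:0::0:0:Second root:/root:/usr/local/bin/bash
hugo:$1$PLACEHOLDER$HASH:1001:1001::0:0:Hugo:/home/hugo:/bin/sh
EOF
cat > "$SAMPLE_TTYS" <<'EOF'
# constructed sample
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
ttyp0 none network off secure
ttyp1 none network off
ttyp2 none network off secure
EOF
# The hardened form: the same file with "secure" dropped from network ttys.
sed 's/^\(ttyp[0-9a-v] .*\) secure$/\1/' "$SAMPLE_TTYS" > "$CLEAN_TTYS"
echo "uid 0 accounts: $(uid0_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
echo "secure network ttys: $(secure_network_ttys "$SAMPLE_TTYS" | tr '\n' ' ')"
audit_host "$SAMPLE_PASSWD" "$SAMPLE_TTYS" || echo "audit: FAIL (see above)"
audit_host "$SAMPLE_PASSWD" "$CLEAN_TTYS" || echo "audit: still FAIL: extra uid-0 accounts"
```

The second audit still fails after the ttys fix because toor and the second uid-0 account remain, which is the point made in the reply above: hiding root's name does not reduce the number of uid-0 logins.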