From owner-freebsd-security Wed Dec 13 22:10:28 2000
From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 22:10:24 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 110E637B400 for ; Wed, 13 Dec 2000 22:10:24 -0800 (PST)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2878 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 14 Dec 2000 00:09:55 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Thu, 14 Dec 2000 00:09:54 -0600 (CST)
From: James Wyatt
To: Terry Zink
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
In-Reply-To: <5.0.0.25.0.20001213132136.00a2c7b0@mail.metrocon.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Uh, service access can easily be controlled with ipfw, tcp-wrappers, or
ipfilter. Ssh has the sshd_config file as well. These tools and others in
its arsenal make FreeBSD an excellent bastion host OS. (But we all know
that here, right? (^_^)

Firewalls are to prevent harm to hosts (incl. workgroups) that cannot
always be trusted or even hardened enough to let remain unprotected.
Groups of boxes running SMB/Sun RPCs (a la Windows file shares, NFS, NIS,
etc...), applications with weak authentication (open POP3, rsh, etc...),
or old versions (ancient sendmail, some wuftpds, etc...) are easier to put
behind a firewall than make secure enough to allow "in public". A single
FreeBSD host with an admin who watches alerts does not need an extra point
of failure between it and The Net or the cost and overhead of an extra
firewall. For several of my smaller customers, it *is* the firewall as
well as the application server.
If your users are all using POP and telnet on the local net, cool, but
what do you do when they *need* ssh or telnet from "anywhere" and pick a
dumb password? Nothing technical can fix that. If they don't need anything
but the local LAN, FreeBSD's access controls are as good as any firewall.
Or have I had too much to think tonight? - Jy@

On Wed, 13 Dec 2000, Terry Zink wrote:

> Rather easily. If the outsider cannot get into the proper services (ssh
> most likely) to log in, then he can't crack.
>
> Most crackers use telnet, or pop. But if he finds the pop pass he can't do
> much if telnet and ssh are closed to all but the internal network.
[ ... ]
> At 10:09 AM 12/13/00 -0700, Brett the Glass wrote:
> >Pardon me if I'm missing something here, but how would a firewall
> >prevent someone from cracking a guessable password on a legitimate
> >user account?
> >At 09:18 AM 12/13/2000, Robert McCallum wrote:
> > >My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> > >the server 'yet'. But I do see that they have obtained access to a user
> > >account. It appears they cracked a user's account which I found out that one
> > >of my users did not adhere to our security policy and set a password that
> > >was not in accordance to our password policy.
[ ... ]
> > >In conclusion, I need to set up a firewall on that particular host ASAP.
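James's point that a single FreeBSD host can be its own firewall, as an added example that is not part of the thread: a sh script that emits an ipfw ruleset and matching tcp-wrappers lines so that ssh and POP3 are reachable only from the internal LAN while the public services stay open. The LAN prefix, the rule numbers, and the assumption that the host serves DNS, SMTP and HTTP (as Robert's did) are mine, not the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the host-side access
# controls James describes for a FreeBSD box that is its own firewall:
# login-capable or weakly authenticated services (ssh, POP3) reachable only
# from the internal LAN, while the public services of a DNS/MAIL/WEB host
# stay open. The LAN prefix is a constructed placeholder (RFC 5737 range).
LAN_CIDR="${LAN_CIDR:-192.0.2.0/24}"
LAN_NET="${LAN_NET:-192.0.2.0}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# Print an ipfw ruleset on stdout. Nothing is applied here: review it, save
# it, then load it with 'ipfw -q /path/to/file' (-q silences the flush prompt).
gen_ipfw_rules() {
    lan="$1"
    echo "flush"
    # loopback traffic and packets belonging to connections already open
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 allow tcp from any to any established"
    # ssh and POP3 accept passwords, so only the internal LAN may open them;
    # telnet (23) appears nowhere, so it falls through to the default deny
    echo "add 300 allow tcp from ${lan} to me 22 setup"
    echo "add 310 allow tcp from ${lan} to me 110 setup"
    # the services this host exists to provide stay open to the world
    echo "add 400 allow tcp from any to me 25,53,80 setup"
    echo "add 410 allow udp from any to me 53"
    echo "add 420 allow udp from me to any 53"
    # answers to this host's own resolver queries come back from port 53
    echo "add 430 allow udp from any 53 to me"
    # everything else is dropped and logged, so the admin who watches alerts
    # sees the probes that a separate firewall box would otherwise swallow
    echo "add 65000 deny log ip from any to any"
}

# Matching /etc/hosts.allow lines for tcp-wrappers, assuming sshd is built
# with libwrap (as FreeBSD's was at the time): this second layer still
# refuses non-LAN logins if the packet filter is ever flushed. The netmask
# form is used because old wrappers releases do not accept /prefix notation.
gen_hosts_allow() {
    net="$1"; mask="$2"
    printf 'sshd : %s/%s : allow\n' "$net" "$mask"
    printf 'sshd : ALL : deny\n'
}

gen_ipfw_rules "$LAN_CIDR"
echo "# ---- /etc/hosts.allow ----"
gen_hosts_allow "$LAN_NET" "$LAN_MASK"
```

Either layer alone closes ssh to outsiders; together they cover the case where one of them is misconfigured or disabled, which is the failure the thread is really arguing about.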