From owner-freebsd-questions Thu Nov 8 0: 2:14 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id 39C1B37B405 for ; Thu, 8 Nov 2001 00:02:08 -0800 (PST)
Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fA881KB18148; Thu, 8 Nov 2001 09:01:21 +0100 (CET)
Message-ID: <002501c1682b$a542b7a0$0a00000a@atkielski.com>
From: "Anthony Atkielski"
To: "Giorgos Keramidas" ,
References: <15330.6606.417524.41024@guru.mired.org> <002b01c1635f$5a5f4300$0a00000a@atkielski.com> <20011108022328.F79276@hades.hell.gr>
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Date: Thu, 8 Nov 2001 09:01:54 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Currently I have telnetd turned off, and only sshd is running. I also have all incoming telnet and ssh traffic blocked at the router, and I only log in from my tiny LAN. So I should be safe logging in directly as root, although I might reconsider if I ever need to log into the system from a remote location.

----- Original Message -----
From: "Giorgos Keramidas"
To: "Anthony Atkielski"
Cc:
Sent: Thursday, November 08, 2001 01:23
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD

> On Fri, Nov 02, 2001 at 06:29:27AM +0100, Anthony Atkielski wrote:
> > > And note that "massively inadequate" is *not* the same
> > > thing as "massively insecure".
> >
> > Point taken. In practice, however, administrators tend to drift towards
> > "massively insecure" as they try to overcome "massively inadequate."
> >
> > For example, one change I made to my system was to allow root logins
> > from remote terminals. I'd prefer to limit remote logins to root to
> > my other machine, which is on the LAN, but I'm not aware of an
> > option to force that, so I had to open root logins to the world.
> > Thus, in order to obtain needed functionality, I had to compromise
> > security far more than I would have liked.
>
> Don't do what `most administrators tend to do'. Disable root logins
> over the network again :)
>
> Use only su(1) to become root, as shown below:
>
> % su -
> Password: ********
> #
>
> This has the extra feature of having the fact that someone became
> root written to your logs:
>
> Nov 8 02:19:40 hades su: someuser to root on /dev/ttyp1
>
> Then use SSH to connect to your FreeBSD box, instead of Telnet.
> It does not let passwords and other sensitive data travel unencrypted
> over the wire, and the entire SSH session is encrypted too.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with
> "unsubscribe freebsd-questions" in the body of the message
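The reply above recommends su(1) over network root logins and points at the su audit line it leaves in syslog. The following POSIX shell script is an added example, not code from either poster: it pulls successful and failed su-to-root events out of constructed log lines in that format and reads the effective PermitRootLogin value from a constructed sshd_config excerpt, so an administrator can confirm the "disable root logins over the network" advice actually took effect. The "BAD SU" failure line format, the hostname "hades" and the user names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed syslog extract in the su(1) format quoted in the reply.
# Host name, user names and the "BAD SU" failure line are assumptions.
SAMPLE_LOG='Nov  8 02:19:40 hades su: someuser to root on /dev/ttyp1
Nov  8 02:20:05 hades sshd[1234]: Accepted publickey for someuser from 10.0.0.5 port 50122 ssh2
Nov  8 02:31:12 hades su: BAD SU someuser to root on /dev/ttyp2
Nov  8 03:02:50 hades su: otheruser to root on /dev/ttyp3
Nov  8 03:10:01 hades su: someuser to operator on /dev/ttyp1'

# Constructed sshd_config excerpt; the commented line must be ignored.
SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
#PermitRootLogin no
PermitRootLogin yes
Protocol 2'

# Successful "su: <user> to root on <tty>" events from stdin -> "<user> <tty>".
# Fields: 1-3 timestamp, 4 host, 5 "su:", 6 user, 7 "to", 8 target, 10 tty.
su_root_ok() {
    awk '$5 == "su:" && $6 != "BAD" && $7 == "to" && $8 == "root" { print $6, $10 }'
}

# Failed "su: BAD SU <user> to <target> ..." events from stdin -> "<user> <target>".
su_failed() {
    awk '$5 == "su:" && $6 == "BAD" && $7 == "SU" { print $8, $10 }'
}

# Effective PermitRootLogin from an sshd_config on stdin. sshd honours the
# first uncommented occurrence; prints "unset" if the option never appears.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

main() {
    echo "successful su to root (user tty):"
    printf '%s\n' "$SAMPLE_LOG" | su_root_ok
    echo "failed su attempts (user target):"
    printf '%s\n' "$SAMPLE_LOG" | su_failed
    setting=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_root_login)
    echo "sshd PermitRootLogin: $setting"
    # Anything other than "no" still allows root over the network.
    [ "$setting" = "no" ] || echo "WARNING: set 'PermitRootLogin no' in sshd_config"
}
main
```

On a live system replace the constructed samples with `/var/log/auth.log` (or wherever syslog sends auth messages) and `/etc/ssh/sshd_config`, e.g. `su_root_ok < /var/log/auth.log`.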