From owner-freebsd-questions Thu Nov 8 7:24:16 2001
Date: Thu, 8 Nov 2001 10:23:56 -0500
From: Kutulu
To: Anthony Atkielski
Cc: Giorgos Keramidas, freebsd-questions@FreeBSD.ORG
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Message-ID: <20011108102356.B10218@pr0n.kutulu.org>

On Thu, Nov 08, 2001 at 09:08:08AM +0100, Anthony Atkielski wrote:
> Giorgos writes:
>
> > I let people login as normal users on my workstation
> > from places like New Zealand, Australia or Canada ...
>
> Via telnet or SSH?
>
> Is there any danger in allowing telnet login of unprivileged users on a system,
> apart from the possibility of compromise of the user's own account? That is,

There is a danger in letting *any* users log into a system.
There are typically many more ways to exploit programs if you have a local
account and can execute commands, than if you were limited to what packets
could get past the various levels of router/firewall/closed sockets that can
drop remote traffic.

It's also unfortunately the case that, quite often, admins tend to lag behind
in fixing 'local exploit' problems because they tend not to trigger things
like IDS or firewall systems, and don't get as much 'peer press' as remote
exploits.

This doesn't mean not to allow anyone on your machine ever, but it is a good
argument against letting "everyone" on your machine, as in your anonymous
guest account. And, of course, it means you will have to be that much more
secure and vigilant with your system.

--K