From owner-freebsd-questions Sat May 26 7:43:47 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from clmboh1-smtp3.columbus.rr.com (clmboh1-smtp3.columbus.rr.com [65.24.0.112]) by hub.freebsd.org (Postfix) with ESMTP id F344437B424 for ; Sat, 26 May 2001 07:43:42 -0700 (PDT) (envelope-from wmoran@iowna.com)
Received: from iowna.com (dhcp065-024-023-038.columbus.rr.com [65.24.23.38]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f4QEeWk08480; Sat, 26 May 2001 10:40:33 -0400 (EDT)
Message-ID: <3B0FC0D0.28E01292@iowna.com>
Date: Sat, 26 May 2001 10:42:24 -0400
From: Bill Moran
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: david@banning.com
Cc: questions@FreeBSD.ORG
Subject: Re: security question
References: <200105260324.f4Q3OrH00551@d.tracker>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

David Banning wrote:
>
> I am setting up a small network of Windows desktops that are
> accessing the net through a FreeBSD server. If I disable telnet, ftp,
> and everything in inetd.conf leaving only http open, what are my
> risks?

Your risks are that someone will crack through your http server(s). All you
need to do at this point is monitor security alerts for whatever web server
you're running and keep it up to date.

> I have webadmin running.

DO NOT run webmin over the internet via http. You are absolutely begging for
trouble if you do that. Install it to run over https if you want to access it
via the Internet (I believe there's a how-to with the installation). If you
only want to use webmin internally, be sure to block port 901 from the outside.

> I would *like* telnet and shell (rshd) to run, so I can telnet
> in. I can't imagine how someone could break in to a system, so
> I am pretty lost in assessing this risk.

If you're only using telnet/ftp internally you have a very low risk. However,
if you are using telnet/ftp over the Internet the risk is VERY HIGH. Here is a
common scenario of what might happen.

Cracker manages to compromise one of your ISP's firewalls/routers or any other
intermediate machine between your telnet client and telnet server. He runs a
traffic sniffing script that is filtering out useful data like telnet
passwords and emailing it to him regularly. You log in one day and su to root
to make some minor config change on the system. The cracker now has full
access to your network, and will likely use it as a jump point for other
attacks (if he has no interest in it directly). So even if he doesn't bother
to hurt you, he has used you to further compromise the internet as a whole.

A similar scenario could occur with webmin or ftp.

If you'd like to see a demonstration, I'd be happy to arrange it, I've done
it for other folks to scare them into sanity.

> I know SSH is better for telneting in to the server, but then
> it has to be on every machine that you telnet in from.

Weigh the cost vs. risk here. A free windows ssh client like putty
(http://www.chiark.greenend.org.uk/~sgtatham/putty/) makes you a fool not to
use ssh.

> When I hear "don't use telnet unless you have to", I
> wonder. I know several sites that have telnet where I can login,
> and those places are a lot bigger than my little ol' place.

This is exactly why it is so dangerous. Large numbers of systems are already
compromised, each one of these can be used to sniff passwords, etc. Remember
those highly publicized attacks on yahoo and others not long ago. Those
attacks required hundreds of cracked computers to execute. If you're wondering
why someone would bother to attack you, then ask yourself this: why would
someone bother to cripple yahoo's servers? There was no financial gain
involved. No credit card numbers were stolen.

At the very least, you don't want to be one of the people who gets a call the
next time. "Mr. Banning, it appears your server has been cracked and is being
used as part of a large scale denial of service attack, could you please take
the necessary steps to stop this attack and re-secure your server."
(Generally means, shutdown your machine and reinstall, change every password -
since there's no other way to guarantee the security after that.)

> If I use telnet, is there really such a risk?

Yes. I was a victim of it recently.

> I'm going all over the place here. Maybe someone could recommend a good
> place to learn about this topic?
> I started with the FreeBSD Security How-to which is a good starter.

www.rootprompt.org generally has good articles on this topic.

-Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
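As an added example (not part of the thread above, and not a FreeBSD tool), the POSIX sh script below checks the "disable telnet, ftp, and everything in inetd.conf" posture that David describes and Bill endorses: it lists which inetd.conf services are actually enabled, flags the ones whose logins cross the wire in the clear, and produces a copy with those lines commented out. The list of cleartext-credential services and the sample inetd.conf are the editor's constructions, not taken from any real system.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for cleartext-login services.
# Not from the mailing-list thread; the service list and the sample file
# below are constructed for illustration.

# Services whose credentials travel unencrypted (editor's list, an assumption).
CLEARTEXT_SERVICES="telnet ftp shell login exec"

# Print the service name (field 1) of every active, uncommented inetd.conf line.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print only the enabled services that appear in CLEARTEXT_SERVICES.
cleartext_inetd_services() {
    enabled_inetd_services "$1" | while read -r svc; do
        case " $CLEARTEXT_SERVICES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Report; returns 1 if any cleartext-login service is enabled, 0 otherwise.
audit_inetd_conf() {
    found=$(cleartext_inetd_services "$1")
    if [ -n "$found" ]; then
        echo "cleartext-login services enabled in $1:"
        echo "$found" | sed 's/^/  /'
        return 1
    fi
    echo "no cleartext-login services enabled in $1"
    return 0
}

# Write a hardened copy of the file with the cleartext services commented out.
disable_cleartext_services() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        !/^[[:space:]]*#/ && NF >= 6 && ($1 in bad) { print "#" $0; next }
        { print }' "$1"
}

# Constructed sample inetd.conf (not a real system's file): ftp and telnet
# are live, rsh/rlogin are already off, comsat is a harmless non-login service.
SAMPLE_INETD_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF" "$HARDENED_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# Internet server configuration database (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF

# Before: the audit fails because ftp and telnet are enabled.
audit_inetd_conf "$SAMPLE_INETD_CONF" || echo "-> disabling them in a copy"

# After: comment them out and re-run the audit on the hardened copy.
disable_cleartext_services "$SAMPLE_INETD_CONF" > "$HARDENED_CONF"
audit_inetd_conf "$HARDENED_CONF"
```

On a live box you would write the hardened output over /etc/inetd.conf and send inetd a HUP (or stop it entirely if nothing remains); the script deliberately only writes to a temporary copy. Webmin on port 901 is a standalone daemon rather than an inetd service, so it needs the separate firewall rule Bill mentions and is not covered by this check.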