From owner-freebsd-security Thu Mar 14 10:00:51 2002
Message-ID: <3C90E4F9.A4CA41CA@centtech.com>
Date: Thu, 14 Mar 2002 11:59:21 -0600
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
To: "N. J. Cash"
Cc: FreeBSD Security
Subject: Re: telnet / ipfw question

Why do you need telnet so badly?  The rules are fine, but those won't
matter when someone sniffs your plain text password and source IP, then
spoofs it and logs in as you.

Eric

"N. J. Cash" wrote:
>
> I have telnet enabled on my system running 4.5-stable and have it hidden
> behind very strict ipfw rules so that the only IP that has access to the box
> on port 23 is my home static IP; everything else is denied by the firewall.
> I'm well aware of the risks of having telnet open and how insecure it can be,
> so I'm just looking for some input here if this sounds like a safe way to
> have the daemon running on a system. Would there still be security risks
> involved that I'm not aware of, running it this way?
>
> Here's basically what's going on in ipfw for port 23.
>
> ipfw add 1400 allow log tcp from x.x.myip.x.x to any 23
> ipfw add 09000 deny log ip from any to any
>
> Look safe?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
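Added example (editor's illustration, not code from either poster). Eric's point is that the ipfw rule decides who may open a connection to port 23, but it does nothing about what an observer on the path learns from the session. The script below processes a constructed telnet capture the way a passive sniffer would: it strips the IAC option negotiation, tracks which server prompt the client is answering, and reassembles the keystrokes (including a backspace) into the login name and password. Hostname, account and password in the capture are invented; the option bytes and echo behaviour model a typical telnetd session.

```python
"""
Recover a telnet login from a captured session (added example).

Everything here is constructed: the capture is embedded inline and
nothing touches the network.  It demonstrates why a source-IP-only
firewall rule is not an authentication control for a cleartext protocol.
"""
from typing import Optional

# Telnet command bytes (RFC 854/855)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_options(data: bytes) -> bytes:
    """Drop IAC negotiation sequences, keeping only application bytes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                       # dangling IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                       # IAC IAC is an escaped 0xFF
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):  # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                      # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                                # other two-byte command
            i += 2
    return bytes(out)


def classify_prompt(server_text: bytes) -> Optional[str]:
    """Name the prompt the client was answering, from the last server line."""
    last = server_text.split(b"\n")[-1].lower()
    if b"password:" in last:
        return "password"
    if b"login:" in last:
        return "login"
    return None


def extract_credentials(records):
    """
    records: ordered (direction, bytes) pairs as a sniffer sees them;
    "S" is server->client, "C" is client->server.
    Returns {"login": ..., "password": ...} for whatever was answered.
    """
    creds = {}
    server_text = b""       # server output since the client's last line
    line = bytearray()      # client keystrokes for the current line
    for direction, raw in records:
        app = strip_telnet_options(raw)
        if direction == "S":
            server_text += app
            continue
        for b in app:
            if b in (0x08, 0x7F):            # BS/DEL: user corrected a typo
                if line:
                    line.pop()
            elif b == 0x0D:                  # CR ends the line
                label = classify_prompt(server_text)
                if label:
                    creds[label] = line.decode("ascii", "replace")
                line = bytearray()
                server_text = b""
            elif b in (0x0A, 0x00):          # LF/NUL trailing the CR
                continue
            else:
                line.append(b)
    return creds


# Constructed capture of a login to a telnetd (invented host and credentials).
CAPTURE = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),  # DO TTYPE, ...
    ("C", b"\xff\xfc\x18\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27"),  # WONT
    ("S", b"\xff\xfb\x01\xff\xfb\x03"),                          # WILL ECHO, SGA
    ("C", b"\xff\xfd\x01\xff\xfd\x03"),                          # DO ECHO, SGA
    ("S", b"\r\nFreeBSD/i386 (box.example.net) (ttyp0)\r\n\r\nlogin: "),
    ("C", b"n"), ("S", b"n"), ("C", b"j"), ("S", b"j"),          # server echoes
    ("C", b"c"), ("S", b"c"), ("C", b"\r\n"), ("S", b"\r\n"),
    ("S", b"Password:"),                                          # no echo here
    ("C", b"h"), ("C", b"u"), ("C", b"n"), ("C", b"t"), ("C", b"e"),
    ("C", b"r"), ("C", b"\x7f"), ("C", b"r"), ("C", b"2"), ("C", b"\r\n"),
    ("S", b"\r\nWelcome to FreeBSD!\r\n$ "),
]

if __name__ == "__main__":
    print(extract_credentials(CAPTURE))   # {'login': 'njc', 'password': 'hunter2'}
```

The same records would come from any hop between the home static IP and the server, which is why the allow rule's source-address check buys nothing against this attacker: once the password is known, the remaining barrier is the source address, which the reply above notes can be spoofed.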