Date:      Sun, 27 May 2001 00:39:23 -0500
From:      David Banning <sky_tracker@yahoo.com>
To:        Bill Moran <wmoran@iowna.com>
Cc:        david@banning.com, questions@FreeBSD.ORG
Subject:   Re: security question
Message-ID:  <20010527003923.A1691@yahoo.com>
In-Reply-To: <3B0FC0D0.28E01292@iowna.com>; from wmoran@iowna.com on Sat, May 26, 2001 at 10:42:24AM -0400
References:  <200105260324.f4Q3OrH00551@d.tracker> <3B0FC0D0.28E01292@iowna.com>

On Sat, May 26, 2001 at 10:42:24AM -0400, Bill Moran wrote:
> David Banning wrote:
> > 
> > I am setting up a small network of Windows desktops that are
> > accessing the net through a FreeBSD server. If I disable telnet, ftp,
> > and everything in inetd.conf leaving only http open, what are my
> > risks?
> 
> Your risks are that someone will crack through your http server(s). All
> you need to do at this point is monitor security alerts for whatever web
> server you're running and keep it up to date.
> 
> > I have webadmin running.
> 
> DO NOT run webmin over the internet via http. You are absolutely begging
> for trouble if you do that. 

OK, OK, I won't.

> Install it to run over https if you want to
> access it via the Internet (I believe there's a how-to with the
> installation). If you only want to use webmin internally, be sure to
> block port 901 from the outside.

I will look into that.

> 
> > I would *like* telnet and shell (rshd) to run, so I can telnet
> > in. I can't imagine how someone could break in to a system, so
> > I am pretty lost in assessing this risk.
> 
> If you're only using telnet/ftp internally you have a very low risk.
> However, if you are using telnet/ftp over the Internet the risk is VERY
> HIGH. Here is a common scenario of what might happen.
> Cracker manages to compromise one of your ISPs firewalls/routers or any
> other intermediate machine between your telnet client and telnet server.
> He runs a traffic sniffing script that is filtering out useful data like
> telnet passwords and emailing it to him regularly. You log in one day
> and su to root to make some minor config change on the system. The
> cracker now has full access to your network, and will likely use it as a
> jump point for other attacks (if he has no interest in it directly). So
> even if he doesn't bother to hurt you, he has used you to further
> compromise the internet as a whole.
> A similar scenario could occur with webmin or ftp. If you'd like to see
> a demonstration, I'd be happy to arrange it, I've done it for other
> folks to scare them into sanity.
How does the demonstration go?

> 
> > I know SSH is better for telneting in to the server, but then
> > it has to be on every machine that you telnet in from.
> 
> Weigh the cost vs. risk here. A free windows ssh client like putty
> (http://www.chiark.greenend.org.uk/~sgtatham/putty/) makes you a fool
> not to use ssh.

OK - I've got it, I've been using the telnet side. I'm just trying
to figure out how to use SSH.

> 
> > When I hear "don't use telnet unless you have to", I
> > wonder. I know several sites that have telnet where I can login,
> > and those places are a lot bigger than my little'ol place.
> 
> This is exactly why it is so dangerous. Large numbers of systems are
> already compromised, each one of these can be used to sniff passwords,
> etc. Remember those highly publicized attacks on yahoo and others not
> long ago. Those attacks required hundreds of cracked computers to
> execute.
> If you're wondering why someone would bother to attack you, then ask
> yourself this: why would someone bother to cripple yahoo's servers?
> There was no financial gain involved. No credit card numbers were
> stolen.
> At the very least, you don't want to be one of the people who gets a
> call the next time. "Mr. Banning, it appears your server has been
> cracked and is being used as part of a large scale denial of service
> attack, could you please take the necessary steps to stop this attack
> and re-secure your server." (Generally means, shutdown your machine and
> reinstall, change every password - since there's no other way to
> guarantee the security after that.)

Yikes-
> > place to learn about this topic?
> > I started with the FreeBSD Security How-to which is a good starter.
> 
> www.rootprompt.org generally has good articles on this topic. 

Bill, your message has been very informative and helpful.
Thanks.
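An added example, not part of the thread, for the "everything in inetd.conf" step: a small sh audit that lists which inetd services are still enabled and flags the cleartext ones Bill warns about (telnet, ftp, shell/rshd, login/rlogind, exec). The inetd.conf it reads is constructed here, not the poster's real file.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf-style file and
# report enabled services, flagging those that send credentials in the clear.
# Fields in inetd.conf: service socktype proto wait/nowait user program args

# Print enabled service names, one per line, skipping comments and blanks.
enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Of the enabled services, print those that carry passwords unencrypted.
cleartext_services() {
    enabled_services "$1" | awk '
        BEGIN { risky["telnet"]; risky["ftp"]; risky["shell"];
                risky["login"]; risky["exec"] }
        ($1 in risky) { print $1 }'
}

# Constructed sample config: only ftp, telnet and shell are left enabled.
SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_INETD"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
# Sample inetd.conf (constructed for this example, not a real host's file)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#comsat dgram   udp     wait    tty     /usr/libexec/comsat     comsat
EOF

echo "Enabled inetd services:"
enabled_services "$SAMPLE_INETD"
echo "Cleartext services to comment out (then send inetd a HUP to reload):"
cleartext_services "$SAMPLE_INETD"
```

Run it against /etc/inetd.conf instead of the sample to see what a real host still exposes; an empty second list is the state the reply recommends before relying on ssh.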



