From: "Joe & Fhe Barbish"
To: "Alfatrion"
Cc: "FBSD Questions"
Subject: RE: telnet/ftp security
Date: Sat, 19 Jan 2002 14:48:07 -0500

I only access the FBSD/gateway/ipfw box from ms/windows machines.
You implied the SSH(v2) and sftp are the equivalent encrypted versions
of telnet & ftp. Are these windows clients, and if so where do I get
them from?

I read the man skey and its associated other commands' man pages.
As usual these man pages lack any how to setup and use info.
Is there any how-to-use info you can point me to?

Thanks
Joe

-----Original Message-----
From: Alfatrion [mailto:alfatrion@cybertron.tmfweb.nl]
Sent: Saturday, January 19, 2002 11:32 AM
To: Joe & Fhe Barbish
Cc: FBSD Questions
Subject: Re: telnet/ftp security

Hello Joe,

Saturday, January 19, 2002, 5:08:57 PM, you wrote:

JFB> I have telnet & FTP ID/PW access to my FBSD gateway/ipfw
JFB> box from the internet. Are there any security holes in
JFB> these two applications that would allow breaking into my system?

The biggest security hole in those applications is the lack of
security. Both applications send the usernames, passwords and the data
unencrypted. All one has to do is sniff the username and passwords to
gain access to the system. SSH(v2) and sftp are the equivalent
encrypted versions. (A lot of other protocols are unsafe too, like
pop3, smtp, etc.)

I have my machine set up so that it cannot be reached from the
internet with telnet, but did leave other protocols untouched. To
compromise for this I installed the use of one-time-use passwords, for
certain users. You can check 'man skey' for this.

--
Best regards,
 Alfatrion                          mailto:alfatrion@cybertron.tmfweb.nl
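
Added example, not part of the original emails and not the skey(1) code: a sketch of the hash-chain idea behind S/Key-style one-time passwords, showing why a password sniffed from a telnet or ftp login cannot be replayed. SHA-256, the names h, chain, OtpServer and demo, and the seed and pass phrase are assumptions made for illustration; the real skey tools use MD4/MD5 output folded to 64 bits and print it as short words.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # One hash step. SHA-256 is an assumption of this sketch, not what skey uses.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    # The n-th one-time password: h() applied n times to seed + secret.
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class OtpServer:
    """Keeps only the last accepted password and its sequence number.
    The pass phrase itself is never stored on, or sent to, the server."""

    def __init__(self, seed: bytes, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self):
        # Sent in cleartext: the sequence number the client must answer.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # chain used up; the user must re-initialise
        # Hashing the response once must give the previously stored value.
        if not hmac.compare_digest(h(response), self.last):
            return False
        self.last = response  # next login needs the preimage of this one
        self.count -= 1
        return True

def demo():
    secret, seed = b"constructed pass phrase", b"gw12345"  # constructed values
    server = OtpServer(seed, 100, chain(secret, seed, 100))
    n, s = server.challenge()
    on_the_wire = chain(secret, s, n)      # what a sniffer would capture
    first = server.verify(on_the_wire)     # legitimate login
    replay = server.verify(on_the_wire)    # captured value sent again
    n2, s2 = server.challenge()
    second = server.verify(chain(secret, s2, n2))  # next legitimate login
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```

The captured value is only the hash of the next password, so turning it into a valid login would require inverting the hash function.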