From: "Jonathan M. Slivko"
To: "Nate Williams", "Matt Piechota"
Cc: "Carroll, D. (Danny)"
Subject: Re: Silly crackers... NT is for kids...
Date: Fri, 17 Aug 2001 17:23:13 -0400

Which just brings me to another point, why not just turn ssh on by default
and turn telnetd off by default, given the latest exploit. Thanks for
bringing up a point that I wanted to bring to the security team for a while.

--
Jonathan M. Slivko
4EverMail Hosting Services
http://www.4evermail.com
"Are YOU ready for the new Internet?"
--

----- Original Message -----
From: "Nate Williams"
To: "Matt Piechota"
Cc: "Carroll, D. (Danny)"
Sent: Friday, August 17, 2001 5:11 PM
Subject: RE: Silly crackers... NT is for kids...

> > Even for authentication?
> >
> > I can understand using a telnet client to manually test SMTP servers or
> > other protocols, but I cannot understand why you *need* telnet.
> > Mind you I am against using pop3 as well, unless it's encrypted.
>
> Example 1:
> You're on an internal heavily firewalled corporate LAN, where none of your
> information is hidden between employees. So you don't care, and you don't
> have to worry about installing ssh on every PC's desktop, and teaching
> cluon-deprived people to use it.

Agreed, but given the recent telnetd exploit, I'm not sure you want it
on by default. Even in our heavily-firewalled environment, we don't
want *ALL* of the users to have root access on our FreeBSD boxes. :)

Having the users enable it by default makes them more aware of what's
going on. (Although, one could argue that all the folks who are still
infected with CodeRed initially enabled it, and have done nothing
since...)

> Example 2: You're running realtime applications, or applications that
> need all available processing power for performance reasons. The
> extra overhead of encrypting and decrypting the ssh traffic may drop
> your performance.

Then don't telnet into the box. If you need to monitor a box over an
insecure network, then encryption/decryption is a necessity, IMHO.

> Let's not forget that until the recently done work of the OpenSSH team,
> you couldn't use SSH in a commercial environment without paying for it.
> And besides, sniffing passwords isn't that terribly easy if you're using
> switched Ethernet anyways.

Actually, it is. See the archives of how easy it is to blow the switch
out of the water. :)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message