Date:      Thu, 22 Feb 2001 23:22:24 +1000
From:      "Doug Young" <dougy@bryden.apana.org.au>
To:        <cjclark@alum.mit.edu>, "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc:        "Macrolosa" <edvard@post.omnitel.net>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: login-MODEM
Message-ID:  <00cb01c09cd2$84442ea0$847e03cb@apana.org.au>
References:  <00dd01c09c49$494b6f40$847e03cb@apana.org.au> <004701c09cad$b8c88c40$1401a8c0@tedm.placo.com> <20010222013718.G89396@rfx-216-196-73-168.users.reflex>

I don't profess to be any kind of guru, so the easiest workable solution
I could implement was to remove all non-essential services from mission
critical machines, lock those boxes down as much as possible given my
ability (or lack thereof) & then allow regular users shell access to what
Ted described as "kiddy playpens" or somesuch. That's worked far better
than the previous system where all & sundry had access of some kind to
the more mission critical machines. At least we haven't been hacked since
then whereas it used to be a regular occurrence, albeit only once or
twice a year. I've been considering building some OpenBSD systems for the
gateways ... some seem to believe they are a better solution than FreeBSD
for that purpose.


----- Original Message -----
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc: "Doug Young" <dougy@bryden.apana.org.au>; "Macrolosa"
<edvard@post.omnitel.net>; <freebsd-questions@FreeBSD.ORG>
Sent: Thursday, February 22, 2001 7:37 PM
Subject: Re: login-MODEM


> On Thu, Feb 22, 2001 at 12:59:10AM -0800, Ted Mittelstaedt wrote:
>
> [snip]
>
> > There's nothing to running a shell server as long as you take a few
> > simple precautions.
>
> *boggle*
>
> It is pretty much assumed that if a user can get local, he can get
> root. For recent FreeBSD examples, take the /proc holes (and there are
> probably more) used to get the webserver. OpenBSD had some chpass and
> others publicized back in October. And this is my favorite, pretty
> much EVERY SINGLE Solaris BOX IN THE WORLD has a particular local root
> exploit that has no reasonable work around or vendor patch.
>
> > You're way overstating the security risks here.  What risks?!  There's
> > nothing that a user can do on a shell server that they can't do already
> > by setting up a UNIX system and dialing into us, except for screwing
> > other users on that server,
>
> And every time some kiddie nukes the server and uses your bandwidth to
> scan half the Internet for portmap, you have to fix it and get all of
> the hate mail.
>
> > Rubbish - you're making things way hard for yourself.  UNIX already has
> > excellent security for this - you just need to understand it.
>
> UNIX does not have strong security. It was not originally designed for
> security. That's not to say it is not as strong or stronger than the
> other extremely popular operating systems of today, but those are very
> weak too.
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>

