Date:      Thu, 14 Dec 2000 00:09:54 -0600 (CST)
From:      James Wyatt <jwyatt@rwsystems.net>
To:        Terry Zink <tzink@metrocon.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: 911 lockdown!
Message-ID:  <Pine.BSF.4.10.10012132040570.3064-100000@bsdie.rwsystems.net>
In-Reply-To: <5.0.0.25.0.20001213132136.00a2c7b0@mail.metrocon.com>

Uh, service access can easily be controlled with ipfw, tcp-wrappers, or
ipfilter. Ssh has the sshd_config file as well. These tools and others in
its arsenal make FreeBSD an excellent bastion host OS. (But we all know
that here, right? (^_^))

Firewalls are to prevent harm to hosts (incl. workgroups) that cannot
always be trusted or even hardened enough to let remain unprotected.
Groups of boxes running SMB/Sun RPCs (ala Windows file shares, NFS, NIS,
etc...), applications with weak authentication (open POP3, rsh, etc...),
or old versions (ancient sendmail, some wuftpds, etc...) are easier to
put behind a firewall than make secure enough to allow "in public".

A single FreeBSD host with an admin who watches alerts does not need an
extra point of failure between it and The Net or the cost and overhead of
an extra firewall. For several of my smaller customers, it *is* the
firewall as well as the application server.

If your users are all using POP and telnet on the local net, cool, but
what do you do when they *need* ssh or telnet from "anywhere" and pick a
dumb password? Nothing technical can fix that. If they don't need anything
but the local LAN, FreeBSD's access controls are as good as any firewall.

Or have I had too much to think tonight? - Jy@

On Wed, 13 Dec 2000, Terry Zink wrote:
> Rather easily.  If the outsider cannot get into the proper services (ssh
> most likely) to log in, then he can't crack.
> 
> Most crackers use telnet, or pop.  But if he finds the pop pass he can't do
> much if telnet and ssh are closed to all but the internal network.
	[ ... ]
> At 10:09 AM 12/13/00 -0700, Brett the Glass wrote:
> >Pardon me if I'm missing something here, but how would a firewall
> >prevent someone from cracking a guessable password on a legitimate
> >user account?
> >At 09:18 AM 12/13/2000, Robert McCallum wrote:
> > >My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> > >the server 'yet'. But I do see that they have obtained access to a user
> > >account. It appears they cracked a user's account which I found out that one
> > >of my users did not adhere to our security policy and set a password that
> > >was not in accordance with our password policy.
	[ ... ]
> > >In conclusion, I need to setup a firewall on that particular host ASAP.
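The host-based access controls Wyatt mentions (ipfw, and in the same spirit tcp-wrappers and ipfilter) are ordered rule lists: rules are tried in ascending number order, the first match decides, and a closing default-deny catches everything not explicitly opened. The following is an added example, not code from this thread or from FreeBSD itself: a small Python model of such a rule list for a host that is both application server and its own firewall, as Wyatt describes, with ssh reachable only from the internal LAN and mail, web and DNS open to anyone. The LAN prefix 192.168.1.0/24 and the policy itself are constructed assumptions; the `render()` output uses real ipfw(8) command syntax (the `setup`/`keep-state` keywords a production rule set would normally add are left out to keep the model small).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the thread): a minimal model of an ipfw-style
# ordered rule list. Rules are evaluated in ascending number order, the
# first match wins, and rule 65535 is the closing default deny.


@dataclass(frozen=True)
class Rule:
    number: int                   # ipfw rule number; lower numbers are tried first
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (ip = any protocol)
    src: ipaddress.IPv4Network    # source network the rule applies to
    dport: Optional[int]          # destination port, None = any port


ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN prefix (assumption)

# Constructed policy: ssh only from the internal LAN, SMTP/HTTP/DNS from
# anywhere, telnet (cleartext) not opened at all, everything else falls
# through to the default deny.
RULES: List[Rule] = [
    Rule(100, "allow", "tcp", INTERNAL, 22),
    Rule(200, "allow", "tcp", ANY, 25),
    Rule(300, "allow", "tcp", ANY, 80),
    Rule(400, "allow", "udp", ANY, 53),
    Rule(65535, "deny", "ip", ANY, None),
]


def render(rule: Rule) -> str:
    """Render one rule in ipfw(8) command syntax ('to me' = this host's addresses)."""
    port = "" if rule.dport is None else f" {rule.dport}"
    src = "any" if rule.src == ANY else str(rule.src)
    return f"ipfw add {rule.number} {rule.action} {rule.proto} from {src} to me{port}"


def first_match(rules: List[Rule], proto: str, src_ip: str, dport: int) -> Rule:
    """Return the first rule (by number) that matches the connection attempt."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    raise ValueError("rule set has no closing default rule")


def decide(rules: List[Rule], proto: str, src_ip: str, dport: int) -> str:
    """'allow' or 'deny' for a (proto, source, destination port) attempt."""
    return first_match(rules, proto, src_ip, dport).action


def audit(rules: List[Rule], attempts: List[Tuple[str, str, int]]) -> List[Tuple[str, int]]:
    """Evaluate several attempts at once; returns (action, matching rule number) per attempt."""
    return [(r.action, r.number) for r in (first_match(rules, *a) for a in attempts)]


if __name__ == "__main__":
    for rule in RULES:
        print(render(rule))
    # Constructed connection attempts: internal ssh, outside ssh, outside SMTP,
    # internal telnet, outside DNS.
    attempts = [
        ("tcp", "192.168.1.10", 22),
        ("tcp", "203.0.113.5", 22),
        ("tcp", "203.0.113.5", 25),
        ("tcp", "192.168.1.10", 23),
        ("udp", "198.51.100.7", 53),
    ]
    for attempt, (action, number) in zip(attempts, audit(RULES, attempts)):
        print(f"{attempt[0]} {attempt[1]} -> port {attempt[2]}: {action} (rule {number})")
```

The point the model makes explicit is the one Zink and Wyatt are arguing from: with rule 100 scoped to the LAN, a guessed password is only usable by someone who can already reach port 22 from inside, and the default-deny means forgetting to open telnet closes it rather than leaving it exposed. Running the script prints the equivalent `ipfw add` lines, so the same policy can be compared line by line against what a real rc.firewall loads.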



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message