Date:      Sat, 26 May 2001 04:25:36 -0400 (EDT)
From:      Trevor Johnson <trevor@jpj.net>
To:        <david@banning.com>
Cc:        <questions@FreeBSD.ORG>
Subject:   Re: security question
Message-ID:  <20010526035526.T19318-100000@blues.jpj.net>
In-Reply-To: <200105260324.f4Q3OrH00551@d.tracker>

> I am setting up a small network of Windows desktops that are
> accessing the net through a FreeBSD server. If I disable telnet, ftp,
> and everything in inetd.conf leaving only http open, what are my
> risks?
>
> I have webadmin running.

Do you mean webmin?  I'm not familiar with it, but the ability to set up
accounts, Apache, DNS, and file-sharing sounds like something to be
cautious with.  If you don't truly need to be able to do these things from
outside the office, I'd suggest blocking outside access to it.  Otherwise,
using SSL with it would be the next best thing.

> I would *like* telnet and shell (rshd) to run, so I can telnet
> in. I can't imagine how someone could break in to a system, so
> I am pretty lost in assessing this risk.

Most implementations of telnet send your password and the contents of your
session in plain text (FreeBSD's has Kerberos).  Anyone who can intercept
the network traffic between the two computers can trivially read both.
With version 1 of the SSH protocol, this is (at least) difficult.  With
version 2 of the protocol, I think it is impractical.  I'm not sure
whether it is impractical for someone who has access to the secret keys
for both computers (say, a hostile person in your office who booted them
in single-user mode).  Someone who could do that could install a trojan
anyway.

> I know SSH is better for telnetting in to the server, but then
> it has to be on every machine that you telnet in from.

If you have a file server, you could keep a copy on there.  There are SSH
clients for Windows:  check on http://www.openssh.com/windows.html if you
haven't already.  The ones I've seen are reasonably lightweight (<2 MB).

> When I hear "don't use telnet unless you have to", I
> wonder. I know several sites that have telnet where I can log in,
> and those places are a lot bigger than my little ol' place.

People make mistakes. :)

> I'm going all over the place here. Maybe someone could recommend a good
> place to learn about this topic?
> I started with the FreeBSD Security How-to which is a good starter.

Maybe http://www.openssh.com/faq.html#1.2 or the sshd man page?
-- 
Trevor Johnson
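
An added example, not part of the original message: a shell function that lists the services still enabled in inetd.conf-format text and marks those that normally send passwords or session contents unencrypted. The service list and the sample file are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: report which inetd services are enabled, flagging the
# ones that normally carry logins or sessions in plain text.

# Assumption of this example: services treated as cleartext.
# (telnet/ftp/exec send passwords in the clear; shell/login send the
# session in the clear and rely on host-based trust.)
CLEARTEXT="telnet ftp shell login exec"

# Reads inetd.conf-format text on stdin.
# Fields: service socket-type protocol wait/nowait user server args...
audit_inetd() {
    awk -v list="$CLEARTEXT" '
        BEGIN {
            n = split(list, a, " ")
            for (i = 1; i <= n; i++) bad[a[i]] = 1
        }
        # Commented-out (disabled) entries, blank and short lines are skipped.
        $1 ~ /^#/ || NF < 6 { next }
        {
            status = ($1 in bad) ? "CLEARTEXT" : "review"
            printf "%s %s/%s %s\n", status, $1, $3, $6
        }
    '
}

# Constructed sample input (not taken from any real host).
sample_conf() {
    cat <<'EOF'
# constructed inetd.conf fragment
#ftp    stream  tcp  nowait  root     /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root     /usr/libexec/telnetd  telnetd
shell   stream  tcp  nowait  root     /usr/libexec/rshd     rshd
#login  stream  tcp  nowait  root     /usr/libexec/rlogind  rlogind
ntalk   dgram   udp  wait    tty:tty  /usr/libexec/ntalkd   ntalkd
EOF
}

# Stand-alone run on the sample; on a real system: audit_inetd < /etc/inetd.conf
sample_conf | audit_inetd
```

Lines marked "review" are enabled services outside the cleartext list; they still need a decision on whether they should be reachable at all.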

