From: Trevor Johnson
Date: Sat, 26 May 2001 04:25:36 -0400 (EDT)
Subject: Re: security question
In-Reply-To: <200105260324.f4Q3OrH00551@d.tracker>
Message-ID: <20010526035526.T19318-100000@blues.jpj.net>

> I am setting up a small network of Windows desktops that are
> accessing the net through a FreeBSD server. If I disable telnet, ftp,
> and everything in inetd.conf leaving only http open, what are my
> risks?
>
> I have webadmin running.

Do you mean webmin? I'm not familiar with it, but the ability to set up
accounts, Apache, DNS, and file-sharing sounds like something to be
cautious with. If you don't truly need to be able to do these things
from outside the office, I'd suggest blocking outside access to it.
Otherwise, using SSL with it would be the next best thing.

> I would *like* telnet and shell (rshd) to run, so I can telnet
> in. I can't imagine how someone could break in to a system, so
> I am pretty lost in assessing this risk.

Most implementations of telnet send your password and the contents of
your session in plain text (FreeBSD's has Kerberos). Anyone who can
intercept the network traffic between the two computers can trivially
read both. With version 1 of the SSH protocol, this is (at least)
difficult. With version 2 of the protocol, I think it is impractical.
I'm not sure whether it is impractical for someone who has access to the
secret keys for both computers (say, a hostile person in your office who
booted them in single-user mode). Someone who could do that could
install a trojan anyway.

> I know SSH is better for telnetting in to the server, but then
> it has to be on every machine that you telnet in from.

If you have a file server, you could keep a copy on there. There are SSH
clients for Windows: check on http://www.openssh.com/windows.html if you
haven't already. The ones I've seen are reasonably lightweight (<2 MB).

> When I hear "don't use telnet unless you have to", I
> wonder. I know several sites that have telnet where I can login,
> and those places are a lot bigger than my little ol' place.

People make mistakes. :)

> I'm going all over the place here. Maybe someone could recommend a good
> place to learn about this topic?
> I started with the FreeBSD Security How-to which is a good starter.

Maybe http://www.openssh.com/faq.html#1.2 or the sshd man page?
--
Trevor Johnson
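The question above is about disabling telnet, ftp and the rest of inetd.conf. As an added example that is not part of this thread, the POSIX shell script below audits an inetd.conf for enabled services that carry passwords or sessions in cleartext (or rely on rsh-style host trust); the sample inetd.conf and the service list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report enabled cleartext
# remote-access services in an inetd.conf. Lines follow the inetd.conf(5)
# layout: service socket-type protocol wait/nowait user server-program args.
# A leading '#' disables an entry. The sample below is constructed.

SAMPLE_INETD_CONF=$(cat <<'EOF'
# Sample inetd.conf (constructed) -- commented lines are disabled
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF
)

# Services whose passwords or sessions travel in plain text, or which
# trust the client host (rsh/rlogin). Constructed list for this example.
CLEARTEXT_SERVICES="ftp telnet shell login exec"

# Read inetd.conf text on stdin; print the service name (first field) of
# every entry that is not commented out or blank, one per line.
enabled_services() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' | awk '{ print $1 }'
}

# Read inetd.conf text on stdin; print each enabled service that is in
# CLEARTEXT_SERVICES. Returns 1 if any were found, 0 if the file is clean.
report_cleartext() {
    found=0
    for svc in $(enabled_services); do
        for bad in $CLEARTEXT_SERVICES; do
            if [ "$svc" = "$bad" ]; then
                echo "$svc"
                found=1
            fi
        done
    done
    return $found
}

# Usage on the constructed sample; on a real host: report_cleartext < /etc/inetd.conf
printf '%s\n' "$SAMPLE_INETD_CONF" | report_cleartext
```

A non-zero exit status lets the audit fail a cron job or a post-install check when one of the listed services is still enabled.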