Date:      Sat, 26 May 2001 10:42:24 -0400
From:      Bill Moran <wmoran@iowna.com>
To:        david@banning.com
Cc:        questions@FreeBSD.ORG
Subject:   Re: security question
Message-ID:  <3B0FC0D0.28E01292@iowna.com>
References:  <200105260324.f4Q3OrH00551@d.tracker>

David Banning wrote:
> 
> I am setting up a small network of Windows desktops that are
> accessing the net through a FreeBSD server. If I disable telnet, ftp,
> and everything in inetd.conf leaving only http open, what are my
> risks?

Your risks are that someone will crack through your http server(s). All
you need to do at this point is monitor security alerts for whatever web
server you're running and keep it up to date.

> I have webadmin running.

DO NOT run webmin over the internet via http. You are absolutely begging
for trouble if you do that. Install it to run over https if you want to
access it via the Internet (I believe there's a how-to with the
installation). If you only want to use webmin internally, be sure to
block port 901 from the outside.

> I would *like* telnet and shell (rshd) to run, so I can telnet
> in. I can't imagine how someone could break in to a system, so
> I am pretty lost in assessing this risk.

If you're only using telnet/ftp internally you have a very low risk.
However, if you are using telnet/ftp over the Internet the risk is VERY
HIGH. Here is a common scenario of what might happen.
Cracker manages to compromise one of your ISP's firewalls/routers or any
other intermediate machine between your telnet client and telnet server.
He runs a traffic sniffing script that is filtering out useful data like
telnet passwords and emailing it to him regularly. You log in one day
and su to root to make some minor config change on the system. The
cracker now has full access to your network, and will likely use it as a
jump point for other attacks (if he has no interest in it directly). So
even if he doesn't bother to hurt you, he has used you to further
compromise the internet as a whole.
A similar scenario could occur with webmin or ftp. If you'd like to see
a demonstration, I'd be happy to arrange it; I've done it for other
folks to scare them into sanity.

> I know SSH is better for telneting in to the server, but then
> it has to be on every machine that you telnet in from.

Weigh the cost vs. risk here. A free windows ssh client like putty
(http://www.chiark.greenend.org.uk/~sgtatham/putty/) makes you a fool
not to use ssh.

> When I hear "don't use telnet unless you have to", I
> wonder. I know several sites that have telnet where I can login,
> and those places are a lot bigger than my little ol' place.

This is exactly why it is so dangerous. Large numbers of systems are
already compromised, each one of these can be used to sniff passwords,
etc. Remember those highly publicized attacks on yahoo and others not
long ago. Those attacks required hundreds of cracked computers to
execute.
If you're wondering why someone would bother to attack you, then ask
yourself this: why would someone bother to cripple yahoo's servers?
There was no financial gain involved. No credit card numbers were
stolen.
At the very least, you don't want to be one of the people who gets a
call the next time. "Mr. Banning, it appears your server has been
cracked and is being used as part of a large scale denial of service
attack, could you please take the necessary steps to stop this attack
and re-secure your server." (Generally means, shutdown your machine and
reinstall, change every password - since there's no other way to
guarantee the security after that.)

> If I use telnet, is there really such a risk?

Yes. I was a victim of it recently.

> I'm going all over the place here. Maybe someone could recommend a good
> place to learn about this topic?
> I started with the FreeBSD Security How-to which is a good starter.

www.rootprompt.org generally has good articles on this topic. 

-Bill
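The thread's practical advice boils down to two checks: make sure nothing that sends passwords in the clear (telnet, ftp, rshd and friends) is still enabled in inetd.conf, and block webmin's port 901, plus any cleartext service you keep for internal use, on the outside interface. The script below is an added example, not code from the thread or from FreeBSD: it parses an inetd.conf, reports which cleartext-login services are enabled, and emits ipfw deny rules for the external interface. The inetd.conf text is a constructed sample, the port numbers are the standard assignments for those services (901 for webmin is the value the thread gives), and the interface name `fxp0` is an assumption to be replaced with the real outside interface.

```python
"""Audit an inetd.conf for cleartext-login services and emit ipfw deny rules.

Added example, not part of the original mailing-list thread. The inetd.conf
below is a constructed sample; the ipfw interface name fxp0 is assumed.
"""

from dataclasses import dataclass

# Services whose authentication travels unencrypted over the wire. Ports are
# the standard assignments for each service.
CLEARTEXT_SERVICES = {
    "telnet": 23,
    "ftp": 21,
    "shell": 514,   # rshd
    "login": 513,   # rlogind
    "exec": 512,    # rexecd
}

# Webmin is not an inetd service, but the thread's advice is to block its
# port from the outside, so the emitted rules cover it too.
WEBMIN_PORT = 901

# Constructed sample, loosely modelled on a FreeBSD 4.x inetd.conf.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf (not a real system's file)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ssh    stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#exec   stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
"""


@dataclass(frozen=True)
class Finding:
    service: str
    port: int
    enabled: bool


def parse_inetd_conf(text):
    """Return {service: enabled} for every inetd.conf entry, commented or not.

    A commented-out entry ("#telnet stream tcp ...") is recorded as disabled;
    ordinary comment text is skipped because its second field is not a
    socket type.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # A real entry has at least: service socket proto wait user program
        if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
            continue
        entries[fields[0]] = enabled
    return entries


def audit(text):
    """Report every cleartext-login service present in the file, with its state."""
    entries = parse_inetd_conf(text)
    return [Finding(name, port, entries[name])
            for name, port in CLEARTEXT_SERVICES.items() if name in entries]


def ports_to_block(findings, webmin=True):
    """Ports that must not be reachable from the outside: every still-enabled
    cleartext service, plus webmin's port unless the caller opts out."""
    ports = {f.port for f in findings if f.enabled}
    if webmin:
        ports.add(WEBMIN_PORT)
    return sorted(ports)


def ipfw_rules(ports, ext_if="fxp0", start=1000):
    """Emit ipfw deny rules for inbound TCP to each port on the outside
    interface (ext_if is assumed; use the real external interface name)."""
    return [f"ipfw add {start + i * 10} deny tcp from any to any {port} in via {ext_if}"
            for i, port in enumerate(ports)]


if __name__ == "__main__":
    found = audit(SAMPLE_INETD_CONF)
    for f in found:
        state = "ENABLED (cleartext login)" if f.enabled else "disabled"
        print(f"{f.service:8} port {f.port:4}  {state}")
    print()
    for rule in ipfw_rules(ports_to_block(found)):
        print(rule)
```

Disabling the service in inetd.conf is the fix; the deny rules are the belt-and-braces layer for anything kept for LAN use, and they are deliberately stateless one-liners so they can be pasted into rc.firewall as-is.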
