Date: Sat, 30 Mar 2002 11:36:20 -0400 From: "N. J. Cash" <ncash@pei.eastlink.ca> To: "Fernando Gleiser" <fgleiser@cactus.fi.uba.ar>, "Jesper Wallin" <z3l3zt@phucking.kicks-ass.org> Cc: <security@FreeBSD.ORG> Subject: Re: SSH or Telnet? Message-ID: <004101c1d800$a4a71ee0$6401a8c0@router.unknown.ca> References: <20020328201100.E6672-100000@cactus.fi.uba.ar>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
------=_NextPart_000_003E_01C1D7DF.1D16D900
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I would also recomend that you restrict access to ssh using =
/etc/hosts.allow if you would like some added security to just who all =
can ssh to your box.
Also, if you're going with ssh *which you should* I would only enable =
protocol 2 and restrict user access to ssh using /etc/ssh/sshd_config as =
well.
AllowUsers user1 user2 user3 etc...
DenyUsers root nobody etc...
At least if you're really parioned about sshd those steps will let you =
sleep a little better at night! : )
N. J. Cash
ncash@pei.eastlink.ca
----- Original Message -----=20
From: Fernando Gleiser=20
To: Jesper Wallin=20
Cc: security@FreeBSD.ORG=20
Sent: Thursday, March 28, 2002 7:42 PM
Subject: Re: SSH or Telnet?
On Thu, 28 Mar 2002, Jesper Wallin wrote:
> Hey!
>
>
> I've heard and seen alot of security problems related to SSH =
(OpenSSH) and
> many of my friends have been playing with alot of 0day exploits for =
it..
> Right now I'm running the latest port version of it on a =
non-standard port
> and hope to be secured with it.. I don't accualy see the reason to =
not use
> Telnet.. All I know tells me it's old and recommend me running =
OpenSSH
> instead..
Telnet also had some remote root vulnerabities.
Every program has bugs. You need to keep them up to date and apply all =
the
security fixes.
Also, having sshd runing in a non standard port doesn't buy you much.
There are scanners which try to verify which service is which port and
they will find out it's ssh even if it is listening in port 31337. =
=3D0)
>
> What is the best solution? Ofcause peoples are able to attack me =
with
> brute-force attacks and it's not encrypted.. well, all the peoples =
who've
> shell/ssh access are trusted and I think they know what they do..
The people may be trusted, but are you sure you can trust the networks =
they are
loging in from?
Besides sniffing, ssh protects you against other threats:
1. ssh has some protection against IP spoofing.
2. ssh has stronger authentication methods.
3. ssh protects you against session hijacking.
4. ssh lets you authenticate the server to the client.
5. ssh lets you tunnel an insecure protocol (POP, IMAP) through an =
encrypted
connection
You can use an SSL enabled telnet or IPSec for the first four, but I =
find
ssh easier to set up if all you need is remote login/shell/file =
transfer.
Fer
>
>
> Anyone have any idea/suggestion?
>
> //Jesper aka Z3l3zT
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
------=_NextPart_000_003E_01C1D7DF.1D16D900
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2713.1100" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2>I would also recomend =
that=20
you restrict access to ssh using /etc/hosts.allow if you would like =
some=20
added security to just who all can ssh to your box.</FONT></DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2>Also, if you're going =
with ssh=20
*which you should* I would only enable protocol 2 and restrict user =
access to=20
ssh using /etc/ssh/sshd_config as well.</FONT></DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2>AllowUsers user1 user2 =
user3=20
etc...<BR>DenyUsers root nobody etc...</FONT></DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2>At least if you're =
really parioned=20
about sshd those steps will let you sleep a little better at night! :=20
)</FONT></DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2></FONT> </DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2>N. J. Cash</FONT></DIV>
<DIV><FONT face=3D"Lucida Sans Unicode" size=3D2><A=20
href=3D"mailto:ncash@pei.eastlink.ca">ncash@pei.eastlink.ca</A></FONT></D=
IV>
<BLOCKQUOTE=20
style=3D"PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; =
BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style=3D"FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV=20
style=3D"BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: =
black"><B>From:</B>=20
<A title=3Dfgleiser@cactus.fi.uba.ar=20
href=3D"mailto:fgleiser@cactus.fi.uba.ar">Fernando Gleiser</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>To:</B> <A=20
title=3Dz3l3zt@phucking.kicks-ass.org=20
href=3D"mailto:z3l3zt@phucking.kicks-ass.org">Jesper Wallin</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Cc:</B> <A =
title=3Dsecurity@FreeBSD.ORG=20
href=3D"mailto:security@FreeBSD.ORG">security@FreeBSD.ORG</A> </DIV>
<DIV style=3D"FONT: 10pt arial"><B>Sent:</B> Thursday, March 28, 2002 =
7:42=20
PM</DIV>
<DIV style=3D"FONT: 10pt arial"><B>Subject:</B> Re: SSH or =
Telnet?</DIV>
<DIV><BR></DIV>On Thu, 28 Mar 2002, Jesper Wallin wrote:<BR><BR>>=20
Hey!<BR>><BR>><BR>> I've heard and seen alot of security =
problems=20
related to SSH (OpenSSH) and<BR>> many of my friends have been =
playing with=20
alot of 0day exploits for it..<BR>> Right now I'm running the =
latest port=20
version of it on a non-standard port<BR>> and hope to be secured =
with it..=20
I don't accualy see the reason to not use<BR>> Telnet.. All I =
know=20
tells me it's old and recommend me running OpenSSH<BR>>=20
instead..<BR><BR>Telnet also had some remote root =
vulnerabities.<BR>Every=20
program has bugs. You need to keep them up to date and apply all=20
the<BR>security fixes.<BR><BR>Also, having sshd runing in a non =
standard port=20
doesn't buy you much.<BR>There are scanners which try to verify which =
service=20
is which port and<BR>they will find out it's ssh even if it is =
listening in=20
port 31337. =3D0)<BR><BR>><BR>> What is the best solution? =
Ofcause peoples=20
are able to attack me with<BR>> brute-force attacks and it's not=20
encrypted.. well, all the peoples who've<BR>> shell/ssh access are =
trusted=20
and I think they know what they do..<BR><BR>The people may be trusted, =
but are=20
you sure you can trust the networks they are<BR>loging in =
from?<BR><BR>Besides=20
sniffing, ssh protects you against other threats:<BR><BR>1. ssh has =
some=20
protection against IP spoofing.<BR>2. ssh has stronger authentication=20
methods.<BR>3. ssh protects you against session hijacking.<BR>4. ssh =
lets you=20
authenticate the server to the client.<BR>5. ssh lets you tunnel an =
insecure=20
protocol (POP, IMAP) through an encrypted<BR> =20
connection<BR><BR>You can use an SSL enabled telnet or IPSec for the =
first=20
four, but I find<BR>ssh easier to set up if all you need is remote=20
login/shell/file =
transfer.<BR><BR><BR><BR><BR><BR>Fer<BR>><BR>><BR>>=20
Anyone have any idea/suggestion?<BR>><BR>> //Jesper aka=20
Z3l3zT<BR>><BR>><BR>><BR>> To Unsubscribe: send mail to <A =
=
href=3D"mailto:majordomo@FreeBSD.org">majordomo@FreeBSD.org</A><BR>> =
with=20
"unsubscribe freebsd-security" in the body of the=20
message<BR>><BR><BR><BR>To Unsubscribe: send mail to <A=20
=
href=3D"mailto:majordomo@FreeBSD.org">majordomo@FreeBSD.org</A><BR>with=20
"unsubscribe freebsd-security" in the body of the=20
message<BR></BLOCKQUOTE></BODY></HTML>
------=_NextPart_000_003E_01C1D7DF.1D16D900--
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004101c1d800$a4a71ee0$6401a8c0>