From owner-freebsd-questions  Tue Feb  3 19:42:11 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id TAA03490
          for questions-outgoing; Tue, 3 Feb 1998 19:42:11 -0800 (PST)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from cs1.cityscope.net (cs1.cityscope.net [206.222.183.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA03396
          for <freebsd-questions@FreeBSD.oRG>; Tue, 3 Feb 1998 19:41:49 -0800 (PST)
          (envelope-from bahwi@cityscope.net)
Received: from cs1 (pm1-90.cityscope.net [209.16.48.90]) by cs1.cityscope.net (8.8.8/8.6.9) with SMTP id VAA06148 for <freebsd-questions@FreeBSD.oRG>; Tue, 3 Feb 1998 21:45:23 -0600
Message-Id: <199802040345.VAA06148@cs1.cityscope.net>
Comments: Authenticated sender is <bahwi@mail.cityscope.net>
From: "bahwi" <bahwi@cityscope.net>
To: sporkl@dti.net
Date: Tue, 3 Feb 1998 21:37:05 +0000
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: Security
Reply-to: bahwi@technologist.com
In-reply-to: <Pine.BSF.3.96.980203222617.5335A-100000@mental>
X-mailer: Pegasus Mail for Win32 (v2.54)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG
X-To-Unsubscribe: mail to majordomo@FreeBSD.org "unsubscribe questions"

> If I were to let other people have telnet access to my machine, what
> would be a prudent number of security precautions to take?

Big question. (IMO)

1. Change the root password weekly, or every couple of days.

2. Disable the r* services, don't let people do that to you.

3. Shadow the password file(Can you do that in FreeBSD? I wonder)

4. Run a password cracking utility on YOUR own password file(NEVER on someone 
else's without their written permission) Make sure your users don't have simple 
passwords. Even the best security on a password file cannot prevent someone 
else from getting the file.

5. Check out http://www.rootshell.com/ and find everything you can.

6. Diallow rlogin and rsh and the other r* services.

7. Runs COPS(a port is available) and SATAN(SANTA for those who find it 
offensive)

8. Become Paranoid.

Perhaps I overdid it a bit, but I am paranoid without running a server(yet). 
Hope this helps.
-bahwi
email- bahwi@technologist.com
ICQ Name: bahwi                 UIN: 3328936
iChat Name: bahwi
-EOF