security blather Re: [techtalk] login restriction

Susannah D. Rosenberg indrani at mindspring.com
Fri Jul 7 14:36:36 EST 2000


"Fan, Laurel" wrote:
> 
> Susannah D. Rosenberg, indrani at mindspring.com, said:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
> 
> Taking out rlogind and telnetd won't close port 25.  And I'm assuming a
> mail server would like to leave the smtp port open.

yep. but there's a difference between being able to /telnet/ to port 25,
and opening an smtp connection to port 25.

granted, the best way to really make sure that packets heading for
specific ports are properly formatted is to do really intense
packet/socket filtering via firewall (Checkpoint's Firewall-1 can do
this, as I believe can a few others), but the fewer services you have
running the less chance you have for this kind of attack.

telnetd (and to a lesser extent rlogind) are /bad/. without using them
in the intended manner, they can be used to gather lots of information
about target systems, and to attack and exploit them. there are much
better methods of logging in remotely (ssh!), and telnet especially can
be used in all kinds of information gathering, attacks, exploits, etc,
etc. everyone knows what a horrible security hole finger is, right?
telnet and rlogin are just as risky. there's absolutely no reason to
leave them running. (then again, blind trust in ssh is foolish as well,
but properly administered it's much better than telnet. the trick is the
whole "trusted hosts" bit, but that's always a weak point in crypto,
anyway)

(btw: am i the /only/ one who turns off nearly everything in 
/etc/inetd.conf by default? is people's general security consciousness
this bad? if you haven't already edited your default inetd.conf, try
portscanning yourself sometime [nmap's a good tool for this --
www.insecure.org if your distro doesn't have it standard]. you'd be
amazed to see the kind of things that a default install of, say, redhat,
leaves flapping in the wind. mmm. port 6000! even scarier, try doing a
/UDP/ scan on yourself. if the scan comes up with a good eight, nine,
ten services you don't even /use/ coming back -- be scared. be /very/
scared.)
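
Added example, not part of the original post: a small shell audit of an inetd.conf-style file that lists every entry still enabled and marks telnet, login (the inetd service name for rlogind) and finger for review. The sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list services still enabled in an inetd.conf-style file.
# inetd.conf fields: service socket-type protocol wait-flag user server [args]

# Constructed sample, not taken from any real host.
sample_inetd_conf() {
cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#time   dgram   udp     wait    root    internal
echo    dgram   udp     wait    root    internal
EOF
}

# Read inetd.conf text on stdin; print "<service>/<proto> <server>[ REVIEW]"
# for every entry that is not commented out.
enabled_services() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blanks, short lines
        {
            # When the entry is wrapped by tcpd, the real daemon is field 7.
            server = ($6 ~ /\/tcpd$/ && NF >= 7) ? $7 : $6
            flag = ($1 ~ /^(telnet|login|finger)$/) ? " REVIEW" : ""
            printf "%s/%s %s%s\n", $1, $3, server, flag
        }
    '
}

# Read inetd.conf text on stdin; count enabled entries for protocol $1.
count_enabled() {
    enabled_services | awk -v p="$1" -F'[/ ]' '$2 == p { n++ } END { print n + 0 }'
}

# Stand-alone run: audit the constructed sample.
sample_inetd_conf | enabled_services
```

On a real host, feed it the live file instead of the sample: `enabled_services < /etc/inetd.conf`.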




