Re: Remote telnet through firewall failing
From: Bill Vermillion (bv_at_wjv.com)
Date: 12/24/04
- Previous message: Bela Lubkin: "Re: OpenServer 5.0.6 hardware raud 73gb drives"
- In reply to: John: "Re: Remote telnet through firewall failing"
- Next in thread: Mike Brown: "Re: Remote telnet through firewall failing"
Date: Thu, 23 Dec 2004 23:25:01 GMT
In article <xMSdnTl5_7zEflfcRVn-rw@rogers.com>,
John <ibis.john@rogersdotcom> wrote:
>Mike Brown wrote:
>> I have not found internet telnet to be the worst of the various security
>> risks. I have helped at sites with modem/internet access that unbelievably
>> had NO root password. I was amazed that after months on the internet
>> ( directly to boot, no firewall ) there were no discernible problems.
>>
>> One adjustment you can make is scoadmin -> system -> terminal manager ->
>> options, and set "maximum unsuccessfull attempts before locking terminal"
>> to a lower number and increasing delay time between login attempts. This
>> may cause a denial of service on the pseudo ttys for telnet, but then
>> maybe the site owner will take notice and put back your firewall. I have
>> used 5 for the maximum failed login attempts.
>> Another, but fairly pricey, solution is to use the Watchguard
>> Firebox as the firewall. It has a web server feature with a
>> Java applet that allows a remote user to first web browse to
>> the firewall and authenticate, then the firewall will open a
>> port for that particular remote IP while the Java applet is
>> running. It can be used to open ports for telnet, ssh, ftp,
>> smtp and pop for remote users while keeping the wonders of the
>> internet away from all the internal machines.
>I have one remote SCO box and one remote HP-UX box under my
>management, both accessed by telnet for (compelling) identical
>reasons. I know of four other similar ones where I have provided
>application SW and admin support on subcontract, and on those I
>know admin access as root is commonly used despite warnings, and
>three have no firewall.
If a system is properly secured and running known services with
nothing outside what is needed, you can run 'net connected with no
firewalls. Look at the number of ISPs out there.
> At least one of these has been on the internet for over 15
>years.
That's sort of hard to do as the internet as we know it has only
existed since about 1995, when the government turned off funding to
the old ARPA/DARPA net. That was the landmark year when commercial
advertising was first permitted. There was to be no advertising on
the government funded links.
> Add on three FreeBSD servers doing NAT, email and http. None
>has ever been hacked (which in my view has encouraged dangerous
>complacency), but a Red Hat Linux system used to firewall a
>completely different network I did subcontract application SW
>support on was hacked by Romanians to use as a chat server about
>a week from when it first went up.
I've seen this before.
>The consensus theory among those of us who knew about that
>incident was that vulnerability is proportional to OS popularity.
>An OS like Windows or RHLinux is perceived by hackers as worth
>building tools and scanning for, but less common ones like SCO,
>HP-UX, FreeBSD are not worth the effort when easier pickings
>abound. Possibly true, but dangerous to rely on.
Saying 'vulnerability is proportional to OS popularity' shows that
the people who say that really don't know how the underlying OSes
work.
A few years back the Lion bug/worm/virus/whatever was used
to attack Linux systems, and you could gain root access when that
was cracked. However on a FreeBSD system when the attack was
tried the only thing that would happen is that the named daemon
would stop running.
Back in the mid to late '90s I had the DNS services stop unexpectedly
and was at a loss to figure it out, until the Lion started getting
more widespread. I always was running two nameservers and it was
the primary one that got nicked - naturally.
There is a reason why people like Verio and those like them
have over 250,000 BSD machines for their hosting services.
Verio in Germany is in the process of moving to FreeBSD. The
biggest complaint I see in the BSD newsgroups is that it's not a
desktop OS, though it runs the same GUI interfaces as Linux. It
just doesn't install all that by default.
Any OS is vulnerable if you don't keep up with the security
notices. Because once the word is out it's a relatively short time
before there are viruses out there taking advantage of those holes.
And sloppy admins can make any system wide open. One time
I was curious as to how the people admining some machines I used to
take care of were going with their migration to Linux. I was
curious as to the OS version and just tried a simple telnet
to the IP. I was quite surprised and exited quickly when I found
that there was no login, no password prompt, but I was sitting
in the root home directory with a root prompt and privileges.
And this week one of the e-newsletters had a report on OS
vulnerabilities. The only Linux example they gave was RH,
but they had found that unpatched MS machines would be broken in a
matter of hours, and the quickest I recall was about 20 minutes.
OTOH the RH machines usually survived at least a month.
It's the design/structure of the MS oriented machines with every
machine handling all the underlying services in the same way, while
in the *n*x environment it's not that way.
Bill
-- Bill Vermillion - bv @ wjv . com