[svlug] vsftpd now working

Karsten M. Self kmself at ix.netcom.com
Sun Nov 30 22:37:08 PST 2003


on Sun, Nov 30, 2003 at 02:14:42PM -0800, Gianni Mariani (gianni at mariani.ws) wrote:
> dfox wrote:
> 
> >Somebody scribbled about [svlug] vsftpd now working
> >
> >>in an xterm window and it will let you make changes. I found if I
> >>clicked on FTP it would open that up. I did and it did. I also
> >>opened up telnet...:-)
> >
> >Please don't run telnetd. Especially if you are connected to the net 
> >on that machine. I got rootkitted that way (several years ago, 
> >running redhat 5.x something). First thing I did and continue to do 
> >is not even have any telnetd service running on this thing. 
> >
> >And if you have sshd working you can get into the Linux machine from 
> >Windows by using putty - then there's no need to have both sshd and 
> >telnetd running on the system. Then there's the issue about educating 
> >potential users of your system, in that telnet is not secure and sshd 
> >is. 
>
> I got rooted running sshd, does that mean we should not run sshd as
> well ?

You got rooted through sshd by a bug in implementation, _or_ poor
password management and allowing password authentication.  In the former
case, likely also not staying on top of your updates.

The difference between SSH and Telnet is that Telnet is insecure by
design.  SSH _may_ be insecure by implementation, but if so, it's a bug,
it's a highly audited, closely watched, widely used, and broadly exposed
piece of code (there are tons of publicly accessible sshd servers for
black hats to hammer on).

> 
> telnet is not secure because the packets can be sniffed for passwords 
> and other security critical information

...or sessions hijacked, or servers impersonated, or users
impersonated...

> that's why it's not a good idea to run telnet (or any other plain text
> protocols) with security critical info across open wires.

Insecure protocols have their place.  It's with unauthenticated
services.  Email, web, and DNS are unauthenticated (OK, the first can be
both authenticated and encrypted, the latter's got SSL, and the last
gives me cold sweats...). 

The evil transect is authorized services over insecure protocols.
AnonFTP, over a server robust enough to protect the host, is fine, so
long as traffic analysis isn't a concern.  It's passwords-in-the-clear
which are a particularly pernicious malfeature.  Session-based
authentication (OTP, etc.) is probably overall preferable.


Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Verio webhosting?  Guaranteed downtime:
     http://www.wired.com/news/politics/0,1283,57011,00.html
     http://www.dowethics.com/r/environment/freedom.html
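The distinction drawn in the message above (unauthenticated services over cleartext are tolerable; authenticated services over cleartext are the dangerous quadrant; telnetd is redundant once sshd is up) can be turned into a simple host audit. The following is an added example, not code from the svlug thread or from vsftpd; the port-to-property inventory is an assumption made for illustration, and the `ss -ltn` output it parses is constructed rather than captured from a real host.

```python
"""Audit a host's listening TCP services for the "authenticated service over
a cleartext protocol" combination discussed in the thread.

Added example, not code from the svlug thread. The inventory of well-known
ports and their properties is an assumption made for illustration; the
sample `ss -ltn` output below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    authenticates: bool          # does the protocol carry user credentials?
    encrypted: bool              # are those credentials protected on the wire?
    replacement: Optional[str] = None


# Assumed mapping of well-known ports to the two properties the thread
# distinguishes: whether the service authenticates users and whether it
# encrypts the session.
KNOWN_PORTS = {
    21:  Service("ftp",    True,  False, "sftp (over sshd) or anonymous-only FTP"),
    22:  Service("ssh",    True,  True),
    23:  Service("telnet", True,  False, "ssh"),
    25:  Service("smtp",   False, False),
    53:  Service("dns",    False, False),
    80:  Service("http",   False, False),
    110: Service("pop3",   True,  False, "pop3s (995)"),
    143: Service("imap",   True,  False, "imaps (993)"),
    443: Service("https",  False, True),
    993: Service("imaps",  True,  True),
    995: Service("pop3s",  True,  True),
}

# Constructed sample of `ss -ltn` output (not a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:110        0.0.0.0:*
LISTEN  0       128     [::]:143             [::]:*
"""

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Return a list of (bind_address, port) for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def classify(listeners):
    """Sort listeners into the thread's categories.

    'critical' : authenticated service over a cleartext protocol, reachable
                 beyond localhost (passwords-in-the-clear).
    'local'    : same kind of protocol, but bound only to loopback.
    'unauth'   : unauthenticated cleartext service (acceptable per the thread).
    'ok'       : authenticated and encrypted.
    'unknown'  : port not in the inventory; needs a manual look.
    """
    result = {"critical": [], "local": [], "unauth": [], "ok": [], "unknown": []}
    for addr, port in listeners:
        svc = KNOWN_PORTS.get(port)
        if svc is None:
            result["unknown"].append(port)
            continue
        loopback = addr in ("127.0.0.1", "[::1]")
        if svc.authenticates and not svc.encrypted:
            result["local" if loopback else "critical"].append(port)
        elif svc.authenticates:
            result["ok"].append(port)
        else:
            result["unauth"].append(port)
    return result


def report(ss_output):
    """Findings plus human-readable lines, including the 'sshd already
    running, so telnetd is redundant' point made in the thread."""
    listeners = parse_listeners(ss_output)
    findings = classify(listeners)
    open_ports = {port for _, port in listeners}
    lines = []
    for port in findings["critical"]:
        svc = KNOWN_PORTS[port]
        lines.append(f"CRITICAL: {svc.name} on {port} accepts passwords in the clear; "
                     f"replace with {svc.replacement}")
        if port == 23 and 22 in open_ports:
            lines.append("  sshd is already listening on 22, so telnetd is redundant: disable it")
    for port in findings["local"]:
        lines.append(f"NOTE: {KNOWN_PORTS[port].name} on {port} is loopback-only; "
                     "low exposure, but still cleartext")
    return findings, lines


if __name__ == "__main__":
    for line in report(SAMPLE_SS_OUTPUT)[1]:
        print(line)
```

Run it against real output with `ss -ltn | python3 audit.py` after swapping the constructed sample for `sys.stdin.read()`; the point of the classification is that an anonymous web or FTP listener and a telnet listener are not the same risk, and the script reports only the latter as critical.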