[olug] Unix Tip: LOCK DOWN TELNET OR FTP

Jeff Hinrichs jlh at cox.net
Sun Feb 23 16:47:31 UTC 2003


----- Original Message -----
From: "Nick Walter" <waltern at iivip.com>
To: <olug at olug.org>
Sent: Sunday, February 23, 2003 5:34 AM
Subject: Re: [olug] Unix Tip: LOCK DOWN TELNET OR FTP


> I use telnet waaaaaaay more than I use ssh.  I've got tons of older *nix
> boxes (mostly UnixWare) hanging around at work, all still faithfully doing
> their tasks.  I've even got a few systems running AT&T Unix on hotrod 80386
> processors.  To interface with all the legacy stuff, I gotta telnet.  And
> since all the newer Linux boxes have telnet also I just telnet for
> everything instead of having to stop and think about which tool to use for
> which system.
>
> Having said all that, I still am a firm believer in disabling just about
> everything, including telnet, on a *nix server connected directly to the
> internet.  Some firewalling is usually good too :)

Sometimes you have to do what you have to do. The problem is, in terms
of security, you've got a nice hard shell but an extremely gooey interior.
Most networks are like this and are quite vulnerable to insider hacking
and compromised trusted machines. M$ and the ATM network both got
slapped not because of unprotected/unpatched machines on the DMZ,
but because a VPN'd machine was running $QL server's step brother,
MSDE that got slammed.  The infected machine then spread across
the intranet over the VPN and infected unpatched boxes on the inside.

If we all gave our internal nets half the security considerations we give
our obviously exposed equipment, these kinds of problems would
be less frequent.

Remember the credit card insider job out east a few months ago?
And I wouldn't be surprised if the recent DPI credit card job was
an inside job at least partially.  As our external security gets better
the bad guys are going to shift their attention to the soft gooey
centers of our networks via social engineering and the like.  In fact,
recent events seem to indicate that this change in attack vectors
is already under way.

-Jeff



