Re: root login with telnetd
On Sat, 2007-03-10 at 22:52 +0100, Wojciech Puchar wrote: can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ? with sshd and rshd it can be set, with telnetd - no success. My reasons for this being a bad idea isn't so much from concerns about attack from outside, but it's more an issue of accountability. When I ran a computing facility at a University we had some paid student assistance, as well as faculty, that were reasonably entitled to have the root password on various machines. Inevitably, the root password would find it's way to some other student or some faculty member's assistant and they'd get on the machine and do something as root. In all cases they were trying to help, but in getting the features they were interested in getting to work, they unknowingly mucked something else up. We did not allow any frontline root logins so they had to sign in on one of the user's accounts and then su to root. Of course su logs this in the log files. So, we would take a look at the log files to see which users had su'd about the time the problem started occurring to ask them what they had done, or were trying to do. A couple of times that particular user was out of town and these machines weren't on the internet nor did they have a modem, so it was clear that user had given his account and root passwords to another person to work on their project when they were gone. By the way, faculty were the worst offenders at this. Some of them consider SysAdmin below them and would hand those tasks off to some student, but that's a whole different discussion. Anyway, there was never anything nefarious going on, but having root accesses logged in the log files was very helpful in allowing us to build a history of what might have been done on the machine, and who did it, to cause the failure. If you allow front line logins via telnet and friends you won't have that accountability, because you'll have no idea who it may have been that logged in so you can't ask them what they might have been up to. By the way once everyone involved realized that we weren't going to take them out back and have some thugs beat them up for giving out the root passwords everyone was very helpful and we got things fixed much faster then we would have if we had tried to blindly figure things out on our own. By the way, restricting su to wheel group is something I've always liked about the BSD's. Again, it helps with the accountability factor on a machine. I was flabbergasted when I first logged into a Linux box and created a user and then su'ed to root from that user without ever adding him to a wheel type group, I think Linux has a root group. This doesn't really apply to this topic that much, but it irks me so much, that Linux allows just any old user to su, I just wanted to vent a little bit about it. Maybe they do it in a different way that I just haven't needed to figure out yet. So, I would argue that you really don't want to allow frontline logins not so much for security reasons as for accountability reasons. Thanks Chris Kottaridis([EMAIL PROTECTED]) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
On Saturday 10 March 2007 22:14, Wojciech Puchar said: with sshd and rshd it can be set, with telnetd - no success. That is a REALLY BAD idea. Why don't you just publish your address and set the root password to nothing. It's only going to take a cracker a couple of minutes or less to own your server once they find you (and they will). another stupid one not answering the question. could you describe how you get my password in a couple of minutes if you are so intelligent? There are and have been many known exploits through telnet. The most recent one a couple of weeks ago affects SunOS where you can, using telnet, get root privileges without even logging in as root. Telnet does everything in clear text including passwords. All that's needed is to get in and install some network sniffing and the first time root logs in they would have the password. For a valid normal user on the LAN, it would be even easier. If you're looking for ease of login look into ssh and keys, that way you don't even need a password. Details are in the handbook. Even works from windows. I don't know anyone that still uses telnet except for testing on a totally closed network. An ISP I worked for disabled it and firewalled the port more than five years ago. Beech -- --- Beech Rintoul - Port Maintainer - [EMAIL PROTECTED] /\ ASCII Ribbon Campaign | FreeBSD Since 4.x \ / - NO HTML/RTF in e-mail | http://www.freebsd.org X - NO Word docs in e-mail | Latest Release: / \ - http://www.freebsd.org/releases/6.2R/announce.html --- ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
On 11/03/07, Wojciech Puchar [EMAIL PROTECTED] wrote: with sshd and rshd it can be set, with telnetd - no success. That is a REALLY BAD idea. Why don't you just publish your address and set the root password to nothing. It's only going to take a cracker a couple of minutes or less to own your server once they find you (and they will). another stupid one not answering the question. could you describe how you get my password in a couple of minutes if you are so intelligent? Oh, it's really simple: *If* the machine you're trying to configure root access via telnet is connected to the internet - in other terms the telnet port on the machine is accessible from the internet - one can actually brute force his/her way in. And in days of broadband connection several hundred different passwords can be guessed in a matter of seconds. There are tools like john that can do a bruteforce or dictionary attacks against password files, but there are similar tools that can do this over the network. To answer the question who should be able to snort you: Some script kiddies who don't understand what's actually going on, but who want to have some fun. This is why you've been told that configuring root access via telnet is a bad idea, just as any other here on this list is being told that it is a bad to configure root login via ssh - for the very same reason. And people asked you for your IP so that they could take care of your host. Since we can't know the IP adress of your host we had to ask. ;) But people who want to crack other machines don't need specific IP adress, they just scan entire networks. As most list members can tell you there are constant attacks against open ssh ports are going on. So this isn't stupidity really. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
if you are so intelligent? There are and have been many known exploits through telnet. The most recent one a couple of weeks ago affects SunOS where you can, using telnet, get root privileges without even logging in as root. Telnet does it affect FreeBSD? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
Oh, it's really simple: *If* the machine you're trying to configure root access via telnet is connected to the internet - in other terms the telnet port on the machine is accessible from the internet - one can actually brute force his/her way in. so please crack me 83.18.148.142 or 2001:4070:101:1::2 through telnetd ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
Hello... I see you issues about telenet... I use the inetd+telnet for more than 20 years and using BSD with RSA, and obviiously with a good password. I have never been cracked down... and I have 10 of my /etc/ttys entries setted to secure ttyp0 nonenetwork off secure ttyp1 nonenetwork off secure ttyp2 nonenetwork off secure ttyp3 nonenetwork off secure ttyp4 nonenetwork off secure ttyp5 nonenetwork off secure ttyp6 nonenetwork off secure ttyp7 nonenetwork off secure ttyp8 nonenetwork off secure ttyp9 nonenetwork off secure ttypa nonenetwork off secure ttypb nonenetwork off secure ttypc nonenetwork off secure in my /etc/master.passwd. root:*:0:0::0:0:Charlie :/root:/bin/csh a kill -1 1 would allow root do dial in I block the root account in /etc/master.passwd by put a * as md5hash and setted up an supper account. pw adduser x -d /root -s /usr/local/bin/bash -u 0 -g 0 -h 0 Than is done... All the cracking I have seen is from someone that is INSIDE the machine (http using php,pop,imap, ssh,...) that is you have yet allowed him to come in, you gave them the password (in the case of ssh), or in http... A normal FreeBSD 6.2 or an OpenBSD, is incredible solid... You must know the superuser login AND the password choose a password with letters and numbers, or something in portuguese (only 7 countries speak that): biruta22, pezinho12, 45pinheiiros, tovazioagora, batatinha744, 45canastra96. I tested in an security system and it says is have good security... (pgp)... Besides.. using brute force in a word like itacolomi using a 1 second delay would result forever Besides, BSD have the ability to force a new password once it is too old... a new password every 3 months is a good choice and you must stilll pass through RSA . Thanks for sharing the experience... now I know I am not the one that uses telenet ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd The FINAL SOLUTION
So. resuming: 1) change some lines in /etc/ttys to: ttyp0 nonenetwork off secure ttyp1 nonenetwork off secure ttyp2 nonenetwork off secure ttyp3 nonenetwork off secure ttyp4 nonenetwork off secure ttyp5 nonenetwork off secure ttyp6 nonenetwork off secure ttyp7 nonenetwork off secure ttyp8 nonenetwork off secure ttyp9 nonenetwork off secure ttypa nonenetwork off secure ttypb nonenetwork off secure ttypc nonenetwork off secure 2) signal init to read it : kill -1 1 3) make sure inetd is running see the /etc/rc.conf must have inetd_enable=YES 4) remove the # at the line telnet in inetd.conf 5) make inetd run /etc/rc.d/inetd restart 6) change root password echo mysecretpassword | pw usermod root -h 0 7) telnet to your server should now allow root login Sergio ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd The FINAL SOLUTION
works fine. thank you very much (point 6 wasn't needed) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
Wojciech Puchar wrote: Err, sure; and for completeness, be sure and send the IP back to this list, and publish it on the front page of your website/blog/whatnot. and what if i will? do you know my root password? OK, cynicism aside, why on earth would you want to do this? That's a fool's errand in today's world. Or, are you on a 2-machine network via crossover if you can't answer the question, just shut up. EOT I am.. amazed by your aggressive attitute towards everyone else and being ironic and calling everyone VIM's. What you fail to realize is the dumbness of what you're trying to do, there are no nice words I can use to explain it. We were being ironic with you so that you could understand just how bad what you're trying to achieve is. You are being ironic with us because you think there's nothing wrong with logging in as root with telnet. There are a thousand ways I could go about explaining how bad it is and why it is bad, but in the end you'd just say I'm a VIM, so I won't even bother. Oh well, your server, your password. Just don't say you were not warned. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
Sergio Lenzi wrote: Hello... I see you issues about telenet... I use the inetd+telnet for more than 20 years and using BSD with RSA, and obviiously with a good password. I have never been cracked down... and I have 10 of my /etc/ttys entries setted to secure ttyp0 nonenetwork off secure ttyp1 nonenetwork off secure ttyp2 nonenetwork off secure ttyp3 nonenetwork off secure ttyp4 nonenetwork off secure ttyp5 nonenetwork off secure ttyp6 nonenetwork off secure ttyp7 nonenetwork off secure ttyp8 nonenetwork off secure ttyp9 nonenetwork off secure ttypa nonenetwork off secure ttypb nonenetwork off secure ttypc nonenetwork off secure in my /etc/master.passwd. root:*:0:0::0:0:Charlie :/root:/bin/csh a kill -1 1 would allow root do dial in I block the root account in /etc/master.passwd by put a * as md5hash and setted up an supper account. You could have just changed it's name, and the end result is exactly the same. If you have other services running in this server, there are various ways to figure out who has uid 0. Changing root's account or adding another uid 0 won't make it any harder. pw adduser x -d /root -s /usr/local/bin/bash -u 0 -g 0 -h 0 Than is done... All the cracking I have seen is from someone that is INSIDE the machine (http using php,pop,imap, ssh,...) that is you have yet allowed him to come in, you gave them the password (in the case of ssh), or in http... A normal FreeBSD 6.2 or an OpenBSD, is incredible solid... Indeed, that's exactly why it comes with sshd instead of telnetd and they both DO NOT allow root logins by default. You must know the superuser login AND the password With sshd and root logins off, you need to know your username's password/passphrase for DSA/RSA, you need to be in the right group so you can even attempt to become root, and you need the root password too. Ontop of all that, everything's encrypted. Please do not even TRY to compare. choose a password with letters and numbers, or something in portuguese (only 7 countries speak that): biruta22, pezinho12, 45pinheiiros, tovazioagora, batatinha744, 45canastra96. Spoken in:Angola, Brazil, Mozambique, Portugal, and several other CPLP countries Total speakers:Native: 210 million Total: 230 million Brilliant. I tested in an security system and it says is have good security... (pgp)... I won't comment this. Besides.. using brute force in a word like itacolomi using a 1 second delay would result forever Besides, BSD have the ability to force a new password once it is too old... a new password every 3 months is a good choice and you must stilll pass through RSA . Thanks for sharing the experience... now I know I am not the one that uses telenet ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd The FINAL SOLUTION
--On March 11, 2007 11:22:42 AM -0300 Sergio Lenzi [EMAIL PROTECTED] wrote: 7) telnet to your server should now allow root login What do you gain by allowing telnet access to your hosts that you don't get with ssh? Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Re: root login with telnetd
On Sun, 11 Mar 2007 16:20:03 + Hugo Silva [EMAIL PROTECTED] wrote: [...] Oh well, your server, your password. Just don't say you were not warned. I believe the following sums up my feeling on the matter. It is not the OS's job to stop you from shooting yourself in the foot. Rather, if you so choose to do so, then it is the OS's job to deliver Mr. Bullet to Mr. Foot in the most efficient manner possible. -- Gerard The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ... and I'm not even too sure about that one Dennis Huges, F.B.I. signature.asc Description: PGP signature
Re: root login with telnetd
I believe the following sums up my feeling on the matter. It is not the OS's job to stop you from shooting yourself in the foot. boom... i'm dead.. at least for 4 years :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
On Sun, 11 Mar 2007 21:46:50 +0100 (CET) Wojciech Puchar [EMAIL PROTECTED] wrote: I believe the following sums up my feeling on the matter. It is not the OS's job to stop you from shooting yourself in the foot. boom... i'm dead.. at least for 4 years :) Sorry to hear that! ... ;; ;; :; ;:' :; ;:; ;. ,:' ; OOO\ ::; ; O\ ;:; ; ,;::; ;' / OOO ;:`. ,,,;./ / DOO .';:;, / / D ,::;::;, / /DOOO ;`::`'::;;;: ,#/ / DOOO :`:::`;::;;::: ;::# /DOOO ::`:::`; ;# / DOO `:`:::`;:: ;::#/ DOO :::`:::`;; ;:##OO `:::`;;:::#OO `:`;'`:;::#O `:`;' / / `:# ::`:;' / / `# -- Gerard Don't crush that dwarf, hand me the pliers! Firesign Theatre signature.asc Description: PGP signature
Re: root login with telnetd
... ;; ;; :; ;:' :; ;:; ;. ,:' ; OOO\ ::; ; O\ ;:; ; ,;::; ;' / OOO ;:`. ,,,;./ / DOO .';:;, / / D ,::;::;, / /DOOO ;`::`'::;;;: ,#/ / DOOO :`:::`;::;;::: ;::# /DOOO ::`:::`; ;# / DOO `:`:::`;:: ;::#/ DOO :::`:::`;; ;:##OO `:::`;;:::#OO `:`;'`:;::#O `:`;' / / `:# ::`:;' / / `# nice to meet you :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
Wojciech Puchar wrote: can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ? with sshd and rshd it can be set, with telnetd - no success. Err, sure; and for completeness, be sure and send the IP back to this list, and publish it on the front page of your website/blog/whatnot. OK, cynicism aside, why on earth would you want to do this? That's a fool's errand in today's world. Or, are you on a 2-machine network via crossover cable in a lockdown facility? Kevin Kinsey -- For those who like this sort of thing, this is the sort of thing they like. -- Abraham Lincoln ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
On Saturday 10 March 2007 12:52, Wojciech Puchar said: can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ? with sshd and rshd it can be set, with telnetd - no success. That is a REALLY BAD idea. Why don't you just publish your address and set the root password to nothing. It's only going to take a cracker a couple of minutes or less to own your server once they find you (and they will). Beech -- --- Beech Rintoul - Port Maintainer - [EMAIL PROTECTED] /\ ASCII Ribbon Campaign | FreeBSD Since 4.x \ / - NO HTML/RTF in e-mail | http://www.freebsd.org X - NO Word docs in e-mail | Latest Release: / \ - http://www.freebsd.org/releases/6.2R/announce.html --- pgpCv0tUzgXql.pgp Description: PGP signature
Re: root login with telnetd
Quoting Beech Rintoul [EMAIL PROTECTED]: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 10 March 2007 12:52, Wojciech Puchar said: can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ? with sshd and rshd it can be set, with telnetd - no success. That is a REALLY BAD idea. Why don't you just publish your address and set the root password to nothing. It's only going to take a cracker a couple of minutes or less to own your server once they find you (and they will). In fact, it's such a bad idea that there's a Snort rule for it (and a really old one at that): alert tcp $TELNET_SERVERS 23 - $EXTERNAL_NET any (msg:TELNET root login; flow :from_server,established; content:login|3A| root; classtype:suspicious-login; sid:719; rev:7;) Of course, if you really want to do this, I agree with everyone else -- just put your IP on this list, and we'll help you right on out. :-) Alex Kirk ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
Err, sure; and for completeness, be sure and send the IP back to this list, and publish it on the front page of your website/blog/whatnot. and what if i will? do you know my root password? OK, cynicism aside, why on earth would you want to do this? That's a fool's errand in today's world. Or, are you on a 2-machine network via crossover if you can't answer the question, just shut up. EOT ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ? with sshd and rshd it can be set, with telnetd - no success. once again - can someone answer my question instead of giving very intelligent comments? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
On Mar 10, 2007, at 11:16 PM, Wojciech Puchar wrote: can it be set to make possible to login root to machine through telnet and without telneting to some user and then su - ? with sshd and rshd it can be set, with telnetd - no success. once again - can someone answer my question instead of giving very intelligent comments? Not sure. If I'm reading ttys(5) correctly though this is the section of interest: ``secure'' (if ``on'' is also specified) allows users with a uid of 0 to login on this line. The flag ``dialin'' indicates that a tty entry describes a dialin line, and ``network'' indicates that a tty entry pro- vides a network connection. Either of these strings may also be speci- fied in the terminal type field. The string ``window='' may be followed by a quoted command string which init(8) will execute before starting the command specified by the second field. So I think that the following would be valid (but possibly dangerous if you use other login daemons like rshd, sshd for logging in remotely); that may be fixable with a firewall though and specific rules to each daemon though. In ttys (near bottom), instead of: ttyp0 none network try: ttyp0 none network on secure and repeat for the rest of the ttys you wish to enable the option for. Why not use root login with telnet or standard getty through serial though :\? -Garrett ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
alert tcp $TELNET_SERVERS 23 - $EXTERNAL_NET any (msg:TELNET root login; flow :from_server,established; content:login|3A| root; classtype:suspicious-login; sid:719; rev:7;) could you please tell me who will be snorting it on MY network? Of course, if you really want to do this, I agree with everyone else -- just put your IP on this list, and we'll help you right on out. :-) just answer my question, you VIM (very intelligent man). ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: root login with telnetd
with sshd and rshd it can be set, with telnetd - no success. That is a REALLY BAD idea. Why don't you just publish your address and set the root password to nothing. It's only going to take a cracker a couple of minutes or less to own your server once they find you (and they will). another stupid one not answering the question. could you describe how you get my password in a couple of minutes if you are so intelligent? ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
