At 11:03 PM 7/6/2000 -0400, Kenneth E. Lussier wrote:
>Benjamin Scott wrote:
> > Hmmm. AFAIK, simply having telnet open isn't insecure. It is
> > using telnet -- specifically, logging in with your password in
> > the clear -- that makes you vulnerable to sniffed passwords. SSH
> > will help prevent that.
>
I'd like to point out that the "sploit" is available from a lot of
places...if I recall it's in its source form at rootshell.org I think...if
you have half a brain and have worked with *nix enough you should be able
to compile it...
Keene State College's sites were owned that way....through the telnet
daemon....funny thing is...they still have it open....look at additron.org
for a mirror of the hacked page. I think that it's still there...
>Actually, this isn't always true... Some telnet and ftp daemons
>can have remote exploits and buffer overflows. To my knowledge,
>this is rare, since people don't usually muck with the code for
>them. And, in all fairness, SSH did have an issue with the rsa
>reflib, which is the reason that I use OpenSSH from outside of
>the US.
Most telnet and ftp daemons have buffer overflows......off the top of my
head wuFTP was a bad one....I think that they have a lot of that cleaned up
now...but I still wouldn't use wuFTP if you paid me :-)
> > However, simple SSH session encryption won't protect against
> > man-in-the-middle attacks, and it is still vulnerable to brute
> > force attacks and weak passwords.
When we have a user who wants a shell...we have password criteria that his
password has to meet....and they are required to change their password
every 6 months.......that's going to get a lot tougher when we install
OpenBSD too :-)
>That's easy to fix... don't use passwords ;-)
>
> > Only SSH with mutual public/private key authentication is truly
> > secure against all known attacks.
>
>This I have to agree with. Public key authentication is really
>the best way to go for any system. Not to mention that it's a lot
>easier than remembering a ton of passwords.
>
>
>Kenny
>
>
>**********************************************************
>To unsubscribe from this list, send mail to
>[EMAIL PROTECTED] with the following text in the
>*body* (*not* the subject line) of the letter:
>unsubscribe gnhlug
>**********************************************************
Kurth Bemis - Senior Linux Network/Systems Administrator, USAExpress.net
[EMAIL PROTECTED]
http://www.usaexpress.net/kurth
ICQ - 6624050
Call Sign - N1TYW
PGP key available - http://www.usaexpress.net/kurth/pgp
Fight Weak Encryption! Donate your wasted CPU cycles to Distributed.net
(http://www.distributed.net)
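The thread's conclusion is that key-based SSH authentication beats passwords, which remain exposed to brute force and weak choices. The script below is an added example, not code from anyone on the list: it audits an OpenSSH sshd_config for the two settings that enforce that advice (PasswordAuthentication off, PubkeyAuthentication on), honouring OpenSSH's "last uncommented occurrence wins" rule and its defaults for absent keywords. The two sample configs are constructed here; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# settings the discussion recommends, key-based authentication on and
# password authentication off. Sample configs below are constructed.

# Print the effective value of a keyword from an sshd_config-style file.
# Comment lines are skipped; the last uncommented occurrence wins; nothing
# is printed if the keyword is absent. Keyword match is case-insensitive,
# as in OpenSSH.
sshd_opt() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 if the config disables password logins and enables public keys,
# 1 otherwise (printing what to change). Absent keywords take OpenSSH's
# defaults: PasswordAuthentication yes, PubkeyAuthentication yes.
audit_sshd_config() {
    cfg="$1"
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    pk=$(sshd_opt "$cfg" PubkeyAuthentication)
    if [ -z "$pw" ]; then pw=yes; fi
    if [ -z "$pk" ]; then pk=yes; fi
    rc=0
    if [ "$pw" != "no" ]; then
        echo "$cfg: PasswordAuthentication is '$pw'; set it to 'no'"
        rc=1
    fi
    if [ "$pk" != "yes" ]; then
        echo "$cfg: PubkeyAuthentication is '$pk'; set it to 'yes'"
        rc=1
    fi
    return $rc
}

# Constructed sample configs: the weak one leaves password logins on
# (so brute force and weak passwords still apply), the hardened one
# accepts keys only.
WEAK_CFG=$(mktemp)
GOOD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# weak: password login still allowed
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$GOOD_CFG" <<'EOF'
# hardened: keys only
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

audit_sshd_config "$WEAK_CFG" || echo "weak config fails the audit, as expected"
audit_sshd_config "$GOOD_CFG" && echo "hardened config passes the audit"
rm -f "$WEAK_CFG" "$GOOD_CFG"
```

Run it against a real /etc/ssh/sshd_config with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the file; the function only reads the file, so it is safe to run on a live host. Note that it checks the global section only, so a `Match` block that re-enables passwords for some users would not be caught.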