Sometimes I send mails in HTML format, sorry for that; mail.com has this by default.
So the PDF also states that the "admin" user had /sbin/nologin for shell.

------------------
http://man.openbsd.org/OpenBSD-current/man5/sshd_config.5

AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The available options are yes (the default) or all to allow TCP forwarding, no to prevent all TCP forwarding, local to allow local (from the perspective of ssh(1)) forwarding only or remote to allow remote forwarding only. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
------------------

-->> Note that disabling TCP forwarding does not improve security unless users are also denied shell access

So having AllowTcpForwarding=no would help. Why is it yes by default? Did someone request it to be yes? Does anybody know?

Thanks.

Sent: Tuesday, October 18, 2016 at 10:46 AM
From: "Christian Gruhl" <cgr...@uni-kassel.de>
To: misc@openbsd.org
Subject: Re: SSHowDowN

On 10/18/2016 10:41 AM, Solène Rapenne wrote:
> On 2016-10-18 10:35, Peter Janos wrote:
>> Shouldn't the default be "no" for the AllowTcpForwarding? Why is an
>> insecure option "yes" by default?
>> https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
>>
>> Thanks.
>
> from sshd_config(5)
>
> AllowTcpForwarding
>         Specifies whether TCP forwarding is permitted. The available
>         options are yes (the default) or all to allow TCP forwarding, no
>         to prevent all TCP forwarding, local to allow local (from the
>         perspective of ssh(1)) forwarding only or remote to allow remote
>         forwarding only. Note that disabling TCP forwarding does not
>         improve security unless users are also denied shell access, as
>         they can always install their own forwarders.

> Also the article states that "We checked our factory-defaulted device and noticed that the 'admin:admin' credential pair allows us to connect to the web-based configuration interface." Using such a weak password is more likely the problem than the enabled TCP forwarding.
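An added example, not code from this thread, from OpenBSD or from the Akamai paper: the case the thread describes is a device account with /sbin/nologin that is nevertheless allowed to open SSH tunnels because AllowTcpForwarding is left at its default of yes. The script below puts that sshd_config beside a hardened one that uses a Match block to turn forwarding off for the account (and drops password logins, which addresses the admin:admin point), and adds two checks: one that reads a config file the way sshd applies Match User blocks, and one that reads the effective settings as printed by "sshd -T -C user=admin". The account name "admin" and the sample config and dump text are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenBSD or the Akamai paper.
# Assumption: a hypothetical device account "admin" whose login shell is
# /sbin/nologin, as in the PDF discussed above.

# Weak: nothing in sshd_config touches the device account, so the OpenSSH
# default AllowTcpForwarding=yes applies and "admin" can still open
# -L/-R/-D tunnels even though it has no shell.
WEAK_CONFIG='
PasswordAuthentication yes
# AllowTcpForwarding left at its default (yes)
'

# Hardened: a Match block pins every channel type off for that account,
# and password logins are gone so admin:admin stops being a credential.
HARDENED_CONFIG='
PasswordAuthentication no
Match User admin
    AllowTcpForwarding no
    PermitTunnel no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
'

# config_denies_forwarding CONFIG USER
# Exit 0 when AllowTcpForwarding resolves to "no" for USER. Only the global
# section and "Match User <USER>" blocks are honoured; a Match block
# overrides the global section, as sshd_config(5) describes. Other Match
# criteria (Group, Address, ...) are ignored by this simplified parser.
config_denies_forwarding() {
    printf '%s\n' "$1" | awk -v u="$2" '
        { sub(/#.*/, ""); if (NF == 0) next
          k = tolower($1)
          if (k == "match") {
              scope = (tolower($2) == "user" && $3 == u) ? "user" : "other"
              next
          }
          if (k == "allowtcpforwarding" && scope != "other") val = tolower($2)
        }
        END { if (val == "no") exit 0; exit 1 }'
}

# Constructed sample of the lines "sshd -T -C user=admin" prints (the real
# dump has many more keys; sshd -T lower-cases the keyword names).
WEAK_EFFECTIVE='allowtcpforwarding yes
permittunnel no
passwordauthentication yes'

HARDENED_EFFECTIVE='allowtcpforwarding no
permittunnel no
passwordauthentication no'

# forwarding_allowed DUMP
# Exit 0 when the effective config still permits any TCP forwarding
# (yes, all, local or remote), 1 only when it is "no". A missing keyword
# means the default, which is yes.
forwarding_allowed() {
    val=$(printf '%s\n' "$1" | awk '$1 == "allowtcpforwarding" { print $2; exit }')
    case "$val" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# On a real host, after editing sshd_config:
#   forwarding_allowed "$(sshd -T -C user=admin)" && echo "admin can still tunnel"
```

The second check is the one worth running on a device: sshd -T with -C evaluates the Match blocks for the named user, so it reports what the daemon will actually enforce rather than what the file appears to say. Note that turning forwarding off is only meaningful for accounts that cannot also get a shell, which is exactly why the nologin detail in the PDF matters.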