
Re: How to block telnet access.



Or Sagi wrote:

> > So if you don't trust your internal users - DON'T give them accounts. Going
> > from regular user to root is trivial and only a matter of time (even if
> > you're superadmin).
> 
> *every* computer connected to the net, or with users on it can be
> compromised.

That's misleading.

For any security discussion not to become silly, the relevant threat model
must be defined.  The threat model in this case, as I see it, has one main
assumption, namely that attacks will only be carried out over the Internet.
Thus, we implicitly assume that the following are irrelevant:

	1) Physical access.  (This deals with all the armed guards related
	   arguments.)

	2) Specific identity and/or aggression of the attackers.  (This
	   deals with arguments like ``what if the CIA threatens to rape
	   and kill all your kids unless you tell them the root password'').

Given this, I do NOT agree that a system that is adequately protected from
the network and has TRUSTED users ``can be compromised''.  

``Adequately protected'', in this case, refers to allowing a very specific
(and minimal) set of services to be reachable from the network.  Because of
their small numbers, they can be inspected and secured.

> the question is how hard is it. Assuming a decent OS, a decent sysadmin
> (Keeping himself *very* updated with security alerts (Bugtraq advisories,
> etc ... (I'd say cert, but cert hasn't been releasing anything worth
> reading for quite some time)), and a good enough setup --- compromising
> the security (even from the inside), 

The question in this case was specifically about ``from the inside''.

So, in your scenario, what happens when someone exploits a newly announced
problem before the admin manages to fix it?

What happens when someone exploits a problem before it is even posted to
bugtraq and friends?  (You know, not everyone gets their information from
bugtraq and the CERT.  Especially hackers.)

> damage can be confined (Assuming you _do_ have other machines on your
> network).

Confined in what sense?  It's generally accepted that once attackers gain
root, you've lost.  (Even if root is gained in a jail of some sort.)

> > But why give them shell accounts? Give them FTP access if you need file
> > transfer. If they INSIST on having shell accounts, set up a special computer
> > for them which will be sacrificial.
> 
> Take for example a university setting. You need to give students accounts,
> and you most certainly don't trust them ..

Funny, I was about to write something about how the risks of untrusted users
can be minimized if they are so restricted that they become useless.  But
that isn't the case with students; they need to compile stuff, to use the
network, etc.

So in other words, university computers are not secure.  In real life, this
usually leads to one of the following scenarios:

	1) The university's network is Swiss cheese.

	2) The university's admins are constantly fighting hacker-related
	   fires.

	3) The university enforces strict usage rules (e.g., no external
	   logins) thus reducing the number of potential attackers.

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il