
Re: [cobalt-users] ssh stopped working and can't login as root



Hi, took a while to read this one (500 e-mails to go...).

FTP is a security hole but clients need it. So this is what I did:
- made a new ipchains chain called "allowedftp". All source IPs in that
chain are allowed to connect to our ftp server
- disallowed all other connections to the ftp port
- going to make a cgi-script (quite dangerous of course) in the admin site,
secured by https and a siteadmin password. When users press a button, their
*current* IP is added to the ipchains allowedftp chain, so they can use ftp
- every X hours, a crontab entry flushes the allowedftp chain, so no one can
ftp until they have used the script again.
One can make this more sophisticated by using more chains for different time
windows etc., or use this same chain to open up sshd or telnet for these users
(as a safety backdoor for yourself).

Maybe this is a good idea for all these people who just have to offer ftp
access but don't want to open it up fully.

Jelmer
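The scheme above wired together as a small sh script. This is an added example, not Jelmer's own script: it assumes the chain name allowedftp from the post, the classic ipchains `input` chain, and that the CGI passes the client's address in REMOTE_ADDR; IPCHAINS can be pointed at `echo` for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): the "allowedftp" scheme.
# IPCHAINS can be set to "echo" for a dry run on a box without ipchains.
IPCHAINS="${IPCHAINS:-ipchains}"
CHAIN=allowedftp
FTP_PORT=21

# Accept only a plain dotted-quad IPv4 address. The CGI hands us REMOTE_ADDR,
# and nothing that is not an address should ever reach the ipchains command line.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
}

# One-time setup: new connections (SYN) to port 21 are run through
# allowedftp first; whatever falls off the end of that chain is denied.
setup_chain() {
  $IPCHAINS -N "$CHAIN"
  $IPCHAINS -A input -p tcp -y -d 0.0.0.0/0 "$FTP_PORT" -j "$CHAIN"
  $IPCHAINS -A input -p tcp -y -d 0.0.0.0/0 "$FTP_PORT" -j DENY
}

# Called by the (https + siteadmin password protected) CGI with the client's address.
allow_ip() {
  valid_ipv4 "$1" || { echo "allow_ip: refusing '$1'" >&2; return 1; }
  $IPCHAINS -A "$CHAIN" -p tcp -s "$1" -d 0.0.0.0/0 "$FTP_PORT" -j ACCEPT
}

# Cron job every X hours: drop every address granted so far.
flush_chain() {
  $IPCHAINS -F "$CHAIN"
}

case "${1:-}" in
  setup) setup_chain ;;
  allow) allow_ip "${REMOTE_ADDR:-$2}" ;;
  flush) flush_chain ;;
esac
```

Run `setup` once at boot, have the CGI call `allow` (REMOTE_ADDR is set by the web server), and put `flush` in the crontab.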

> Most of us don't have that luxury; our users need to upload via ftp.
> Every daemon that allows connection from the outside world is another
> "hole" that can be exploited.  If you want a secure RaQ, just disconnect
> the ethernet cable <wry grin>.  Of course it won't be very useful then.
>
> Security is always a tradeoff between security and usability.
>
> > How much am I gaining in security by keeping it off.
>
> Some.  In my opinion, not enough to cause my customers the inconvenience
> of not having 24/7 ftp access to their sites.
>
> > I see a number of
> > anonymous FTP attempts when it is on in my logs and, as always, lots of
> > probes to port 21 at all times. Since getting hacked (by the bind deal about
> > a year ago) I've been probably a bit "paranoid" about security.. some would
> > say to obsession, am I gaining anything by keeping FTP server off most of the
> > time?
>
> Yes you are.  The question has to be how much, and at what cost.  I
> consider proftpd to be relatively secure, and I leave it on all the
> time.  I also use it to run ftp.nobaloney.net, and I find its
> implementation of anonymous ftp to be quite secure (it doesn't use
> outside programs for ls or for anything else; it uses its own code
> entirely for these functions).

-----------------------------------------------------------------
Jelmer Jellema - Spin in het Web
www.spininhetweb.nl
Spin in het Web: Holding All The Strings
-----------------------------------------------------------------
