benjamin j snyder <[EMAIL PROTECTED]> wrote:
>
> I am running ip_masq, and everything is working fine, but a friend of
> mine tried to telnet to the box and got a prompt.  Is this bad?

From a security standpoint, it's not good.  Unless you wanted your
friend to get a prompt.  :)

> Is there a way I can allow ftp in and telnet in, but still keep it
> secure enough that I should have no serious worries?

I turn off access to ftp, telnet, and most other common services on my
system, unless the incoming request is from a small list of "trusted"
networks.  I feel safer that way.

> Is this info in the ipfwadm howto?  I looked and looked, but I think
> this is either obscure enough that there was nothing there, or I am an
> idiot and asking a question with an obvious answer that I cannot see.

You're looking in the wrong FAQ.  You want to read the IP Firewalling
Howto.

> I know it is bad if someone were to be able to hack into one of the
> shell accounts and then su to root, but other than that?  Not to ask a
> question off topic from ip_masq, but is there a way to disable the su
> command?

"su" is the "front door".  Most break-ins occur through a "back door",
where a hacker manipulates a service in some way that it doesn't expect,
sending more data than it can use, and crashing it or causing it to
overflow its stack and accept commands that it shouldn't.  That's what
you should really be worried about.

Just cut off access to any service you think no one should be getting
to.  Or better yet, cut off all access, and then specifically ALLOW
access to services that you know people need to connect to.  That's the
safest type of firewall.  Also the one that's hardest to manage.  :)

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
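
The two firewall styles described in the reply above, compared in a small first-match model. This is an added example, not part of the original message and not ipfwadm syntax; the trusted networks (documentation address ranges), the list of listening services, and all names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "deny"
    source: str            # CIDR block the rule applies to
    port: Optional[int]    # destination TCP port, None means any port

def decide(rules, default, src, port):
    """First matching rule wins; with no match the default policy applies."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if addr in ipaddress.ip_network(r.source) and r.port in (None, port):
            return r.action
    return default

# Constructed sample data (assumptions, not taken from the thread)
TRUSTED = ["192.0.2.0/24", "198.51.100.0/24"]
LISTENING = {21: "ftp", 23: "telnet", 25: "smtp", 79: "finger", 111: "portmap"}
GUARDED = (21, 23)  # the services the question asks about

# Style 1: default accept, then cut off the services you thought of.
BLOCK_STYLE = ([Rule("accept", net, p) for net in TRUSTED for p in GUARDED]
               + [Rule("deny", "0.0.0.0/0", p) for p in GUARDED])

# Style 2: default deny, then specifically allow what people need.
ALLOW_STYLE = [Rule("accept", net, p) for net in TRUSTED for p in GUARDED]

def exposed(rules, default, src):
    """Names of listening services that src can reach under this policy."""
    return sorted(name for port, name in LISTENING.items()
                  if decide(rules, default, src, port) == "accept")

if __name__ == "__main__":
    outsider, friend = "203.0.113.7", "192.0.2.10"
    for label, rules, default in (("default accept", BLOCK_STYLE, "accept"),
                                  ("default deny", ALLOW_STYLE, "deny")):
        print(label, "| outsider:", exposed(rules, default, outsider),
              "| trusted:", exposed(rules, default, friend))
```

Under the default-accept style the outsider still reaches every service nobody remembered to block; under default deny, a forgotten service stays closed until a rule opens it.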