Re: Enabling telnet, ftp, pop3 for root...



Ertugrul Soeylemez wrote:

matt_left_coast <not@xxxxxxxxxx> (06-04-06 03:44:23):

... and authenticating. Your fault, if you allow root login without
authentication.

Where did I say ANYTHING about not using authentication.

You're presenting it like direct root login would be a total security
hazard and allow everyone to get in trivially.

That is BS and YOU KNOW IT.



I have seen nothing from you that shows HOW they would get in!

I'm not saying that it's trivial. But in your configuration an attacker
has a place to start with at least.

No, they don't. In YOUR configuration, they know the USER. In mine they DON'T.
It is in YOUR configuration that they have a starting point.

They know what to do to get it.

No, they don't.

In fact, only the time needed to do it makes an attack not very
practical.

BS. 3 failed attempts on an account and the account is disabled. 5 from an IP
address and the IP address is blacklisted. THEY DON'T HAVE THE TIME.

Sure, you're not likely to use weak passwords, and your SSH
port is hidden (by knockd or whatever). But still, the attacker has a
point to start at.

What point?????? They DO NOT HAVE A USER ID, THEY DON'T HAVE A PASSWORD, THEY
DON'T have access to the port. WHAT



In most cases, it's not that hard to guess valid usernames.

In combination with the valid password from OUTSIDE the system? You're
joking right?

We were talking about usernames. Again you present it to be impractical
to get to know valid usernames.

You have not shown that it is PRACTICAL to guess a valid user name and
password on a remote system.

That's not true. And you fully rely on
security by obscurity.

You don't know what I have in place.

Knowledgeable people will agree that 'direct'
security is much better. With 'direct' security I mean the following.

I Have direct security.


My machine's hostname is [kill.mine.nu] and my SSHd is running on port
58369. I moved it from port 22 to overcome useless bruteforce attacks
by script-kiddies and worms, not to hide my SSHd.

I'm not about to try to break in. But you DO have a starting point, an OPEN
PORT. I don't have the starting point of an open port.

Try to break in.

Try to get access to my ssh, if you can.

Do
you need more information about my system?

Nope.

I'll provide them; just
ask. You will still fail to break in.

All I would need is to catch a buffer overflow vulnerability that I can use
before you have it patched and I am in. That is why I don't open the port
unless it is being used.

You won't even get the
opportunity to bruteforce, because password authentication is disabled.

You would not be able to use blunt force on my system because you would
never be able to connect. AND you would not be able to exploit a buffer
overflow because the port is closed.

Are you going to steal my hard-disk? No bother, just do. It's
encrypted and I have backups.

But what if someone hacked your console login and planted a root kit?

That's direct security.


No need. I don't need a hard disk to exploit a buffer overflow vulnerability.



Looking over one's shoulders,

That limits things to just a FEW possible people, easily stopped by
looking to see who can see over your shoulder.

A little camera installed somewhere, when you're absent, would do as
well.

Dude, they would have to put it in my tie! Get fucking real.

A camera would not help in my case, because even if you get to
the passphrase of my key, you don't get to the key itself, rendering the
passphrase useless.

With the camera, I could gain access to your login password, plant whatever
I need to get the key.

Get fucking real.



capturing traffic,

The traffic is encrypted.

If it's encrypted in a switched ethernet network, then read about ARP
poisoning and 'man in the middle' attacks.

Ever actually USE ssh? I would get a warning.

Encryption is useless in
those networks, without signatures (implicitly provided by 'proper'
authentication).

BS.



intercepting dialogues,

The ssh account is only used for remote login. It is not used in
unencrypted dialogs. It also is set up to make it virtually impossible to
do anything other than su, so adding a keystroke monitor would not be
possible.

I'm not talking about network dialogues, but non-electronic
conversations. You certainly don't encrypt them, unless you have some
kind of microprocessor built into your brain.

Dude, what I use as a user name and password on ssh logins would never be
said in a conversation.

You have lost touch with reality.



asking Google, whatever.

Wouldn't be found in google. It is relatively simple to make a user ID
and password that are not based on things easily guessed or found.

Using the 'wrong' newsreader or browser may well be enough to offer that
information to the open world wide web.

The user ID and password would never be mentioned, nor would anything that
would give anyone a clue.

You have lost touch with reality.



And you didn't consider that many attackers are not totally unknown
persons.

Yes, I have. That is why I don't use my everyday user name or password
for an ssh login account. That is why the user ID and passwords are not
even based on WORDS much less based on anything in my life.

Again, that's security by obscurity. I'm telling you (nearly)
everything about my system configuration. You still won't get in.

Unless I can exploit a buffer overflow before you get it patched. By leaving
your port open, you leave yourself vulnerable to such an attack regardless
of your encryption.



If someone wants to get to your system, then he has a reason to do
so, i.e. he already has some information about you.

That does not mean they can guess the user name and password I have
used for ssh logins.

Sure, but maybe he does.

Take as many guess as you want. Then try to connect to my system!

I prefer to assume the worst case, and thus be
prepared against it.

Then you would not want to leave your ssh port open in case of buffer
overflow attacks that happen before you have a chance to patch it. That is
why I keep the port closed.



They must then figure out how to get to root.

Logging into root directly via proper authentication mechanisms and
disallowing normal users to become root appears more secure to me.

Good thing you don't work on any of MY systems. Logging into the USER
via "proper authentication" then requiring a SECOND authentication is
more secure. Two layers of "proper authentication" is better than ONE!

Still, the system is only as secure as the first authentication required
(assuming that it provides shell access). And you are repeating what I
have said. You are talking about 'proper authentication'. First,
passwords don't count here, because there are some problems with them
(see above). Second, by using 'proper authentication', you just don't
have the need for an intermediate login. So why make things
unnecessarily more complicated?

Wrong, wrong, wrong. A system is more secure IF IT DOES NOT EVEN ALLOW A
CONNECTION unless specifically authorized. If the port is not open, as mine
is not, then nobody can exploit a buffer overflow vulnerability. And they
can't even get to the point where authorization is required.



As of yet, you have not shown how you would get my login and password,
much less get TO my system since I use various methods to prevent even
the ssh port from being seen by ANYONE.

I don't say that it's easy to get into your system. I say that you
rely on security by obscurity,

Nope. I rely on not allowing connections unless authorized. That prevents
hacking at the service.

and that I think this is bad. You have
to keep secrets secret to ensure system security. If someone asked you,
"what is your username?", you would answer: "I won't tell you that".
That's the difference. I don't have or need to have any secrets (except
my passphrases of course). Even intercepting my passphrases (however)
or stealing my hard-disk wouldn't give you access to my system. What a
deal! So what's better?


Unless they knew how to get to my SSH port, they would not even be
able to TRY my password.

By the way, _if_ you use something like knockd, then discovering the
secret to get to your SSH port is as easy as sniffing.

Since the combo changes with each login, you are wrong. You may, if lucky,
get a combo, but it would no longer be valid.



You are switching context here. I'm talking about network security,
but you're talking about bubblegums.

I am talking about TOTAL security, if that is "switching context" by
your standards, then you don't know security.

There is no TOTAL security.

especially if you don't think securing your console is important.

As long as anyone can get into a system
(including legitimate access),

That is why I prevent them from connecting.

it can theoretically be compromised. The
trick is to require the knowledge of a secret,

I do have that, with my randomly generated password, obscure ssh user ID and
CLOSED PORTS that can only be opened with a single use combination.

and making the discovery
of that secret impractical to attackers.

Then I meet your requirements. I even go a bit further. I keep my ports
closed so remote exploits like

--


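The lockout policy argued for in the thread ("3 failed attempts on an account and the account is disabled, 5 from an IP address and the IP address is blacklisted") can be checked against sshd's own log lines. The following is an added example and is not code from either poster or from any tool they mention; the log lines are constructed for the example (addresses from the RFC 5737 documentation ranges), the thresholds are the ones quoted in the post, and the "invalid user" handling is an assumption of mine: failures against user names that do not exist should not count toward disabling a real account, but they do count toward banning the source address.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_LOG = """\
Apr  6 03:40:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 40111 ssh2
Apr  6 03:40:03 host sshd[2201]: Failed password for root from 203.0.113.5 port 40111 ssh2
Apr  6 03:40:05 host sshd[2201]: Failed password for root from 203.0.113.5 port 40111 ssh2
Apr  6 03:40:09 host sshd[2204]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Apr  6 03:40:12 host sshd[2206]: Failed password for invalid user oracle from 203.0.113.5 port 40113 ssh2
Apr  6 03:41:30 host sshd[2210]: Failed password for q7x2m from 198.51.100.9 port 51000 ssh2
Apr  6 03:41:45 host sshd[2212]: Accepted publickey for q7x2m from 198.51.100.9 port 51001 ssh2
Apr  6 03:42:00 host sshd[2215]: Failed password for invalid user test from 198.51.100.77 port 33001 ssh2
"""

# Matches the "Failed password" line shape used by OpenSSH; the optional
# "invalid user " prefix tells us whether the account exists at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

ACCOUNT_LIMIT = 3   # failures against an existing account before it is disabled
IP_LIMIT = 5        # failures from one address before that address is blacklisted


def count_failures(log_text):
    """Return (failures per existing account, failures per source IP)."""
    per_user = defaultdict(int)
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                      # accepted logins and other noise
        per_ip[m.group("ip")] += 1
        if not m.group("invalid"):        # only real accounts can be disabled
            per_user[m.group("user")] += 1
    return per_user, per_ip


def lockouts(log_text, account_limit=ACCOUNT_LIMIT, ip_limit=IP_LIMIT):
    """Apply the thresholds and return (accounts to disable, IPs to ban)."""
    per_user, per_ip = count_failures(log_text)
    disabled = sorted(u for u, n in per_user.items() if n >= account_limit)
    banned = sorted(ip for ip, n in per_ip.items() if n >= ip_limit)
    return disabled, banned


if __name__ == "__main__":
    disabled, banned = lockouts(SAMPLE_LOG)
    print("disable accounts:", disabled)   # ['root']
    print("blacklist IPs:   ", banned)     # ['203.0.113.5']
```

On the sample, 203.0.113.5 reaches the IP limit with three real failures against root plus two against non-existent names, and root reaches the account limit. The caveat a practitioner wants here is visible in that result: an account-disable rule lets anyone who can reach the port lock out root (or the one obscure login account) with three wrong passwords, so a scheme like this is usually paired with per-IP limits and with key-only authentication rather than used on its own.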
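The post's answer to the sniffing objection is that the knock "combo changes with each login", so a captured sequence is no longer valid. The block below is an added example of how such one-time knock sequences can be derived and verified; it is my own illustration, not the poster's setup and not knockd's code (knockd has its own one-time-sequence file mechanism). The shared secret, the 4-port sequence length, the port range and the acceptance window are all assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

# Assumptions (not from the original post): both sides hold a shared
# secret, a knock is a sequence of KNOCK_LEN TCP ports in [PORT_LOW,
# PORT_LOW + PORT_RANGE), and a counter advances after every accepted knock.
KNOCK_LEN = 4
PORT_LOW = 10000
PORT_RANGE = 50000


def knock_sequence(secret: bytes, counter: int) -> list:
    """Derive the knock sequence for one counter value (HOTP-style: HMAC-SHA256
    over the big-endian counter, sliced into KNOCK_LEN port numbers)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    ports = []
    for i in range(KNOCK_LEN):
        chunk = int.from_bytes(digest[4 * i:4 * i + 4], "big")
        ports.append(PORT_LOW + chunk % PORT_RANGE)
    return ports


def _pack(ports) -> bytes:
    # Fixed-width encoding so the comparison below is constant-time.
    return struct.pack(">%dH" % KNOCK_LEN, *ports)


class KnockServer:
    """Server side: accepts the next unused counter within a small window,
    then burns every counter up to and including the one used."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.counter = 0          # next counter value we are willing to accept

    def verify(self, observed) -> bool:
        if len(observed) != KNOCK_LEN:
            return False
        packed = _pack(observed)
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(packed, _pack(knock_sequence(self.secret, c))):
                self.counter = c + 1  # a replay of this or any older knock now fails
                return True
        return False


if __name__ == "__main__":
    secret = b"example-shared-secret"      # assumed; never hard-code a real one
    server = KnockServer(secret)
    first = knock_sequence(secret, 0)
    print("knock", first, "->", server.verify(first))     # True
    print("replay", first, "->", server.verify(first))    # False
```

The server keeps only a counter, so a sequence sniffed on the wire (the ARP-poisoning scenario raised in the thread) is useless once the legitimate client has used it. The window lets a client whose packets were dropped get ahead by a knock or two without desynchronising; it also means a sniffer who captures a knock that the server has *not yet* seen has until the real client's next knock to use it, so the knock is a filter in front of sshd, not a substitute for its authentication.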