Re: sshd / ftpd break-in attempts



Unruh wrote:

Nathan Keel <nat.k@xxxxx> writes:

Grant wrote:


Don't use username/password ftp, use scp instead.  Ftp was never
secure as passwords are sent in the clear

Of course, someone would have to have some type of control or access
to your network, connection, or root access on your system or the
server you're connecting to, or some such thing where you're screwed
anyway, for passwords being sent in clear text to really pose a threat. It's
really not as big of a deal as some people make it out to be, but true
that it's safer to use a secure protocol and if someone was able to
gain that type of access (where you're pretty much screwed anyway and
they don't need a password to do any damage), then they at least can't
know the password, especially with all of the people that recycle the
same passwords for different services and providers. Otherwise,
there's really nothing wrong with FTP, other than it being another
service with a potential for an exploit like anything else.


False.

False to say false.

There are loads of password sniffing programs out there--

You can't just run a "password sniffing program" against a server and
think you're going to magically have portions of text pop up.

programs whose purpose is to look for words like "Password " and
record the next few KB of traffic to grab the password.

Only if you have super user access on the source or target system or the
network, or the connection between them.

It may be a root
kit on one of your computers or on some computer that is on the
network, and can see the network traffic on the network you are on.

If they have some type of access like that on the system or network,
yes, and that's what I said. But, for a lot of people on dialup, dsl,
cable, unless someone has control of your router/switch or your system,
it's pretty wildly unlikely someone would have such control over the
ISP or the backbone to the system you're connecting to online.
Certainly a data center could have their network compromised, or the
system you're connecting to, but then all bets are off anyway because
in any of those scenarios no one would need to hunt down people's
passwords passing over in clear text, since they already have control
over the system or network anyway (they no longer need the password).
Simply put, unless one of those things happens, then the only other way
it would protect you, is from someone attaching a physical device on or
near your connection.

With ssh that is useless.

Not if they control the system or network. They can have your SSH
session connect to anywhere (luckily it will warn you of the
fingerprint or IP change though), but they still own your ass.

The only times my set of machines were
broken into was when I did not run ssh,

SSH very unlikely has *** all to do with your systems being broken
into.

and the passwords of some of
my users were sniffed when
they visited Korea.

That's irrelevant to the system itself being broken into. Do you mean
their accounts being broken into? If so, fair enough. Indeed, IF you
travel, use a laptop or a public terminal/cafe or something, then yes,
though you're still at the mercy of the physical security of the
system, I would agree that it's good to be safe against untrusted
networks, in which case plain text is a risk.

(and one time when one of my users used
passwordless ssh and they tunneled back that was into my system after
breaking into a machine a few continents away, and following back a
passwordless ssh chain.)

Of course that's another topic.