
Re: Security problem - inetd.conf has rsh/rlogin/rexec "ON" as a default



On Thu, June 11 1998, Scott Ellis <storm@gate.net> wrote:
|On Thu, 11 Jun 1998, Amos Shapira wrote:
|
|> The rsh/rlogin/ident/rexec services are active by default in the
|> inetd.conf file.  Even though I keep removing them (I delete their
|> lines altogether since that way it's much easier to notice a change)
|> they seem to keep popping up after updating any software related to
|> this file.
|
|If you comment them out with a single "#", they won't be re-enabled by
|updated packages.

OK, I'll get back to doing that.  I used to do that until I got fed up
with having to comment the lines in the first place and look for the
uncommented lines periodically, instead of just deleting all but 2-3
lines and being able to watch them at a glance.

|> I'd like to suggest that these services will be "off" by default and
|> the user should be given a chance to stop the system before it
|> reactivates them.
|
|Many people do administration remotely.  They would probably be very
|disappointed to have their login services yanked out from under them.

I do a lot of remote administration too (actually, almost exclusively)
using ssh.  I know that ssh is not freely distributable with Debian
(due to the crypto limitations) but having these services opened as a
default, and being re-opened after closed, looks like a risk to me (I
mean - how many people are really aware of the risk?  How many would
bother to install ssh if they were aware of the risk and the (easy,
IMHO) secure alternative?).

|They're easy enough to disable and only truly a security hole if you have
|.rhosts or hosts.equivs files laying around.  Even then, tcpwrappers makes

They are easy enough to disable indeed, but it's another administrative
point to keep looking at in case things changed.  Also the hosts.equiv
and .rhosts files are another administrative "trace point".  Not that
I don't have to watch these files anyway, but watching them and
finding them to be OK is much less alarming than watching them and seeing
that everything is activated.

|them significantly harder to spoof than on a traditional UNIX environment.

You can't trust the DNS these days, not until secure DNS becomes more
common.  Also all passwords and sessions passed across the network are
wide open to anyone on the net to read.  So a cracker can either:

1. hack the DNS or fake a reply when the wrappers or rshd try to
   reverse-map the host.

2. watch the first TCP packet passed from the client to the server -
   the password is right there as plain text.

I may sound paranoid and bitching, but I used to be relaxed about
these things ("who's gonna care about some tiny ISP at the end of the
world, really?") until I was bitten hard by a cracker (he sounded like
the interviews with the Analyzer, maybe it was him).  Since then I
live and work under the assumption that the cracker is there, watching
every move I make on any machine and the net.  And finding that
rsh/rexec/rlogin were again enabled this morning on my home machine
didn't help much to my happiness.

|> I'm not on the list (finals period) so please CC to me any response to
|> this message.
|
|CC sent.

Thanks.

--Amos

--Amos Shapira                    | "Of course Australia was marked for
133 Shlomo Ben-Yosef st.          |  glory, for its people had been chosen
Jerusalem 93 805                  |  by the finest judges in England."
ISRAEL        amos@gezernet.co.il |                     -- Anonymous
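
Added example (not part of the original message, and not Debian's own tooling): a shell audit for the situation discussed in this thread, reporting whether each of the rsh/rlogin/rexec/ident entries in an inetd.conf is enabled, commented out, or absent. The function names and the sample file are constructed for illustration; the service names are the /etc/services names (shell, login, exec, auth/ident).

```shell
#!/bin/sh
# Services from the thread, by /etc/services name:
# shell=rsh, login=rlogin, exec=rexec, auth/ident=identd.
RSERVICES="shell login exec auth ident"

# rservice_state FILE SERVICE -> prints enabled | commented | absent
rservice_state() {
    awk -v svc="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" { next }
        line ~ /^#/ {
            # Strip comment markers, including the "#<off>#" prefix written by
            # Debian update-inetd, then require a real entry (socket type in field 2).
            sub(/^(#|<off>)+[ \t]*/, "", line)
            split(line, f, /[ \t]+/)
            if (f[1] == svc && (f[2] == "stream" || f[2] == "dgram")) commented = 1
            next
        }
        { split(line, f, /[ \t]+/); if (f[1] == svc) enabled = 1 }
        END { print (enabled ? "enabled" : (commented ? "commented" : "absent")) }
    ' "$1"
}

# audit_inetd FILE -> prints "service state" per service; returns 1 if any is enabled
audit_inetd() {
    rc=0
    for s in $RSERVICES; do
        st=$(rservice_state "$1" "$s")
        echo "$s $st"
        if [ "$st" = "enabled" ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample inetd.conf (not taken from a real system).
sample_inetd() {
    cat <<'EOF'
# constructed sample
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rlogind
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF
}

# Stand-alone use: sh audit.sh /etc/inetd.conf
if [ "$#" -gt 0 ]; then audit_inetd "$1"; fi
```

Run from cron, a non-zero exit flags a re-enabled service; "commented" is the state the reply above recommends, while "absent" entries are the ones reported as reappearing after package updates.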

