
Re: Debian 2.2 and security - SecurityPortal article



On Wed, Aug 30, 2000 at 02:47:44PM +0200, Thomas Guettler wrote:
> On Wed, Aug 30, 2000 at 11:55:57AM +0200, Leszek Gerwatowski wrote:
> > On SecurityPortal there is an article about Debian 2.2 security:
> > 
> > http://www.securityportal.com/closet/closet20000830.html
> > 
> > Just read it and tell me what you think about it.
> 
> The author (Kurt Seifried) makes the newbie believe Debian 2.2
> is not secure, but you should look at it more closely.
> 
> 
> quote: "The next default that really ticks me off is the password encryption scheme - 
> the default is to use crypt. "
> 
> A half year ago I installed debian-potato and I never heard of MD5 before, 
> but the displayed text informed me very well on what to choose. If you are
> too lazy to read these lines, you shouldn't try to set up a secure system.
> BTW, potato stores passwords in /etc/shadow, so that you need to be root
> to read the encrypted passwords (unless you use NIS).
> 
> 
> quote: "Discard, daytime, time, shell, login, and exec (r services) are all 
> enabled by default"
> 
> The first three are enabled, but I think that is no security problem.
> But shell, login, and exec are not enabled, at least on my system.
> Does someone have a fresh installation to tell us what the default is?
> 

Giving out the time that your system has is often considered a security problem. 

Also, off the top of my head:
I'm machine C. I spoof a connect from the time port on machine B to machine A on the time port. I also do the opposite at the same time.
So B sends data to A for my spoof packet. A sends data to B for my other spoof packet. They are both now reopening each other's ports.
Next step, change A and B to the broadcast address for the network.

It has been done with the chargen port. I would also think this may be possible with other services that blindly reply to connections ignoring input.

As for discard I'm stumped.

We routinely turn off everything that isn't required on our systems.
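The thread turns on which of the inetd "internal" and r services a fresh install leaves switched on. The following script is an added example and not code from the thread or from Debian: it parses a constructed inetd.conf in the Debian 2.2 layout (the sample is made up for this example, not a dump of any real system), lists the discussed services that are still enabled, singles out the UDP ones that answer every datagram (the property the reflection loop above depends on; discard answers nothing, which is why it cannot take part), and writes out a hardened copy using the `#<off># ` prefix that Debian's update-inetd uses to mark disabled lines.

```python
"""Audit an inetd.conf for the small services and r services discussed in the thread.

Added example; the sample configuration below is constructed, not a real file.
"""
import re
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample in the Debian 2.2 /etc/inetd.conf layout (not a real dump).
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf:  see inetd(8) for further informations.
#:INTERNAL: Internal services
#echo\t\tstream\ttcp\tnowait\troot\tinternal
#echo\t\tdgram\tudp\twait\troot\tinternal
discard\t\tstream\ttcp\tnowait\troot\tinternal
discard\t\tdgram\tudp\twait\troot\tinternal
daytime\t\tstream\ttcp\tnowait\troot\tinternal
time\t\tstream\ttcp\tnowait\troot\tinternal
time\t\tdgram\tudp\twait\troot\tinternal
#chargen\t\tdgram\tudp\twait\troot\tinternal
#:STANDARD: These are standard services.
ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
#<off># shell\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.rshd
#<off># login\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.rlogind
exec\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\t/usr/sbin/in.rexecd
"""

# Services the thread argues should not be on by default.
SMALL_SERVICES = {"echo", "discard", "daytime", "time", "chargen"}
R_SERVICES = {"shell", "login", "exec"}
# Internal services that reply to every datagram; discard is deliberately absent.
REPLYING_UDP = {"echo", "daytime", "time", "chargen"}

# service  socktype  proto  wait/nowait  user  server  [args]
INETD_LINE = re.compile(
    r"^(?P<svc>\S+)\s+(?P<type>stream|dgram|raw|rdm|seqpacket)\s+(?P<proto>\S+)"
    r"\s+(?P<wait>\S+)\s+(?P<user>\S+)\s+(?P<server>\S+)(?:\s+(?P<args>.*))?$"
)
OFF_MARK = "#<off># "  # prefix update-inetd puts in front of disabled lines


class Entry(NamedTuple):
    service: str
    socktype: str
    proto: str
    enabled: bool


def parse_inetd_conf(text: str) -> List[Entry]:
    """Return every service line, including commented-out ones, as Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        if not enabled:
            # Peel off '#' and an optional '<off>#' marker; pure comments then
            # fail the regex below and are skipped.
            line = line.lstrip("#").strip()
            if line.startswith("<off>#"):
                line = line[len("<off>#"):].strip()
        m = INETD_LINE.match(line)
        if m:
            entries.append(Entry(m["svc"], m["type"], m["proto"], enabled))
    return entries


def risky_enabled(text: str) -> Dict[str, List[str]]:
    """Map each still-enabled small or r service to the protocols it listens on."""
    found: Dict[str, List[str]] = {}
    for e in parse_inetd_conf(text):
        if e.enabled and e.service in SMALL_SERVICES | R_SERVICES:
            found.setdefault(e.service, []).append(e.proto)
    return found


def udp_reflectors(text: str) -> List[str]:
    """Enabled UDP services that answer any datagram, i.e. usable in a spoofed loop."""
    return sorted({e.service for e in parse_inetd_conf(text)
                   if e.enabled and e.socktype == "dgram" and e.service in REPLYING_UDP})


def disable_services(text: str, services: Iterable[str]) -> str:
    """Return a copy of the file with the active lines for `services` switched off."""
    wanted = set(services)
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        m = INETD_LINE.match(stripped) if stripped and not stripped.startswith("#") else None
        out.append(OFF_MARK + raw if m and m["svc"] in wanted else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled small/r services:", risky_enabled(SAMPLE_INETD_CONF))
    print("UDP services that reply blindly:", udp_reflectors(SAMPLE_INETD_CONF))
    print(disable_services(SAMPLE_INETD_CONF, SMALL_SERVICES | R_SERVICES))
```

On a real box the same functions can be run over the contents of /etc/inetd.conf; the hardened text is only printed here, so writing it back (and restarting inetd) is left to the operator. The regex also skips the `#:INTERNAL:` section headers because their second field is not a socket type.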


