Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: One Question about security
Special Forums Cybersecurity One Question about security Post 302074189 by hegemaro on Sunday 21st of May 2006 08:23:27 AM
Old 05-21-2006
I have been supporting a dialup BBS -- yes they still exist -- for five years now. Telnet itself is not an inherently insecure protocol nor are most daemon implementations any more buggy than, say, FTP. Stay current with patches and you'll be fine on that point. There are two issues that you must consider:

1 ) Transmission of account and password information in plain text
Since the server is Internet facing, it is quite possible that someone could intercept a valid user's account/password information and use it for nefarious activities. Depending on your server configuration, that account may also grant the intruder access to through other services such as FTP or mail.
2 ) Shell access to the server.
Unlike HTTP which can more readily be limited to specific areas of the system, shell access throws open the floodgates to your system and any weaknesses in configuration. Using restricted shells does little as there are numerous ways to bypass that limited security.
Here are some ideas:

As System Shock suggested, Secure Shell can completely address Issue #1 by encrypting not only the data stream once logged in but also the account information as the user logs in. It is freely available from http://www.openssh.org/. It is moderately complex to compile and configure but it will integerate seamlessly with your existing application; it is simply a replacement for Telnet not the application already running on the system.

The down-side is that it requires your users to use an SSH client to connect to your server. Telnet and Hyperterminal will no longer work. This can be a deal-breaker.

The second issue can be addressed with a "change root" jail in which the user is locked into a subdirectory structure of the entire file system. I have no direct experience myself but the http://www.jmcresearch.com/projects/jail/ reference has been suggested. There may be issues integrating with your application but I can not say what they would be.

So, what to do?

The most important thing is to harden your server to the point of paranoia. There are many documents on how this can be achieved but here are a few general suggestions.
  • Disable ALL unnecessary network services ideally leaving Telnet only.
  • Lock all system accounts except root, of course, restricting root access to the console only.
  • Enforce a strict password policy with an 8-character minimum length and frequent password changes.
  • Isolate your server from the rest of your network. Firewalls work fine but physical isolation is not susceptible to configuration errors. To simplify periodic access to the server, a second interface can be added with a cross-over connection to another server. On your Internet facing system, the interface can be left up while on the cross-over server, bring down the interface when not in use.
  • PATCHES!! Stay on top of all security patches for your environment. This is most important and most overlooked.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

PostFix security question

I have a Postfix mail server running on my eMac, and been looking at /var/log/mail.log. I am new to administrating a mail server. I notice some servers tried to relay messages to unkown recipients in my server, and my Postfix denied access. The "from" and "rcpt to" look very phony. I did a... (3 Replies)
Discussion started by: fundidor
3 Replies

2. UNIX for Dummies Questions & Answers

UNIX Security Question

Can other users delete / replace this file if the directory and file have the following permissions /test drwxrwxrwx /test/file _rw_r__r__ I guess what I really want to know is what the security riskis of having teh directory completely open when the access to a particular file is... (3 Replies)
Discussion started by: OBCCBIP
3 Replies

3. UNIX for Dummies Questions & Answers

security question

I just wanted to know when dealing with key loggers, What would be a normal routine for searching them out. I really don't know what I am looking for other than odd process. Also packet sniffers. What are signs? (0 Replies)
Discussion started by: blanks
0 Replies

4. UNIX for Dummies Questions & Answers

Question: Unix Security

question deleted, because answered (2 Replies)
Discussion started by: kasa
2 Replies

5. Solaris

Java / SunOS Security question

Hi, I have a question about the Java that comes with the Solaris 9/10 OS. All my boxes are servers, only ssh allowed, no x windows, hardened, firewaled, etc... Their purpose is Oracle DB's and Sun One Dir servers. None of which use the OS version of Java as far as know. Question IS, can... (1 Reply)
Discussion started by: BG_JrAdmin
1 Replies

6. UNIX for Dummies Questions & Answers

Security Question

In an effort to adapt to best security practices, it has been suggested that a number of scripts that are going to be distributed to multiple machines across an internal network use be modified to replace instances of rsh and rcp with openSSH ssh and scp. Since there are so many references to rsh... (1 Reply)
Discussion started by: jasondj
1 Replies

7. Cybersecurity

Security question.

This may seems simple but I am unaware of this. Is there anyway to fetch the date & time of a user ID created on AIX? (actually I need answer for HP-UX,Solaris & Linux as well. But AIX is what I am most interested in.) I use ls command but it does not show the creation date. It just shows the... (2 Replies)
Discussion started by: raj100
2 Replies

8. Cybersecurity

Question on a security package on linux

Hello everyone , I want to implement a new firewall, detection system on my network composed of some 200 computers as follows: The fire wall would be a linux box with router, L7 iptable and also snort as IDPS system. These are my questions: 1. Is there any security consideration regarding... (0 Replies)
Discussion started by: ahmedkamel
0 Replies

9. Cybersecurity

Web hosting security question

Hi, Recently my has been hacked. A .pl script has been uploaded in the root of the directory, which uploaded lot of unwanted files and changed their file permission to 777. I have no clue how did they upload that .pl file in my hosting. Website is in shared hosting. Could they access my web... (3 Replies)
Discussion started by: agriz
3 Replies

10. AIX

AIX IP security question

Recently the network auditor found a security hole at port 50000. The port 50000 is used by db2. When I enter command "netstat -Aan |grep 50000", it showed some established connections and are all db2 processes. I have asked the application team and they answered that the port 50000 connection... (2 Replies)
Discussion started by: skeyeung
2 Replies

LEARN ABOUT SUNOS

asadmin-update-connector-security-map

asadmin-update-connector-security-map(1AS)			   User Commands			asadmin-update-connector-security-map(1AS)

NAME

       asadmin-update-connector-security-map, update-connector-security-map - updates the security map for the named connector connection pool

SYNOPSIS

       update-connector-security-map  --user  admin_user  [--password admin_password][--host localhost] [--port 4848][--secure|-s] [--passwordfile
       filename] [--terse=false] [--echo=false] [--interactive=true]
	--poolname connector_connection_pool_name [--addprincipals principal-name[, principal-name]*]| [--addusergroups user-group[, user-group]*]
       [--removeprincipals  principal-name[,  principal-name]*	]  [--removeusergroups	user-group[,  user-group]*]  [--mappedusername	user_name]
       [[--mappedpassword password]] mapname

       Modifies a security map for the named connector connection pool. You must have first created a connector connection pool using the  create-
       connector-connection-pool command.

       This command is supported in remote mode only.

OPTIONS

       --user		       authorized domain application server administrative username.

       --password	       password to administer the domain application server.

       --host		       machine name where the domain application server is running.

       --port		       port number of the domain application server listening for administration requests.

       --secure 	       if true, uses SSL/TLS to communicate with the domain application server.

       --passwordfile	       file containing the domain application server password.

       --terse		       indicates that any output data must be very concise, typically avoiding human-friendly sentences and favoring well-
			       formatted data for consumption by a script. Default is false.

       --echo		       setting to true will echo the command line statement on the standard output. Default is false.

       --interactive	       if set to true (default), only the required password options are prompted.

       --poolname	       connector connection pool name for which the security map that is to be updated or created belongs to.

       --addprincipals	       a comma separated list of backend EIS principals to be added.

       --addusergroups	       a comma separated list of the enterprise information system usergroups to be added.

       --removeprincipals      a comma separated list of the enterprise information system principals to be removed.

       --removeusergroups      a comma separated list of the enterprise information system usergroups to be removed.

       --mappedusername        the enterprise information system username.

       --mappedpassword        the enterprise information system password.

OPERANDS

       mapname		       name of the security map to be updated.

       Example 1: Using update-connector-security-map

       It is assumed that the connector pool has already been created using the create-connector-pool command.

       asadmin> update-connector-security-map --user admin --password adminadmin
       --poolname connector-pool1 --addprincipals principal1, principal2,
       --addusergroups usergroup1, usergroup2 --removeprincipals principal3, principal4
       --removeusergroups usergroup3, usergroup4 securityMap1
       Command update-connector-security-map executed successfully

EXIT STATUS

       0		       command executed successfully

       1		       error in executing the command

       asadmin-create-connector-security-map(1AS), asadmin-delete-connector-security-map(1), asadmin-list-connector-security-maps(1AS)

J2EE 1.4 SDK							    March 2004				asadmin-update-connector-security-map(1AS)
All times are GMT -4. The time now is 12:44 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy