root login with telnetd

Hugo Silva hugo at barafranca.com
Sun Mar 11 16:31:54 UTC 2007


Sergio Lenzi wrote:
> Hello...
>
> I see your issues about telnet...
>
> I use the inetd+telnet for more than 20 years and using BSD
> with RSA, and obviously with a good password.
>
> I have never been cracked down...
> and I have 10 of my /etc/ttys entries set to "secure"
>
> ttyp0   none                    network off     secure
> ttyp1   none                    network off     secure
> ttyp2   none                    network off     secure
> ttyp3   none                    network off     secure
> ttyp4   none                    network off     secure
> ttyp5   none                    network off     secure
> ttyp6   none                    network off     secure
> ttyp7   none                    network off     secure
> ttyp8   none                    network off     secure
> ttyp9   none                    network off     secure
> ttypa   none                    network off     secure
> ttypb   none                    network off     secure
> ttypc   none                    network off     secure
>
> in my /etc/master.passwd.....
> root:*:0:0::0:0:Charlie &:/root:/bin/csh
>
>
> a "kill -1 1"  would allow root to dial in
>
> I block the root account in /etc/master.passwd by putting a "*" as md5hash
> and set up a "supper" account.....
>   
You could have just changed its name, and the end result is exactly the 
same. If you have other services running in this server, there are 
various ways to figure out who has uid 0. Changing root's account or 
adding another uid 0 won't make it any harder.
> pw adduser xxxxxxxxx -d /root -s /usr/local/bin/bash -u 0 -g 0 -h 0
>
> Then it is done...
>
> All the cracking I have seen is from someone that is INSIDE the machine
> (http using php,pop,imap, ssh,...) that is you have yet allowed him to
> come in,
> you gave them the password (in the case of ssh), or in http...
>
>   
> A "normal"  FreeBSD 6.2 or an OpenBSD, is incredibly solid...

Indeed, that's exactly why it comes with sshd instead of telnetd and 
they both DO NOT allow root logins by default.
> You must know the "superuser" login AND the password....
>   
With sshd and root logins off, you need to know your username's 
password/passphrase for DSA/RSA, you need to be in the right group so 
you can even attempt to become root, and you need the root password too. 
On top of all that, everything's encrypted.

Please do not even TRY to compare.
> choose a password with letters and numbers, or something in 
> portuguese (only 7 countries speak that):  biruta22, pezinho12,
> 45pinheiiros,
> tovazioagora, batatinha744, 45canastra96.....
>   
Spoken in:    Angola, Brazil, Mozambique, Portugal, and several other 
CPLP countries
Total speakers:    Native: 210 million
Total: 230 million

Brilliant.
> I tested in a security system and it says it has good security...
> (pgp)...
>   
I won't comment on this.
> Besides.. using brute force in a word like "itacolomi"  using a 1 second
> delay
> would result ,,,, "forever"  
> Besides, BSD has the ability to force a new password once it is too
> old... 
> a new password every 3 months is a good choice....  and you must still
> pass through   RSA .
>
>
> Thanks for sharing the experience...  now I know I am not the one that
> uses "telnet"
>   
>   
>
>
>   
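
Added example, not part of the original message: an audit an administrator could run to see the two settings discussed in this thread, every account with UID 0 (whatever it is named) and every network pty marked "secure" in ttys(5) format. The sample files and the account name altadmin are constructed; on a real system pass /etc/master.passwd and /etc/ttys.

```shell
#!/bin/sh
# Audit sketch for the settings discussed in the thread (added example).
# All sample data below is constructed; "altadmin" is a hypothetical name.

# Print each account whose UID field (3rd, colon-separated) is 0, and
# whether its password field starts with "*" (no usable hash).
uid0_accounts() {
    awk -F: '
        /^#/ || NF < 3 { next }
        $3 ~ /^0+$/ {
            state = ($2 ~ /^\*/) ? "locked" : "password-set"
            print $1 ":" state
        }' "$1"
}

# Print network pseudo-terminals (ttyp*) that carry the "secure" flag,
# i.e. lines on which login accepts a UID 0 account directly.
secure_network_ttys() {
    awk '
        /^#/ { next }
        $1 ~ /^ttyp/ {
            for (i = 2; i <= NF; i++)
                if ($i == "secure") { print $1; break }
        }' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/master.passwd" <<'EOF'
# constructed sample
root:*:0:0::0:0:Charlie &:/root:/bin/csh
altadmin:$1$constructed$hash:0:0::0:0:User &:/root:/usr/local/bin/bash
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF

cat > "$SAMPLE_DIR/ttys" <<'EOF'
# constructed sample
ttyv0   "/usr/libexec/getty Pc"   cons25   on   secure
ttyp0   none   network off   secure
ttyp1   none   network off   secure
ttyp2   none   network
EOF

echo "UID 0 accounts:";      uid0_accounts "$SAMPLE_DIR/master.passwd"
echo "secure network ptys:"; secure_network_ttys "$SAMPLE_DIR/ttys"
```

Any UID 0 line other than a locked root, or any ttyp* entry in the second list, is a finding to review.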
