Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mira.net.au!yarrina.connect.com.au!news.mel.connect.com.au!munnari.OZ.AU!metro!metro!sunb.ocs.mq.edu.au!not-for-mail
From: jont@mpce.mq.edu.au (Jonathon Earnshaw TIDSWELL)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: A Matter of Security
Date: 11 Jan 1996 10:20:19 GMT
Organization: Macquarie University, School of MPCE
Lines: 103
Message-ID: <4d2o93$m0e@sunb.ocs.mq.edu.au>
References: <4d0qav$9j0@gol2.gol.com>
NNTP-Posting-Host: krakatoa.mpce.mq.edu.au
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]

Security is risk management, it is a series of tradeoffs (isn't all computing?).

Before you get paranoid, consider what you have to lose:

1) a couple of hours reinstalling the OS from CDROM and a couple more hours restoring your local modifications, extensions, mail, etc, from backups. [ You have tested your regular backup and restore procedures ? :-]

2) millions of dollars in lawsuits from venture capitalists whose confidential plans were leaked when an industrial spy broke in

Depending on whether you answer 1 or 2 (there is no grey area in between :-) you decide how much time, money and effort it's worth protecting your system.

After you've done that, then (if it's worth the time and effort :-) read on ..

enjoy - JonT

Doug (doug@gol.com) wrote:
: Our system now allows members to make PPP connections via our new
: Portmaster (which is working well, along with RADIUS, thanks to the help
: of members of this group).

I get the impression this is an ISP of sorts. If you are primarily offering PPP/SLIP connectivity and don't need user logins, then the best bet is to disable the extraneous (any you CAN do without) network daemons and run a special encrypting login daemon with one time passwords for remote administration purposes.

You may also want to consider wrapping your required network daemons with tcp_wrappers or equivalent. You also want to run them in a chroot'd environment.

: I noticed that unless I created a user account on the FreeBSD machine
: for a user, he or she could not receive email.

Well, that makes sense. How are the users expected to access their mail ? If the answer is with POP or samba or equivalent then see if you can avoid letting them log in at all via the techniques I mentioned above.

: But I also noticed that any user can now Telnet into our FreeBSD
: machine.

Well you gave them accounts :-)

: What's more, because of the default settings, any user can roam around
: and see almost everything, including most of the contents of /etc.
:
: Questions!
:
: o Is this normal? Does everybody allow this?

Unlike Windoze which only has one configuration (broken) Euniches systems offer so much configurability most admins get it wrong (broken :-).

Most programs that have to deal with networking or identity (note outgoing web, telnet, mail reading and sending all fit this category) need access to numerous files in /etc and possibly a few in /dev and other strange places.

: o As soon as I noticed this, I changed the permissions of /etc with the
: command
:
: chmod og-wrx /etc
:
: so that members could not access that directory. Is that a reasonable
: thing to do? Will it hurt any running processes?

Lots of things won't work for non root users, but perhaps you don't mind :-)

: o Is there a way of disabling logins except for certain users?

Typically you set the shell to a program that returns a message and exits. This makes the login sessions very short. You can also set the shell to something like /nonexistant which will disable the login. Be careful of putting entries in /etc/shells or you may allow ftp sessions that you hadn't intended.

: o Can a user wreak havoc with the system by creating huge files in their
: home directory, creating and running programs, etc.?

Short answer - yes.
Long answer - I don't have a spare 12 months, so ... yes.

This is why I advise against letting them on at all.

: o What do other sysops do about this?

Some grin and bear it, others run separate machines (without user logins) for accounting, and other important (news, email, DNS :-) services. Also it's still wise to disable extraneous services, and to run tcp_wrappers and chroot things if you let users onto the machine.

: I am very interested in hearing the opinions of other members of this
: group.

You probably want to read security newsgroups. And possibly the firewalls archives ftp://ftp.greatcircle.com/???

And then (or probably first) some books on unix security.

But before you do all of that: How much time and money is appropriate ? Is it worth it ?
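
An added example, not part of the original post: a small audit of the /etc/shells caveat mentioned in the reply, flagging accounts whose login is disabled by a message-and-exit shell that is nevertheless listed in /etc/shells. The sample passwd and shells contents are constructed, and /usr/local/bin/nologin-msg and the function names are hypothetical.

```python
# Added example; all sample data below is constructed.
# /usr/local/bin/nologin-msg is a hypothetical "print a message and exit" program.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie Root:/root:/bin/csh
doug:*:1001:1001:Admin:/home/doug:/bin/sh
alice:*:1002:1002:Mail only:/home/alice:/usr/local/bin/nologin-msg
bob:*:1003:1003:Mail only:/home/bob:/nonexistant
carol:*:1004:1004:Empty shell field:/home/carol:
"""
SAMPLE_SHELLS = """\
# shells accepted by ftpd
/bin/sh
/bin/csh
/usr/local/bin/nologin-msg   # listed by mistake: alice can still use ftp
"""
# Shells the admin uses to switch interactive logins off (an assumption of this audit).
NO_LOGIN_SHELLS = {"/usr/local/bin/nologin-msg", "/nonexistant"}


def parse_shells(text):
    """Return the set of paths listed in an /etc/shells-style file."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            shells.add(line)
    return shells


def audit(passwd_text, shells_text, no_login_shells):
    """Map each user to 'login', 'disabled' or 'ftp-still-allowed'."""
    listed = parse_shells(shells_text)
    result = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        # An empty shell field means the default shell, /bin/sh.
        user, shell = fields[0], fields[6] or "/bin/sh"
        if shell not in no_login_shells:
            result[user] = "login"
        elif shell in listed:
            result[user] = "ftp-still-allowed"  # the pitfall: shell is in /etc/shells
        else:
            result[user] = "disabled"
    return result


if __name__ == "__main__":
    for user, status in audit(SAMPLE_PASSWD, SAMPLE_SHELLS, NO_LOGIN_SHELLS).items():
        print(f"{user:8} {status}")
```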