*BSD News Article 58766


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mira.net.au!yarrina.connect.com.au!news.mel.connect.com.au!munnari.OZ.AU!metro!metro!sunb.ocs.mq.edu.au!not-for-mail
From: jont@mpce.mq.edu.au (Jonathon Earnshaw TIDSWELL)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: A Matter of Security
Date: 11 Jan 1996 10:20:19 GMT
Organization: Macquarie University, School of MPCE
Lines: 103
Message-ID: <4d2o93$m0e@sunb.ocs.mq.edu.au>
References: <4d0qav$9j0@gol2.gol.com>
NNTP-Posting-Host: krakatoa.mpce.mq.edu.au
X-Newsreader: TIN [UNIX 1.3 950726BETA PL0]

Security is risk management, it is a series of tradeoffs (isn't all computing?).
Before you get paranoid, consider what you have to lose:
 1) a couple of hours reinstalling the OS from CDROM and a couple more hours
restoring your local modifications, extensions, mail, etc., from backups.
[ You have tested your regular backup and restore procedures ? :-]
 2) millions of dollars in lawsuits from venture capitalists whose
confidential plans were leaked when an industrial spy broke in
Depending on whether you answer 1 or 2 (there is no grey area in between :-)
you decide how much time, money and effort it's worth protecting your system.

After you've done that, then (if it's worth the time and effort :-) read on ..

enjoy
- JonT

Doug (doug@gol.com) wrote:
: Our system now allows members to make PPP connections via our new 
: Portmaster (which is working well, along with RADIUS, thanks to the help 
: of members of this group).
 
I get the impression this is an ISP of sorts.

If you are primarily offering PPP/SLIP connectivity and don't need user logins,
then the best bet is to disable the extraneous (any you CAN do without) network
daemons and run a special encrypting login daemon with one time passwords for
remote administration purposes.
You may also want to consider wrapping your required network daemons with
tcp_wrappers or equivalent.
You also want to run them in a chroot'd environment.

: I noticed that unless I created a user account on the FreeBSD machine 
: for a user, he or she could not receive email. Well, that makes sense.

How are the users expected to access their mail ?
If the answer is with POP or samba or equivalent then see if you can avoid
letting them log in at all via the techniques I mentioned above.

: But I also noticed that any user can now Telnet into our FreeBSD 
: machine.

Well you gave them accounts :-)

: What's more, because of the default settings, any user can roam around 
: and see almost everything, including most of the contents of /etc.
: 
: Questions!
: 
: o Is this normal? Does everybody allow this?

Unlike Windoze which only has one configuration (broken) Euniches systems
offer so much configurability most admins get it wrong (broken :-).

Most programs that have to deal with networking or identity (note outgoing web,
telnet, mail reading and sending all fit this category) need access to numerous
files in /etc and possibly a few in /dev and other strange places.

: o As soon as I noticed this, I changed the permissions of /etc with the 
: command
: 
: chmod og-wrx /etc
: 
: so that members could not access that directory. Is that a reasonable 
: thing to do? Will it hurt any running processes?
 
Lots of things won't work for non root users, but perhaps you don't mind :-)

: o Is there a way of disabling logins except for certain users?

Typically you set the shell to a program that returns a message and exits.
This makes the login sessions very short.
You can also set the shell to something like /nonexistant which will disable
the login.

Be careful of putting entries in /etc/shells or you may allow ftp sessions that
you hadn't intended.
 
: o Can a user wreak havoc with the system by creating huge files in their 
: home directory, creating and running programs, etc.?
 
Short answer - yes.
Long answer - I don't have a spare 12 months, so ... yes.
This is why I advise against letting them on at all.

: o What do other sysops do about this?

Some grin and bear it, others run separate machines (without user logins)
for accounting, and other important (news, email, DNS :-) services. 

Also it's still wise to disable extraneous services, and to run tcp_wrappers
and chroot things if you let users onto the machine.

: I am very interested in hearing the opinions of other members of this 
: group.

You probably want to read security newsgroups.
And possibly the firewalls archives ftp://ftp.greatcircle.com/???
And then (or probably first) some books on unix security.

But before you do all of that:
	How much time and money is appropriate ?
	Is it worth it ?
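
An added audit script (not part of the original post) in the spirit of the advice on disabled shells and /etc/shells above: it lists every account whose login shell is listed in /etc/shells, i.e. the accounts that ftpd will still admit even if you meant them to be mail-only. The passwd and shells files below are constructed samples, and /nonexistant is the placeholder shell the post suggests.

```shell
#!/bin/sh
# Added example, not from the original post.  Setting an account's shell to a
# program that does not exist stops interactive logins, and because ftpd only
# admits users whose shell is listed in /etc/shells, an unlisted shell shuts
# out ftp as well.  The reverse holds too: every account whose shell IS listed
# can get in by telnet and ftp alike, which is what this check reports.

# login_capable_users PASSWD_FILE SHELLS_FILE
# Prints "user shell" for every account whose shell appears in SHELLS_FILE.
login_capable_users() {
    awk -F: '
        # First input: /etc/shells.  Like getusershell(3), only lines that
        # begin with "/" count; blanks and "#" comments are ignored.
        FNR == NR { if ($0 ~ /^\//) shells[$0] = 1; next }
        # Second input: passwd; field 7 is the shell, empty meaning /bin/sh.
        { sh = ($7 == "") ? "/bin/sh" : $7; if (sh in shells) print $1, sh }
    ' "$2" "$1"
}

# audit_sample: runs the check against constructed sample files in a scratch
# directory and prints the result, so nothing on the real system is touched.
audit_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# constructed /etc/shells
/bin/sh
/bin/csh
/usr/local/bin/bash
EOF
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice (mail only):/home/alice:/nonexistant
bob:*:1002:1002:Bob (shell user):/home/bob:/usr/local/bin/bash
carol:*:1003:1003:Carol (meant to be mail only):/home/carol:/bin/sh
EOF
    login_capable_users "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

audit_sample
```

On the sample data alice is the only account shut out; carol shows up because /bin/sh is in /etc/shells, which is exactly the unintended ftp access the post warns about.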