Open Source and information security mailing list archives
 
From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Re: Re: open telnet port

On Thu, 2004-09-09 at 14:28, ktabic wrote: 
> How about, as a service to enable as you are updating SSH remotely from
> the other side of the country to fix the most recent security
> problem and need a backup system to get into the server in the event
> that something goes wrong?
> 
> ktabic

In that case I'd do one of the following:

1. Run a separate instance of ssh on another port and keep an active
connection.

2. Run any other encrypted access method.

3. Call my data centre to help me out, since that's what I pay them for.

Telnet should not be used as a last resort, it should only be used as
the _only_ resort, by that I mean embedded devices not capable of
anything other than telnet. Although anyone with security in mind
wouldn't purchase a device of this type.

This is the second post recommending telnet as a backup access method.
So you guys are telling us.....

"People are sniffing your passwords, use SSL!!!! but if you want plain
text just use it, they don't sniff your passwords when you are doing
emergency repairs" 
_slightly_ paraphrased obviously. 

Do you guys honestly believe the things you say?

Set your systems up properly with a backup login method if you need it,
but don't run it until you are doing something that might make it
necessary and ENCRYPT it. Laziness on the part of the admin is a major
contributing factor to most security incidents. Using telnet has only
been justified by the fact that you are too lazy to set up a proper
alternate access method.

On my server if I break the firewall rules or in some other way prevent
myself getting remote access (including halting the machine), I have an
alternate login method which I can access over ssh giving me access to
the machine's local terminals, provided by my data centre. That's because
the people employed in the data centre are not lazy admins and know what
they are doing.
-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
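
The first option in the message above (a second sshd on another port, run only while the risky change is in progress), sketched as an added example that is not part of the original post. Port 2222, the /run/sshd-backup directory and the "admin" account are assumptions.

```shell
#!/bin/sh
# Added example: temporary, key-only backup sshd for a maintenance window.
# Port 2222, /run/sshd-backup and the "admin" account are assumptions.
BACKUP_PORT="${BACKUP_PORT:-2222}"
BACKUP_DIR="${BACKUP_DIR:-/run/sshd-backup}"

# Write a standalone config so the backup daemon does not depend on the
# primary sshd_config that is about to be modified.
write_backup_config() {
    dir="$1"; port="$2"; user="$3"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac        # digits only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    [ "$port" -ne 22 ] || return 1                        # must not collide with the primary
    mkdir -p "$dir" || return 1
    cat > "$dir/sshd_config" <<EOF
Port $port
PidFile $dir/sshd.pid
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers $user
EOF
}

# Validate the config, then start the second daemon (needs root).
start_backup() {
    dir="$1"
    sshd_bin="$(command -v sshd)" || { echo "sshd not found" >&2; return 1; }
    "$sshd_bin" -t -f "$dir/sshd_config" || return 1
    "$sshd_bin" -f "$dir/sshd_config"     # sshd must be run by absolute path
}

# Shut the backup daemon down once the primary sshd is confirmed working.
stop_backup() {
    dir="$1"
    [ -f "$dir/sshd.pid" ] || return 0
    kill "$(cat "$dir/sshd.pid")" && rm -f "$dir/sshd.pid" "$dir/sshd_config"
}

case "${1:-}" in
    start) write_backup_config "$BACKUP_DIR" "$BACKUP_PORT" "${2:-admin}" &&
           start_backup "$BACKUP_DIR" ;;
    stop)  stop_backup "$BACKUP_DIR" ;;
esac
```

Run it with `start` before touching the primary sshd, log in on the backup port and keep that session open, then run it with `stop` once the primary is verified.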