Re: [MiNT] Security



Dang, I sent it to Brian instead of the mintlist. (As someone mentioned
earlier, mint@fishpool.com should be in the reply-to field, even the Yahoo
groups do this) :)

Sorry for the double posting, Brian.

> from anywhere on the internet, and to have root only open to very specific
> trusted sites over telnet

I don't think there's a way to configure which remote IP can become root,
but you can configure your Falcon to accept telnet/ssh connections only
from certain IP addresses in the first place. And the NAT firewall can
probably do that too.

> just erasing everything that's not locked down (they are naturally going to take
> cracks at username root if running any kind of password snoop).

Probably.. which is why it's not possible to login as root directly. :)
Besides, cracking passwords usually happens after someone manages to get
his hands on your password file. Which requires user access in the first
place, unless you have NYS open to the outside world. Password cracking
requires trying thousands of combinations to see which password leads to
the right encrypted string. If you use good passwords (no dictionary words
etc), this will take at least hours (usually days or weeks) even when the
password cracker has your encrypted passwords in a file. Trying out all
the combinations by telnetting to your machine, which means having to wait
for about 2 seconds after each attempt and being thrown out after every
4th failed attempt, would take months or years. By then you'll see in your
/var/log/secure that there are a lot more failed login attempts than the
ones you were responsible for yourself.

I get a lot of scans on my online Linux box, usually just checking whether
certain ports are open, but apart from a lot of idle anonymous ftp
logins, nothing is being done with them. As for Windows, there are a LOT
of security leaks known for just about every Windows version and service
pack in use, and people are constantly scanning for any machine that might
have those vulnerabilities (my Linux box gets Nimda worm attacks about
once an hour, but it's harmless on non-windoze systems). :) If MiNT even
has such an exploitable bug, nobody knows about it. When queried by Queso
(to check which OS is running), Queso will report an unknown operating
system, which isn't very appealing to hackers either.

In my situation, where I use a Linux box as firewall (and ADSL router), I
don't have to open up a port to any of my Ataris at all; when I want to
log in on one of them, I login to the Linux box first and then telnet to
any local host from there. This leaves the local hosts protected from any
scans and stuff. Your ADSL switch might have the possibility for that too;
at least I've seen ISDN routers with telnet functionality, where you could
telnet to other hosts from within their configuration menu.

Maurits.

-- 
 ,______________________________________________________________,
 |                 BassMent Productions - Freedom of creativity!|
 |______________________________________________________________|
 | Music productions - Projects - Internet presence - Webdesign |___
 |                     http://www.bassment.nu/                  |  |
 \______________________________________________________________/  |
                             |      http://www.muzikanten.nu/      |
                             | Het muzikantennetwerk van Nederland |
                             |_____________________________________|
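One way to check a /var/log/secure-style log for the pattern Maurits describes: more failed logins than you caused yourself, and remote addresses that keep coming back after the connection is dropped on the 4th failure. This is an added example, not code from the post or from MiNT; the login(1)-style line format, the host name and the addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of a /var/log/secure-style file; the line format is an
# assumption modelled on login(1) messages, not output taken from the post.
SAMPLE_SECURE_LOG = """\
Oct 12 03:14:01 falcon login[412]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 12 03:14:04 falcon login[412]: FAILED LOGIN 2 FROM 198.51.100.7 FOR root, Authentication failure
Oct 12 03:14:07 falcon login[412]: FAILED LOGIN 3 FROM 198.51.100.7 FOR root, Authentication failure
Oct 12 03:14:10 falcon login[412]: FAILED LOGIN 4 FROM 198.51.100.7 FOR root, Authentication failure
Oct 12 03:14:15 falcon login[419]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Oct 12 03:14:18 falcon login[419]: FAILED LOGIN 2 FROM 198.51.100.7 FOR root, Authentication failure
Oct 12 03:20:42 falcon login[433]: FAILED LOGIN 1 FROM 192.0.2.10 FOR maurits, Authentication failure
Oct 12 03:20:55 falcon login[433]: LOGIN ON ttyp0 BY maurits FROM 192.0.2.10
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+),"
)

def parse_ts(ts):
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine for spans.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")

def failed_logins_by_source(log_text):
    """Per remote address: number of FAILED LOGIN lines, accounts tried, first/last time."""
    summary = defaultdict(lambda: {"failures": 0, "accounts": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other notices are not counted here
        e, when = summary[m["src"]], parse_ts(m["ts"])
        e["failures"] += 1
        e["accounts"].add(m["user"])
        e["first"] = when if e["first"] is None else min(e["first"], when)
        e["last"] = when if e["last"] is None else max(e["last"], when)
    return dict(summary)

def returning_sources(log_text, lockout_failures=4):
    """More failures than one session allows (dropped after the 4th, per the post) means the source reconnected."""
    return sorted(src for src, e in failed_logins_by_source(log_text).items()
                  if e["failures"] > lockout_failures)

if __name__ == "__main__":
    for src, e in failed_logins_by_source(SAMPLE_SECURE_LOG).items():
        span = (e["last"] - e["first"]).total_seconds()
        print(f"{src}: {e['failures']} failures for {sorted(e['accounts'])} over {span:.0f}s")
    print("sources that came back after lockout:", returning_sources(SAMPLE_SECURE_LOG))
```

Run against a real file with `failed_logins_by_source(open("/var/log/secure").read())`; the single failure from 192.0.2.10 followed by a successful login is the kind of entry you caused yourself, while six failures in 17 seconds from one address is not.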