
Re: security tips requested



On Wed, Sep 12, 2001 at 07:54:38AM -0700, Robert Threet wrote:
> I read a doc on armoring Solaris that said "there are 35
> services in inetd.conf... you can turn them all off but
> telnet and ftp".  Is this true?  Actually, I've already
> turned off telnet and ftp.  So, I can turn off all of the
> rest?!  Is this common?  What might I miss?

In general, if you don't know that you need a service, turn it off.
AFAIK, it's pretty common to disable most of the services in inetd
as one of the first steps after installation.  No one uses chargen
or echo except for DOS attacks, anyway. :)

> Also, How insecure are POP and IMAP?

POP - very insecure.  Fire up a packet sniffer on any host that the
pop traffic goes through, and check out the traffic on port 110.  I
recommend ethereal for this, it's free and will reassemble the packets
for you.  Look at the data that's sent back and forth - the passwords
and usernames are sent completely in the clear.  Notice that any
random person can do the exact same thing you're doing.  APOP is just
a shade better, as it kinda hides the password, but it's still trivial
to break - and it's not a real popular protocol for popd's or MUAs.

IMAP is a better protocol for mail handling, but is just as "here, take
my password, it's in the clear" as POP is.  IMAP can be tunneled through
ssl (IMAPS), which is significantly better.  It seems that more mail
clients support secure imap, so it might be easier to roll out - though
some MUAs only support POP 'cause it's quite a bit easier to deal with
a few commands than all of the IMAP communication protocol stuff.

Personally, I'm partial to forcing all users over to secure imap, as I
just really like IMAP better.  That requires you to find a good imap
client, though, which is a little tougher due to the complexity of IMAP
(and the incompetency of MS, in the case of their MUAs).  Most IMAP MUAs
deal with users' folders and mail fine, but have issues when they get
around to creating subfolders and shared folders.  If you're not wanting
to use IMAP to its fullest extent, then the MUA difficulties become less
relevant.  Or, you could just go one more step and use a web-based mail
system (like IMP) with an IMAP backend.  Put the web mail system on a
secured web server, keep all the user info in a fast db-type backend, set
the imapd (or popd) to only listen on localhost.  That helps you stop
worrying about your mail system's security *and* gets you a single interface
to support. :)

As always, someone surely knows more about these things than I do, and I
fully expect them to correct me where I'm mistaken.

HTH,
Danny
-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
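
The inetd advice in the message above, as an added example that is not part of the original post: a POSIX shell sketch that lists the entries still enabled in an inetd.conf-format file and writes a copy with everything outside a keep-list commented out. The function names, the keep-list argument and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-format file (helper names are hypothetical).

# Print "service/protocol" for every enabled (uncommented) entry.
# Reads the named file, or standard input when no file is given.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 "/" $3 }' "$@"
}

# Write a copy of file $1 to stdout with every enabled entry commented out
# unless its service name appears in the space-separated keep-list $2.
disable_except() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }   # comments and blank lines pass through
        ($1 in ok)           { print; next }   # service explicitly kept
                             { print "#" $0 }  # everything else is disabled
    ' "$1"
}

# Constructed sample input, not taken from a real system.
sample_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
echo    stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
pop3    stream  tcp     nowait  root    /usr/sbin/ipop3d        ipop3d
EOF
}

# Demonstration on the constructed sample.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
echo "Enabled now:"
enabled_services "$demo_conf"
echo "Enabled after disabling everything:"
disable_except "$demo_conf" "" | enabled_services
rm -f "$demo_conf"
```

Review the output of `disable_except` before replacing the live file; inetd rereads its configuration only when it receives SIGHUP.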