Re: Sun Solaris login bug patches out

From: Jan-Philip Velders (jpv@jpv.xs4all.nl)
Date: 01/03/02


Date: Thu, 3 Jan 2002 15:53:29 +0100 (CET)
From: Jan-Philip Velders <jpv@jpv.xs4all.nl>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>


> Date: Wed, 02 Jan 2002 14:36:27 -0800
> From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
> Subject: Re: Sun Solaris login bug patches out

> [ ... ]
> > And breaking that expectancy is very hard.

> I recall taking an IBM course about managing customer
> expectations. It is difficult but it can be done.

Hm... I'll contact some people I know there !

> [ ... ]
> > You have to balance it out. Which risks are deemed acceptable for
> > which systems ?
>
> Obviously. For example, we manage a system that is not connected to
> the network and has one authorized user. We don't patch it, ever. The
> risk of remote exploit of this system is 0. The risk of local exploit
> is ~ 0. For systems connected to the network, the very least thing we
> can do is apply patches at regular intervals (in addition to other good
> practices such as good passwords, etc.).

:) I agree. Usually established 'site-policy' determines how
'vigilant' one has to (or can) be when installing patches and securing
/ hardening systems...

I myself lock everything down, and then start opening stuff up...

> > I know who stripped the system, and trust in his capabilities.

> You're more adventurous than I am. I wish you the best of luck.

:) for a system running on a 100MB root partition, there aren't that
many services available ;)

> [ ... ]
> Replace the "r" services with ssh.

that's my usual perspective, but on the other hand, a lot of our users
work on systems where SSH isn't available. Those aren't 'little'
systems, mostly it's machines at the Dutch national SuperComputer
facility (http://www.sara.nl/)...

We're working on abolishing the r-services internally, but there are a
lot of people complaining about their disappearance...

> [ ... ]
> > 23/tcp open telnet
> Why would you need telnet if you already use ssh?

for people dialling in to a Cisco 2501, which only allows them to
telnet to the same system which allows telnet from over the Internet,
or to telnet to the SGI and start SLIP...

> > 111/tcp open sunrpc
> Why is this in use? The list you posted did not include any RPC
> services or did you post a complete list? Is it possible that you have
> an NFS server running on this system?

nope no NFS...
RPC is up because sometimes we need to use a specific SGI IRIX program
which works via RPC...

> > 513/tcp open login
> > 514/tcp open shell

> Both of these can be replaced by ssh. Both can be exploited through
> DNS cache poisoning and IP address spoofing. IP addresses of trusted
> hosts can be spoofed by other hosts on the same physical network as the
> host you trust and can be used to spoof TCP connections. Also, rlogind
> and rshd have poor MITM attack detection.

rlogin and rsh are necessary for getting data from the Cisco to this
SGI...

> SSH V1 is better and SSH V2 is the best to protect against this.

I don't think V2 is that much better than V1.
V1 (using the latest OpenSSH) is as good as V2 for ordinary stuff.

> > Remote operating system guess: IRIX 6.2 - 6.5
> > Uptime 149.444 days (since Sat Aug 4 15:50:29 2001)

> You've posted some useful information about your SGI so far. What is
> its IP address? (I promise not to touch it). :)

its IP was: 192.16.191.4
But as of 01/01/2002 it's been shut down because our dial-in service
has been discontinued... ;)

> Regards,
> Cy Schubert

Regards,
JP Velders
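
Added example, not part of the original message: a small audit of the two things the thread argues about, which cleartext services (telnet, login, shell) are still enabled in inetd.conf, and whether the rlogin/rsh trust entries depend on DNS names or source addresses, the properties the quoted reply says can be spoofed. The sample file contents, host names and paths are constructed for illustration, and "#" is assumed to start a comment in both files.

```python
# Added example: audit inetd.conf and hosts.equiv/.rhosts text for the
# r-service exposure discussed in the thread. All sample data is constructed.
import ipaddress

LEGACY = {"telnet", "login", "shell", "exec"}  # cleartext, replaceable by ssh

def enabled_legacy_services(inetd_conf):
    """Return legacy service names that are active (uncommented) in inetd.conf."""
    found = []
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments / disabled lines
        # inetd.conf layout: service socktype proto wait user server args...
        if len(fields) >= 6 and fields[0] in LEGACY and fields[2].startswith("tcp"):
            found.append(fields[0])
    return found

def classify_trust_entry(entry):
    """Classify one hosts.equiv/.rhosts line by what the trust relies on."""
    fields = entry.split("#", 1)[0].split()
    if not fields:
        return "empty"
    host = fields[0]
    if host.startswith("-"):
        return "deny"                # explicit negative entry
    if host == "+" or (len(fields) > 1 and fields[1] == "+"):
        return "wildcard"            # trusts any host or any user
    if host.startswith("+@"):
        return "netgroup"
    try:
        ipaddress.ip_address(host)
        return "ip-trust"            # relies on the source address only
    except ValueError:
        return "name-trust"          # relies on DNS plus the source address

def audit(inetd_conf, trust_file):
    """Combine both checks into one report for a host."""
    entries = [l.strip() for l in trust_file.splitlines() if l.strip()]
    return {"services": enabled_legacy_services(inetd_conf),
            "trust": {e: classify_trust_entry(e) for e in entries}}

# Constructed sample input (not taken from the hosts in the thread).
SAMPLE_INETD = """\
telnet  stream  tcp  nowait  root  /usr/etc/telnetd  telnetd
#ftp    stream  tcp  nowait  root  /usr/etc/ftpd     ftpd
login   stream  tcp  nowait  root  /usr/etc/rlogind  rlogind
shell   stream  tcp  nowait  root  /usr/etc/rshd     rshd
"""
SAMPLE_RHOSTS = "router.example.net netops\n192.0.2.10 netops\n+ +\n"
```

Calling audit(SAMPLE_INETD, SAMPLE_RHOSTS) lists the three enabled services and marks the "+ +" line as a wildcard; "name-trust" entries are the ones exposed to DNS cache poisoning, and every non-deny entry still rests on an unauthenticated source address.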


