Re: Sun Solaris login bug patches out

From: Jan-Philip Velders (jpv@jpv.xs4all.nl)
Date: 01/03/02


Date: Thu, 3 Jan 2002 15:53:29 +0100 (CET)
From: Jan-Philip Velders <jpv@jpv.xs4all.nl>
To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>


> Date: Wed, 02 Jan 2002 14:36:27 -0800
> From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
> Subject: Re: Sun Solaris login bug patches out

> [ ... ]
> > And breaking that expectancy is very hard.

> I recall taking an IBM course about managing customer
> expectations. It is difficult but it can be done.

Hm... I'll contact some people I know there !

> [ ... ]
> > You have to balance it out. Which risks are deemed acceptable for
> > which systems ?
>
> Obviously. For example, we manage a system that is not connected to
> the network and has one authorized user. We don't patch it, ever. The
> risk of remote exploit of this system is 0. The risk of local exploit
> is ~ 0. For systems connected to the network, the very least thing we
> can do is apply patches at regular intervals (in addition to other good
> practices such as good passwords, etc.).

:) I agree. Usually established 'site-policy' determines how
'vigilant' one has to (or can) be when installing patches and securing
/ hardening systems...

I myself lock everything down, and then start opening stuff up...

> > I know who stripped the system, and trust in his capabilities.

> You're more adventurous than I am. I wish you the best of luck.

:) for a system running on a 100MB root partition, there aren't that
many services available ;)

> [ ... ]
> Replace the "r" services with ssh.

that's my usual perspective, but on the other hand, a lot of our users
work on systems where SSH isn't available. Those aren't 'little'
systems, mostly it's machines at the Dutch national SuperComputer
facility (http://www.sara.nl/)...

We're working on abolishing the r-services internally, but there are a
lot of people complaining about their disappearance...

> [ ... ]
> > 23/tcp open telnet
> Why would you need telnet if you already use ssh?

for people dialling in to a Cisco 2501, which only allows them to
telnet to the same system which allows telnet from over the Internet,
or to telnet to the SGI and start SLIP...

> > 111/tcp open sunrpc
> Why is this in use? The list you posted did not include any RPC
> services or did you post a complete list? Is it possible that you have
> an NFS server running on this system?

nope no NFS...
RPC is up because sometimes we need to use a specific SGI IRIX program
which works via RPC...

> > 513/tcp open login
> > 514/tcp open shell

> Both of these can be replaced by ssh. Both can be exploited through
> DNS cache poisoning and IP address spoofing. IP addresses of trusted
> hosts can be spoofed by other hosts on the same physical network as the
> host you trust and can be used to spoof TCP connections. Also, rlogind
> and rshd have poor MITM attack detection.

rlogin and rsh are necessary for getting data from the Cisco to this
SGI...

> SSH V1 is better and SSH V2 is the best to protect against this.

I don't think V2 is that much better than V1.
V1 (using the latest OpenSSH) is as good as V2 for ordinary stuff.

> > Remote operating system guess: IRIX 6.2 - 6.5
> > Uptime 149.444 days (since Sat Aug 4 15:50:29 2001)

> You've posted some useful information about your SGI so far. What is
> its IP address? (I promise not to touch it). :)

its IP was: 192.16.191.4
But as of 01/01/2002 it's been shut down because our dial-in service
has been discontinued... ;)

> Regards,
> Cy Schubert

Regards,
JP Velders
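
The 513/tcp and 514/tcp services discussed above authenticate a client by the host name or address listed in hosts.equiv or .rhosts, which is why DNS cache poisoning and address spoofing matter for them. The following audit of such a trust file is an added example, not part of the original message; the sample entries and host names are constructed, and treating lines that start with # as comments is an assumption.

```python
import ipaddress

REASONS = {  # why each kind of trust entry is risky
    "wildcard": "any host or any user is trusted without a password",
    "netgroup": "trust is delegated to a netgroup lookup",
    "address": "source IP addresses of trusted hosts can be spoofed",
    "name": "host name trust depends on DNS answers (cache poisoning)",
}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_trust_file(text):
    """Return (line_no, kind, reason) for every entry that grants trust."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        host, user = (line.split() + [""])[:2]
        if host.startswith("-") or user.startswith("-"):
            continue  # negative entry: denies access rather than granting it
        if host == "+" or user == "+":
            kind = "wildcard"
        elif host.startswith("+@") or user.startswith("+@"):
            kind = "netgroup"
        elif _is_ip(host):
            kind = "address"
        else:
            kind = "name"
        findings.append((line_no, kind, REASONS[kind]))
    return findings

# Constructed sample in hosts.equiv / .rhosts syntax (not from the thread).
SAMPLE = """\
# trusted peers
cisco-gw.example.net
192.0.2.10 backup
+ +
-oldhost.example.net
+@admins
"""

if __name__ == "__main__":
    print(*audit_trust_file(SAMPLE), sep="\n")
```

Every entry it reports is a reason the r-services remain reachable without a password; an empty result means the file grants no trust.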


