[NTLUG:Discuss] Strange iptables problem on CentOS 4.4

Leroy Tennison leroy_tennison at prodigy.net
Wed Feb 21 00:10:47 CST 2007


Daniel wrote:
>> Telnet needs to *die* - it's 100% obsolete.  ssh isn't perfect but it's
>> heck of a lot better than nothing.
>>
>> Telnet was designed for use inside a little private network within
>> one building maybe.  It's a lot older than the Internet and there is
>> a strong case to be made for deleting it along with every copy of its
>> source code that we can find!
>>
>> With telnet, your data (including your password) goes across to the
>> other computer in plaintext.  So anyone with any moderate amount of
>> skill and/or interest can find out what your password is on the remote
>> machine.  Once they know that, they can also telnet in, pretend to be
>> you and do an awful lot of damage.  This damage might include installing
>> their own software onto that machine to use it as a base for launching
>> Spam, DDOS attacks and all manner of other horrors USING YOUR ACCOUNT.
>>     
>
> Okay you're just stating more of the same as everyone else but you're 
> leaving out the details like "how."  Yes, telnet is a plain-text protocol.  
> But who listens and how?  We know what people do when they get in.  So the 
> question remains, how do they listen?  They got a router out there 
> compromised?  What are we talking about here?
>
>
>   
>> Not only is this dangerous for you - but it's also exceedingly
>> antisocial because it gives the bad guys more computers to launch
>> their attacks from.
>>
>> So it's not just about you - it's about being a good netizen.
>>     
>
> Still need to know how.
>
>   
>> ssh encrypts everything.  There may have been a time when this was
>> a significant burden in terms of CPU time - but these days the CPU
>> is so much faster than the network that it really doesn't matter
>> much except (perhaps) in the most demanding situations.
>>
>> So - get used to it.  ssh and tools like scp are the way things
>> should be done...as the barest minimum.
>>     
>
> It's not a concern over anything in terms of difficulty.  After all, I can 
> ssh in and use the root account with much more ease.  But at the beginning, 
> when the 'secure' connection is being negotiated, there's enough evidence 
> both ways that, in theory, anyone who can be listening can also piece 
> together the bits associated with the sessions being monitored.  In fact, 
> one could go so far as to assume they are expecting to do as much since ssh 
> is more commonly used than telnet.  Now if ssh involved the use of a key 
> that was never transmitted during the negotiation part of the connection, I 
> could be down with it being "secure."  But so far, just as in the case of 
> https or even secure digital media, it's just in the name as being secure.
>
>   
>>> But fundamentally, I have to wonder about perceptions.  Is it better to
>>> use something you don't fully understand simply because other people do?
>>> Or is it better to understand what you're doing?  I have always subscribed to
>>> the latter as the former never made much sense to me.  Been like that since
>>> I was a little boy though, so maybe it's just me.
>>>
>> When the consequences only affect you - then it's your call - but when
>> it affects us all, you owe it to the community to use at least a
>> minimally secure tool.
>>
>> ssh/scp are really easy to use and most (if not all) Linux/UNIX systems
>> have it installed.  It shouldn't take you 20 minutes to learn all you
>> need to know about them.  They aren't secure enough for military-grade
>> secrets - but for what you are likely to use it for, they are pretty
>> secure.
>>     
>
> Ultimately, telnet is about as secure as http.  The protocols are rather 
> similar in nature.  The same goes for SMTP and quite a few other protocols 
> used on the net.  Telnet is rarely used as far as I can tell, so it may 
> even be [recklessly] easy to assume that since it's rare by comparison, 
> 'They' aren't even looking.  We don't hear people going on a tirade over 
> non-secure SMTP nor HTTP and yet that's how a majority of traffic flows.
>
> I get that the protocol is largely deprecated by many.  (And yet routers 
> and many devices like switches still use that means.)  All I ask for is 
> why.  How is it exploited in ways that other protocols cannot be 
> exploited?  Why is telnet singled out in this case?
>
> But who listens?

Potentially anyone who knows how. There's a certain percentage of those
who know how (and the more skilled network administrators DO know how)
that will be malicious. Whether it is plain old meanness or bragging
rights or whatever the result isn't pleasant.

> how do they listen?

Unless you are on a switched network where each connection to the switch
is isolated from the others the "network" (cabling, hubs) is basically a
"party line" (hope you're old enough to know what I'm talking about).
Every device connected to the wire receives every message. By default
network cards are set up to only pass three types of messages to the
computer: broadcast (sent to everyone), multicast (sent to a group and
only if the card has been configured to be a part of that group) and
unicast (sent explicitly to that machine). However, one of the functions
of packet analyzers is to put the card in "promiscuous mode" where the
setup is changed to pass everything the card receives to the computer.
All you need to do to listen (the "how") is plug your computer into an
unused, active network port. With switched networks it does become more
difficult but there are supposedly ports on some switches where you can
connect and pick up all traffic (for troubleshooting). So where do you
get this program? In most cases it comes with every Linux distribution!
It's known as Ethereal (old name) or Wireshark (new name).

> But at the beginning, when the 'secure' connection is being negotiated, ...

Here's a high level of how public key cryptography works (be it https or
ftps or sftp or "other"):

   1. What's encrypted with a public key can only be decrypted with the
      corresponding private key and vice versa.
   2. The "server" (whoever that is) sends its public key to the "client".
   3. The client encrypts a "session key" (generally not public/private
      key but rather a symmetric key for performance reasons) created
      partly with some random data using the server's public key and
      sends it to the server.
   4. The server decrypts the "session key" with its private key (the
      design of public key cryptography is such that, if it is even
      possible, it is very resource intensive to derive a private key
      from a public one and vice versa).
   5. Both parties use the "session key" to encrypt/decrypt further
      communications.

Because of the nature of public key cryptography, being able to capture
the beginning of a conversation is useless. The public key can't decrypt
anything encrypted with it, the private key is never transmitted, it is
basically impossible to derive the private key from the public key and
generally the session transmits too little data to provide an adequate
basis for brute force cracking of the session key. The attacker is out
of luck so to speak. There's a lot more which could be said about this
subject, for further reading go get RSA's "FAQ" and read it (WARNING:
This "FAQ" is a 269 page PDF which includes some of the gory details
about the algorithms, etc.).

> We don't hear people going on a tirade over non-secure SMTP nor HTTP

Can't speak to SMTP but you hear a lot about making sure you have
switched to secure HTTP (the padlock, the https, lots of warnings with
the newer browsers) before sending any kind of sensitive information
over the Internet. You will also hear the howls about plain ftp because
it has the same problem. This is why there are Internet standards for
secure ftp (ftps - not to be confused with sftp, this is an additional
story in itself).
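Added illustration (not part of Leroy's post or the list archive) of the two points above: what a sniffer on a shared segment sees of a telnet login versus the five-step public-key exchange, and why capturing the start of the encrypted conversation is useless without the private key. It is stdlib-only Python; the Mersenne-prime RSA modulus, the SHA-256 keystream "cipher", the `Wire` class, the user name `alice` and the password `hunter2` are all constructed toys standing in for ssh's real algorithms and traffic, and none of them is the code of any real tool.

```python
import hashlib
import secrets

# Toy RSA modulus built from two Mersenne primes (constructed for this example).
# Real keys are 2048+ bits and use padding (OAEP); this is textbook RSA for illustration.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537
N_BYTES = 19  # P*Q < 2**150, so 19 bytes hold any value mod N


def rsa_keypair():
    """Return (n, e, d). (n, e) is the public key the server sends; d stays on the server."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return n, E, d


def stream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream in counter mode.
    Stands in for the real ciphers ssh negotiates; same key and label give the same keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Wire:
    """The shared medium: every frame is visible to every station, as on a hub segment."""

    def __init__(self):
        self.frames = []  # what a card in promiscuous mode would hand to a sniffer

    def send(self, data: bytes):
        self.frames.append(data)


def telnet_login(wire: Wire, password: bytes) -> None:
    """Telnet: the password crosses the wire exactly as typed."""
    wire.send(b"USER alice\r\n")
    wire.send(b"PASS " + password + b"\r\n")


def ssh_like_login(wire: Wire, password: bytes, server_key) -> bytes:
    """The five-step exchange from the post. Returns the session key for checking only."""
    n, e, d = server_key
    # 2. the server sends its public key in the clear
    wire.send(n.to_bytes(N_BYTES, "big") + e.to_bytes(4, "big"))
    # 3. the client makes a random symmetric session key and wraps it with the public key
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    wire.send(wrapped.to_bytes(N_BYTES, "big"))
    # 4. the server unwraps with its private key, which never touched the wire
    server_copy = pow(wrapped, d, n).to_bytes(16, "big")
    assert server_copy == session_key
    # 5. everything after this point is encrypted under the session key
    wire.send(stream_xor(session_key, b"client->server", b"PASS " + password + b"\r\n"))
    return session_key


def sniffer_sees(wire: Wire, secret: bytes) -> bool:
    """Does a passive listener find the secret anywhere in the captured frames?"""
    return any(secret in frame for frame in wire.frames)


def unwrap_with_public_key(wire: Wire, n: int, e: int) -> int:
    """All a sniffer can do with the public key: apply it to the captured wrapped key.
    Encrypting again does not decrypt; the result is unrelated to the session key."""
    wrapped = int.from_bytes(wire.frames[1], "big")
    return pow(wrapped, e, n)


def decrypt_capture(wire: Wire, n: int, d: int) -> bytes:
    """Recover the client's PASS line from the capture. This needs d, the private key,
    which is exactly what the eavesdropper does not have."""
    wrapped = int.from_bytes(wire.frames[1], "big")
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return stream_xor(session_key, b"client->server", wire.frames[2])


if __name__ == "__main__":
    plain = Wire()
    telnet_login(plain, b"hunter2")
    print("telnet capture leaks password:", sniffer_sees(plain, b"hunter2"))

    keys = rsa_keypair()
    enc = Wire()
    ssh_like_login(enc, b"hunter2", keys)
    print("ssh-like capture leaks password:", sniffer_sees(enc, b"hunter2"))
    print("with the private key the capture decrypts to:", decrypt_capture(enc, keys[0], keys[2]))
```

One caveat the toy makes visible: step 2 trusts whatever public key arrives, which defeats a listener but not someone who can alter traffic in flight and substitute a key of their own. That is why ssh shows a host-key fingerprint on first connection and records it in known_hosts, and why https ties the key to a certificate: the key exchange protects against listening, and checking whose key it is protects against impersonation.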


