[linux-elitists] telnet weenie frenzy!
Mon Feb 26 12:58:21 PST 2001
DM> [...] This is all regarding an item that appeared in Linux Journal
DM> (appended). Any of you all security experts have an opinion?
I am NOT a security expert, but I do have an opinion.
DM> [..] Teaching people how to set up telnet or ftp servers is
DM> irresponsible, so we won't do it.
I don't agree. You could instead teach them why it might be preferable not
to provide telnet or ftp on the interface facing the internet and/or
point out references for further reading.
DM> Shred your dusty old
DM> no-sense-of-security Internet books that explain these two
DM> insecure protocols (don't give them to a library; a kid might
DM> see them) and install ssh.
SSH is vulnerable to man-in-the-middle attacks in the default config
installed by most of the distributions I know. If you take careless
system administration as a given, it is also vulnerable to dictionary
attacks much like telnet (extrapolate to ftp for regular users).
Anonymous read-only ftp is just as secure IMHO as http, if we can
assume solid server software.
DM> Most distributions have
DM> easy-to-install ssh packages now.
Usually delivered by insecure methods. It seems to me that if we will
be scared of adversaries who can sniff tcp connections, we should also
be scared of adversaries who will muck with DNS and cause
ftp.redhat.com or http.debian.org and such to resolve to whatever
server they want.
I DO agree that ssh is a better option. But you solicited devil's