[Hudlug] Fwd: Re: [newbie] MLdonkey
Chris Wood
hudlug at mailman.lug.org.uk
Fri Nov 1 11:59:01 2002
On Thursday 31 October 2002 20:13 pm, you wrote:
>
> What's wrong with telnet ? The only reason it isn't liked is because of
> clear text password and nasty snoopers.
>
You've answered your own question, by and large.
Use (open)ssh instead. It's just as widely available, and the openssh
version is GPL.
Comms are encrypted, which is a good start, but more importantly, you need a
known public/private key pair to access the machine. Thus you won't even be
asked for your passphrase if the machine doesn't already have your public
key to hand. This makes things infinitely more secure than an old telnet
session that allows anyone to try and brute force guess the password...
Simply having telnet running on a machine which faces the internet is enough
to encourage script kiddies to brute force access to the machine.
In an effort to heighten security, I ran cracker (as senior sys admin and
with managerial approval) on the 90+ staff at my last company's unix
passwords. We cracked a dozen in less than 24 hours, and half a dozen of
those within 2 hours or so. Now, of course this was working on a known
password file, but it just goes to show.
The moral? People are lazy when they choose passwords. Telnet allows hackers
to try and log in as many times as they want from any machine on the
internet. Given enough time with an automated script, they may well find a
username and password that matches.
Don't give them the opportunity! Don't run telnet!
And don't get me started with ftp....
I hope you're not a sysadmin! You should certainly NEVER advocate the use of
telnet in an interview for a sysadmin role - you'd never get the job!
> It seems like a very good way to leave a program running in the
> background connect to it from time to time.
>
Ick! I hope you don't leave your PCs unlocked at work when you're away from
them...
Leaving long term connections open to remote machines for whatever reason is
another move that's less than smart. Of course you may have no other option
in some cases, so please tell me that you at least lock your machines when
you go for a coffee/fag/leave for the evening...
If the remote machine has bash2, you could always disown the process too.
C.
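
The key-pair behaviour described in the message depends on the server's configuration: a stock OpenSSH server still offers a password prompt to clients that have no key. The following is an added example, not part of the original message, that checks sshd_config text for whether password guessing is actually shut off. The sample configs are constructed, and the defaults table assumes a stock OpenSSH build.

```python
# Added example: decide whether an sshd_config really enforces key-only login.
# Assumptions: stock OpenSSH defaults; Include files and Match blocks are not
# followed, so only the global scope is judged.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated name for the same keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Return the global values sshd would use (first occurrence of a keyword wins)."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional section starts; stop at end of global scope
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
            seen.add(key)
    return settings


def password_guessing_possible(config_text):
    """True if a remote client without a key can still submit password guesses."""
    s = effective_settings(config_text)
    return "yes" in (s["passwordauthentication"], s["kbdinteractiveauthentication"])


# Constructed sample configurations.
STOCK = "Port 22\n#PasswordAuthentication yes\n"
KEY_ONLY = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\n")
SHADOWED = ("PasswordAuthentication yes\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\n")  # the later "no" is ignored
HALF_DONE = "PasswordAuthentication no\n"  # keyboard-interactive still on

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK), ("key-only", KEY_ONLY),
                      ("shadowed", SHADOWED), ("half-done", HALF_DONE)]:
        print(name, "-> password guessing possible:", password_guessing_possible(cfg))
```
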