Re: [expert] Cannot telnet or FTP in as root

2001-09-12 Thread Hal Wigoda


Version 2 is current.

> What Mr. Vetters explains on his mail is very true.
> 
> You should always try to use ssh and sftp (and in general any s-flavor comm
> program).
> 
> This comment applies if you are working on the Internet, but if you are on
> a private network, behind a firewall, you could use the unsecure flavors.
> In any case you should not enable root access to telnet or ftp. su-ing like
> Mr. Bart Vetters has stated is insecure if you suspect that you have
> someone in your network that wants your root password really bad, as it is
> very easy to write a sniffing or spoofing program (even though sequence
> cracking on Linux is more difficult than NT it is still vulnerable).
> Spoofing is very hard to eliminate so you should try to shut off any rpc
> (or alike) services.
> Nevertheless, as stated before if you are on your own little private
> network don't bother with all of this stuff, but you should be very
> careful if you are exposed to the Internet or there are malintentioned
> users on your LAN.
> 
> There is an excellent book (there are many!) on Linux Security called
> MAXIMUM Linux Security from SAMS - ISBN 0-672-32134-3
> Everyone should have a copy. It's very easy to read and precise. A must
> have for exposed machines.
> 
> Saludos,
> Alejandro Imass
> 
> And no, I don't work for SAMS press  ;-]
> 
> Bart Vetters <[EMAIL PROTECTED]> on 12/09/2001 04:51:47 PM
> 
> Please respond to Bart Vetters <[EMAIL PROTECTED]>
> 
> To:   [EMAIL PROTECTED]
> cc:(bcc: Alejandro Imass/MPR de Venezuela S.A.)
> Subject:  Re: [expert] Cannot telnet or FTP in as root
> 
> 
> 
> 
> Hi,
> 
> logging in as root over telnet or ftp is disabled by default. This is done
> for security reasons, as both these protocols transmit data (including
> passwords) in clear text over the network and it is trivial to collect
> passwords from a telnet or ftp stream. Please note that logging in as a
> user and then su'ing to root, as several people suggested, does not help in
> any way - you're still typing root's password over an unencrypted
> connection.
> 
> The way root is kept from logging in via an insecure terminal (or
> pseudo-terminal, as in telnet or ftp) is that /bin/login checks for the
> presence of a file /etc/securetty that lists the terminals root is allowed
> to log in on. If /etc/securetty is not present, root can log in via every
> terminal. If it is present and empty, root can not log in anywhere except
> the console. If any terminals are listed in the file, root can log in via
> those and the console. The manpage on login has more information.
> 
> So, if you want to live dangerously, remove /etc/securetty and root can log
> in from anywhere. In the real world, use ssh. :)
> 
> CU
> 
> Bart
> 
> --
> --
> Bart Vetters   | [EMAIL PROTECTED]
> KMI - IRM  | Tel.: +32.2.373.04.77
> Ringlaan 3 | Fax.: +32.2.373.06.57
> 1180 Brussel   | Pubkey ID: C182DF19
> --
> 
> 
> 
> 
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com

Re: [expert] Cannot telnet or FTP in as root

2001-09-12 Thread aimass


What Mr. Vetters explains on his mail is very true.

You should always try to use ssh and sftp (and in general any s-flavor comm
program).

This comment applies if you are working on the Internet, but if you are on
a private network, behind a firewall, you could use the unsecure flavors.
In any case you should not enable root access to telnet or ftp. su-ing like
Mr. Bart Vetters has stated is insecure if you suspect that you have
someone in your network that wants your root password really bad, as it is
very easy to write a sniffing or spoofing program (even though sequence
cracking on Linux is more difficult than NT it is still vulnerable).
Spoofing is very hard to eliminate so you should try to shut off any rpc
(or alike) services.
Nevertheless, as stated before if you are on your own little private
network don't bother with all of this stuff, but you should be very
careful if you are exposed to the Internet or there are malintentioned
users on your LAN.

There is an excellent book (there are many!) on Linux Security called
MAXIMUM Linux Security from SAMS - ISBN 0-672-32134-3
Everyone should have a copy. It's very easy to read and precise. A must
have for exposed machines.

Saludos,
Alejandro Imass

And no, I don't work for SAMS press  ;-]







Bart Vetters <[EMAIL PROTECTED]> on 12/09/2001 04:51:47 PM

Please respond to Bart Vetters <[EMAIL PROTECTED]>

To:   [EMAIL PROTECTED]
cc:(bcc: Alejandro Imass/MPR de Venezuela S.A.)
Subject:  Re: [expert] Cannot telnet or FTP in as root




Hi,

logging in as root over telnet or ftp is disabled by default. This is done
for security reasons, as both these protocols transmit data (including
passwords) in clear text over the network and it is trivial to collect
passwords from a telnet or ftp stream. Please note that logging in as a
user and then su'ing to root, as several people suggested, does not help in
any way - you're still typing root's password over an unencrypted
connection.

The way root is kept from logging in via an insecure terminal (or
pseudo-terminal, as in telnet or ftp) is that /bin/login checks for the
presence of a file /etc/securetty that lists the terminals root is allowed
to log in on. If /etc/securetty is not present, root can log in via every
terminal. If it is present and empty, root can not log in anywhere except
the console. If any terminals are listed in the file, root can log in via
those and the console. The manpage on login has more information.

So, if you want to live dangerously, remove /etc/securetty and root can log
in from anywhere. In the real world, use ssh. :)

CU

Bart

--
--
Bart Vetters   | [EMAIL PROTECTED]
KMI - IRM  | Tel.: +32.2.373.04.77
Ringlaan 3 | Fax.: +32.2.373.06.57
1180 Brussel   | Pubkey ID: C182DF19
--






Re: [expert] Cannot telnet or FTP in as root

2001-09-12 Thread Bart Vetters

Hi,

logging in as root over telnet or ftp is disabled by default. This is done for 
security reasons, as both these protocols transmit data (including passwords) in clear 
text over the network and it is trivial to collect passwords from a telnet or ftp 
stream. Please note that logging in as a user and then su'ing to root, as several 
people suggested, does not help in any way - you're still typing root's password over 
an unencrypted connection.

The way root is kept from logging in via an insecure terminal (or pseudo-terminal, as 
in telnet or ftp) is that /bin/login checks for the presence of a file /etc/securetty 
that lists the terminals root is allowed to log in on. If /etc/securetty is not 
present, root can log in via every terminal. If it is present and empty, root can not 
log in anywhere except the console. If any terminals are listed in the file, root can 
log in via those and the console. The manpage on login has more information.

So, if you want to live dangerously, remove /etc/securetty and root can log in from 
anywhere. In the real world, use ssh. :)

CU

Bart

-- 
--
Bart Vetters   | [EMAIL PROTECTED]
KMI - IRM  | Tel.: +32.2.373.04.77 
Ringlaan 3 | Fax.: +32.2.373.06.57
1180 Brussel   | Pubkey ID: C182DF19 
--
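
Added example, not part of the message above or of any project's code: a shell function that sorts a securetty-style file into the three cases the message describes and flags pseudo-terminal entries, the kind of terminal a telnet session gets. The status names, the `pts/*` and `ttyp*` name patterns, and the skipping of blank and `#` lines are assumptions of this example; the sample files are constructed.

```shell
#!/bin/sh
# Classify a securetty-style file (hypothetical helper, example only).
# Prints one of:
#   MISSING       file absent: per the message, root may log in on every terminal
#   EMPTY         file present with no entries: root is limited as the message describes
#   LOCAL_ONLY:n  n terminals listed, none of them a pseudo-terminal
#   PTY_LISTED:n  n pseudo-terminal entries listed (root login over telnet possible)
securetty_status() {
    file=$1
    if [ ! -e "$file" ]; then
        echo "MISSING"
        return 0
    fi
    entries=0
    risky=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop spaces, tabs and CRs so padded lines still compare cleanly.
        tty=$(printf '%s' "$line" | tr -d ' \t\r')
        case $tty in
            ''|'#'*) continue ;;        # assumption: blank and comment lines are not entries
        esac
        entries=$((entries + 1))
        case $tty in
            pts/*|ttyp*) risky=$((risky + 1)) ;;   # assumed pseudo-terminal names
        esac
    done < "$file"
    if [ "$entries" -eq 0 ]; then
        echo "EMPTY"
    elif [ "$risky" -gt 0 ]; then
        echo "PTY_LISTED:$risky"
    else
        echo "LOCAL_ONLY:$entries"
    fi
}

# Constructed sample files, written to a scratch directory and removed afterwards.
demo_dir=$(mktemp -d)
printf 'tty1\ntty2\n'         > "$demo_dir/local"
printf 'tty1\npts/0\nttyp0\n' > "$demo_dir/pty"
: > "$demo_dir/empty"
for name in local pty empty absent; do
    printf '%-7s %s\n' "$name" "$(securetty_status "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

On a real host the function would be pointed at /etc/securetty; a MISSING or PTY_LISTED result is the condition worth alerting on.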






RE: [expert] Cannot telnet or FTP in as root

2001-09-12 Thread David Guntner

Gregor Maier grabbed a keyboard and wrote (in answer to George Petri):
>
> That's for security. The root user should NEVER be allowed to login directly
> over the network (the only acceptable case is when using ssh).
> I'm not familiar with the ftp config files but I'm not sure if it is possible
> to configure the ftp server in a way to allow root logins.
> 
> Also note that telnet and ftp transmit the password unencrypted. Everyone who is
> "listening" on your network connection can get your root password.
> 
> If you just connect from your local private network where ALL users are trusted
> then you could use telnet (for normal users). In all other cases you should use
> ssh.

And George, most ssh clients that I know of support transferring files once 
you're logged in, so you should never need to FTP as root.  Do a ssh login 
and then use your client's xfer function to transfer files.

Allowing telnet or FTP access to the root user directly is just *asking* 
for someone to hack your machine.

 --Dave

-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key






Re: [expert] Cannot telnet or FTP in as root

2001-09-12 Thread Mihai NECSA

George Petri wrote:

> Hello!  Here's yet another problem that has completely stumped me:
> 
> 1. If I try to telnet into my own machine with the root password:
> 
> [root@cups166 /root]# telnet cups166
> Trying 192.168.1.2...
> Connected to cups166.reisersun.
> Escape character is '^]'.
> Welcome to cups166.reisersun
> Linux Mandrake release 8.0 (Traktopel) for i586
> Kernel 2.4.3-20mdk on an i586
> login: root
> Password:
> Login incorrect
> 
> 2. If I try to ftp into my own machine with the root password:
> 
> [root@cups166 /root]# ftp cups166
> Connected to cups166.reisersun.
> 220 ProFTPD 1.2.2rc1 Server (ProFTPD Default Installation) [cups166.reisersun]
> Name (cups166:root):
> 331 Password required for root.
> Password:
> 530 Login incorrect.
> Login failed.
> ftp>
> 
> I deleted the line "root" from /etc/ftpusers and restarted xinetd but it
> still won't allow root to login.  WuFTPd in Mandrake 7.2 allowed root to
> login after that line was deleted.
> 
> So how do I login using these services as root?  I can login as any user 
> *other* than root, which is somewhat unusual :).  I am using the "Medium"
> security level.  I know that I should use scp and ssh instead (which I do)  
> but I am just curious as to why ftp and telnet don't work in LM8 (telnet
> doesn't either in LM7.2, but ftp does).
> 
> Thanks again,
> George

telnet doesn't allow login as root
login as user and then use su

you better use ssh instead of telnet, telnet is obsolete and insecure

good luck

-- 

Mihai NECSA
Romania Data Systems
Network Engineer
Ploiesti Branch
Tel.: 044/196493, fax: 044/196493
http://www.rdsnet.ro



RE: [expert] Cannot telnet or FTP in as root

2001-09-12 Thread Gregor Maier

That's for security. The root user should NEVER be allowed to login directly
over the network (the only acceptable case is when using ssh).
I'm not familiar with the ftp config files but I'm not sure if it is possible
to configure the ftp server in a way to allow root logins.

Also note that telnet and ftp transmit the password unencrypted. Everyone who is
"listening" on your network connection can get your root password.

If you just connect from your local private network where ALL users are trusted
then you could use telnet (for normal users). In all other cases you should use
ssh.

If you want to be able to root over a telnet session then use su -. I.e. telnet
as normal user and then issue a 
su -


Gregor

On 12-Sep-2001 George Petri wrote:
> Hello!  Here's yet another problem that has completely stumped me:
> 
> 1. If I try to telnet into my own machine with the root password:
> 
> [root@cups166 /root]# telnet cups166
> Trying 192.168.1.2...
> Connected to cups166.reisersun.
> Escape character is '^]'.
> Welcome to cups166.reisersun
> Linux Mandrake release 8.0 (Traktopel) for i586
> Kernel 2.4.3-20mdk on an i586
> login: root
> Password:
> Login incorrect
> 
> 2. If I try to ftp into my own machine with the root password:
> 
> [root@cups166 /root]# ftp cups166
> Connected to cups166.reisersun.
> 220 ProFTPD 1.2.2rc1 Server (ProFTPD Default Installation)
> [cups166.reisersun]
> Name (cups166:root):
> 331 Password required for root.
> Password:
> 530 Login incorrect.
> Login failed.
> ftp>
> 
> I deleted the line "root" from /etc/ftpusers and restarted xinetd but it
> still won't allow root to login.  WuFTPd in Mandrake 7.2 allowed root to
> login after that line was deleted.
> 
> So how do I login using these services as root?  I can login as any user 
> *other* than root, which is somewhat unusual :).  I am using the "Medium"
> security level.  I know that I should use scp and ssh instead (which I do)  
> but I am just curious as to why ftp and telnet don't work in LM8 (telnet
> doesn't either in LM7.2, but ftp does).
> 
> Thanks again,
> George
> 
> 

--
E-Mail: Gregor Maier <[EMAIL PROTECTED]>
Date: 12-Sep-2001
Time: 14:16:42
--


