Preventing Remote Access Security Problems

Remote login access can be a security nightmare waiting to happen. As described in Chapter 18, "System Security," login servers are unusually high-risk servers because they give users unusually complete access to the computer: a successful login yields a shell, not just one application's functionality. If a password is compromised, a miscreant can use it to cause problems for local users and perhaps to exploit purely local security problems (a flaw in a setuid program, for instance) to acquire root privileges. For this reason, ensuring adequate security is especially important with these servers.

A good first step to this end is to use encryption. If possible, disable Telnet, and certainly disable rlogind; both send passwords and session data in cleartext, which makes them high-risk, especially over the Internet at large. Tunneling GUI protocols through SSH also helps a lot. As further protection against abuse, allow only the local computer to connect to your GUI server ports, as described earlier, in "Tunneling GUI Logins through SSH."

You may be able to use TCP Wrappers, xinetd, or packet-filter firewall rules to limit who can connect to your login servers. For instance, perhaps only local users should be able to use a VNC login server, and you might have configured it to run via xinetd, as described in the earlier section, "Linking VNC to XDMCP." In this case, you can use xinetd's access restriction tools, as described in Chapter 20, to keep hosts outside your local network from touching the VNC server. If you tunnel these connections through SSH, go one step further: even local users shouldn't be able to reach the VNC server directly, so restrict it to connections from the local computer itself and require everybody to come in through SSH.
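The checks described in the last two paragraphs, as an added example that is not from the book: a POSIX shell script that audits a directory of xinetd service definitions for cleartext login services (Telnet, rlogind, rshd, rexecd) that are still enabled and for any other enabled service that lacks an only_from restriction, then applies the fixes. The service files and the addresses in them are constructed for the demonstration; the attribute names it reads and writes (disable, only_from) are real xinetd keywords. Run it as root with /etc/xinetd.d in place of the sample directory to check a real system.

```shell
#!/bin/sh
# Added example (not from the book): audit xinetd service definitions for
# cleartext login services left enabled and for services exposed without an
# only_from restriction, then harden them. The service files built by
# make_sample_xinetd_dir are constructed samples; point audit_xinetd at
# /etc/xinetd.d (as root) to check a real system.

# Print the value of attribute $2 in xinetd service file $1 (empty if absent).
xinetd_value() {
    awk -v key="$2" '
        $1 == key && ($2 == "=" || $2 == "+=") { $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Set attribute $2 to $3 in file $1: rewrite an existing line, or add one
# just before the closing brace of the service block.
set_xinetd_attr() {
    awk -v key="$2" -v val="$3" '
        $1 == key && ($2 == "=" || $2 == "+=") { print "    " key " = " val; seen = 1; next }
        /^}/ && !seen                          { print "    " key " = " val }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Report every enabled service in directory $1 that is either a cleartext
# login service (xinetd names: telnet, login = rlogind, shell = rshd,
# exec = rexecd) or has no only_from restriction at all.
audit_xinetd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(awk '$1 == "service" { print $2; exit }' "$f")
        [ -n "$name" ] || continue
        [ "$(xinetd_value "$f" disable)" = "yes" ] && continue
        case "$name" in
            telnet|login|shell|exec)
                echo "FINDING $name ($f): cleartext login service enabled; set 'disable = yes' and use SSH"
                continue ;;
        esac
        [ -n "$(xinetd_value "$f" only_from)" ] ||
            echo "FINDING $name ($f): no only_from restriction; limit to the LAN, or to 127.0.0.1 if clients tunnel through SSH"
    done
    return 0
}

# Number of FINDING lines audit_xinetd produces for directory $1.
count_findings() {
    audit_xinetd "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Build a temporary directory of constructed xinetd service files.
make_sample_xinetd_dir() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/telnet" <<'EOF'
service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = no
}
EOF
    cat > "$sample_dir/rlogin" <<'EOF'
service login
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.rlogind
    disable     = yes
}
EOF
    cat > "$sample_dir/vnc" <<'EOF'
service vnc
{
    type        = UNLISTED
    port        = 5900
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/bin/Xvnc
    server_args = -inetd -query localhost -once
    disable     = no
}
EOF
    echo "$sample_dir"
}

sample=$(make_sample_xinetd_dir)
echo "== before hardening =="
audit_xinetd "$sample"
set_xinetd_attr "$sample/telnet" disable yes          # switch off cleartext Telnet
set_xinetd_attr "$sample/vnc" only_from 127.0.0.1     # VNC reachable only via a local SSH tunnel
echo "== after hardening =="
audit_xinetd "$sample"
rm -rf "$sample"
```

To restrict VNC to the local network rather than to the local computer, pass a network such as 192.168.1.0/24 as the only_from value instead of 127.0.0.1. When every client arrives through an SSH tunnel, xinetd's bind (alias interface) attribute is the stronger control, because it makes the listener exist only on 127.0.0.1 rather than merely refusing other sources. For servers that are not started from xinetd, TCP Wrappers gives the same effect with "ALL: ALL" in /etc/hosts.deny and a line such as "sshd: 192.168.1." in /etc/hosts.allow, and a packet filter can enforce the same policy independently of how each server is started.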

Chapter 18 included information on the importance of selecting good user passwords. If you haven't already read that section, do so, and be sure you convey the information it contains to your users. Even if you use encryption and access control tools, poor passwords remain a threat, particularly if you have a local "bad apple" or a breach of one local computer that an outside miscreant might be able to exploit as a stepping stone to the others.
