Re: [Exim] Eximon vs. Exim Webapp security challenge

Top Page
Delete this message
Reply to this message
Author: Marc Haber
Date:  
To: exim-users
Subject: Re: [Exim] Eximon vs. Exim Webapp security challenge
On Sat, 31 Jan 2004 08:12:24 -0500, Blaine Simpson
<blaine.simpson@???> wrote:
>Try doing a web search engine for "ssh exploit" or "ssh advisory" or go
>to any security advisory site like cvs.mitre.org.


Well, thanks. So you are not aware of any current problems with
openssh. Thanks for talking about this.

Can you spell FUD?

>If you apply security patches regularly and lock down with tcp wrappers or
>some other form of ip filtering, it's excellent. Otherwise it's not. Both
>ssh and http can be secure or insecure. The differentiation is that a
>break in to sshd is generally a much more serious thing than a break in to
>a web site.


ssh needs to be installed anyway. But there are, however, many mail
servers that do not have, and do not need, a web server.

>First off, the purpose of sshd is to use some authentication mechanism to
>give a login, including a root login. (Configuring sshd to prevent this
>is safer,


... and the default on all machines I install.

[Tomcat advertisement snipped]

>You may notice that the normal procedure at nearly every large IT company
>is as follows: The main firewalls from the Internet permit all incoming
>traffic on http and https ports.


There is no excuse for stupid firewall rules.

>On the
>other hand, ssh is usually prohibited from everywhere except specific IP
>addresses and/or VPN.


That's a typical suit stance. "If we don't use it, it must be
dangerous".

And no, I would never leave an exim admin interface open to the
general public over any access way - ssh or http.

ssh can be closed down with a packet filter or tcp wrappers since you
know from where your admins ssh in. If you have a public and a
non-public http service on the same machine, you'll need to rely on
the web swerver to separate the privileges.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mailadresse im Header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29