Title: Re: disabling telnet and rlogin
IMHO the best security solution in terms of maintenance costs and guaranteed uniformity of security policy is to place the operational IOCs behind a firewall.

This is somewhat similar to Steve's solution, but the firewall is easier to maintain, has higher performance, has better control over security, incorporates industrial strength security capabilities, has improved access logging capabilities, costs about the same as a Solaris workstation, allows unlimited IP address range for the control system ...

High quality firewalls will allow transparent FTP initiated by the IOCs to the outside, and therefore the IOCs can boot from development machines during maintenance periods.

Jeff

At 10:18 AM -0600 2000/02/22, Andrew Johnson wrote:
"Porter, Rodney" wrote:
> Following up on your security talk at APS, I was wondering if there is a
> standard way to disable telnet and rlogin. If not could one be made?

You can inspect the INCLUDE_CONFIGURATION_5_2 macro, which is just a bunch of #defines, and pick what you want, leaving out telnet and rlogin. Just move the ones you do want from the grouping after #ifdef FALSE to just above it.

By the way, I leave them in, because they are useful to me; further, I assume VxWorks is extremely vulnerable, so to get some real security, I:

- put my IOCs on a hidden subnet, for example, using IP masquerading on one of my dual-homed servers. This really hides them from the Internet (and is good practice for your console Unix/NT machines as well--they can still see "out".);
- do not give the IOCs a DEFAULT route; at most, give them single-host routes to special hosts not on the hidden subnet. They will not reply to any packet not on their own LAN (which would not occur if using the IP masquerading technique, of course). You can still access them by using ssh once to your above server; then rlogin or via your serial port access method;
- change the default password and login supplied by WRS. Do this by looking further down in configAll.h;
- finally, VxWorks is pretty obscure; I still forget to put quotes around the arguments to cd and ls.

_________________________________________
Stephen A. Lewis | [email protected]
Mail Stop 71-259 | http://www.lbl.gov/~salewis
Lawrence Berkeley National Laboratory | Tel: +1.510.486.7702
Berkeley, CA 94720 USA | FAX: +1.510.486.4544
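
Added example, not part of the thread or of any EPICS or WRS code: a small check that reports which remote-login facilities are still #defined above the FALSE guard in a configAll.h-style header. The macro names INCLUDE_TELNET and INCLUDE_RLOGIN, the sample header, and the treatment of the FALSE-guarded block as not compiled (as the post describes it) are assumptions.

```python
import re

# Facilities the thread wants left out; macro names are assumed, not from the post.
REMOTE_LOGIN = {"INCLUDE_TELNET", "INCLUDE_RLOGIN"}

# Constructed sample laid out the way the post describes configAll.h:
# wanted facilities above the FALSE guard, unwanted ones inside it.
SAMPLE_HEADER = """\
#define INCLUDE_NET_INIT
#define INCLUDE_SHELL
#define INCLUDE_RLOGIN      /* still above the guard: compiled in */
#ifdef FALSE
#define INCLUDE_TELNET      /* below the guard: left out */
#define INCLUDE_RPC
#endif /* FALSE */
"""

DIRECTIVE = re.compile(r"^\s*#\s*(ifdef|ifndef|if|else|endif|define)\b\s*(\w+)?")

def active_defines(text):
    """Return the macros #defined outside any FALSE-guarded region."""
    stack = []   # one bool per open conditional: is this branch kept?
    found = set()
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, name = m.groups()
        if kind in ("ifdef", "if"):
            # Assumption: a block guarded by FALSE (or "#if 0") is excluded,
            # which is how the post describes the grouping.
            stack.append(name not in ("FALSE", "0"))
        elif kind == "ifndef":
            stack.append(True)
        elif kind == "else" and stack:
            stack[-1] = not stack[-1]
        elif kind == "endif" and stack:
            stack.pop()
        elif kind == "define" and name and all(stack):
            found.add(name)
    return found

def remote_login_enabled(text):
    """Remote-login facilities that would still be built into the image."""
    return sorted(REMOTE_LOGIN & active_defines(text))

if __name__ == "__main__":
    for macro in remote_login_enabled(SAMPLE_HEADER):
        print("still enabled:", macro)
```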