[BusyBox] Are telnetd and login save?
tom at ceisystems.com
Thu Jul 17 14:24:13 UTC 2003
Steven,
I think your best bet would be to build a complete "test"
system, and bang on it for a while. Include all of the options,
utilities, scripts, etc. that will be on your final system, and run a
utility like Nessus, or some other security scanner. This is really the
only way to find out, other than looking at the source for every utility
you install.
Keep us posted,
Thomas Cameron
CEI Systems, Inc.
P.S. The first rule of security is to _not_ run any extra software.
Ditch telnet altogether.
-----Original Message-----
From: Steven Scholz [mailto:steven.scholz at imc-berlin.de]
Sent: Thursday, July 17, 2003 9:22 AM
To: Busybox
Subject: Re: [BusyBox] Are telnetd and login save?
Wolfgang Denk wrote:
> In message <3F169B04.1080804 at imc-berlin.de> you wrote:
>
>>>>Or if we have to be prepared that someday someone comes up with a
>>>>buffer overflow exploit (or whatever) that allows him to break in to a
>>>>busybox system (and get root access)?
>>>
>>>With telnet this is definitely the case.
>>
>>Why? I thought if you're carefully checking length and size of
>>incoming packets before processing them you're safe? Am I wrong?
>
>
> You will have to be afraid of breakins because someone might record
> the passwords you're transferring, and use the regular root login
> then.
Ok. I know that. I'm not planning to make root logins via telnet on a
regular basis! I would use ssh for that (if I needed this).
What I meant is: I want to keep the telnet open. Just in case. And
when I ever should use it, I know I have to have a secure network
(cross link cable ;-)).
So what I wanted to know was, if the device is somewhere in the
world, and some bad guy does a port scan and discovers that a telnet
would be possible then of course he tries to break in. Just for the
sake of it. So if I choose a safe password that cannot be guessed,
could he break into the (busybox) system by sending some manipulated
packets (to let's say create a buffer overflow).
Ok?
Steven