لطفا منتظر باشید ...
Remote
Administration Security Concerns
Remote system administration is a potentially
huge security loophole, no matter how it's conductedvia a text-mode or GUI
login or through a dedicated configuration tool like those discussed in this
chapter. There are two major classes of concerns: Compromised passwords If an unauthorized individual somehow obtains an administrative
password, that person can alter your system's configuration. Server bugs Security-related bugs have been found in many servers in the past,
and it's possible that bugs will be found in remote administration tools in the
future. If so, your systems may become vulnerable to attack even if your
passwords are unknown by unauthorized individuals.In both of these cases, the risks may be
increased if you run a dedicated remote administrative tool in addition to a
regular remote login tool, as opposed to running the remote login tool alone. As
described in
remote login tools send their passwords in an unencrypted form, but others
(such as the Secure Shell, SSH) encrypt passwords and even subsequent data. Linuxconf
and SWAT both use unencrypted passwords, so if you use only SSH locally for
security reasons, Linuxconf and SWAT greatly negate SSH's advantages. Webmin
may optionally use the Secure Sockets Layer (SSL; see
encryption, so Webmin can protect your passwords and other data; however,
configuring Webmin to use SSL requires installing and setting up SSL. Because
of the lack of encryption provided by these tools, I strongly recommend against
using Linuxconf, SWAT, or non-SSL-encoded versions of Webmin on anything but a
trusted local network.The remote access tools also grant access if
the user knows just one username and password. As described in
remote login protocols can be configured to accept logins only from ordinary
users, which means that an administrator must know two
passwords to administer the systeman ordinary username/password pair and the root password
(used in conjunction with su or a similar tool). In sum, of the remote access tools discussed in
this chapter, only Webmin provides the sort of encryption features found in
tools like SSH, and even at its best, Webmin is potentially slightly more
vulnerable to a password that's been obtained in some way other than Ethernet
sniffing.You can reduce some of the risks of
unauthorized access by limiting the systems that can connect to the
administrative server. As described earlier in this chapter, Linuxconf includes
tools to let you do this by specifying authorized IP addresses or network
ranges. Any of these programs can be protected by TCP Wrappers or xinetd , as
described in
start the servers from a super server, as is the default for Linuxconf and
SWAT. You can also configure a firewall to limit access to the remote
administration port, as described in
Configuring iptables. These measures won't limit the risks of password
sniffing, though, and IP addresses can be forged or even commandeered if the
intruder has physical access to a network. Thus, such procedures can't
eliminate all risks, although they're important.As a general rule, it's best to limit the
number of servers a system runs, both to minimize the risk of server bugs and
to restrict the number of entry points that might be abused. If a system must
run a remote login serverparticularly one that encrypts data, such as SSHthe
safest course from a security point of view is to use that login tool to
administer the system if remote administration is required;
administration-specific tools like those discussed in this chapter pose an
additional risk. This risk may be justified on sufficiently protected networks
if administrators are more comfortable with these tools, though. Also, remote
administration tools can be worth while if no conventional remote login servers
are being run but remote administration is desirable.You might be tempted to use limited
administrative servers, such as SWAT, in place of full-access servers, such as
Linuxconf and Webmin, as a security precaution. After all, if an intruder can
break into SWAT, the damage that intruder can do is limited, right? This may be
the case for some remote-access servers, but many provide enough leverage that
an intruder could do substantial damage. For instance, somebody who breaks into
SWAT can create a file share that provides full read/write access to the entire
/etc directory. The intruder could use this access to alter additional
key configuration files, such as activating Telnet access, adding accounts, and
so on. Nonetheless, using more limited administrative tools might at least slow
down an intruder.Finally, the security precautions described
here are only a start.
book is devoted to security matters. This section highlights some of the more
important issues because remote administration servers are particularly
powerful tools that can be more easily abused than most other servers, if
compromised.
