Are Mini-Distributions without password secure?

November 08th, 2010 - 04:39 pm ET by Manuel Rodriguez
Hi,
I have a very stupid question about the passwords in mini-distributions.
Please don't laugh at me, I'm like Forrest Gump ...
Ok, I want to know if mini-distributions (like Tinycore Linux,
MicroLinux) are secure. I mean, often they have no password login at
start; instead you type in:
root
<no password>

and you have full access to the system. But how does it look from the
other side, the internet? Can a hacker see from outside that I'm
logged in as root without a password, and in the worst case, can he do the
same? IMHO a telnet server without a password must be running on the machine,
but I'm not sure.

Thank you in advance.
#1 Keith Keller
November 08th, 2010 - 05:34 pm ET
On 2010-11-08, Manuel Rodriguez wrote:
> I have a very stupid question about the passwords in mini-distributions.
> Please don't laugh at me, I'm like Forrest Gump ...
> Ok, I want to know if mini-distributions (like Tinycore Linux,
> MicroLinux) are secure. I mean, often they have no password login at
> start; instead you type in:
> root
> <no password>
>
> and you have full access to the system. But how does it look from the
> other side, the internet? Can a hacker see from outside that I'm
> logged in as root without a password, and in the worst case, can he do the
> same?

Nobody can tell whether you supplied a password or not. But, if the
minidistro is running a telnetd or sshd, an attacker could simply try to
log in as root with no password. So yes, if it's visible on the internet
then it's vulnerable.

Of course, if it's a CD-based distro, the attacker can't permanently
modify anything. But he can still use your machine for bouncing a
remote attack, or as an SMTP relay, or other nefarious purposes, so you
wouldn't want to leave it in this state.

You should be able to modify root's password once you log in using
passwd. It won't survive a reboot in a CD-based distro, but at least it
will be less vulnerable.
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
#2 Lawrence D'Oliveiro
November 08th, 2010 - 06:19 pm ET
In message , Keith Keller wrote:

> But, if the minidistro is running a telnetd or sshd, an attacker could
> simply try to log in as root with no password. So yes, if it's visible on
> the internet then it's vulnerable.

a) No sensible minidistro maintainer would enable vulnerable services by
default. They would get pilloried in the blogs.
b) It is possible to enable something like sshd and disallow root logins, or
disallow logins with password altogether.

So there are lots of ways to use a minidistro that allows passwordless local
access on the Internet while minimizing your exposure to attacks.
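The mitigation in (b) above, as an added example that is not code from the thread: a small POSIX shell audit of an sshd_config for the directives that govern root and password logins, run against two constructed sample files. The directive names and defaults are OpenSSH's own; the script, the sample configs and the chosen default for PermitRootLogin are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the
# settings that decide whether a blank root password is usable over ssh.
# When a directive is absent the effective value is OpenSSH's documented
# default: PermitRootLogin yes (releases before 7.0; newer ones default to
# prohibit-password, so adjust the third argument when auditing a modern
# host), PasswordAuthentication yes, PermitEmptyPasswords no.
# As in sshd, the first matching directive wins.

# usage: sshd_setting <config-file> <Directive> <default>; prints the value.
sshd_setting() {
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s' "${v:-$3}"
}

# Returns 0 only when root login, empty passwords and password logins are
# all disabled; otherwise prints each exposure and returns 1.
audit_sshd() {
    rc=0
    root=$(sshd_setting "$1" PermitRootLogin yes)
    empty=$(sshd_setting "$1" PermitEmptyPasswords no)
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    [ "$root" = no ] || { echo "$1: PermitRootLogin=$root (root reachable over ssh)"; rc=1; }
    [ "$empty" = no ] || { echo "$1: PermitEmptyPasswords=$empty (a blank root password works)"; rc=1; }
    [ "$pw" = no ] || { echo "$1: PasswordAuthentication=$pw (keys only is safer)"; rc=1; }
    return $rc
}

# Constructed sample configs: the permissive sort a live CD might ship, and a
# hardened one that keeps sshd reachable while closing the passwordless path.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# minimal live-CD config; PermitRootLogin is left at its default
Port 22
PermitEmptyPasswords yes
EOF
cat >"$HARD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF

audit_sshd "$WEAK" || echo "$WEAK: exposed"
audit_sshd "$HARD" && echo "$HARD: hardened"
```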
#3 Nico Kadel-Garcia
November 09th, 2010 - 07:52 am ET
On Nov 8, 6:19 pm, Lawrence D'Oliveiro wrote:
> In message , Keith Keller wrote:
>
> > But, if the minidistro is running a telnetd or sshd, an attacker could
> > simply try to login as root with no password.  So yes, if it's visible on
> > the internet then it's vulnerable.
>
> a) No sensible minidistro maintainer would enable vulnerable services by
> default. They would get pilloried in the blogs.

Lawrence? People get pilloried in the blogs all the time, and there
are plenty of incompetent people who whip up mini distributions for
particular uses, such as for testing utilities. This is not a reliable
assumption.

> b) It is possible to enable something like sshd and disallow root logins, or
> disallow logins with password altogether.

Quite, quite true.

> So there are lots of ways to use a minidistro that allows passwordless local
> access on the Internet while minimizing your exposure to attacks.

For example, there are FTP daemons that allow restricted 'anonymous'
access, but control it reasonably tightly. Unfortunately, there are
also plenty of idiots who say "d00dz, you have to trust the machine
you're working on!!!!" and then rely on locally stored passwords
stored in clear text. (Subversion storing HTTPS passwords, and
Subversion's 'svnserve' protocol storing the list of passwords in
cleartext come to mind.)