Subj : Really in need of help...
To   : Ganiman
From : niter3
Date : Tue Dec 06 2022 02:42 pm

 Ga> If your BBS gets compromised, then that person has root access to your
 Ga> system and whatever else that might mean for your environment. It is
 Ga> generally bad practice to run any services as root, especially untrusted
 Ga> ones like Mystic - I would not say Mystic is "trusted" by any means. It
 Ga> does not seem to support modern crypto ciphers: try ssh'ing to any
 Ga> Mystic BBS with a "normal" client, like `ssh` from a Linux command line,
 Ga> and by default you will get an error about weak ciphers, to which you
 Ga> need to either update your ssh_config or explicitly use the weak cipher
 Ga> in your command string - TLS with SMTP also seems to have similar cipher
 Ga> issues. Mystic, to my knowledge anyway, is not pen tested, it is not
 Ga> open source to allow for peer reviewing, it does not get frequent
 Ga> updates, etc. That is not a dig at the g00r00 or anyone who contributes
 Ga> to it, and advanced security shouldn't be the job of Mystic anyway. On
 Ga> top of that and other things, most of us are all using TELNET which is
 Ga> the most *unsecure* thing you can do on the Internet. No, you should not
 Ga> be running Mystic or most other things with root privileges.
 Ga>
 Ga> There *are* generally safe ways to run untrusted software like Mystic
 Ga> and there are ways to use ports 22 and 23 *without* giving Mystic
 Ga> root access (simple firewall rules to forward each of them to ports
 Ga> above 1024 are easy enough to write and search for).
 Ga>
 Ga> We live in a "zero trust" world today.
 Ga>

The only thing I can think of in regards to this being an issue is if MIS
itself got compromised. sudo access for my bbs user can only run MIS with
elevated permissions. Nothing more.

.... Real Programmers balance their checkbooks in hex

--- Mystic BBS v1.12 A48 2022/07/15 (Linux/64)
 * Origin: Clutch BBS * telnet://bbs.clutchbbs.com (21:1/199)
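
The firewall forwarding mentioned in the quoted text, sketched as an added example that is not part of the original message or of Mystic: a script that builds nftables redirect rules so a BBS server bound to high ports can be reached on 22 and 23 without running as root. Assumptions: nftables is the host firewall, the local ports 2222 and 2323 and the script name are hypothetical, and the host's own sshd is not listening on port 22.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed setup: the BBS server
# runs as an unprivileged user on high ports (2222 and 2323 are hypothetical),
# and the host's own sshd, if any, is not on port 22.

# True if $1 is a decimal TCP port number (1-65535).
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print an nftables ruleset that redirects each PUBLIC:LOCAL pair.
# Returns 1 and prints nothing on stdout if any pair is unusable.
gen_redirect_rules() {
    rules=""
    for pair in "$@"; do
        pub=${pair%%:*}
        loc=${pair##*:}
        if ! is_port "$pub" || ! is_port "$loc"; then
            echo "bad port pair: $pair" >&2
            return 1
        fi
        # A local port below 1024 would still need root to bind,
        # which is exactly what the redirect is meant to avoid.
        if [ "$loc" -lt 1024 ]; then
            echo "local port $loc is privileged: $pair" >&2
            return 1
        fi
        rules="${rules}        tcp dport $pub redirect to :$loc
"
    done
    # "ip" covers IPv4 only; prerouting sees traffic arriving from the
    # network, not connections made from the host itself.
    printf 'table ip bbs_redirect {\n    chain prerouting {\n'
    printf '        type nat hook prerouting priority -100; policy accept;\n'
    printf '%s    }\n}\n' "$rules"
}

# Prints the ruleset; an administrator loads it once, as root, with:
#   sh this_script.sh | nft -f -      (this_script.sh is a placeholder name)
gen_redirect_rules 22:2222 23:2323
```

Only the one-time rule load needs root; the BBS process itself then binds 2222 and 2323 as an ordinary user.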