Date: Wed, 17 May 2000 19:27:31 +0530
From: Rahul Siddharthan <rsidd@physics.iisc.ernet.in>
To: Rob <robert@namodn.com>
Cc: questions@FreeBSD.ORG
Subject: Re: Is port scanning a problem?
Message-ID: <20000517192730.A81730@physics.iisc.ernet.in>
In-Reply-To: <20000517040133.A14908@theo.namodn.com>; from robert@namodn.com on Wed, May 17, 2000 at 04:01:33AM -0700
References: <20000516203849.A1491@parish> <20000517141125.A79652@physics.iisc.ernet.in> <20000517040133.A14908@theo.namodn.com>
> Hi Rahul,
>
> > Well, you have fingerd running..
>
> Any particularly good reason?
>
> The only real issue there is that
> people can guess at usernames without
> triggering any alarms.

Well -- people can guess that from publicly archived email, anyway; and on this particular machine, finger @host isn't allowed, so you have to have some information in the first place, either the login id or the real name, to be able to finger. But yes, we tend not to be very security conscious out here...

On a related note, there seems to be a *huge* security problem with NIS, which I haven't seen discussed anywhere. Namely, if you get root access on a client machine, you can su to any NIS account even though the accounts are on the NIS server, not the same machine. At least that's how it works with our NIS server. Does anyone have comments on that, or on how to change that behaviour?

> I generally run sshd and whatever service(s) the box
> is to perform ( generally one on servers, but my home
> machine has to be stretched a bit farther.. :)

We've tried removing telnet/rlogin, but users tend to complain -- and worse, they just telnet to another machine on the network, not under our control, and ssh from there, which is worse than useless because they're now transmitting *two* passwords in plain text over the internet...

> Which does bring to mind, why does sshd by default
> only ask for a password when a user account exists?
> Seems to open up the aforementioned fingerd prob...

Haven't seen that happen, on either the current SSH1/SSH2 or OpenSSH.

Rahul.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
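The thread's practical point is that fingerd, telnet and rlogin are still enabled on hosts where they leak account names or send passwords in the clear. The following audit script is an added example, not code from the thread; it parses an inetd.conf in the FreeBSD 4.x format of the time (where those daemons are started) and reports which of those services are still switched on. The sample file is constructed for the example, not taken from a real host.

```python
"""Audit an inetd.conf for the services the thread warns about:
fingerd (username probing) and telnet/rlogin/rsh (cleartext passwords)."""

# Services and why the thread considers them a problem.
RISKY = {
    "finger": "lets remote users probe for valid account names",
    "telnet": "sends login passwords in plain text",
    "login":  "rlogin: sends passwords in plain text, trusts .rhosts",
    "shell":  "rsh: no encryption, trusts .rhosts",
}


def parse_inetd_conf(text):
    """Yield (service, enabled, line_no) for each service entry.

    A leading '#' marks a commented-out (disabled) entry. Pure comment
    lines are skipped because they lack the six fields of a real entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
            continue
        yield fields[0], enabled, line_no


def audit(text):
    """Return {service: reason} for every risky service still enabled."""
    return {svc: RISKY[svc] for svc, enabled, _ in parse_inetd_conf(text)
            if enabled and svc in RISKY}


# Constructed sample in FreeBSD 4.x inetd.conf layout (not a real host).
SAMPLE = """\
# inetd.conf (constructed sample for the audit example)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#ssh    stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
"""

if __name__ == "__main__":
    for svc, why in audit(SAMPLE).items():
        print(f"{svc}: still enabled ({why})")
```

Run it against a real /etc/inetd.conf by reading the file into `audit()`; a clean host returns an empty dict.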