Date: Sat, 1 Feb 1997 19:46:54 -0800 (PST)
From: Michael Dillon <michael@memra.com>
To: "freebsd-isp@freebsd.org" <freebsd-isp@FreeBSD.ORG>
Subject: Re: Spam from rival
Message-ID: <Pine.BSI.3.93.970201194112.8699Y-100000@sidhe.memra.com>
In-Reply-To: <199702020052.QAA20768@freefall.freebsd.org>
On Sat, 1 Feb 1997 dwoodward@intraserve.com wrote:

> If the line is null (i.e. just a <CRLF> is sent) then finger
> returns a ``default report" report that lists all people logged
> into the system at that moment.
>
> By doing this several times over a period of days logging the results (a
> cron perl script, logging to a file) do you think they would be able to
> get list of users??

I know somebody who did this every 5 minutes for three months including a
script to summarize the user list so he could keep track of the
competitor's growth. The reason he stopped was that he discovered that he
could just tftp the /etc/passwd file from the competitor's SCO system.

> Plus giving out shell accounts isn't bad, since everyone is so honest
> what possible harm could it cause? Why I just can't wait to sign up
> more. That extra $10 a month is worth it

It is possible to configure a shell machine so that the /etc/passwd file
does not contain usernames, only the userid numbers. This is especially
easy with FreeBSD where you have the complete source. Just change every
mention of /etc/passwd to /.etc/.passwd and then modify adduser to keep a
bogus /etc/passwd file in place for when you forget to modify a package
that you install. There are probably a dozen other ways to secure a shell
machine.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
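
Added example, not part of the original message: a defender-side check that flags sources hitting the finger service on a fixed timer, the cron-style polling described in the thread. It assumes connections are logged in TCP Wrappers (tcpd) syslog style; the host name, addresses and log lines are constructed, and periodic_pollers and its thresholds are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines (assumed tcpd-style format, documentation addresses).
SAMPLE_LOG = """\
Feb  1 19:00:02 shell1 in.fingerd[4101]: connect from 192.0.2.10
Feb  1 19:05:01 shell1 in.fingerd[4120]: connect from 192.0.2.10
Feb  1 19:07:44 shell1 in.fingerd[4133]: connect from 198.51.100.7
Feb  1 19:10:02 shell1 in.fingerd[4150]: connect from 192.0.2.10
Feb  1 19:15:01 shell1 in.fingerd[4171]: connect from 192.0.2.10
Feb  1 19:20:03 shell1 in.fingerd[4188]: connect from 192.0.2.10
Feb  1 19:21:10 shell1 in.tftpd[4190]: connect from 192.0.2.10
Feb  1 19:52:19 shell1 in.fingerd[4240]: connect from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+?)\[\d+\]: connect from (\S+)$"
)

def periodic_pollers(log, service="in.fingerd", min_hits=4, max_cv=0.1, year=1997):
    """Return {source: mean_gap_seconds} for sources polling `service` on a timer."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == service:
            # Syslog timestamps carry no year, so one is supplied by the caller.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[m.group(3)].append(ts)
    flagged = {}
    for src, times in hits.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Scheduled polling has near-constant gaps: low coefficient of variation.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[src] = round(avg)
    return flagged

if __name__ == "__main__":
    print(periodic_pollers(SAMPLE_LOG))
```

Passing service="in.tftpd" applies the same check to the tftp service mentioned in the message.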