From owner-freebsd-security Sun Jan 16 5:39:35 2000
Date: Mon, 17 Jan 2000 00:40:45 +1100
From: aunty
To: Igor Roshchin
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Disallow remote login by regular user.
Message-ID: <20000117004045.G14280@comcen.com.au>
References: <20000116214058.D14280@comcen.com.au> <200001161255.GAA19043@alecto.physics.uiuc.edu>
In-Reply-To: <200001161255.GAA19043@alecto.physics.uiuc.edu>

On Sun, Jan 16, 2000 at 06:55:46AM -0600, Igor Roshchin wrote:
>
> I realize that everybody might have a local, rather weird situation.
> However, it sounds like you have some problems which are not related
> to the _system_ administration, but just to the _personnel_ administration.

Show me a site that doesn't :-) How many incidents are the result of a
mistake or lack of insight/understanding or communication of the personnel?
Enough to make optimistic predictions about future staff actions unwise.

> I mean that you are trying to protect your machine from somebody else,
> changing its configuration (modification of /etc/shells, /etc/inetd.conf)..
>
> System can not be made fool-proof from one who has root-privileges. :)

Certainly :-) That doesn't mean one should stop offering extra precautions.
Even if they don't deserve protection from themselves, their users do.
For this particular machine, the security/convenience balance can afford
to sway towards less convenient and more safe, so why not.

> Let me throw in one more stone in this pile of solutions.
> Unless I missed it, nobody has mentioned it yet.
>
> One can configure tcpd (tcpwrappers) - "hosts.deny" (hosts.allow) file
> to disallow any external access from any host via any protocol,
> while allowing connections from specific hosts via specific protocols.
>
> While this does not do any per user access limitations, it still
> can help you or other folks asking earlier in armoring their boxes.
>
> Hope this helps...

Thanks :-)

--

Regards,
-*Sue*-
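
The default-deny tcpd setup suggested in the quoted text, as an added example that is not part of the original thread: a simplified Python model of the hosts_access(5) decision order (hosts.allow first, then hosts.deny, otherwise grant). The rule contents, daemon names and addresses are constructed samples, and only `ALL`, exact addresses and trailing-dot network prefixes are modelled.

```python
# Simplified model of the tcpd/libwrap access decision (see hosts_access(5)).
# Constructed sample rules; addresses come from documentation ranges.
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd : 192.0.2.10
ftpd : 198.51.100.
"""
HOSTS_DENY = """\
ALL : ALL
"""

def parse(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]          # ignore any trailing option field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # network prefix, e.g. "198.51.100."
        return addr.startswith(pattern)
    return pattern == addr

def table_matches(rules, daemon, addr):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    if table_matches(parse(allow_text), daemon, addr):
        return True                           # 1. a match in hosts.allow grants
    if table_matches(parse(deny_text), daemon, addr):
        return False                          # 2. a match in hosts.deny refuses
    return True                               # 3. no match anywhere: granted

if __name__ == "__main__":
    for d, a in [("sshd", "192.0.2.10"), ("sshd", "203.0.113.5"),
                 ("ftpd", "198.51.100.77"), ("telnetd", "203.0.113.5")]:
        print(d, a, "allow" if allowed(d, a) else "deny")
```

Calling `allowed("telnetd", "203.0.113.5", deny_text="")` returns `True`, which is why the `ALL : ALL` line in hosts.deny is what makes the policy default-deny; the decision is keyed on daemon and client address only, not on the local account being logged into.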