RE: [Cooker] login delay
On Tue, 30 Jan 2001, Eaon wrote:
>
> > Thus spoke Valdas Andrulis on Tue, Jan 30, 2001 at 01:11:48PM +0200:
> > > I have noticed that previously when someone entered incorrect username
> > > or password during login, there was the delay before another login
> > > prompt. And now (I think this happened in 7.x series) it gives login:
> > > prompt instantly, which is bad from security view.
> >
> > You're talking about the telnet login? Well, telnet is insecure anyway, so
> > that's no wonder. And after 3 unsuccessful tries the connection is dropped.
> > I don't seem to understand why it's so bad - how was it in the old days?
> > Was the delay increased after each try? And why is it more secure, if
> > there's a delay?
> >
>
> An increased or random delay between login attempts discourages brute force
> attacks using scripts that just send username/password over and over until
> they get in. Or at least, that's what I learned in school. :-)
>
> But you're right, if we're talking about telnet here, kill the service
> anyway and install SSH.

In fact this is true for all apps that use PAM for authentication. The responsible module is /lib/security/pam_unix.so. It has option 'nodelay', so the default action should be some kind of delay. But... it does not do it. (pam-0.72-12mdk)

Valdas

>
> Eaon
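An added example, not part of the thread: one way to check whether a PAM stack has explicitly switched off the pam_unix failure delay is to scan service files for the 'nodelay' option mentioned above. The sample configuration, the function names and the assumption of /etc/pam.d-style files (no service column) are constructed for illustration.

```python
import re

# Constructed sample in /etc/pam.d/<service> format (not from the thread).
SAMPLE = """\
# /etc/pam.d/login (constructed)
auth     required    /lib/security/pam_securetty.so
auth     required    /lib/security/pam_unix.so nullok nodelay
auth     [success=1 default=ignore] pam_unix.so \\
         try_first_pass
account  required    pam_unix.so nodelay
-auth    sufficient  pam_unix.so likeauth nodelay   # trailing comment
"""

# type, control (word or [bracketed list]), module path, module arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def logical_lines(text):
    """Yield (first_line_no, rule) with comments removed and
    backslash-continued lines joined into one rule."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        start = n if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, " ".join(buf.split())
        buf, start = "", None

def find_nodelay(text):
    """Return [(line_no, rule)] for auth rules where pam_unix.so is given
    'nodelay', i.e. where its failure delay has been switched off."""
    hits = []
    for n, rule in logical_lines(text):
        m = RULE.match(rule)
        if not m:
            continue
        mtype, _control, module, args = m.groups()
        if (mtype.lower() == "auth"
                and module.rsplit("/", 1)[-1] == "pam_unix.so"
                and "nodelay" in args.split()):
            hits.append((n, rule))
    return hits

if __name__ == "__main__":
    for n, rule in find_nodelay(SAMPLE):
        print(f"line {n}: {rule}")
```

An empty result only shows that the delay was not disabled in the configuration; it does not prove the module actually delays, which is the behaviour reported above for pam-0.72-12mdk.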
Re: [Cooker] vim-minimal-6.0-0.10mdk.i586.rpm
On Tue, 30 Jan 2001, Valdas Andrulis wrote:
> On Tue, 30 Jan 2001, Pixel wrote:
>
> > David Odin <[EMAIL PROTECTED]> writes:
> >
> > > To sum up, /bin/vi is only pointing to /bin/vim (minimal) if only
> > > vim minimal is installed, else, it's pointing to /usr/bin/vim (enhanced).
> >
> > pbs:
> >
> > - /bin/vim not included in vim-minimal
>
> That's what I meant in my message.
>
> > - people used to call "vim" will get vim-minimal as /bin is usually before
> > /usr/bin in $PATH
>
> So it is better to call vim-minimal /bin/vim-minimal or whatever but not
> /bin/vim. update-alternatives takes care of /bin/vi setting to
> /bin/vim-minimal or /usr/bin/vim.

And at the installation time if user set / and /usr to two separate partitions vim-minimal should be marked mandatory and installed in order to retain the purpose of /bin/vi IMHO.

Valdas

>
> Valdas
Re: [Cooker] vim-minimal-6.0-0.10mdk.i586.rpm
On Tue, 30 Jan 2001, Pixel wrote:
> David Odin <[EMAIL PROTECTED]> writes:
>
> > To sum up, /bin/vi is only pointing to /bin/vim (minimal) if only
> > vim minimal is installed, else, it's pointing to /usr/bin/vim (enhanced).
>
> pbs:
>
> - /bin/vim not included in vim-minimal

That's what I meant in my message.

> - people used to call "vim" will get vim-minimal as /bin is usually before
> /usr/bin in $PATH

So it is better to call vim-minimal /bin/vim-minimal or whatever but not /bin/vim. update-alternatives takes care of /bin/vi setting to /bin/vim-minimal or /usr/bin/vim.

Valdas
[Cooker] login delay
I have noticed that previously when someone entered incorrect username or password during login, there was the delay before another login prompt. And now (I think this happened in 7.x series) it gives login: prompt instantly, which is bad from security view.

Valdas
[Cooker] vim-minimal-6.0-0.10mdk.i586.rpm
vim-minimal-6.0-0.10mdk.i586.rpm is bad: it does not include /bin/vi

Valdas
[Cooker] pam_limits
Hello,

I am using /lib/security/pam_limits.so. In my configuration /etc/security/limits.conf I limit nproc - max number of processes for users.

...
* soft nproc 40
* hard nproc 70
...

But with the 2.4.0 kernel it is not working as expected. Upon login pam is called, and it sets limits according to the config file. But while in 2.2.x kernels the root user is not actually constrained by the set limits, in 2.4.0 root is forced to the limits like a normal user, and it results in a "fork: resourse temporary unavailable, cannot start login shell" error, as there are more than 40 or 70 root-owned processes already.

Can this issue be resolved easily? If not, it should at least be pointed out to all who use this. This setting is of course not bulletproof, but it protects from ordinary users quite well IMHO.

Valdas