Re: Secure Finger Daemon

2002-01-09 Thread Hans-Joachim Picht
On Sat, Jan 05, 2002 at 07:09:01PM +0100, eim wrote:

> I'm planning to install a secure finger daemon
> on one of the public boxes I admin.

> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?

http://www.fefe.de/ffingerd/ 

 cut 

   1. Does not need to be run as root
   2. Does not support indirect queries
   3. Does not allow global queries ("finger @bighost")
   4. Users can disallow finger queries by creating the file ~/.nofinger
   5. Does not view sensitive information like the home directory or the shell.
   6. Displays .plan, .project and .pubkey (for PGP/GnuPG/PEM public keys)

Please note that ffingerd does not try to limit the number of ffingerd
processes running at the same time. That is the job of inetd. If your
inetd lacks support for this, I recommend xinetd or tcpserver.

 cut 

I have been running ffingerd on some boxes where users requested a
finger daemon for about 3 years and have not had any successful
penetration attempts since I installed it.

With best regards

Hans
-- 
Hans-Joachim Picht, Consultant  <[EMAIL PROTECTED]> 
Linux Consulting Europe http://www.lnxce.net
Vogelhecke 2D - 35447 Reiskirchen   Tel: +491751629201 
Fax: +49640862649   Germany 
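A worked example added here, not ffingerd's code nor anything posted in the thread: a small inetd-style finger handler in C that implements the properties listed above (bounded request reading, refusal of global and indirect queries, the ~/.nofinger opt-out, a reply without home directory or shell) plus a permanent drop from root to a separate account, the point made elsewhere in the thread. The "finger" account name, the reply wording and the omission of a .plan reader are assumptions.

```c
/* Added example, not ffingerd's own code: an inetd-style finger handler
 * built around the properties listed above. The "finger" account name
 * and the reply wording are assumptions. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_REQ 128
enum verdict { Q_USER, Q_REJECT_GLOBAL, Q_REJECT_INDIRECT, Q_REJECT_BAD };

/* Parse one RFC 1288 request line ("[/W ][username]\r\n") into a login
 * name. An empty name is the listing request that "finger @host" sends
 * (global query); an '@' inside the name asks this host to forward the
 * query elsewhere (indirect query). Both are refused, as is anything
 * that is not a plain account name. */
enum verdict parse_request(const char *line, char *user, size_t userlen)
{
    char buf[MAX_REQ];
    size_t n = strcspn(line, "\r\n");
    if (n >= sizeof buf) return Q_REJECT_BAD;   /* bounded copy: no gets() */
    memcpy(buf, line, n); buf[n] = '\0';
    char *p = buf;
    while (*p == ' ') p++;
    if (strncmp(p, "/W", 2) == 0) {             /* verbose switch: accepted, ignored */
        p += 2;
        while (*p == ' ') p++;
    }
    if (*p == '\0') return Q_REJECT_GLOBAL;
    if (strchr(p, '@')) return Q_REJECT_INDIRECT;
    for (const char *q = p; *q; q++)
        if (!isalnum((unsigned char)*q) && *q != '_' && *q != '-' && *q != '.')
            return Q_REJECT_BAD;
    if (strlen(p) >= userlen) return Q_REJECT_BAD;
    strcpy(user, p);
    return Q_USER;
}

/* ~/.nofinger opt-out: the marker file in the user's home means "no
 * information". An overlong path is treated as opted out (fail closed). */
int user_opted_out(const char *home)
{
    char path[4096];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/.nofinger", home) >= (int)sizeof path) return 1;
    return stat(path, &st) == 0;
}

/* Build the reply: login, real name and plan only. Home directory and
 * login shell are deliberately left out. Returns 1 if the reply fit. */
int format_reply(const char *login, const char *gecos, const char *plan,
                 char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "Login: %s\r\nName: %s\r\nPlan:\r\n%s\r\n",
                     login, gecos, (plan && *plan) ? plan : "No Plan.");
    return n >= 0 && (size_t)n < outlen;
}

/* Give up root for good before any request data is touched: supplementary
 * groups first, then gid, then uid, then confirm root cannot be regained. */
int drop_privileges(const char *runas)
{
    struct passwd *pw = getpwnam(runas);
    if (!pw || pw->pw_uid == 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0) return -1;              /* must fail, or the drop did not stick */
    return 0;
}

/* inetd-style entry point: one request on stdin, one reply on stdout.
 * Reading ~/.plan is left out; its text would be the third argument. */
int main(void)
{
    char line[MAX_REQ], user[32], reply[1024];
    if (geteuid() == 0 && drop_privileges("finger") != 0) return 1;
    if (!fgets(line, sizeof line, stdin)) return 1;          /* bounded read */
    switch (parse_request(line, user, sizeof user)) {
    case Q_REJECT_GLOBAL:   fputs("Listing all users is not supported.\r\n", stdout); return 0;
    case Q_REJECT_INDIRECT: fputs("Forwarding queries is not supported.\r\n", stdout); return 0;
    case Q_REJECT_BAD:      fputs("Bad request.\r\n", stdout); return 0;
    case Q_USER:            break;
    }
    struct passwd *pw = getpwnam(user);   /* same reply for unknown and opted-out: no enumeration */
    if (!pw || user_opted_out(pw->pw_dir)) { fputs("No information available.\r\n", stdout); return 0; }
    if (format_reply(pw->pw_name, pw->pw_gecos, "", reply, sizeof reply)) fputs(reply, stdout);
    return 0;
}
```

Under inetd the user field of the service entry already starts the handler unprivileged, so drop_privileges only matters when it is launched as root.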





RE: Secure Finger Daemon

2002-01-07 Thread Oliver Andrich
Hi!

Well, running it chrooted will prevent it from accessing the .plan files and
all the other information you want to provide via the finger service, at least
if you provide a correct chroot environment. Anything providing access to files
outside the chroot environment would be a security issue again. I mean, you
can actually update the information in the finger sandbox using some kind of
cron job. This won't be accurate and may require some patches to the fingerd.
Better think about a different way to provide the information you want to
offer.

Best regards and happy thinking,
Oliver-who-is-quite-angry-about-getting-a-notebook-where-you-cant-run-linux-on
-without-severe-constraints-on-functionality ;)

> -Original Message-
> From: eim [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 06, 2002 11:45 PM
> To: Debian-Security List
> Subject: Re: Secure Finger Daemon
>
>
> my Finger Daemon conclusion...
>
> First, Thanks for all the answers to my question.
>
> Well, so it really seems it's better to avoid using
> any finger daemon, security has always priority.
>
> Anyway I thought the finger daemon would be a nice
> feature for the .plan files, userinfo and mail info
> for the users of my box.
>
> Maybe running fingerd in a chrooted jail as not-root
> user would be a secure-like solution, got to think about it.
>
> Thanks again for all the replies,
> have a nice time...
>  -Ivo
>
> On Sat, 2002-01-05 at 19:09, eim wrote:
> > Hello,
> >
> > I'm planning to install a secure finger daemon
> > on one of the public boxes I admin.
> >
> > Well, out there are really many different finger
> > daemons and in the Debian stable tree I can find:
> >
> > * efingerd - Another finger daemon for unix
> >    capable of fine-tuning your output.
> > * xfingerd - BSD-like finger daemon with qmail support.
> > * ffingerd - A secure finger daemon
> > * fingerd - Remote user information server.
> > * cfingerd - Configurable and secure finger daemon
> >
> > So I've considered using fingered which should be secure.
> >
> > Often I hear and read about exploited finger daemons which
> > gave the attacker system access so I'm asking on this list
> > help about the F Daemon.
> >
> > Which Finger daemon is *really* secure ?
> > Shouldn't I install this service at all ?
> > Any experiences about compromised systems ?
> >
> > Thanks for any help !
> > Have a nice time,
> >  - Ivo
> >
> > --
> >
> >  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
> >  Ivo Marino[EMAIL PROTECTED]
> >  UN*X Developer, running Debian GNU/Linux
> >  irc.OpenProjects.net #debian
> >  http://eimbox.org
> >  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
> >
> >
> --
>
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>  Ivo Marino[EMAIL PROTECTED]
>  UN*X Developer, running Debian GNU/Linux
>  irc.OpenProjects.net #debian
>  http://eimbox.org
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>
>




Re: Secure Finger Daemon

2002-01-07 Thread Karl E. Jorgensen
On Sun, Jan 06, 2002 at 11:45:28PM +0100, eim wrote:
> my Finger Daemon conclusion...
> 
> First, Thanks for all the answers to my question.
> 
> Well, so it really seems it's better to avoid using
> any finger daemon, security has always priority.
> 
> Anyway I thought the finger daemon would be a nice
> feature for the .plan files, userinfo and mail info
> for the users of my box.
> 
> Maybe running fingerd in a chrooted jail as not-root
> user would be a secure-like solution, got to think about it.

I'm no security expert, but...

Wouldn't running fingerd in a chroot jail prevent it from accessing
users' .plan files?

> 
> Thanks again for all the replies,
> have a nice time...
>  -Ivo

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
"One disk to rule them all, One disk to find them. One disk to bring
 them all and in the darkness grind them. In the Land of Redmond
 where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Secure Finger Daemon

2002-01-06 Thread eim
my Finger Daemon conclusion...

First, Thanks for all the answers to my question.

Well, so it really seems it's better to avoid using
any finger daemon, security has always priority.

Anyway I thought the finger daemon would be a nice
feature for the .plan files, userinfo and mail info
for the users of my box.

Maybe running fingerd in a chrooted jail as not-root
user would be a secure-like solution, got to think about it.

Thanks again for all the replies,
have a nice time...
 -Ivo

On Sat, 2002-01-05 at 19:09, eim wrote:
> Hello,
> 
> I'm planning to install a secure finger daemon
> on one of the public boxes I admin.
> 
> Well, out there are really many different finger
> daemons and in the Debian stable tree I can find:
> 
>   * efingerd - Another finger daemon for unix 
>  capable of fine-tuning your output.
>   * xfingerd - BSD-like finger daemon with qmail support.
>   * ffingerd - A secure finger daemon
>   * fingerd - Remote user information server.
>   * cfingerd - Configurable and secure finger daemon
> 
> So I've considered using fingered which should be secure.
> 
> Often I hear and read about exploited finger daemons which
> gave the attacker system access so I'm asking on this list
> help about the F Daemon.
> 
> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?
> 
> Thanks for any help !
> Have a nice time,
>  - Ivo
> 
> -- 
> 
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>  Ivo Marino[EMAIL PROTECTED]
>  UN*X Developer, running Debian GNU/Linux
>  irc.OpenProjects.net #debian
>  http://eimbox.org
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
> 
> 
-- 

 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
 Ivo Marino[EMAIL PROTECTED]
 UN*X Developer, running Debian GNU/Linux
 irc.OpenProjects.net #debian
 http://eimbox.org
 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«



RE: Secure Finger Daemon

2002-01-06 Thread Gary MacDougall
We've "given the finger" to the finger daemon years ago...
no need for it.

g

-Original Message-
From: Moritz Schulte [mailto:[EMAIL PROTECTED] Behalf Of Moritz
Schulte
Sent: Sunday, January 06, 2002 11:20 AM
To: Debian-Security List
Subject: Re: Secure Finger Daemon


eim <[EMAIL PROTECTED]> writes:

Sorry, I can't tell you which fingerd is the most secure one.  But...

> Shouldn't I install this service at all ?

... do you really need it?  Every additional service is a potential
security risk; only run those services which you really need.

moritz
--
[EMAIL PROTECTED] - http://duesseldorf.ccc.de/~moritz/
GPG fingerprint = 3A14 3923 15BE FD57 FC06  B501 0841 2D7B 6F98 4199







cfingerd bugs [Re: Secure Finger Daemon]

2002-01-06 Thread David Coe
Wichert Akkerman <[EMAIL PROTECTED]> writes:

> Previously eim wrote:
> > Which Finger daemon is *really* secure ?
> 
> I haven't looked at all of them, but cfingerd most certainly is not.

I notice the security-related bug reports against cfingerd
are all marked 'normal' -- shouldn't they be 'critical' ?

I know nothing in detail about [c]fingerd.



Re: Secure Finger Daemon

2002-01-06 Thread Moritz Schulte
eim <[EMAIL PROTECTED]> writes:

Sorry, I can't tell you which fingerd is the most secure one.  But...

> Shouldn't I install this service at all ?

... do you really need it?  Every additional service is a potential
security risk; only run those services which you really need.

moritz
-- 
[EMAIL PROTECTED] - http://duesseldorf.ccc.de/~moritz/
GPG fingerprint = 3A14 3923 15BE FD57 FC06  B501 0841 2D7B 6F98 4199



Re: Secure Finger Daemon

2002-01-06 Thread Rishi L Khan
I'm not sure which are secure. However, if you plan to use any of them, I
suggest using tcp-wrappers (tcpd) via inetd (or xinetd). Then edit your
hosts.allow file and explicitly allow only certain machines to access your
box.

Also, consider running whichever finger daemon you choose as a separate user
(i.e. finger). Most of the famous exploits of finger are due to the fact that it
is often run as root. However, fingerd requires no information that
requires root access to the machine.

-rishi

On 5 Jan 2002, eim wrote:

> Hello,
>
> I'm planning to install a secure finger daemon
> on one of the public boxes I admin.
>
> Well, out there are really many different finger
> daemons and in the Debian stable tree I can find:
>
>   * efingerd - Another finger daemon for unix
>  capable of fine-tuning your output.
>   * xfingerd - BSD-like finger daemon with qmail support.
>   * ffingerd - A secure finger daemon
>   * fingerd - Remote user information server.
>   * cfingerd - Configurable and secure finger daemon
>
> So I've considered using fingered which should be secure.
>
> Often I hear and read about exploited finger daemons which
> gave the attacker system access so I'm asking on this list
> help about the F Daemon.
>
> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?
>
> Thanks for any help !
> Have a nice time,
>  - Ivo
>
> --
>
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>  Ivo Marino[EMAIL PROTECTED]
>  UN*X Developer, running Debian GNU/Linux
>  irc.OpenProjects.net #debian
>  http://eimbox.org
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>
>
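An added example, not tcpd's code and not from the thread: a small C model of how tcp-wrappers evaluates hosts.allow and hosts.deny for in.fingerd, run over a constructed pair of tables so the effect of the advice above can be checked offline. It also shows the catch a practitioner wants to know: tcpd grants access by default, so an entry in hosts.allow restricts nothing unless hosts.deny carries a matching catch-all. Pattern support is a subset (ALL, dotted prefix, net/mask; no hostnames, EXCEPT or option fields), and the addresses are assumed.

```c
/* Added example, not tcpd's code: a model of the tcp-wrappers decision
 * rule for one daemon and one IPv4 client. Patterns: ALL, dotted prefix
 * ("192.168.1."), net/mask. Hostnames, EXCEPT and options not modelled. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

static int daemon_matches(const char *pat, const char *daemon)
{
    return strcmp(pat, "ALL") == 0 || strcmp(pat, daemon) == 0;
}
static int client_matches(const char *pat, const char *ip)
{
    size_t n = strlen(pat);
    if (strcmp(pat, "ALL") == 0) return 1;
    if (n > 0 && pat[n - 1] == '.')              /* "192.168.1." prefix form */
        return strncmp(ip, pat, n) == 0;
    const char *slash = strchr(pat, '/');
    if (slash) {                                  /* "10.0.0.0/255.0.0.0" form */
        char net[16];
        struct in_addr a, m, c;
        size_t len = (size_t)(slash - pat);
        if (len >= sizeof net) return 0;
        memcpy(net, pat, len);
        net[len] = '\0';
        if (!inet_aton(net, &a) || !inet_aton(slash + 1, &m) || !inet_aton(ip, &c))
            return 0;
        return (c.s_addr & m.s_addr) == (a.s_addr & m.s_addr);
    }
    return strcmp(pat, ip) == 0;                  /* exact address */
}

/* Does any comma/space separated pattern in the list match the item? */
static int list_has(char *list, const char *item,
                    int (*match)(const char *, const char *))
{
    char *save, *tok;
    for (tok = strtok_r(list, " ,\t", &save); tok; tok = strtok_r(NULL, " ,\t", &save))
        if (match(tok, item)) return 1;
    return 0;
}

/* Scan one table ("daemon_list : client_list [: options]" per line) and
 * return 1 if any line matches both the daemon and the client address. */
static int table_matches(const char *text, const char *daemon, const char *ip)
{
    char line[256];
    while (*text) {
        size_t n = strcspn(text, "\n");
        const char *start = text;
        text += n + (text[n] == '\n');
        if (n >= sizeof line) continue;           /* overlong line: ignored */
        memcpy(line, start, n);
        line[n] = '\0';
        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';
        char *colon = strchr(line, ':');
        if (!colon) continue;
        *colon = '\0';
        char *clients = colon + 1;
        char *opts = strchr(clients, ':');
        if (opts) *opts = '\0';
        if (list_has(line, daemon, daemon_matches) && list_has(clients, ip, client_matches))
            return 1;
    }
    return 0;
}

/* tcpd's rule: a match in hosts.allow grants, otherwise a match in
 * hosts.deny refuses, otherwise access is GRANTED. Without a catch-all
 * in hosts.deny, an allow list on its own restricts nothing. */
int hosts_access(const char *allow, const char *deny, const char *daemon, const char *ip)
{
    if (table_matches(allow, daemon, ip)) return 1;
    if (table_matches(deny, daemon, ip)) return 0;
    return 1;
}

/* Constructed sample tables; the addresses are assumed, not from the thread. */
const char SAMPLE_ALLOW[] = "# hosts.allow\nin.fingerd: 192.168.1. 10.0.0.0/255.0.0.0\nsshd: ALL\n";
const char SAMPLE_DENY[] = "ALL: ALL\n";

int main(void)
{
    const char *ips[] = { "192.168.1.7", "10.20.30.40", "203.0.113.5" };
    for (int i = 0; i < 3; i++)
        printf("in.fingerd from %-12s: with hosts.deny %s, without %s\n", ips[i],
               hosts_access(SAMPLE_ALLOW, SAMPLE_DENY, "in.fingerd", ips[i]) ? "allowed" : "denied",
               hosts_access(SAMPLE_ALLOW, "", "in.fingerd", ips[i]) ? "allowed" : "denied");
    return 0;
}
```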



RE: Secure Finger Daemon

2002-01-06 Thread Oliver Andrich
Hi,

well, I can't provide any info about these finger daemons, as I have not been
using any finger services at all during the past years. I stopped using this
service when one of my boxes was hacked using an exploit in the fingerd. Then I
asked myself for what reason I was running a finger service at all and didn't
come up with a useful reason for doing it. So, I would suggest that you
rethink whether you really need this service and then think about
implementations.

I would suggest forgetting it and not using it.

Best regards,
Oli

> -Original Message-
> From: eim [mailto:[EMAIL PROTECTED]
> Sent: Saturday, January 05, 2002 7:09 PM
> To: Debian-Security List
> Subject: Secure Finger Daemon
>
>
> Hello,
>
> I'm planning to install a secure finger daemon
> on one of the public boxes I admin.
>
> Well, out there are really many different finger
> daemons and in the Debian stable tree I can find:
>
>   * efingerd - Another finger daemon for unix
>  capable of fine-tuning your output.
>   * xfingerd - BSD-like finger daemon with qmail support.
>   * ffingerd - A secure finger daemon
>   * fingerd - Remote user information server.
>   * cfingerd - Configurable and secure finger daemon
>
> So I've considered using fingered which should be secure.
>
> Often I hear and read about exploited finger daemons which
> gave the attacker system access so I'm asking on this list
> help about the F Daemon.
>
> Which Finger daemon is *really* secure ?
> Shouldn't I install this service at all ?
> Any experiences about compromised systems ?
>
> Thanks for any help !
> Have a nice time,
>  - Ivo
>
> --
>
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>  Ivo Marino[EMAIL PROTECTED]
>  UN*X Developer, running Debian GNU/Linux
>  irc.OpenProjects.net #debian
>  http://eimbox.org
>  »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
>
>





Re: Secure Finger Daemon

2002-01-06 Thread Wichert Akkerman
Previously eim wrote:
> Which Finger daemon is *really* secure ?

I haven't looked at all of them, but cfingerd most certainly is not.

Wichet.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |




Secure Finger Daemon

2002-01-06 Thread eim
Hello,

I'm planning to install a secure finger daemon
on one of the public boxes I admin.

Well, out there are really many different finger
daemons and in the Debian stable tree I can find:

* efingerd - Another finger daemon for unix 
   capable of fine-tuning your output.
* xfingerd - BSD-like finger daemon with qmail support.
* ffingerd - A secure finger daemon
* fingerd - Remote user information server.
* cfingerd - Configurable and secure finger daemon

So I've considered using fingered which should be secure.

Often I hear and read about exploited finger daemons which
gave the attacker system access so I'm asking on this list
help about the F Daemon.

Which Finger daemon is *really* secure ?
Shouldn't I install this service at all ?
Any experiences about compromised systems ?

Thanks for any help !
Have a nice time,
 - Ivo

-- 

 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«
 Ivo Marino[EMAIL PROTECTED]
 UN*X Developer, running Debian GNU/Linux
 irc.OpenProjects.net #debian
 http://eimbox.org
 »« »« »« »« »« »« »« »« »« »« »« »« »« »« »«


