Re: off topic: password strategy as an ISP
On 5 Jul, John Foster wrote:
> On Fri, 4 Jul 1997 [EMAIL PROTECTED] wrote:
> > #!/bin/sh
> > cat <<__EOF__
> > No telnet login allowed.
> > ** Insert the motd here **
> > __EOF__
> > sleep 5
> > exit 0
>
> And if the remote user managed to interrupt it would they get /bin/sh?, with EUID 0? And what if the sleep call was suspended?

Did you try the script? If I try to suspend it, I get a "Connection closed by foreign host." The same with Ctrl+C. I believe that as this script is the login shell, you can't interrupt it without being disconnected. But someone with better knowledge of unix internals can tell you the real explanation.

Ciao,
Martin

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: off topic: password strategy as an ISP
On Sat, Jul 05, 1997 at 07:44:02AM +1000, John Foster wrote:
> On Fri, 4 Jul 1997 [EMAIL PROTECTED] wrote:
> > #!/bin/sh
> > cat <<__EOF__
> > No telnet login allowed.
> > ** Insert the motd here **
> > __EOF__
> > sleep 5
> > exit 0
>
> And if the remote user managed to interrupt it would they get /bin/sh?, with EUID 0? And what if the sleep call was suspended?
>
> I don't think a shell script could ever be a secure shell...

If they interrupted the script, the interpreter (/bin/sh) would exit, and so there'd be nothing left running. And it wouldn't be root anyway -- setuid scripts are not allowed (by the kernel) because they are prone to security problems.

hamish

--
Hamish Moffatt, StudIEAust [EMAIL PROTECTED]
Student, computer science computer systems engineering. 3rd year, RMIT.
http://hamish.home.ml.org/ (PGP key here)
CPOM: [* ] 50%
The opposite of a profound truth may well be another profound truth. --Bohr
Re: off topic: password strategy as an ISP
hello,

John Foster wrote:
> We use the following strategy:
> 1) Generate a list of passwords with pwgen

could you describe this utility?

> 2) On an SP2 supercomputer, try to crack them (after feeding them through crypt).

do you use a wordlist and if so, how big?

> 3) Those who can't be cracked go into a safe, to be allocated when users sign up.

then, you depend upon a wordlist. if you tested passwords on a small one, crackers may get lucky on one of those 11 mb ones on the coast security archives. as far as i know, all passwords can be cracked using brute force. (at least i had a 100% success)

> The company I work for was very badly hacked (rm -fR *), which is how I got my job (as a repairman!). They are now somewhat paranoid!

then they must have been really insecure. only very lame people would ever do that.

> Just as a "Debian is cool" story: When they lost all their servers they were running Slackware 2 (shudders!). I refused to rebuild the system with Slackware so they said, OK, use Redhat. I installed Redhat (2 I think) and managed to crack it within a week.

Redhat - the breakin paradise. last week, the whole #hack channel sat on #linux, noted down the ip addies of people who installed it and rooted them. ever saw an inetd.conf on a fresh install of redhat 4.2? just one unpatched version of imapd is sufficient ;)

> So I put Debian 1.2.4 on (I'd been using Debian in a research environment for some time), and since then I've seen a few attempts in the logs, but as far as I know no-one has got in who shouldn't!

it doesn't mean they haven't ;))

> I'm not so naive as to believe that Debian is 100% secure (that's impossible I reckon), but it seems to cope OK for a smallish ISP. I find some interesting things in the logs, like 500 consecutive attempts to telnet from the one source, but as we've disabled shell access for dial-in clients it'll just give them motd if they do get in that way!

i'm not at all knowledgeable in linux, but chsh changes a default shell of the user in /etc/passwd. (at least on sunOS)

> On the subject of pwgen though, there is a definite pattern to the passwords it generates. This does concern me a bit.

yep, that would certainly make it more susceptible to lame newbie attacks.

paul
Re: off topic: password strategy as an ISP
-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 3 Jul 1997, Pavel Galynin wrote:
> > attempts to telnet from the one source, but as we've disabled shell access for dial-in clients it'll just give them motd if they do get in that way!
> i'm not at all knowledgeable in linux, but chsh changes a default shell of the user in /etc/passwd. (at least on sunOS)

Yes, but how do you run it without getting a shell login in the first place?

Nils

--
  \ /              | Nils Rennebarth
--* WINDOWS 42 *-- | Schillerstr. 61
  / \              | 37083 Göttingen
                   | ++49-551-71626
Micro$oft's final answer | http://www.nus.de/~nils
Re: off topic: password strategy as an ISP
hello,

Nils Rennebarth wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Thu, 3 Jul 1997, Pavel Galynin wrote:
> > > attempts to telnet from the one source, but as we've disabled shell access for dial-in clients it'll just give them motd if they do get in that way!
> > i'm not at all knowledgeable in linux, but chsh changes a default shell of the user in /etc/passwd. (at least on sunOS)
>
> Yes, but how do you run it without getting a shell login in the first place?

some admins suid cgi scripts, like phf, php, jj and glimpse (the latest victim). all those buffer overflows in suid shell scripts, uid:0 daemons, etc. enough? ;))

paul
Re: off topic: password strategy as an ISP
On 4 Jul, Nils Rennebarth wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Thu, 3 Jul 1997, Pavel Galynin wrote:
> > > attempts to telnet from the one source, but as we've disabled shell access for dial-in clients it'll just give them motd if they do get in that way!
> > i'm not at all knowledgeable in linux, but chsh changes a default shell of the user in /etc/passwd. (at least on sunOS)
>
> Yes, but how do you run it without getting a shell login in the first place?

Easy. The users' login shells are:

#!/bin/sh
cat <<__EOF__
No telnet login allowed.
** Insert the motd here **
__EOF__
sleep 5
exit 0

Ciao,
Martin
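Added example, not part of any message in this thread: the exchange above turns on what a dial-in account's login shell really is, either a shell on the list chsh consults (/etc/shells) or a motd script like Martin's. The sketch below classifies every account in a passwd-format file against such a list. The function name, the finding labels and all fixture accounts and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify login shells from a passwd-format file.
# Usage: audit_login_shells PASSWD_FILE SHELLS_FILE
# Output: one "user:finding" line per account (labels are this example's own).
audit_login_shells() {
    passwd_file=$1 shells_file=$2
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        if [ -z "$shell" ]; then
            # An empty shell field makes login fall back to /bin/sh.
            finding="interactive-default"
        elif grep -qxF -- "$shell" "$shells_file"; then
            # Listed in the shells file: an ordinary shell account.
            finding="interactive"
        elif [ ! -x "$shell" ]; then
            # Not listed and not executable: login cannot start it at all.
            finding="restricted-missing"
        elif [ "$(head -c 2 "$shell")" = '#!' ]; then
            # An interpreter script as login shell, as in the thread.
            finding="restricted-script"
        else
            finding="restricted-binary"
        fi
        printf '%s:%s\n' "$user" "$finding"
    done < "$passwd_file"
}

# Constructed fixtures: a motd-style script, a shells list, five sample accounts.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "No telnet login allowed."\nsleep 5\nexit 0\n' > "$d/nologin.sh"
    chmod 755 "$d/nologin.sh"
    printf '/bin/sh\n/bin/bash\n' > "$d/shells"
    cat > "$d/passwd" <<EOF
staff:x:1000:1000:Staff:/home/staff:/bin/sh
dialin1:x:2001:2001:Dial-in:/home/dialin1:$d/nologin.sh
dialin2:x:2002:2002:Dial-in:/home/dialin2:/bin/bash
dialin3:x:2003:2003:Dial-in:/home/dialin3:
dialin4:x:2004:2004:Dial-in:/home/dialin4:$d/gone
EOF
    audit_login_shells "$d/passwd" "$d/shells"
    rm -rf "$d"
}
demo
```

On a real host the two arguments would be /etc/passwd and /etc/shells; any dial-in account reported as interactive or interactive-default still has a normal shell.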
Re: off topic: password strategy as an ISP
On Fri, 4 Jul 1997 [EMAIL PROTECTED] wrote:
> #!/bin/sh
> cat <<__EOF__
> No telnet login allowed.
> ** Insert the motd here **
> __EOF__
> sleep 5
> exit 0

And if the remote user managed to interrupt it would they get /bin/sh?, with EUID 0? And what if the sleep call was suspended?

I don't think a shell script could ever be a secure shell...

John Foster
off topic: password strategy as an ISP
As you can see, this message is very off-topic, but still somewhat Debian related.

I am curious how folks who use Debian in a production environment deal with allocating passwords. Do you use the pwgen package and let users worry about it from there, or do you let them choose within the confines of what passwd allows?

I can see a lot of "...no, you can't have anything that appears in the dictionary, no that's too short, you need a capital or a number in it.." or "...ok, to change your password you have to telnet in...ok, telnet is...then type passwd..."

It is interesting. I've had ISPs who use BSD, Slackware Linux, and NT. The BSD ISP gave me a rather cryptic looking password. I had my choice with the Slackware ISP. (Debian would not have accepted my password...too simple) Likewise, the NT ISP allowed me to choose a rather simple password. Even though hard to remember at first, the password I had with BSD was likely the most secure.

TIA for sharing your strategies.

Rich M
[EMAIL PROTECTED]
Re: off topic: password strategy as an ISP
We use the following strategy:

1) Generate a list of passwords with pwgen
2) On an SP2 supercomputer, try to crack them (after feeding them through crypt).
3) Those who can't be cracked go into a safe, to be allocated when users sign up.

The company I work for was very badly hacked (rm -fR *), which is how I got my job (as a repairman!). They are now somewhat paranoid!

Just as a "Debian is cool" story: When they lost all their servers they were running Slackware 2 (shudders!). I refused to rebuild the system with Slackware so they said, OK, use Redhat. I installed Redhat (2 I think) and managed to crack it within a week. So I put Debian 1.2.4 on (I'd been using Debian in a research environment for some time), and since then I've seen a few attempts in the logs, but as far as I know no-one has got in who shouldn't!

I'm not so naive as to believe that Debian is 100% secure (that's impossible I reckon), but it seems to cope OK for a smallish ISP. I find some interesting things in the logs, like 500 consecutive attempts to telnet from the one source, but as we've disabled shell access for dial-in clients it'll just give them motd if they do get in that way!

On the subject of pwgen though, there is a definite pattern to the passwords it generates. This does concern me a bit.

John Foster

> As you can see, this message is very off-topic, but still somewhat Debian related.
>
> I am curious how folks who use Debian in a production environment deal with allocating passwords. Do you use the pwgen package and let users worry about it from there, or do you let them choose within the confines of what passwd allows?
>
> I can see a lot of "...no, you can't have anything that appears in the dictionary, no that's too short, you need a capital or a number in it.." or "...ok, to change your password you have to telnet in...ok, telnet is...then type passwd..."
>
> It is interesting. I've had ISPs who use BSD, Slackware Linux, and NT. The BSD ISP gave me a rather cryptic looking password. I had my choice with the Slackware ISP. (Debian would not have accepted my password...too simple) Likewise, the NT ISP allowed me to choose a rather simple password. Even though hard to remember at first, the password I had with BSD was likely the most secure.
>
> TIA for sharing your strategies.
>
> Rich M
> [EMAIL PROTECTED]