On Fri, Jul 07, 2000 at 05:54:44PM -0400 or thereabouts, Susannah D. Rosenberg wrote:
> sorry, no clue. oooh... . damn.
> it's like a little howto on being a group-based access nazi. cool!
>
> quote from the default suse group.conf:
> '# Example: games are alowed between the hours of 6pm and
[EMAIL PROTECTED]:
> Summary:
>
> /bin/false or /bin/true as a login shell prevents an individual from
> logging in via telnet, ssh or rlogin.
>
> Closing off rlogind and telnetd prevents ANYONE from logging in via
> rlogin or telnet. (But not ssh. Which is usually deliberately permitted)
sshd
"Susannah D. Rosenberg" wrote:
>
> Samantha Jo Moore wrote:
> > If you change this for /bin/false then they won't
> > be able to telnet in.
>
> yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> you say "telnet to port 25", boys and girls?
>
> gaping security flaws are
Hey All,
A firewall cannot tell the difference btwn a telnet connection and a smtp
connection, that I am aware of. Telnet doesn't really do anything special
beside open a connection to a particular port (usu. 23). In addition to
that many smtp's have to be configured to allow for somewhat non-sta
Aaron Malone wrote:
>
> On Fri, Jul 07, 2000 at 05:36:41PM -0400, Susannah D. Rosenberg wrote:
> > maybe "dodgy" is a bad word. "non-extensible" and "kludge" might be
> > better. it probably comes down to the fact that, personally, i don't
> > like to fsck around with things like /etc/passwd if i
On Fri, Jul 07, 2000 at 04:45:02PM -0500, Aaron Malone wrote:
> Incidentally, does the /etc/security/access.conf thing work with ssh?
> I just tried disabling my access to our mail server, but it still let
> me in. I didn't spend much time on the docs, maybe I did it wrong. :)
To answer my own q
On Fri, Jul 07, 2000 at 05:36:41PM -0400, Susannah D. Rosenberg wrote:
> maybe "dodgy" is a bad word. "non-extensible" and "kludge" might be
> better. it probably comes down to the fact that, personally, i don't
> like to fsck around with things like /etc/passwd if i don't have to.
> call me paran
Brian Sweeney wrote:
>
> Hey all-
>
> Thanks everyone for the responses; the setting login to /bin/false is a neat
> trick. Also, FYI to those who feared for the security of my server, I DO
> have a firewall implemented, and this machine is behind it. I don't have to
> worry as much about what
Aaron Malone wrote:
>
> On Fri, Jul 07, 2000 at 05:10:21PM -0400, Susannah D. Rosenberg wrote:
> > yeah, but it's still a slightly dodgy way of doing it, imho. the
> > etc/security/access.conf thing is probably a better way of doing it, or
> > putting people into a group that has restricted acces
On Fri, Jul 07, 2000 at 05:10:21PM -0400, Susannah D. Rosenberg wrote:
> yeah, but it's still a slightly dodgy way of doing it, imho. the
> etc/security/access.conf thing is probably a better way of doing it, or
> putting people into a group that has restricted access.
Just out of curiosity, coul
Hey all-
Thanks everyone for the responses; the setting login to /bin/false is a neat
trick. Also, FYI to those who feared for the security of my server, I DO
have a firewall implemented, and this machine is behind it. I don't have to
worry as much about what ports are open where b/c the firewa
Aaron Malone wrote:
>
> On Fri, Jul 07, 2000 at 01:54:41PM -0400, Susannah D. Rosenberg wrote:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
>
> This has been discussed a bit a
On Fri, Jul 07, 2000 at 01:54:41PM -0400, Susannah D. Rosenberg wrote:
> yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> you say "telnet to port 25", boys and girls?
>
> gaping security flaws are /bad/.
This has been discussed a bit already, but I think there's some dee
On Fri, 07 Jul 2000 16:34:30 -0400, "Susannah D. Rosenberg" <[EMAIL PROTECTED]>
said:
>packet filtering mean anything to you?
I understand the concept. I'm stating that there's no way you can
tell a TCP SYN on port 25 from an MTA from a TCP SYN on port 25 from
telnet. They look exactly the s
[EMAIL PROTECTED] wrote:
>
> On Fri, 7 Jul 2000 15:14:59 -0400 , "Fan, Laurel" <[EMAIL PROTECTED]> said:
>
> >If I can, from my computer, open an "smtp connection" to port 25 on
> >somehost, I can run "telnet somehost 25". Neither of which has
> >anything at all to do with telnetd.
>
> I am in
in inetd.conf - turn off all services you don't want. This includes rlogin,
rtelnet, and telnet.
in /etc/passwd set the last to /dev/null
use tcpwrappers on all incoming services you left open (via inetd.conf).
Do not run any stand alone servers you don't trust.
That is all.
Bill
On Fri, 7
On Fri, 7 Jul 2000 15:14:59 -0400 , "Fan, Laurel" <[EMAIL PROTECTED]> said:
>If I can, from my computer, open an "smtp connection" to port 25 on
>somehost, I can run "telnet somehost 25". Neither of which has
>anything at all to do with telnetd.
I am indeed at a loss to tell how a firewall coul
On Fri, 7 Jul 2000 13:52:46 -0400, "Brian Sweeney" <[EMAIL PROTECTED]> said:
>Does anyone know how to restrict users on a RHL 6.0 box from being able to
>actually login?
RH 6.0 has so many security flaws that you simply should not run it in
an open environment. Upgrading bind is absolutely es
Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> yep. but there's a difference between being able to /telnet/ to port 25,
> and opening an smtp connection to port 25.
No, there is not.
Unless by "telnet" you mean something besides "run a program named telnet
and connect to port 25". (In which
"Fan, Laurel" wrote:
>
> Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> > yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> > you say "telnet to port 25", boys and girls?
> >
> > gaping security flaws are /bad/.
>
> Taking out rlogind and telnetd won't close port 25.
Susannah D. Rosenberg, [EMAIL PROTECTED], said:
> yeah, but it still leaves rlogind and telnetd flapping in the wind. can
> you say "telnet to port 25", boys and girls?
>
> gaping security flaws are /bad/.
Taking out rlogind and telnetd won't close port 25. And I'm assuming a
mail server would
Hi!
On Fri, Jul 07, 2000 at 01:52:46PM -0400, Brian Sweeney wrote:
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login? I know this sounds strange, but hear me out. I have this
> new mailserver up, and I want people to be able to POP to it to retrieve
>
Hi Brian and all,
On Fri, Jul 07, 2000 at 01:52:46PM -0400, you wrote the following:
>
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login? I know this sounds strange, but hear me out. I have this
What about /bin/nologin, /bin/false or something
Samantha Jo Moore wrote:
>
> > Does anyone know how to restrict users on a RHL 6.0 box from being able to
> > actually login? I know this sounds strange, but hear me out. I have this
> > new mailserver up, and I want people to be able to POP to it to retrieve
> > mail, but not anything else. I
Brian Sweeney wrote:
>
> Hello all-
>
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login?
> PS-If I could at least make it so that they couldn't login via telnet, THAT
> would be a big help...
edit /etc/inetd.conf (as root).
turn off rlogind and tel
> Does anyone know how to restrict users on a RHL 6.0 box from being able to
> actually login? I know this sounds strange, but hear me out. I have this
> new mailserver up, and I want people to be able to POP to it to retrieve
> mail, but not anything else. I had thought the way to do this was
Hello all-
Does anyone know how to restrict users on a RHL 6.0 box from being able to
actually login? I know this sounds strange, but hear me out. I have this
new mailserver up, and I want people to be able to POP to it to retrieve
mail, but not anything else. I had thought the way to do this